zuul-jobs/test-playbooks/multinode/persistent-firewall.yaml
Colleen Murphy 18285584f1 Use iptables for openSUSE
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the iptables persistence tasks to
avoid using SuSEfirewall2 and instead use rc.local to restore saved
rules upon restart, and undefines the iptables_service variable for SUSE
since there is no service to restart any more. See the related change
for image builds[2].

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
[2] https://review.opendev.org/683236

Change-Id: I0f8d74dd00df192c20b96a9368b964839c306171
2019-09-27 15:45:01 -07:00


# Test playbook for the persistent-firewall role. The inter-node ACCEPT
# rules (multi-node-firewall) and the bridge-subnet rule (multi-node-bridge,
# below) are already in place and saved; the post_tasks flush the live rule
# set, bring it back from the persisted copy and assert that the expected
# rules survived the round trip.
- name: Test the persistent-firewall role
hosts: all
roles:
# We're including multi-node-bridge a second time with the toggle for
# enabling firewall rules for the bridge network subnet.
# By this time, multi-node-firewall has already run, we don't need to run
# it again -- we're testing here that both are persisted properly.
- { role: multi-node-bridge, bridge_authorize_internal_traffic: true }
post_tasks:
# NOTE (dmsimard): Using with_first_found and include_vars can yield
# unexpected results, see multinode_firewall_persistence_vars/README.rst
# Lookup order is most specific first: distribution + release, distribution,
# OS family, then default.yaml. These files are presumably where
# iptables_service is defined (and, for SUSE, deliberately left undefined);
# confirm against the vars directory.
- name: Include OS-specific variables
include_vars: "{{ item }}"
with_first_found:
- "multinode_firewall_persistence_vars/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
- "multinode_firewall_persistence_vars/{{ ansible_distribution }}.yaml"
- "multinode_firewall_persistence_vars/{{ ansible_os_family }}.yaml"
- "multinode_firewall_persistence_vars/default.yaml"
# Drop the live filter rules so the checks below can only pass if the
# persisted copy is actually restored. --flush removes rules but leaves the
# chain policies untouched, so between this step and the restore the node
# runs with an empty rule set; it stays reachable only if the INPUT policy
# is ACCEPT (TODO(review): confirm for the test images). If the restore
# step fails the node is left wide open, which is what the asserts catch.
- name: Flush iptables rules
become: yes
command: "{{ item }}"
with_items:
- iptables --flush
- ip6tables --flush
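# NOTE (dmsimard): We're using with_items here because RedHat and Gentoo
# need to restart both iptables and ip6tables.
# Restarting the distribution's iptables service(s) is what reloads the
# saved rules on platforms that have such a service. SUSE deliberately
# leaves iptables_service undefined (no service exists there; the rc script
# handled by the boot.local tasks is used instead). The `| default([])` is
# needed in addition to the `when`: the loop is expanded before the
# condition is evaluated, and an undefined loop variable only produced a
# skip with a deprecation warning in Ansible < 2.12 -- from 2.12 on it is a
# fatal error, which would break the SUSE path of this test.
- name: Restart iptables
  become: yes
  service:
    name: "{{ item }}"
    state: restarted
  when: iptables_service is defined
  with_items: "{{ iptables_service | default([]) }}"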
# If there is no iptables service (ie on opensuse), run the rc file to apply the rules
# Probe for the rc script first so the restore task below can be skipped
# cleanly on a SUSE image that was not built with it. No become: stat only
# needs the path to be traversable. The result is only registered on SUSE;
# on every other platform boot_local_file is a skipped result with no
# .stat attribute, which the restore task's conditions must account for.
- name: Check for boot.local
stat:
path: /etc/init.d/boot.local
register: boot_local_file
when: ansible_os_family == "Suse"
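# Runs the rc script as root. On SUSE this is expected to be the root-owned
# /etc/init.d/boot.local installed by the image build, carrying the
# iptables-restore calls that normally run at boot (see the commit message);
# anything else placed in that file would run as root here too. The
# conditions are evaluated in order and stop at the first false one, so the
# os_family test must stay first: elsewhere the stat task was skipped and
# boot_local_file.stat does not exist. `stat.exists` is already a boolean,
# so it is tested directly rather than compared with `== True`.
- name: Restore iptables
  become: yes
  command: "/etc/init.d/boot.local"
  when:
    - ansible_os_family == "Suse"
    - iptables_service is not defined
    - boot_local_file.stat.exists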
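# Read the live rule set back after the restore. A failure here (no
# iptables-save on the image, not running as root) is a real test failure
# and must surface as one: with `failed_when: false` the command's error
# would be swallowed and the asserts below would instead fail against an
# empty stdout, losing the root cause. changed_when: false because
# iptables-save is read-only.
- name: switch and peer nodes should be in the ipv4 firewall
  become: yes
  command: iptables-save
  changed_when: false
  register: iptables_rules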
# Every node must carry an ACCEPT rule for every peer's private address.
# This is a substring match on iptables-save output: it proves the rule was
# restored, not where it sits, so an ACCEPT that ended up after a
# DROP/REJECT in INPUT would still pass. Peers with an empty private_ipv4
# are skipped by the `when`.
- name: Validate ipv4 private firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['private_ipv4']
# Same check for every peer's public IPv4 address; same caveat -- presence
# of the rule text is verified, its position relative to any DROP/REJECT in
# INPUT is not. Peers with an empty public_ipv4 are skipped by the `when`.
- name: Validate ipv4 public firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
with_items: "{{ groups['all'] }}"
when:
- hostvars[item]['nodepool']['public_ipv4']
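# The bridge-subnet rule added by multi-node-bridge with
# bridge_authorize_internal_traffic must survive the restore as well. It is
# a single, host-independent rule, so no loop is needed: iterating over
# groups['all'] would only evaluate the same assertion once per node
# without ever using item. As with the per-peer checks this is a substring
# match that does not verify the rule's position within INPUT.
- name: Validate ipv4 bridge firewall configuration
  assert:
    that:
      - "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout"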
# ipv6_addresses is set by the multi-node-firewall role
# That comment is load-bearing: the block is only entered when at least one
# node has an IPv6 address, and an undefined ipv6_addresses is an error
# here, not a skip.
- when: ipv6_addresses | length > 0
block:
# NOTE(review): `failed_when: false` hides a failing ip6tables-save; the
# assert that follows then fails on empty output with the root cause lost.
- name: switch and peer nodes should be in the ipv6 firewall
become: yes
command: ip6tables-save
changed_when: false
failed_when: false
register: ip6tables_rules
# Every node must carry an ACCEPT rule for every peer's public IPv6
# address; substring match, position within INPUT is not verified.
# NOTE(review): no guard for a peer whose public_ipv6 is empty is visible
# in this span, unlike the ipv4 checks -- confirm one exists (it may follow
# this task), otherwise the template renders '-s /128' and the assert fails.
- name: Validate ipv6 firewall configuration
assert:
that:
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
with_items: "{{ groups['all'] }}"