Commit Graph

25 Commits

Author SHA1 Message Date
Monty Taylor 185bbcbe52 Retire repo
Depends-On: https://review.opendev.org/720892
Change-Id: I295517b9ab66af664b96831e38011130468c2599
2020-04-22 10:19:09 -05:00
Colleen Murphy cef0960c6d Explicitly set selinux seltype for rules link
Puppet seems to have some issue with creating a symlink in
/etc/sysconfig on CentOS, where it creates the link on the first run and
then corrects the seltype on the second run, breaking idempotency tests.
If we make sure to explicitly set it up front, puppet doesn't get
confused. This patch also removes the mode setting since setting the
permissions mode on a symlink doesn't make sense.

Change-Id: I7019c48220425fc583b9b431eff08a6261ee2ebc
2018-07-10 21:20:43 +02:00
Colleen Murphy 73089a0566 Ensure iptables service is running
On Ubuntu, the iptables service starts running when it is installed. On
CentOS, that's not the case, and signaling a restart in puppet does not
actually start the service. The result is that while the iptables
service is stopped, `iptables -S` is empty. This patch adds ensure =>
running to the service resources so that iptables behaves the same on
CentOS and Ubuntu.

Change-Id: I0584c988bcebeee5133f85d55f8d389d78ebac70
2018-07-10 21:20:39 +02:00
Colleen Murphy ffe7e12145 Ensure firewalld package is absent, not purged
There seems to be a longstanding, inexplicably unresolved bug[1][2] in
the puppet package resource on CentOS where an uninstalled package will
repeatedly be reported as being "created" when it is not installed and
when the resource has ensure => purged. This breaks idempotency tests
and is just confusing. Setting the resource to absent instead of purge
works correctly and should be sufficient for ensuring firewalld isn't
interfering.

[1] https://projects.puppetlabs.com/issues/2833
[2] https://projects.puppetlabs.com/issues/3707

Change-Id: I702cf0130b311a5cd6786b4c4dd76fa03adbd2f7
2018-07-10 20:53:54 +02:00
James E. Blair 8f2af6849c Add support for resolving hostnames in rules
This allows us to specify rules with hostnames, but have puppet
resolve those to IP addresses before writing out the iptables
config.  This ensures that iptables will always be able to start,
as well as keeping firewalls up to date as hosts change.

Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
2017-12-14 12:54:08 -08:00
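An added example, not code from the puppet-iptables module, of the resolve-before-write approach this commit describes. It is written in Ruby because that is the language of Puppet's custom functions and ERB templates. Hostnames given as -s/-d arguments are expanded into literal addresses while the catalog is being built, IPv4 results go to the v4 rule list and IPv6 results to the v6 list, a rule that would mix families is dropped for that combination, and a name that does not resolve raises instead of producing a rules file that iptables-restore would reject at boot. The StaticResolver class, the hostnames and the addresses are constructed for the example; in production the resolver argument would be a real Resolv::DNS.

```ruby
require 'ipaddr'
require 'resolv'

module IptablesRules
  # iptables options whose next token is an address, network or hostname.
  ADDR_FLAGS = %w[-s --source -d --destination].freeze

  # family is 4 or 6; text is what gets written into the rule.
  Addr = Struct.new(:family, :text)

  # Resolve one -s/-d argument. Literals (including CIDR networks) are kept
  # verbatim so a prefix length survives; hostnames are looked up through
  # +resolver+, which must respond to getaddresses(name) like Resolv::DNS.
  # An unresolvable name raises: failing the puppet run is safer than writing
  # a rules file that iptables-restore cannot load at boot.
  def self.resolve(name, resolver)
    begin
      ip = IPAddr.new(name)
      return [Addr.new(ip.ipv4? ? 4 : 6, name)]
    rescue IPAddr::InvalidAddressError
      # not a literal address; fall through to DNS
    end
    addrs = resolver.getaddresses(name).map do |a|
      ip = IPAddr.new(a.to_s)
      Addr.new(ip.ipv4? ? 4 : 6, ip.to_s)
    end
    raise ArgumentError, "#{name} did not resolve to any address" if addrs.empty?
    addrs
  end

  # Expand one rule into [v4_rules, v6_rules]. A hostname with several
  # addresses yields one rule per address; two hostnames in one rule yield
  # the cartesian product, minus combinations that mix IPv4 and IPv6.
  # A rule with no address argument belongs in both families.
  def self.expand(rule, resolver)
    tokens = rule.split
    positions = tokens.each_index.select do |i|
      ADDR_FLAGS.include?(tokens[i]) && i + 1 < tokens.size
    end
    choices = positions.map { |i| resolve(tokens[i + 1], resolver) }
    combos = choices.empty? ? [[]] : choices.first.product(*choices.drop(1))
    v4 = []
    v6 = []
    combos.each do |combo|
      families = combo.map(&:family).uniq
      next if families.size > 1
      line = tokens.dup
      positions.each_with_index { |pos, k| line[pos + 1] = combo[k].text }
      line = line.join(' ')
      v4 << line if families.empty? || families == [4]
      v6 << line if families.empty? || families == [6]
    end
    [v4, v6]
  end

  # Render a list of rule strings into the two per-family lists that would
  # be written to rules.v4 and rules.v6.
  def self.render(rules, resolver = Resolv::DNS.new)
    out = { v4: [], v6: [] }
    rules.each do |rule|
      v4, v6 = expand(rule, resolver)
      out[:v4].concat(v4)
      out[:v6].concat(v6)
    end
    out
  end

  # Constructed offline stand-in for Resolv::DNS (same getaddresses interface)
  # so the example runs without network access.
  class StaticResolver
    def initialize(table)
      @table = table
    end

    def getaddresses(name)
      Array(@table[name])
    end
  end
end

# Constructed sample data: hostnames and addresses are made up.
SAMPLE_RESOLVER = IptablesRules::StaticResolver.new(
  'cacti.example.org'   => ['192.0.2.10', '2001:db8::10'],
  'bastion.example.org' => ['198.51.100.5']
)
SAMPLE_RULES = [
  '-A INPUT -p tcp --dport 22 -j ACCEPT',
  '-A INPUT -s cacti.example.org -p udp --dport 161 -j ACCEPT',
  '-A INPUT -s bastion.example.org -d cacti.example.org -p tcp --dport 443 -j ACCEPT',
  '-A INPUT -s 10.0.0.0/8 -p tcp --dport 5666 -j ACCEPT'
].freeze

if __FILE__ == $PROGRAM_NAME
  rendered = IptablesRules.render(SAMPLE_RULES, SAMPLE_RESOLVER)
  puts '# rules.v4', rendered[:v4], '', '# rules.v6', rendered[:v6]
end
```

Because resolution happens on every puppet run, the written rules track DNS changes at the agent's run interval; the trade-off is that a host whose name stops resolving now fails the run rather than silently losing its rule, which is the behaviour you want for a firewall.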
Jenkins 25561a16c8 Merge "Use site-agnostic default parameter values" 2016-12-21 07:41:52 +00:00
Ian Wienand 0b5f1ebeaf Fedora: pre-install iptables to work-around dependency issue
As described in the comment, we need to pre-install the iptables
package before the iptables-service package to avoid dependency
issues.  This was causing F25 build failures.

Change-Id: I9541a1c8f11566198b6fa622e36c4be59d6670d2
2016-12-20 09:57:50 +11:00
K Jonathan Harker f01c69ce28 Use site-agnostic default parameter values
Set the default snmp hosts to the empty set rather than
cacti.openstack.org.

Change-Id: Ibae45af594fc2b18024fcc2d6ef040afd4ddd926
Depends-On: I173ca1efae4644c89cfab68d6beeba0a1dae9ce2
2016-08-29 16:39:09 -07:00
K Jonathan Harker d921031e8a Parameterize SNMP source hosts
Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the hosts to allow
snmp from so that downstreams don't have to fork the module in order to
remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
2016-08-29 16:28:54 -07:00
Paul Belanger 5b178cefd3 Add ip6tables service support for Red Hat
Currently we don't start ip6tables service on centos-7. This fixes
that.

Change-Id: I64e62074b41e49cc2dc9b6bafcfbeeded2029487
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-08-29 13:25:32 -04:00
Paul Belanger 47ed5aabad Ensure service logic run regardless of using chroot
We want to stop notify from working in a chroot, however we need to
make sure we properly setup our Service correctly. As a result, move
the logic outside of our chroot checks.

Change-Id: I4c9284ed8ed23944aa3649338b1a09abdc8b80df
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-07-05 17:26:49 -04:00
Andrey Nikitin 86262df7c8 Indentation of the class parameters is refactored
Indentation of those parameters is changed
to follow Puppet Style Guide recommendation [0].

[0]. https://docs.puppetlabs.com/guides/style_guide.html

Change-Id: I336a845d5b2256c90987e1295545dbf26fd2076b
2016-03-22 12:49:38 +03:00
Clark Boylan 95670757ae Really stop using firewalld
On some centos7 builds there is no firewalld so we have to be a bit
smarter about how we disable it. New method is to run an exec that stops
the service if it is running, then use a package resource to uninstall it
completely. All of this happens before we install the iptables service
so they should not conflict with each other.

One trick is we have to "purge" the package, because it may well have
dependencies (on RAX images, firewalld-fail2ban is installed along
with a bunch of other monitoring-type things by the "helpful"
tool-installation script that runs automatically).  The "yum" provider
in puppet actually says to do this in its documentation:

  "Using this provider's `uninstallable` feature will not remove
  dependent packages. To remove dependent packages with this provider
  use the `purgeable` feature, but note this feature is destructive
  and should be used with the utmost care."

Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
2015-09-14 16:22:46 -07:00
Clark Boylan 7503162cc4 Disable firewalld on centos7 and greater
Firewalld is enabled by default on centos7. Unfortunately
iptables-service and firewalld appear to confuse each other resulting in
no firewall rules at all. Fix this by disabling firewalld allowing
iptables-service to be in charge and apply the rules it has configured.

Change-Id: I0089502b134c91ef2e8d11cef1e016ce314ecf96
2015-08-27 15:31:56 -07:00
Colleen Murphy 599f8e21b3 Add Gemfile and puppet 4 checks
In anticipation of puppet 4, start trying to deal with puppet 4 things
that can be helpfully predicted by puppet lint plugins. Also fix lint
errors caught by the puppet-lint-absolute_classname-check gem as well
as arrow alignment errors not caught before.

Change-Id: I56bce05c9c8d1b7924b78c78b74e4755d9a02936
2015-08-03 18:19:57 -07:00
Attila Fazekas 1938c72b93 iptables on fedora
The systemd version of iptables requires the 'iptables-services' package
for having the `regular` iptables rule restore on service startup.

The service also needs to be enabled explicitly.

Another iptables-related issue: multinode_setup.sh
tries to execute the iptables command without a login shell.

The non-login shell does not contain /usr/sbin in PATH,
so multinode_setup.sh is changed to use login shell defaults.

Warning: This change enables the iptables service on all
distributions.

Change-Id: I3174e43b3b19e28073a4364dd0f66fc39b0fa815
2014-08-14 11:23:53 +02:00
Monty Taylor 6ca8392c27 Don't manage iptables if we're in a chroot
In chroots, as with diskimage-builder, managing service starts is
tricky. Also, we don't need to restart the service then, because
the service will get started on boot of the image.

Change-Id: Iaf90005039b8196ba3a0ac05c96d71e034f0b0b1
2014-07-05 15:58:05 -07:00
Dan Prince 3263da2819 Add RHEL support to iptables module.
Updates the iptables module so that it uses parameters
to define the package, service, and files used to setup and
configure persistent iptables rules.

With these updates the module should now support both
RHEL and Ubuntu.

Change-Id: I45af4e72065c9baaf1d9a03f18b47f6effdce322
Reviewed-on: https://review.openstack.org/23278
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2013-03-04 18:24:37 +00:00
James E. Blair b2e3236903 Make iptables additional rules a list.
A list of iptables commands that come after the "-A OPENSTACK-INPUT"
bit.

Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3
Reviewed-on: https://review.openstack.org/17172
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
2012-11-30 01:39:28 +00:00
Paul Belanger 6e40791b0b Puppet lint fixes
Change-Id: I00cfd6765bf3f7acd44263347655228d5a839852
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-on: https://review.openstack.org/15844
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-11-13 21:38:48 +00:00
Clark Boylan d0981f5a63 Add ipv6 functionality to iptables module.
Rackspace nova cloud supports ipv6. Add ip6tables support to the
iptables module so that we can take advantage of ipv6 on this cloud
platform.

Change-Id: I628b7c71ff486a925cdb3d44277cca0d6ae7c985
Reviewed-on: https://review.openstack.org/14315
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-10-11 21:20:08 +00:00
Matthew Wagoner f61a443a90 style edits to puppet config files
Change-Id: I4f7314bcb1cb58f94ff7a78aebe27ec4591fc11c
Reviewed-on: https://review.openstack.org/14187
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
2012-10-10 21:01:08 +00:00
Hengqing Hu fa51e50883 Remove trailing whitespaces in regular file
Change-Id: I06d4ed2a8153820f7253c6602bfa8c05af59e06f
2012-03-09 16:02:04 +08:00
Andrew Hutchings 8a91936e0a Add bzr to iptables
Adds bzr to jenkins iptables
Adds symlink for rules.v4 to rules

Change-Id: I058cccde7e39860655c3762ca06e2bd5d93f3a1c
2012-02-15 17:48:00 -08:00
James E. Blair d8056447b8 Add iptables module and rules to puppet.
Change-Id: I3ed4896dd13f0de26c287a34f8a8e858d21a4634
2011-08-08 21:31:23 +00:00