Merge "Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"" into stable/train
commit
a8c4160ec5
|
@ -68,35 +68,16 @@ outputs:
|
|||
include ::tripleo::firewall
|
||||
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Prevent Nftables to set up any rules
|
||||
copy:
|
||||
dest: /etc/sysconfig/nftables.conf
|
||||
content: |
|
||||
# This file has been explicitely emptied and disabled by TripleO
|
||||
# so that nftables and iptables do not race each other
|
||||
register: nftablesconf
|
||||
- when: nftablesconf is changed
|
||||
block:
|
||||
- name: Flush Nftables rules when nftables.conf changed
|
||||
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
|
||||
- name: Restart iptables to restore firewall after flushing nftables
|
||||
systemd:
|
||||
state: reloaded
|
||||
name: "{{item}}"
|
||||
loop:
|
||||
- iptables.service
|
||||
- ip6tables.service
|
||||
- if:
|
||||
- no_ctlplane
|
||||
- -
|
||||
name: Ensure ctlplane subnet is set
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- null
|
||||
if:
|
||||
- no_ctlplane
|
||||
-
|
||||
name: Ensure ctlplane subnet is set
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- null
|
||||
|
||||
deploy_steps_tasks:
|
||||
- when: step|int == 0
|
||||
|
|
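Review bot: With the `list_concat` branch gone, `host_prep_tasks` no longer empties `/etc/sysconfig/nftables.conf` or flushes the nft ruleset, so on a host where nftables is active the race with iptables described in the removed file comment can return. Nothing visible in the commit record says why that is acceptable on stable/train or what replaces it. I would add a comment above `host_prep_tasks:` recording this, for example `# nftables is not neutralised here (reverted, see <revert-reason-reference>); rules from ::tripleo::firewall may coexist with nftables rules`. It would also be worth confirming that the nftables service is disabled on the target images, since otherwise the effective packet filtering presumably depends on both rule sets rather than only the one TripleO manages. The `outputs:` block and the `deploy_steps_tasks` list continue outside the hunk, so a later step may already cover this.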