Add --wait to iptables calls

This change updates the calls that we use in the ocf scripts to determine
if the rules are present to include the -w flag to prevent the scripts
from failing if another iptables call is currently running. It has been
reported that this can occur when the ocf scripts are running in
parallel to the puppet deployment (firewall task).

Change-Id: Ia603f5643720a5fa5407de36ca75830a7c3f57fa
Closes-Bug: #1605540
This commit is contained in:
Alex Schultz 2016-08-15 09:48:57 -06:00
parent 40088d3ddf
commit 8fffe24cb0
3 changed files with 8 additions and 8 deletions


@ -337,10 +337,10 @@ set_ns_routing() {
fi
# set masquerade on host node
iptables -n -t nat -L | grep -q masquerade-for-haproxy-namespace
iptables -n --wait -t nat -L | grep -q masquerade-for-haproxy-namespace
if [ $? -gt 0 ]; then
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
fi
### Needed for ML2 routing ###
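Review bot: The added `--wait` on the existence check `iptables -n --wait -t nat -L | grep -q masquerade-for-haproxy-namespace` still leaves `$?` carrying only grep's status, so any failure of the listing itself (an iptables error, or a binary that rejects `--wait`) reads as "rule absent" and the following `-A POSTROUTING` appends another MASQUERADE rule on every action. A direct rule check reports existence by exit code instead of by text match, e.g. `if ! iptables --wait -t nat -C POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"; then`, which also drops the pipeline. Bare `--wait` has no upper bound, so the OCF action timeout becomes the only limit on the lock wait; where the installed iptables supports it, `-w <seconds>` keeps that bounded. The same listing-and-grep pattern is in the second file (`masquerade-for-vrouter-namespace`). `set_ns_routing` starts outside the hunk.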


@ -256,10 +256,10 @@ set_ns_routing() {
fi
# set masquerade on host node
iptables -n -t nat -L | grep -q masquerade-for-vrouter-namespace
iptables -n --wait -t nat -L | grep -q masquerade-for-vrouter-namespace
if [ $? -gt 0 ]; then
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
fi
### Needed for ML2 routing ###


@ -691,9 +691,9 @@ block_client_access()
# do not add temporary RMQ blocking rule, if it is already exist
# otherwise, try to add a blocking rule with max of 5 retries
local tries=5
until $(iptables -nvL | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
until $(iptables -nvL --wait | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
tries=$((tries-1))
iptables -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
iptables --wait -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
-m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
sleep 1
done
@ -707,8 +707,8 @@ block_client_access()
unblock_client_access()
{
# remove all temporary RMQ blocking rules, if there are more than one exist
for i in $(iptables -nvL --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
iptables -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
for i in $(iptables -nvL --wait --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
iptables --wait -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
-m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
done
}
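Review bot: The loop condition `until $(iptables -nvL --wait | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do` wraps the pipeline in `$( )`, so the shell runs grep's (empty) output as a command and the test only works because bash reuses the last command substitution's status for an empty command line; the pipeline should be tested directly, `until iptables --wait -nvL | grep -q 'temporary RMQ block' || [ "$tries" -eq 0 ]; do`. As in the other two files, `grep -q`'s status cannot tell "no rule" from a failed listing, so a listing error makes the `-I INPUT` insert run on each of the five tries; `iptables --wait -C INPUT …` with the same match spec would report existence by exit code. `${OCF_RESKEY_node_port}` is unquoted on both the `-I` and `-D` lines and should be `"${OCF_RESKEY_node_port}"`. `block_client_access` begins outside the first hunk.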