Work around packaging issue in iptables-services.

When iptables-services is upgraded it restarts the iptables services
which breaks connectivity because it looses the current iptables
rules.

So we add another network workaround.  This time around the
iptables-services package.

The first target is the update process as this is where the problem
should arise, but as the framework for network workaround is already
is place, we cover upgrade as well.

Partial-Bug: #1758291

Change-Id: Ia2f94058bac6cf28b4bd425385ffd629555c9609

extraconfig/tasks/major_upgrade_ceph_storage.sh

@@ -9,6 +9,7 @@ set -o pipefail
 UPGRADE_SCRIPT=/root/tripleo_upgrade_node.sh
 
 declare -f update_os_net_config > $UPGRADE_SCRIPT
+declare -f special_case_iptables_services_upgrade_if_needed >> $UPGRADE_SCRIPT
 declare -f special_case_ovs_upgrade_if_needed >> $UPGRADE_SCRIPT
 declare -f update_network >> $UPGRADE_SCRIPT
 # use >> here so we don't lose the declaration we added above

extraconfig/tasks/major_upgrade_compute.sh

@@ -21,6 +21,7 @@ crudini  --set /etc/nova/nova.conf upgrade_levels compute $upgrade_level_nova_co
 # Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1669714
 $(declare -f update_os_net_config)
 $(declare -f special_case_ovs_upgrade_if_needed)
+$(declare -f special_case_iptables_services_upgrade_if_needed)
 $(declare -f update_network)
 update_network
 

extraconfig/tasks/major_upgrade_object_storage.sh

@@ -24,6 +24,7 @@ function systemctl_swift {
 }
 
 $(declare -f update_os_net_config)
+$(declare -f special_case_iptables_services_upgrade_if_needed)
 $(declare -f special_case_ovs_upgrade_if_needed)
 $(declare -f update_network)
 update_network

extraconfig/tasks/pacemaker_common_functions.sh

@@ -346,6 +346,33 @@ function special_case_ovs_upgrade_if_needed {
 
 }
 
+function special_case_iptables_services_upgrade_if_needed {
+    # Always ensure yum has full cache
+    yum makecache || echo "Yum makecache failed. This can cause failure later on."
+    # Return 0 when no upgrade is needed
+    if yum check-upgrade iptables-services; then
+        echo "Either iptables-services is not installed or a newer version is already there, skipping workaround."
+    fi
+    if rpm -q --scripts iptables-services | awk '/postuninstall/,/*/' | grep "systemctl.*try-restart" ; then
+        echo "Manual upgrade of iptables-services - restart in postun detected"
+        rm -rf ~/IPTABLES_UPGRADE
+        mkdir -p ~/IPTABLES_UPGRADE && pushd ~/IPTABLES_UPGRADE
+        echo "Attempting to download latest iptables-services with yumdownloader"
+        yumdownloader iptables-services # no deps on purpose.
+        pkg="$(ls -1 iptables-services-*.x86_64.rpm)"
+        if [ -z "${pkg}" ]; then
+            echo "Cannot find a valid package for iptables-services, aborting"
+            exit 1
+        fi
+        echo "Updating iptables-services to $pkg with --nopostun --notriggerun --nodeps"
+        rpm -U --replacepkgs --nopostun --notriggerun --nodeps ./${pkg}
+        systemctl daemon-reload
+        popd
+    else
+        echo "Skipping manual upgrade of iptables-services  - no restart in postun detected"
+    fi
+}
+
 # update os-net-config before ovs see https://bugs.launchpad.net/tripleo/+bug/1695893
 function update_os_net_config() {
   set +e
@@ -379,6 +406,7 @@ function update_network() {
     update_os_net_config
     # special case https://bugs.launchpad.net/tripleo/+bug/1635205 +bug/1669714
     special_case_ovs_upgrade_if_needed
+    special_case_iptables_services_upgrade_if_needed
 }
 
 # https://bugs.launchpad.net/tripleo/+bug/1704131 guard against yum update