Add a script to zero /etc/sysconfig/ip6tables at build time

In change Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3 we zeroed out
/etc/sysconfig/iptables, but we did not take care of ipv6. This change
is meant to take care of the ipv6 part of the problem.
When including this element we empty the stock /etc/sysconfig/ip6tables
file as shipped by the iptables rpm package. The reason for this is that
puppet firewall has a hard time to cope with existing rules when
/etc/sysconfig/iptables is populated and the iptables service is not
active. The referenced bug has a full explanation for the problem.

Note that ipv6 is slightly more delicate because we will also need a puppet-tripleo
change that implements the dhcpv6 rule that is contained by default
in /etc/sysconfig/ip6tables:
Depends-On: If22080054b2b1fa7acfd101e8c34d2707e8e7864

Change-Id: I0dee5ff045fbfe7b55d078583e16b107eec534aa
Partial-Bug: #1657108
This commit is contained in:
Michele Baldessari 2017-01-27 10:49:12 +01:00
parent 00b986959c
commit 96cb130c5a
1 changed files with 2 additions and 0 deletions

@ -4,4 +4,6 @@ set -o pipefail
if [[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]; then
echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/iptables
echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/ip6tables
fi
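
Review bot: The distro check on the `if [[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]` line treats the quoted right-hand side as a literal substring, so an empty DISTRO_NAME, or a fragment such as `el`, also matches and both rule files get truncated on images where that was not intended. An exact match would be safer, for example `case "$DISTRO_NAME" in rhel|rhel7|centos7|fedora) ... ;; esac`. Separately, the new write to /etc/sysconfig/ip6tables drops the stock dhcpv6 rule that the commit message says must be re-added by the puppet-tripleo change; a short comment next to that echo naming the dependency would help anyone building an image without that change understand why the rule is gone.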