Really stop using firewalld

On some centos7 builds there is no firewalld so we have to be a bit more smarter about how we disable it. New method is to run an exec that stops the service if it is running then use a package resource to uninstall it completely. All of this happens before we install the iptables service so they should not confict with each other. Change-Id: I0750de9e75b63190531a3d39a5fcbb19f8e8c49e
2015-08-31 14:22:26 -07:00 · 2015-08-31 14:22:26 -07:00 · 6097fe5111
parent 7503162cc4
commit 6097fe5111
1 changed files with 9 additions and 5 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -43,11 +43,15 @@ class iptables(
    # On centos 7 firewalld and iptables-service confuse each other and you
    # end up with no firewall rules at all. Disable firewalld so that
    # iptables-service can be in charge.
-    if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
-      service { 'firewalld':
-        ensure => 'stopped',
-        enable => false,
-        before => Package['iptables'],
+    if ($::osfamily == 'RedHat') {
+      exec { 'stop-firewalld-if-running':
+        command => '/usr/bin/systemctl stop firewalld',
+        onlyif  => '/usr/bin/pgrep firewalld',
+      }
+      package { 'firewalld':
+        ensure  => 'purged',
+        require => Exec['stop-firewalld-if-running'],
+        before  => Package['iptables'],
      }
    }
  }