From d900c3e3efbc0fd9e6ef2f7b62da32975aed96ed Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Mon, 15 Aug 2016 09:48:57 -0600
Subject: [PATCH] Add --wait to iptables calls

This change updates the calls that we us in the ocf scripts to determine if the rules are present to include the -w flag to prevent the scripts from failing if another iptables call is currently running. It has been reported that this can occur when the ocf scripts are running in parallel to the puppet deployment (firewall task)

Change-Id: Ia603f5643720a5fa5407de36ca75830a7c3f57fa
Closes-Bug: #1605540
---
 files/fuel-ha-utils/ocf/ns_haproxy | 12 ++++++------
 files/fuel-ha-utils/ocf/ns_vrouter | 4 ++--
 files/fuel-ha-utils/ocf/rabbitmq | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/files/fuel-ha-utils/ocf/ns_haproxy b/files/fuel-ha-utils/ocf/ns_haproxy
index f10551f6d4..9126b9e6ee 100755
--- a/files/fuel-ha-utils/ocf/ns_haproxy
+++ b/files/fuel-ha-utils/ocf/ns_haproxy
@@ -262,9 +262,9 @@ block_client_access()
 # do not add temporary SYN blocking rule, if it is already exist
 # otherwise, try to add a blocking rule with max of 5 retries
 local tries=5
- until $($RUN_IN_NS iptables -t filter -nvL | grep -q 'temporary SYN block') || [ $tries -eq 0 ]; do
+ until $($RUN_IN_NS iptables -t filter -nvL --wait | grep -q 'temporary SYN block') || [ $tries -eq 0 ]; do
 tries=$((tries-1))
- ocf_run $RUN_IN_NS iptables -t filter -I INPUT -p tcp \
+ ocf_run $RUN_IN_NS iptables --wait -t filter -I INPUT -p tcp \
 -m comment --comment 'temporary SYN block' --syn -j DROP
 sleep 1
 done
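Review bot: `--wait` with no timeout argument makes both new iptables calls in this hunk block indefinitely on the xtables lock, so a stuck lock holder turns the former transient failure into a hang of the resource agent until Pacemaker times the action out; if the installed iptables accepts a timeout for `--wait`, bounding it (e.g. `--wait 10`, a constructed value) keeps the failure visible and lets the existing `tries` loop do its job. The same applies to the other five hunks of this patch (unblock_client_access and set_ns_routing in ns_haproxy, set_ns_routing in ns_vrouter, and both rabbitmq hunks). The `until $( ... )` form on the first new line also captures grep's empty output and relies on the exit status of the command substitution, which is obscure and hides any iptables error behind grep's status; `until $RUN_IN_NS iptables -t filter -nvL --wait | grep -q 'temporary SYN block' || [ "$tries" -eq 0 ]; do` expresses the same test directly, and the rabbitmq block_client_access hunk has the same shape. block_client_access starts before this hunk and its closing brace is outside it.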
@@ -279,8 +279,8 @@ block_client_access()
 unblock_client_access()
 {
 # remove all temporary SYN blocking rules, if there are more than one exist
- for i in $($RUN_IN_NS iptables -t filter -nvL --line-numbers | awk '/temporary SYN block/ {print $1}'); do
- ocf_run $RUN_IN_NS iptables -t filter -D INPUT -p tcp \
+ for i in $($RUN_IN_NS iptables -t filter -nvL --wait --line-numbers | awk '/temporary SYN block/ {print $1}'); do
+ ocf_run $RUN_IN_NS iptables --wait -t filter -D INPUT -p tcp \
 -m comment --comment 'temporary SYN block' --syn -j DROP
 done
 }
@@ -370,10 +370,10 @@ set_ns_routing() {
 fi
 # set masquerade on host node
- iptables -n -t nat -L | grep -q masquerade-for-haproxy-namespace
+ iptables -n --wait -t nat -L | grep -q masquerade-for-haproxy-namespace
 if [ $? -gt 0 ]; then
 ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
- ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
+ ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
 fi
 ### Needed for ML2 routing ###
diff --git a/files/fuel-ha-utils/ocf/ns_vrouter b/files/fuel-ha-utils/ocf/ns_vrouter
index 2604d6b68e..20e31e384b 100644
--- a/files/fuel-ha-utils/ocf/ns_vrouter
+++ b/files/fuel-ha-utils/ocf/ns_vrouter
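Review bot: The loop variable `i` on the new `for` line is never used in the body: the list of matching line numbers only decides how many times the spec-based `-D` runs, which is the correct choice since line numbers shift after each deletion, but a reader will assume a rule-number delete was intended and may "fix" it into `-D INPUT "$i"`, which would skip every other rule. A comment on the loop such as `# one spec-based -D per matching rule; line numbers shift after each delete, so $i is deliberately unused` would prevent that. The rabbitmq unblock_client_access hunk has the same shape and needs the same comment.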
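Review bot: `if [ $? -gt 0 ]` after the new `grep -q` line still only sees grep's status, so a listing that fails (the lock case this patch targets, or an iptables that rejects `--wait`) produces no output, grep returns 1, and the unconditional `-A POSTROUTING` appends a second MASQUERADE rule on every such start. iptables has a check mode (`-C`) that tests the exact rule rather than a substring of the whole nat table and reports absence through its exit status, so the list-and-grep pair can be replaced by a check whose non-0/1 statuses are logged instead of treated as "absent"; the exact status iptables uses for a lock timeout should be confirmed on the installed version before relying on it. The ns_vrouter set_ns_routing hunk has the identical pattern with its own comment string and needs the same change. set_ns_routing starts before this hunk and continues after it.
```sh
# … unchanged: earlier routing setup …
# set masquerade on host node
# -C exits 0 when the rule exists and 1 when it does not; treat any other
# status as a failed check (TODO(review): confirm the lock-timeout status
# on the installed iptables)
local rc
iptables --wait -t nat -C POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace" 2>/dev/null
rc=$?
if [ "$rc" -eq 1 ]; then
    ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
    ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
elif [ "$rc" -ne 0 ]; then
    ocf_log err "Could not check the NAT rule on the host system (iptables exit status ${rc})"
fi
# … unchanged: ML2 routing …
```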
@@ -256,10 +256,10 @@ set_ns_routing() {
 fi
 # set masquerade on host node
- iptables -n -t nat -L | grep -q masquerade-for-vrouter-namespace
+ iptables -n --wait -t nat -L | grep -q masquerade-for-vrouter-namespace
 if [ $? -gt 0 ]; then
 ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
- ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
+ ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
 fi
 ### Needed for ML2 routing ###
diff --git a/files/fuel-ha-utils/ocf/rabbitmq b/files/fuel-ha-utils/ocf/rabbitmq
index b7a71f8abf..b5b7434b35 100755
--- a/files/fuel-ha-utils/ocf/rabbitmq
+++ b/files/fuel-ha-utils/ocf/rabbitmq
@@ -680,9 +680,9 @@ block_client_access()
 # do not add temporary RMQ blocking rule, if it is already exist
 # otherwise, try to add a blocking rule with max of 5 retries
 local tries=5
- until $(iptables -nvL | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
+ until $(iptables -nvL --wait | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
 tries=$((tries-1))
- iptables -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
+ iptables --wait -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
 -m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
 sleep 1
 done
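Review bot: The new `iptables --wait -I INPUT ...` line in the rabbitmq block_client_access hunk runs bare, unlike the ns_haproxy equivalent which wraps the same call in `ocf_run`, so a failed insert (still locked, or `--wait` rejected by an older iptables) is only visible as a silent retry and is never logged; `ocf_run iptables --wait -I INPUT -p tcp -m tcp --dport "${OCF_RESKEY_node_port}" -m state --state NEW,RELATED,ESTABLISHED \` also quotes the port. Unquoted and empty, `${OCF_RESKEY_node_port}` would hand `--dport` the next token (`-m`) as its argument, and nothing in this hunk validates it — presumably the agent's validate action does, but that is outside the hunk. The rabbitmq unblock_client_access hunk has the same two issues on its `-D` line. block_client_access starts before this hunk and ends after it.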
@@ -696,8 +696,8 @@ block_client_access()
 unblock_client_access()
 {
 # remove all temporary RMQ blocking rules, if there are more than one exist
- for i in $(iptables -nvL --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
- iptables -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
+ for i in $(iptables -nvL --wait --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
+ iptables --wait -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
 -m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
 done
 }
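Review bot: After the loop nothing confirms that the REJECT rules are gone: a `-D` that fails (the lock case this patch targets, or an older iptables rejecting `--wait`) only writes to stderr and the function returns as if clients were unblocked, leaving the node unreachable on the RabbitMQ port after a restart. A re-check after the loop, `iptables -nvL --wait | grep -q 'temporary RMQ block' && ocf_log warn "temporary RMQ block rule still present after unblock"`, keeps that state visible in the cluster log. The whole of unblock_client_access is inside this hunk, so the check fits just before the closing brace.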