From 41432382a438ea01a25f4c2c7a4d7e9394f53b50 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Sun, 11 Mar 2018 08:30:19 +0100
Subject: [PATCH] firewall: don't reload IPtables after cleanup

This patch stops the IPtables reload when doing Neutron rules cleanup.

Full context: puppetlabs-firewall only manages the current state of iptables rules and writes out the rules to a file to ensure they are persisted. We are specifically running the following commands after the iptables rules to ensure the persisted file does not contain any ephemeral neutron rules. Neutron assumes the iptables rules are not persisted so it may cause an issue if the rule is loaded on boot (or via iptables restart). If an operator needs to reload iptables for any reason, they may need to manually reload the appropriate neutron agent to restore these iptables rules.

rhbz#1541528
Related-Bug: #1747960
Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
(cherry picked from commit 5fc0b5600d7bd1c2e032c8bfd1d9a550e8165845)
---
 manifests/firewall.pp | 35 ++++++++++++-----------------------
 1 file changed, 12 insertions(+), 23 deletions(-)

diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 3b55fecf8..39de22886 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -131,35 +131,24 @@ class tripleo::firewall(
 $service_names = hiera('service_names', [])
 tripleo::firewall::service_rules { $service_names: }
- # puppetlabs-firewall manages security rules via Puppet but make the rules
- # consistent by default. Since Neutron also creates some rules, we don't
- # want them to be consistent so we have to ensure that they're not stored
- # into sysconfig.
+
+ # puppetlabs-firewall only manages the current state of iptables
+ # rules and writes out the rules to a file to ensure they are
+ # persisted. We are specifically running the following commands after the
+ # iptables rules to ensure the persisted file does not contain any
+ # ephemeral neutron rules. Neutron assumes the iptables rules are not
+ # persisted so it may cause an issue if the rule is loaded on boot
+ # (or via iptables restart). If an operator needs to reload iptables
+ # for any reason, they may need to manually reload the appropriate
+ # neutron agent to restore these iptables rules.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
- # Also, we need to reload IPtables after the cleanup to make sure rules aren't persistent
- # anymore.
- # NOTE(aschultz): this needs to be a reload and not a restart due to
- # BZ#1520534 where iptables my unload modules (like openvswitch) when it
- # restarts.
 exec { 'nonpersistent_v4_rules_cleanup':
 command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
- onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
- notify => Exec['reload_iptables'],
- }
- exec { 'reload_iptables':
- command => 'systemctl reload iptables',
- path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
- refreshonly => true,
+ onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
 }
 exec { 'nonpersistent_v6_rules_cleanup':
 command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
- onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
- notify => Exec['reload_ip6tables'],
- }
- exec { 'reload_ip6tables':
- command => 'systemctl reload ip6tables',
- path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
- refreshonly => true,
+ onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
 }
 Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
 Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
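Review bot: The switch from `grep -v neutron-` to `grep -q neutron-` in both `onlyif` checks is the change that actually makes these execs idempotent — the old predicate succeeded whenever the persisted file held any non-neutron line, so the `sed -i` (and the reload it notified) ran on every agent run — yet neither the commit message nor the new comment block mentions it, so a future reader could "restore" the old test; one sentence in the comment, e.g. `# onlyif must be a positive match (grep -q), otherwise this exec fires on every run`, would pin it. Because the live ruleset is now deliberately left untouched, anything that later restarts or reloads `iptables`/`ip6tables` (package update, operator action) loads the scrubbed file and removes the running neutron-* chains — the security-group rules — until the agent is restarted; the commit message says this, but the exposure is acted on here, so a short warning beside the execs (`# NOTE: a later 'systemctl reload iptables' drops live neutron-* chains; restart the neutron agents afterwards`) would be worth adding. `sed /neutron-/d` is also an unanchored substring match, so any persisted puppet-managed rule whose comment happens to contain `neutron-` would be dropped too; whether such rule names exist is not visible here, and if they do, matching on the chain-name forms (`:neutron-`, `-A neutron-`, `-j neutron-`) would be safer. The class body continues outside this hunk.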