f25c27aa2c
The iptables-services package pushes a bunch of default rules, activated as soon as we start the "iptables" systemd unit. This patch intends to remove those default rules, in order to ensure we get only managed firewall rules (either by puppet, or by any openstack service like neutron). In order to prevent any issue, instead of erasing the file, we actually save the current state prior the iptables-services installation and subsequent service startup. The iptables-services installation and activation is done at the "include ::firewall" step. Prior that, iptables is empty, meaning if we save, and pre-create the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files before we include the "::firewall" class, we will get an empty, clean ruleset. Please note, this won't correct already deployed infrastructure though - that will probably requires an upgrade_tasks directly in tripleo-heat-templates. SecurityImpact Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887 Partial-Bug: #1812695 Change-Id: I74d15b8de216984ac42a0839430ae9afe2554d16 |
||
---|---|---|
doc | ||
files | ||
lib | ||
manifests | ||
releasenotes | ||
spec | ||
templates | ||
zuul.d | ||
.gitignore | ||
.gitreview | ||
.sync.yml | ||
Gemfile | ||
LICENSE | ||
Puppetfile_extras | ||
README.md | ||
Rakefile | ||
bindep.txt | ||
metadata.json | ||
setup.cfg | ||
setup.py | ||
tox.ini |
README.md
Team and repository tags
puppet-tripleo
Lightweight composition layer for Puppet TripleO.
Contributing
- Free software: Apache License (2.0)
- Source: http://git.openstack.org/cgit/openstack/puppet-tripleo
- Bugs: http://bugs.launchpad.net/tripleo (tag: puppet)
- Documentation:
- TripleO: https://docs.openstack.org/tripleo-docs/latest/
- Testing with puppet: https://docs.openstack.org/puppet-openstack-guide/latest/contributor/testing.html
- Release Notes https://docs.openstack.org/releasenotes/puppet-tripleo