Initialize ip(6)tables "raw" table

With RHEL8, we apparently hit an issue where the "raw" table doesn't exist. While this is worked around during the deploy, we need to ensure this table does exist upon reboot. This patch creates 2 systemd unit in order to ensure this table is present in both iptables and ip6tables. They are to be launched before the ip(6)tables.service in order to allow the standard rules to be loaded at boot time. Those units will probably be removed once we have an updated iptables package. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1673609 Change-Id: I5334ac3e8080700d77e7a1de3330fdad76bc633f (cherry picked from commit e97d4dcfd2)
2019-05-22 11:16:53 +02:00 · 2019-05-22 11:16:53 +02:00 · 108b8469f6
parent 017fc1dab9
commit 108b8469f6
1 changed files with 47 additions and 0 deletions
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@ -55,6 +55,53 @@ outputs:

      step_config: |
        include ::tripleo::firewall
+      deploy_steps_tasks:
+        - when: step|int == 0
+          block:
+            - name: create iptables service
+              copy:
+                dest: /etc/systemd/system/tripleo-iptables.service
+                content: |
+                  [Unit]
+                  Description=Initialize iptables
+                  Before=iptables.service
+                  AssertPathExists=/etc/sysconfig/iptables
+
+                  [Service]
+                  Type=oneshot
+                  ExecStart=/usr/sbin/iptables -t raw -nL
+                  Environment=BOOTUP=serial
+                  Environment=CONSOLETYPE=serial
+                  StandardOutput=syslog
+                  StandardError=syslog
+                  [Install]
+                  WantedBy=basic.target
+            - name: enable tripleo-iptables service
+              service:
+                enabled: yes
+                name: tripleo-iptables.service
+            - name: create ip6tables service
+              copy:
+                dest: /etc/systemd/system/tripleo-ip6tables.service
+                content: |
+                  [Unit]
+                  Description=Initialize ip6tables
+                  Before=ip6tables.service
+                  AssertPathExists=/etc/sysconfig/ip6tables
+
+                  [Service]
+                  Type=oneshot
+                  ExecStart=/usr/sbin/ip6tables -t raw -nL
+                  Environment=BOOTUP=serial
+                  Environment=CONSOLETYPE=serial
+                  StandardOutput=syslog
+                  StandardError=syslog
+                  [Install]
+                  WantedBy=basic.target
+            - name: enable tripleo-ip6tables service
+              service:
+                enabled: yes
+                name: tripleo-ip6tables.service
      upgrade_tasks:
        - when: step|int == 3
          block: