From 48c2a3f7ce958a8593795e29bbe244ba48f2708e Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 19 Jan 2017 09:53:19 +0100
Subject: [PATCH] Add a script to zero /etc/sysconfig/iptables at build time

When including this element we empty the stock /etc/sysconfig/iptables file as shipped by the iptables rpm package. The reason for this is that puppet firewall has a hard time coping with existing rules when /etc/sysconfig/iptables is populated and the iptables service is not active. The referenced bug has a full explanation for the problem.

Partial-Bug: #1657108
Change-Id: Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
---
 elements/iptables/install.d/99-empty-iptables | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100755 elements/iptables/install.d/99-empty-iptables

diff --git a/elements/iptables/install.d/99-empty-iptables b/elements/iptables/install.d/99-empty-iptables
new file mode 100755
index 000000000..6b5f0c756
--- /dev/null
+++ b/elements/iptables/install.d/99-empty-iptables
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -eux
+set -o pipefail
+
+if [[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]; then
+ echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/iptables
+fi
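Review bot: the distro test in the `if` line is inverted and matches on substrings rather than on whole names. `[[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]` asks whether the value of DISTRO_NAME occurs anywhere inside the fixed string, so `centos`, `el`, `7` and an empty DISTRO_NAME all pass (`set -u` only aborts on an unset variable, not an empty one), while the intent is an exact match against the four listed distros. A case statement expresses that directly:

case "$DISTRO_NAME" in
  rhel|rhel7|centos7|fedora) echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/iptables ;;
esac

Two further points. First, an image built with this element comes up with no iptables rules at all until puppet firewall has run, so the behaviour, and its dependency on puppet managing the firewall, belongs in the element's documentation; this patch adds only the script and no documentation change. Second, the `>` redirection creates /etc/sysconfig/iptables if it is absent, with the build umask rather than the mode the iptables package gave its file; since the commit message assumes the stock file is already there, either check for it explicitly or write the file with an explicit mode so that assumption is visible in the script.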