author | Damien Ciabrini <dciabrin@redhat.com> | 2017-07-20 11:48:22 -0400 |
---|---|---|
committer | Alex Schultz <aschultz@redhat.com> | 2017-07-27 18:59:30 +0000 |
commit | 50f160a148b6a973891ffc6d0882f4c0d597336e (patch) | |
tree | 187d7584789b669c94f8ecbd896618cef79409a4 /manifests/profile | |
parent | 237e613a175fd975bf6679646eaf092ff6725015 (diff) |
Prevent haproxy to run iptables during docker-puppet configuration
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rules configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
Diffstat (limited to 'manifests/profile')
-rw-r--r-- | manifests/profile/base/haproxy.pp | 7 | ||||
-rw-r--r-- | manifests/profile/pacemaker/haproxy.pp | 10 |
2 files changed, 16 insertions, 1 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 4f3322c..145f283 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -36,6 +36,11 @@
 # (Optional) Whether or not loadbalancer is enabled.
 # Defaults to hiera('enable_load_balancer', true).
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -44,12 +49,14 @@
 class tripleo::profile::base::haproxy (
 $certificates_specs = {},
 $enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 $step = Integer(hiera('step')),
 ) {
 if $step >= 1 {
 if $enable_load_balancer {
 class {'::tripleo::haproxy':
 internal_certificates_specs => $certificates_specs,
+ manage_firewall => $manage_firewall,
 }

 unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp
index 7331071..5198243 100644
--- a/manifests/profile/pacemaker/haproxy.pp
+++ b/manifests/profile/pacemaker/haproxy.pp
@@ -26,6 +26,11 @@
 # (Optional) Whether load balancing is enabled for this cluster
 # Defaults to hiera('enable_load_balancer', true)
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
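Review bot: The `manage_firewall` doc block added in the first hunk says only that false means disabled; it does not say what is left without rules or when disabling is appropriate. Per the commit message the switch exists for config generation under docker-puppet, so the comment should state that, for example `#   Set to false only when generating config under docker-puppet; rules for these ports must then be applied by another run.` The second half of that sentence is inferred from the description and should be confirmed before it is written down. The identical block added to manifests/profile/pacemaker/haproxy.pp needs the same line.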
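Review bot: `$manage_firewall` is declared without a type in the second hunk and handed straight to `::tripleo::haproxy`, so a non-boolean hiera value is accepted silently. A non-empty string such as 'false' is truthy in Puppet, which would leave firewall management switched on in exactly the docker-puppet case this change targets, assuming `::tripleo::haproxy` tests the value as a condition (not visible here). Consider `Boolean $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),` or a `validate_bool($manage_firewall)` at the top of the class body. The class body continues past the end of the hunk.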
@@ -38,10 +43,13 @@
 class tripleo::profile::pacemaker::haproxy (
 $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
 $enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 $step = Integer(hiera('step')),
 $pcs_tries = hiera('pcs_tries', 20),
 ) {
- include ::tripleo::profile::base::haproxy
+ class {'::tripleo::profile::base::haproxy':
+ manage_firewall => $manage_firewall,
+ }

 if $::hostname == downcase($bootstrap_node) {
 $pacemaker_master = true
|
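Review bot: Replacing `include ::tripleo::profile::base::haproxy` with a resource-like declaration makes the explicit `manage_firewall` value take precedence over automatic parameter lookup, so a hiera key `tripleo::profile::base::haproxy::manage_firewall` is ignored wherever this pacemaker profile is applied. An operator who sets that key to re-enable the rules would get no effect and no warning. A resource-like declaration also fails catalog compilation if the base profile has already been declared elsewhere, which `include` tolerated. Both constraints deserve a comment above the declaration, e.g. `# Resource-like on purpose: manage_firewall must be forwarded; do not also include the base profile.` The class body continues past the end of the hunk.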