authorSofer Athlan-Guyot <sathlang@redhat.com>2017-03-24 13:45:10 +0100
committerSofer Athlan-Guyot <sathlang@redhat.com>2017-03-27 11:38:32 +0200
commit670399a2caeecd9259bea454e9518ab6c92cff49 (patch)
tree418a5ab194127bddfe6071e65e2ad38db5951b33
parent8716d9f769dd17ef17fef7f0fdefaf0df6a7fe24 (diff)
N->O upgrade, blanks ipv6 rules before activating it.
When the firewall is enabled with ipv6, the default rules set is taken, as no ipv6 firewall was present for Newton. This makes communication impossible until puppet is run again. This change ensures that no rules are loaded when the firewall is enabled. This mimics this patch[1] [1] https://github.com/openstack/tripleo-heat-templates/commit/ae8aac36143d5dadb08af0d275f513678909dcc7 Change-Id: Id878b5caae666a799c89c8466ce46b9ecb86d9f7 Closes-Bug: #1675782
-rw-r--r--puppet/services/tripleo-firewall.yaml6
1 files changed, 6 insertions, 0 deletions
diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index 67e14d9c..ff2b067f 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -37,3 +37,9 @@ outputs:
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
step_config: |
include ::tripleo::firewall
+ upgrade_tasks:
+ - name: blank ipv6 rule before activating ipv6 firewall.
+ tags: step3
+ shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
+ args:
+ creates: /etc/sysconfig/ip6tables.n-o-upgrade
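Review bot: The two commands in the `shell:` line are joined with `;`, so /etc/sysconfig/ip6tables is truncated even when the copy to ip6tables.n-o-upgrade failed, and the task reports only the exit status of the last command. Because the output redirection creates ip6tables.n-o-upgrade before `cat` runs, the `creates:` guard then skips the task on every later run, so an empty or partial backup can end up as the only copy of the old rules. Joining with `&&` makes a failed backup stop the task instead: `shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade && cat</dev/null>/etc/sysconfig/ip6tables`. The backup is also created under the process umask rather than with the mode of the original file, which may leave the saved rules readable more widely than the original. A comment on the task such as `# leaves no IPv6 rules loaded until puppet rewrites the file` would record the interim state for operators.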