5d51ff6dd7
A problem may occur if puppet attempts to inject a firewall rule while the underlying iptables/ip6tables has existing rules which use the --random-fully flag in the NAT table. The issue occurs because puppet-firewall first makes a call to iptables-save/ip6tables-save to parse the existing rules (to determine if the rule already exists). If it finds a rule with --random-fully, it will immediately bail out.

The current version(s) of puppet-firewall in StarlingX are old enough that they don't have parsing logic for the --random-fully flag that was initially supported in iptables version 1.6.2+. Now that StarlingX uses iptables 1.8.4, we must account for the possibility that various components (i.e. kubernetes) will make use of --random-fully rules.

This feature has been implemented upstream in the following commits:
https://github.com/puppetlabs/puppetlabs-firewall/commits/
9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485

The above commits have been ported back to:
CentOS: puppet-firewall-1.8.2
Debian: puppetlabs-firewall-1.12.0

Since StarlingX does not currently build its own version of puppet-firewall in either CentOS or Debian, this commit also contains the infrastructure to do so.

Testing:
Note: Since the issue is intermittent on unlock, the functional tests were performed with a custom runtime manifest that installed a dummy iptables/ip6tables rule when an interface was modified. At this time, it was guaranteed that there were rules with the --random-fully flag present.

CentOS:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Debian:
Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Closes-Bug: #1971900
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I7dbb9e1b99d95df0aa5a7db7aa22c3c314253788
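As an added illustration (not code from this commit, from StarlingX, or from puppetlabs-firewall): a small Ruby parser that walks iptables-save output, treats --random-fully as an argument-less flag rather than an option expecting a value, and lists the nat-table rules carrying it. This is the pre-check an operator could run on a node before applying a puppet-firewall module that predates the backported parsing fix. The sample dump, addresses and chain names are constructed for the example; the only real identifiers are iptables' own options.

```ruby
# Added example, not part of the commit above or of puppetlabs-firewall.
# Parses iptables-save output into per-rule hashes, handling --random-fully
# as a boolean flag, and reports the nat-table rules that use it.
require 'shellwords'

# iptables options that take no argument. A parser that assumes every
# "--option" is followed by a value would misread lines containing these.
FLAG_OPTIONS = %w[--random-fully --random --persistent].freeze

# Constructed sample dump: a kube-proxy style MASQUERADE with --random-fully,
# an SNAT with --random-fully, a plain MASQUERADE, and one filter rule.
SAMPLE_IPTABLES_SAVE = <<~SAVE
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :KUBE-POSTROUTING - [0:0]
  -A KUBE-POSTROUTING -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully
  -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 192.0.2.10 --random-fully
  -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
  COMMIT
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "000 accept ssh" -j ACCEPT
  COMMIT
SAVE

# Store an option; -m (match extension) may repeat, so collect it as a list.
def store_option(rule, key, value)
  if key == '-m'
    (rule['-m'] ||= []) << value
  else
    rule[key] = value
  end
end

# Parse one "-A CHAIN ..." line into a hash of option => value (true for flags).
def parse_rule(line)
  tokens = Shellwords.split(line) # honours quoted values such as --comment "..."
  rule = {}
  i = 0
  while i < tokens.length
    tok = tokens[i]
    nxt = tokens[i + 1]
    if FLAG_OPTIONS.include?(tok) || (tok.start_with?('-') && (nxt.nil? || nxt.start_with?('-')))
      # Known flag, or an option directly followed by another option / end of line.
      rule[tok] = true
      i += 1
    elsif tok.start_with?('-')
      store_option(rule, tok, nxt)
      i += 2
    else
      (rule[:_positional] ||= []) << tok # e.g. a leading "!" negation
      i += 1
    end
  end
  rule
end

# Walk the whole dump, tracking the current *table, and return one hash per rule.
def parse_iptables_save(dump)
  table = nil
  rules = []
  dump.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ':') || line == 'COMMIT'
    if line.start_with?('*')
      table = line[1..-1]
      next
    end
    next unless line.start_with?('-A ')
    opts = parse_rule(line)
    rules << {
      table: table,
      chain: opts['-A'],
      target: opts['-j'],
      random_fully: opts.fetch('--random-fully', false),
      options: opts
    }
  end
  rules
end

# The rules the commit message says an unpatched puppet-firewall bails out on:
# nat-table rules carrying --random-fully.
def random_fully_rules(dump)
  parse_iptables_save(dump).select { |r| r[:table] == 'nat' && r[:random_fully] }
end

if $PROGRAM_NAME == __FILE__
  random_fully_rules(SAMPLE_IPTABLES_SAVE).each do |r|
    puts "#{r[:table]} #{r[:chain]} -> #{r[:target]} (--random-fully)"
  end
end
```

On a live node the sample constant would be replaced by the output of `iptables-save` (and `ip6tables-save`); any line printed means the unpatched module's parse of existing rules would hit a --random-fully rule before puppet ever gets to insert its own.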
| Path |
|---|
| base |
| bmc/Redfishtool |
| centos-debian-compat |
| ceph/ceph |
| config |
| database |
| devstack |
| doc |
| docker/python-docker |
| filesystem |
| golang-github-dev |
| gpu/gpu-operator |
| grub |
| kubernetes |
| ldap |
| livepatch/kpatch/debian |
| logging/logrotate/centos |
| networking |
| ostree |
| python |
| releasenotes |
| requests-toolbelt |
| security |
| storage-drivers |
| tools |
| virt |
| .gitignore |
| .gitreview |
| .yamllint |
| .zuul.yaml |
| CONTRIBUTORS.wrs |
| LICENSE |
| README.rst |
| bindep.txt |
| centos_build_layer.cfg |
| centos_extra_downloads.lst |
| centos_guest_image.inc |
| centos_guest_image_rt.inc |
| centos_iso_image.inc |
| centos_pkg_dirs |
| centos_pkg_dirs_installer |
| centos_pkg_dirs_rt |
| centos_srpms_3rdparties.lst |
| centos_srpms_centos.lst |
| centos_stable_docker_images.inc |
| centos_stable_wheels.inc |
| centos_tarball-dl.lst |
| debian_build_layer.cfg |
| debian_iso_image.inc |
| debian_pkg_dirs |
| distroless_stable_docker_images.inc |
| pylint.rc |
| test-requirements.txt |
| tox.ini |
integ
StarlingX Integration