Temporarily disable iptables restore during puppet

Docker and kubernetes add rules to iptables, which can end up
persisted in /etc/sysconfig/iptables by calls to iptables-save.
When the puppet manifest is applied during node initialization,
kubernetes is not yet running, and any related iptables rules
will fail.

This update disables the restoration of iptables rules from
previous boots, to ensure the puppet manifest does not fail
to apply due to invalid rules. However, this means that in
a DOR scenario (Dead Office Recovery, where both controllers
will be initializing at the same time), the firewall rules
will not get reapplied.

Firewall management will be moved to Calico under story 2005066,
at which point this code will be removed.

Change-Id: I43369dba34e6859088af3794de25a68571c7154c
Closes-Bug: 1815124
Signed-off-by: Don Penney <don.penney@windriver.com>
Matt Peters 2019-02-21 11:20:15 -05:00 committed by Don Penney
parent 4b35404d6a
commit 52a829d180
1 changed files with 9 additions and 1 deletions

@ -7,7 +7,15 @@ Exec {
path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
}
include ::firewall
#
# Disable the firewall to protect against attempted
# restoration of kubernetes-related iptables rules
# during puppet apply, as kubernetes may not yet
# be running and the restore will fail.
#
class { '::firewall':
ensure => stopped
}
include ::platform::config
include ::platform::users
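
Review bot: The comment block above `class { '::firewall':` explains why the firewall is stopped but not that this is a temporary workaround, and nothing in the visible lines turns the firewall back on once the manifest has applied. The commit message states that firewall rules will not be reapplied in the DOR case and that the code goes away under story 2005066; please put both facts in the in-code comment so that a reader of the manifest sees that the node runs without its persisted rules and knows where the removal is tracked. As a style point, `ensure => stopped` should carry a trailing comma to match usual Puppet style.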