From 52a829d1803056da8222f30dcc002c39c86c6f54 Mon Sep 17 00:00:00 2001 From: Matt Peters Date: Thu, 21 Feb 2019 11:20:15 -0500 Subject: [PATCH] Temporarily disable iptables restore during puppet Docker and kubernetes add rules to iptables, which can end up persisted in /etc/sysconfig/iptables by calls to iptables-save. When the puppet manifest is applied during node initialization, kubernetes is not yet running, and any related iptables rules will fail. This update disables the restoration of iptables rules from previous boots, to ensure the puppet manifest does not fail to apply due to invalid rules. However, this means that in a DOR scenario (Dead Office Recovery, where both controllers will be initializing at the same time), the firewall rules will not get reapplied. Firewall management will be moved to Calico under story 2005066, at which point this code will be removed. Change-Id: I43369dba34e6859088af3794de25a68571c7154c Closes-Bug: 1815124 Signed-off-by: Don Penney --- puppet-manifests/src/manifests/controller.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index 0154b13430..a4a18273ae 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -7,7 +7,15 @@ Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -include ::firewall +# +# Disable the firewall to protect against attempted +# restoration of kubernetes-related iptables rules +# during puppet apply, as kubernetes may not yet +# be running and the restore will fail. +# +class { '::firewall': + ensure => stopped +} include ::platform::config include ::platform::users
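Review bot: The comment added above `class { '::firewall':` in controller.pp explains the failed-restore problem but does not record that this is a temporary measure or that it leaves the firewall class in `ensure => stopped`. The commit message states both points (removal once firewall management moves to Calico under story 2005066, and rules not being reapplied in the DOR case), so the in-code comment should carry them too, naming story 2005066 as the removal trigger. Otherwise a later reader may take the stopped state for the intended steady-state configuration. Nothing visible in this hunk re-enables the firewall once kubernetes is running. If that is handled elsewhere, a pointer in the comment would help. If it is not, the commit message should say how long the controller runs without its rules and what covers it in the meantime. Style point: `ensure => stopped` has no trailing comma.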