We've bike-shedded over this before
(I5252a12223a35f7fb7a4ac3c58aa4a3cd1bc4799) but I have just traced
down further issues to firewalld with neutron+ipv6 (see the bug).
In fact, as mentioned in the comments, RDO disables firewalld and the
neutron guide says to disable it [1]. The force flag is left if
anyone really wants this; but nobody is testing (or, as far as I can
tell, working on) this so bring devstack back into line and disable it
always. Note we do not remove the package; as has been found in the
puppet scripts this can lead to dependency issues.
[1] http://docs.openstack.org/developer/devstack/guides/neutron.html
Change-Id: Ief7cb33d926a9538f4eb39c74d906ee0c879de35
Partial-Bug: 1455303
... | ... |
@@ -39,17 +39,6 @@ function install_libvirt { |
39 | 39 |
pip_install_gr libvirt-python |
40 | 40 |
install_package python-libguestfs |
41 | 41 |
fi |
42 |
- |
|
43 |
- # Restart firewalld after install of libvirt to avoid a problem |
|
44 |
- # with polkit, which libvirtd brings in. See |
|
45 |
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
46 |
- |
|
47 |
- # Note there is a difference between F20 rackspace cloud images |
|
48 |
- # and HP images used in the gate; rackspace has firewalld but hp |
|
49 |
- # cloud doesn't. |
|
50 |
- if is_fedora && is_package_installed firewalld; then |
|
51 |
- sudo service firewalld restart || true |
|
52 |
- fi |
|
53 | 42 |
} |
54 | 43 |
|
55 | 44 |
# Configures the installed libvirt system so that is accessible by |
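Review bot: Removing the post-install `sudo service firewalld restart || true` block from install_libvirt leaves the FORCE_FIREWALLD=True path without the polkit workaround that the deleted comment describes (bugzilla 1099031). The commit message says the force flag is kept for anyone who still wants firewalld, so in that configuration firewalld stays running and libvirt still pulls in polkit. Either keep the restart but guard it on FORCE_FIREWALLD being true, or note next to the flag that forcing firewalld no longer gets this workaround.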
... | ... |
@@ -109,19 +109,28 @@ if is_fedora; then |
109 | 109 |
fi |
110 | 110 |
|
111 | 111 |
FORCE_FIREWALLD=$(trueorfalse False $FORCE_FIREWALLD) |
112 |
- if [[ ${DISTRO} =~ (f20) && $FORCE_FIREWALLD == "False" ]]; then |
|
112 |
+ if [[ $FORCE_FIREWALLD == "False" ]]; then |
|
113 | 113 |
# On Fedora 20 firewalld interacts badly with libvirt and |
114 |
- # slows things down significantly. However, for those cases |
|
115 |
- # where that combination is desired, allow this fix to be skipped. |
|
116 |
- |
|
117 |
- # There was also an additional issue with firewalld hanging |
|
118 |
- # after install of libvirt with polkit. See |
|
119 |
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
114 |
+ # slows things down significantly (this issue was fixed in |
|
115 |
+ # later fedoras). There was also an additional issue with |
|
116 |
+ # firewalld hanging after install of libvirt with polkit [1]. |
|
117 |
+ # firewalld also causes problems with neturon+ipv6 [2] |
|
118 |
+ # |
|
119 |
+ # Note we do the same as the RDO packages and stop & disable, |
|
120 |
+ # rather than remove. This is because other packages might |
|
121 |
+ # have the dependency [3][4]. |
|
122 |
+ # |
|
123 |
+ # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
124 |
+ # [2] https://bugs.launchpad.net/neutron/+bug/1455303 |
|
125 |
+ # [3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/master/firewall/manifests/linux/redhat.pp |
|
126 |
+ # [4] http://docs.openstack.org/developer/devstack/guides/neutron.html |
|
120 | 127 |
if is_package_installed firewalld; then |
121 |
- uninstall_package firewalld |
|
128 |
+ sudo systemctl disable firewalld |
|
129 |
+ sudo systemctl enable iptables |
|
130 |
+ sudo systemctl stop firewalld |
|
131 |
+ sudo systemctl start iptables |
|
122 | 132 |
fi |
123 | 133 |
fi |
124 |
- |
|
125 | 134 |
fi |
126 | 135 |
|
127 | 136 |
# The version of pip(1.5.4) supported by python-virtualenv(1.11.4) has |
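Review bot: The added `sudo systemctl enable iptables` and `sudo systemctl start iptables` assume an iptables service unit exists, but nothing in this hunk installs or checks for one. If they fail after `sudo systemctl stop firewalld` has run, the host is left with neither firewall service active. Consider verifying the unit is available (or installing the package that provides it) before stopping firewalld, and stating in the comment what ruleset the iptables service is expected to load. Two smaller points in the same block: the condition no longer tests `${DISTRO} =~ (f20)`, so it now applies to every is_fedora host, yet the retained comment still opens with "On Fedora 20"; and the new comment spells neutron as "neturon".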