Browse code
Disable firewalld always
We've bike-sheded over this before
(I5252a12223a35f7fb7a4ac3c58aa4a3cd1bc4799) but I have just traced
down further issues to firewalld with neutron+ipv6 (see the bug).
In fact, as mentioned in the comments, RDO disables firewalld and the
neutron guide says to disable it [1]. The force flag is left if
anyone really wants this; but nobody is testing (or, as far as I can
tell, working on) this so bring devstack back into line and disable it
always. Note we do not remove the package; as has been found in the
puppet scripts this can lead to dependency issues.
[1] http://docs.openstack.org/developer/devstack/guides/neutron.html
Change-Id: Ief7cb33d926a9538f4eb39c74d906ee0c879de35
Partial-Bug: 1455303
Ian Wienand authored on 2015/05/15 12:12:02Showing 2 changed files
| ... | ... |
@@ -39,17 +39,6 @@ function install_libvirt {
|
| 39 | 39 |
pip_install_gr libvirt-python |
| 40 | 40 |
install_package python-libguestfs |
| 41 | 41 |
fi |
| 42 |
- |
|
| 43 |
- # Restart firewalld after install of libvirt to avoid a problem |
|
| 44 |
- # with polkit, which libvirtd brings in. See |
|
| 45 |
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
| 46 |
- |
|
| 47 |
- # Note there is a difference between F20 rackspace cloud images |
|
| 48 |
- # and HP images used in the gate; rackspace has firewalld but hp |
|
| 49 |
- # cloud doesn't. |
|
| 50 |
- if is_fedora && is_package_installed firewalld; then |
|
| 51 |
- sudo service firewalld restart || true |
|
| 52 |
- fi |
|
| 53 | 42 |
} |
| 54 | 43 |
|
| 55 | 44 |
# Configures the installed libvirt system so that is accessible by |
| ... | ... |
@@ -109,19 +109,28 @@ if is_fedora; then |
| 109 | 109 |
fi |
| 110 | 110 |
|
| 111 | 111 |
FORCE_FIREWALLD=$(trueorfalse False $FORCE_FIREWALLD) |
| 112 |
- if [[ ${DISTRO} =~ (f20) && $FORCE_FIREWALLD == "False" ]]; then
|
|
| 112 |
+ if [[ $FORCE_FIREWALLD == "False" ]]; then |
|
| 113 | 113 |
# On Fedora 20 firewalld interacts badly with libvirt and |
| 114 |
- # slows things down significantly. However, for those cases |
|
| 115 |
- # where that combination is desired, allow this fix to be skipped. |
|
| 116 |
- |
|
| 117 |
- # There was also an additional issue with firewalld hanging |
|
| 118 |
- # after install of libvirt with polkit. See |
|
| 119 |
- # https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
| 114 |
+ # slows things down significantly (this issue was fixed in |
|
| 115 |
+ # later fedoras). There was also an additional issue with |
|
| 116 |
+ # firewalld hanging after install of libvirt with polkit [1]. |
|
| 117 |
+ # firewalld also causes problems with neturon+ipv6 [2] |
|
| 118 |
+ # |
|
| 119 |
+ # Note we do the same as the RDO packages and stop & disable, |
|
| 120 |
+ # rather than remove. This is because other packages might |
|
| 121 |
+ # have the dependency [3][4]. |
|
| 122 |
+ # |
|
| 123 |
+ # [1] https://bugzilla.redhat.com/show_bug.cgi?id=1099031 |
|
| 124 |
+ # [2] https://bugs.launchpad.net/neutron/+bug/1455303 |
|
| 125 |
+ # [3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/master/firewall/manifests/linux/redhat.pp |
|
| 126 |
+ # [4] http://docs.openstack.org/developer/devstack/guides/neutron.html |
|
| 120 | 127 |
if is_package_installed firewalld; then |
| 121 |
- uninstall_package firewalld |
|
| 128 |
+ sudo systemctl disable firewalld |
|
| 129 |
+ sudo systemctl enable iptables |
|
| 130 |
+ sudo systemctl stop firewalld |
|
| 131 |
+ sudo systemctl start iptables |
|
| 122 | 132 |
fi |
| 123 | 133 |
fi |
| 124 |
- |
|
| 125 | 134 |
fi |
| 126 | 135 |
|
| 127 | 136 |
# The version of pip(1.5.4) supported by python-virtualenv(1.11.4) has |