authorJason DeTiberus <jdetiber@redhat.com>2015-04-20 22:52:12 -0400
committerJason DeTiberus <jdetiber@redhat.com>2015-04-21 00:03:03 -0400
commit991b232e34f86a6a745bdc34d62b046abd2291e7 (patch)
tree7878cc09c884ddc46cbe4ab8786fd0e1047f7a91 /roles/os_firewall
parent96dd0ab929b7f391eee9b23209aa377537114b72 (diff)
fixes to better deal with gce image defaults
- remove the exception raised when no INPUT rules are found; the GCE CentOS 7 image is stripped of default rules. - ignore_errors for the systemctl mask operation, which fails with permission denied on the GCE CentOS 7 image.
Diffstat (limited to 'roles/os_firewall')
-rwxr-xr-xroles/os_firewall/library/os_firewall_manage_iptables.py9
-rw-r--r--roles/os_firewall/tasks/firewall/firewalld.yml1
-rw-r--r--roles/os_firewall/tasks/firewall/iptables.yml1
3 files changed, 3 insertions, 8 deletions
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index 9d0af497d..987cc6fc2 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -150,17 +150,10 @@ class IpTablesManager:
continue
last_rule_target = rule[1]
- # Raise an exception if we do not find a valid rule
- if not last_rule_num or not last_rule_target:
- raise IpTablesCreateJumpRuleError(
- chain=self.chain,
- msg="Failed to find existing %s rules" % self.jump_rule_chain,
- cmd=None, exit_code=None, output=None)
-
# Naively assume that if the last row is a REJECT rule, then
# we can add insert our rule right before it, otherwise we
# assume that we can just append the rule.
- if last_rule_target == 'REJECT':
+ if last_rule_num and last_rule_target and last_rule_target == 'REJECT':
# insert rule
cmd = self.cmd + ['-I', self.jump_rule_chain, str(last_rule_num)]
else:
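Review bot: With the raise removed, the fall-through to append at `else:` no longer distinguishes a genuinely empty jump chain from a listing that was present but could not be parsed into a rule number and target; in the latter case the new rule is appended after whatever terminal rule the chain actually ends with, never matches, and nothing reports it. The `last_rule_num and last_rule_target and` prefix on the new `if` also looks redundant if both are assigned from the same row, as the assignment a few lines above suggests — `last_rule_target == 'REJECT'` already implies it is set. I would keep the original one-clause condition and document the accepted case above it: `# An empty chain is legitimate (the GCE CentOS 7 image ships no default INPUT rules) and falls through to append; a listing that was present but unparseable also lands here and would silently append after a terminal rule.` The enclosing method starts and ends outside the hunk.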
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index b6bddd5c5..5089eb3e0 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -44,6 +44,7 @@
- iptables
- ip6tables
when: pkg_check.rc == 0
+ ignore_errors: yes
# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
# enabling rules and making them permanent with the immediate flag
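Review bot: `ignore_errors: yes` on the mask task swallows every failure, not only the permission-denied case the commit message describes, so a host where `iptables`/`ip6tables` stay unmasked for some other reason proceeds with two services able to manage the same ruleset while the play reports success. Narrow it to the known failure instead: add `register: mask_result` to the task and replace the new line with `failed_when: mask_result.rc != 0 and 'Permission denied' not in mask_result.stderr` — this assumes a command/shell module, which is outside the hunk. The task definition starts outside the hunk.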
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 7b5c00a9b..9af9d8d29 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -42,6 +42,7 @@
register: result
changed_when: "'firewalld' in result.stdout"
when: pkg_check.rc == 0
+ ignore_errors: yes
- name: Add iptables allow rules
os_firewall_manage_iptables:
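Review bot: `ignore_errors: yes` here is broader than the failure it was added for: if masking firewalld fails for any reason, the play continues into the `os_firewall_manage_iptables` task below and adds rules to a ruleset firewalld may still own, with the run still reporting green. Since the task already has `register: result`, the narrower form is `failed_when: result.rc != 0 and 'Permission denied' not in result.stderr`, which still tolerates the GCE permission-denied case but fails on anything else. The task definition begins outside the hunk.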