commit bd34d2a2831eeb60e43b27c0e84aa087ada050db
author Vasyl Saienko <vsaienko@mirantis.com> Tue Mar 10 16:25:17 2020 +0200
committer Vasyl Saienko <vsaienko@mirantis.com> Tue Mar 10 16:48:13 2020 +0200
tree 4079ead8651634ce3dd42d7005eeba83d7ca5d06
parent f36f39cbcc12f33e9079270ff61b6bfdc571eb3e

Make forward rules persistent

Related-Prod: PRODX-00000
Change-Id: I8253200be525d8ad51a4713797e8c87cc47562f2

de/heat-templates/scripts/instance_boot.sh

diff --git a/de/heat-templates/scripts/instance_boot.sh b/de/heat-templates/scripts/instance_boot.sh
index b1b54fe..4436054 100644
--- a/de/heat-templates/scripts/instance_boot.sh
+++ b/de/heat-templates/scripts/instance_boot.sh
@@ -104,7 +104,7 @@
 function install_required_packages {
     function install_retry {
         apt update
-        apt install -y apt-transport-https ca-certificates curl software-properties-common jq unzip atop
+        export DEBIAN_FRONTEND=noninteractive; apt install -y apt-transport-https ca-certificates curl software-properties-common jq unzip atop iptables-persistent
     }
     retry 10 "Failed to install required packages" install_retry
 }
@@ -263,10 +263,23 @@
 }
 
 function workaround_default_forward_policy {
+    cat << EOF > /etc/iptables/rules.v4
+*filter
+:DOCKER-USER - [0:0]
+EOF
     for net in $FLOATING_NETWORK_PREFIXES; do
-        iptables -I DOCKER-USER  -d ${net} -j ACCEPT
-        iptables -I DOCKER-USER  -s ${net} -j ACCEPT
+cat << EOF >> /etc/iptables/rules.v4
+-A DOCKER-USER -d ${net} -j ACCEPT
+-A DOCKER-USER -s ${net} -j ACCEPT
+-A DOCKER-USER -j RETURN
+COMMIT
+EOF
     done
+
+cat << EOF >> /etc/iptables/rules.v4
+-A DOCKER-USER -j RETURN
+EOF
+    sudo netfilter-persistent reload
 }
 
 function network_config {
@@ -346,6 +359,7 @@
         prepare_network
         update_docker_network
         install_required_packages
+        workaround_default_forward_policy
         install_docker
         network_config
         swarm_init
@@ -354,7 +368,6 @@
         download_bundles
         rm_ucp_config
         install_kubectl
-        workaround_default_forward_policy
         wait_for_node
         set_node_labels
         ;;
@@ -363,12 +376,12 @@
         prepare_network
         update_docker_network
         install_required_packages
+        workaround_default_forward_policy
         install_docker
         network_config
         download_bundles
         join_node manager
         install_kubectl
-        workaround_default_forward_policy
         wait_for_node
         set_node_labels
         ;;
@@ -377,13 +390,13 @@
         prepare_network
         update_docker_network
         install_required_packages
+        workaround_default_forward_policy
         install_docker
         network_config
         load_modules
         download_bundles
         join_node worker
         install_kubectl
-        workaround_default_forward_policy
         wait_for_node
         set_node_labels
         ;;