manifests: add iptables-nft.yaml for f36+
Add a new conditional include which migrates streams on Fedora 36 and
higher to iptables-nft. This is magnitudes simpler than the current
alternative rollout procedure detailed in:

coreos/fedora-coreos-tracker#676
jlebon committed Mar 3, 2022
1 parent 11a9aa9 commit 7616815
Showing 3 changed files with 22 additions and 6 deletions.
6 changes: 0 additions & 6 deletions kola-denylist.yaml
Expand Up @@ -53,12 +53,6 @@
streams:
- rawhide
- branched
- pattern: ext.config.firewall.iptables
tracker: https://github.com/coreos/fedora-coreos-tracker/issues/676
snooze: 2022-03-07
streams:
- rawhide
- branched
- pattern: coreos.boot-mirror.luks/detach-primary
tracker: https://github.com/coreos/coreos-assembler/issues/2725
arches:
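Review bot: Dropping the `ext.config.firewall.iptables` entry for `rawhide` and `branched` is only safe if both streams satisfy `releasever >= 36`, because that is the condition under which `iptables-nft.yaml` gets included. Suggest saying so in the commit message, or confirming the test passes on both streams, so the denylist entry does not have to come back.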
5 changes: 5 additions & 0 deletions manifests/fedora-coreos-base.yaml
Expand Up @@ -17,6 +17,11 @@ ostree-layers:
- overlay/14NetworkManager-plugins
- overlay/20platform-chrony

conditional-include:
# https://github.com/coreos/fedora-coreos-tracker/issues/676
- if: releasever >= 36
include: iptables-nft.yaml

initramfs-args:
- --no-hostonly
# We don't support root on NFS, so we don't need it in the initramfs. It also
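Review bot: The comment above `- if: releasever >= 36` is only a tracker URL, so someone reading the manifest cannot tell what the include changes or when the condition can be retired. Suggest a one-line description of what `iptables-nft.yaml` does and a note that the conditional can be folded into the base manifest once no stream is below 36.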
17 changes: 17 additions & 0 deletions manifests/iptables-nft.yaml
@@ -0,0 +1,17 @@
# Scripts for opting into staying on iptables-legacy after migration. Remove
# after the next barrier release.
ostree-layers:
- overlay/35coreos-iptables

# Default to iptables-nft. Otherwise, legacy wins. We can drop this once/if we
# remove iptables-legacy.
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
ln -sf /usr/sbin/ip6tables-nft /etc/alternatives/ip6tables
ln -sf /usr/sbin/ip6tables-nft-restore /etc/alternatives/ip6tables-restore
ln -sf /usr/sbin/ip6tables-nft-save /etc/alternatives/ip6tables-save
ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables
ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore
ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save
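Review bot: The six `ln -sf` calls in the postprocess script never check that their targets exist, so if `/usr/sbin/iptables-nft` or any of the other five binaries is missing from the compose, the script still succeeds under `set -xeuo pipefail` and the image ships dangling links in `/etc/alternatives`. Suggest testing each target with `test -x` before linking so the build fails instead, and looping over the six names rather than repeating the line. The header comment "Remove after the next barrier release" would also be easier to act on with a tracker link or release number next to it.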
