1+ ---
2+
3+ # This playbook flushes iptables-legacy rules in the neutron_openvswitch_agent container on overcloud hosts.
4+ # It is intended to be used in scenarios where neutron_openvswitch_agent was updated to a version without
5+ # iptables-nft.
6+
7+ - hosts : overcloud
8+ gather_facts : false
9+ tasks :
10+ - name : Gather service facts
11+ ansible.builtin.service_facts :
12+
13+ - name : End play for hosts without openvswitch agent
14+ meta : end_host
15+ when : " 'kolla-neutron_openvswitch_agent-container.service' not in ansible_facts.services"
16+
17+ - name : Flush iptables-legacy in neutron_openvswitch_agent container
18+ ansible.builtin.shell : |
19+ set -euo pipefail
20+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P INPUT ACCEPT
21+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P FORWARD ACCEPT
22+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P OUTPUT ACCEPT
23+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -F
24+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -X
25+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -F
26+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -X
27+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -F
28+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -X
29+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -F
30+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -X
31+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -F
32+ {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -X
33+ args :
34+ executable : /bin/bash
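Review bot: The header comment at lines 3-5 reads inverted relative to the release note: the flush is needed on hosts whose agent was updated to a version that now installs rules via iptables-nft (i.e. from a version that did not), not "to a version without iptables-nft"; please reword so operators run it on the right hosts. Two further points on the shell task at lines 18-34. First, it is not scoped to neutron's chains: the `-P ... ACCEPT` lines plus `-F`/`-X` on every table wipe all legacy rules reachable from the container, including any operator-added ones, and leave ACCEPT policies behind, so either say so explicitly in the comment or restrict the flush to neutron's own chains. Second, it runs unconditionally under `set -euo pipefail`, so if the updated image no longer ships the `iptables-legacy` binary the first `exec` fails and the play aborts on that host; guard it with a `command -v iptables-legacy` check (or a `failed_when`), and add `changed_when` so a re-run does not report every host as changed. Minor: `-F`/`-X` without `-t` (lines 31-32) act on the filter table and duplicate lines 29-30.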
1+ ---
2+ fixes :
3+ - |
4+ Fixes an issue where neutron security rules were creating legacy iptables
5+ rules. The expectation was that these would be created as nf_tables rules
6+ using the iptables-nft compatability package. This matches the behaviour in
7+ the ``2024.1`` release.
8+ upgrade :
9+ - |
10+ In ML2/OVS deployments, neutron security group rules will be installed in
11+ nf_tables to match the behaviour in the ``2024.1`` release. The
12+ ``neutron_legacy_iptables`` kolla-ansible variable can be set to ``true``
13+ if you still wish to use legacy iptables. Otherwise, please run the
14+ ``$KAYOBE_CONFIG_PATH/ansible/fixes/flush-iptables-legacy.yml`` playbook
15+ after upgrading the neutron containers to prevent iptables-legacy
16+ conflicting with iptables-nft rules. If you upgrading to this release or
17+ newer, you do not have to run the playbook.
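Review bot: The last sentence of the upgrade note (lines 16-17) contradicts the instruction just before it to run the playbook after upgrading, and has a grammar slip ("If you upgrading"); spell out which deployments are affected, i.e. that only those that already ran a version which created legacy rules need the playbook, while an upgrade straight to this release or newer does not, and change it to "If you are upgrading". Also "compatability" at line 6 should be "compatibility". Naming the release or change that introduced the legacy rules would let operators tell whether they are affected without inspecting `iptables-legacy -S` on each host.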