
Commit a982513

[ML2/OVS] Use nftables instead of legacy iptables (#2214)
* WIP: [ML2/OVS] Use nftables instead of legacy iptables
* Add image tags
* Add release note
* Wrap comment
* Fix linting issues
* Check for neutron rules before flushing
* Fix typo
* tweaks
* Update kolla-image-tags.yml
* Kolla change now merged in stackhpc branch
  Co-authored-by: Will Szumski <williamszumski@gmail.com>
* Fresh images with upstream version of change
1 parent f85ecfe commit a982513

3 files changed

Lines changed: 81 additions & 2 deletions

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
---
2+
3+
# This playbook flushes iptables-legacy rules in the neutron_openvswitch_agent
4+
# container on overcloud hosts. It is intended to be used in scenarios where
5+
# neutron_openvswitch_agent was updated to a version without iptables-nft.
6+
7+
# NOTE(wszumski): Also had to run a rabbitmq reset after flushing. Potentially
8+
# we could do a more targetted restart of containers.
9+
10+
- name: Flushes legacy iptables rules on ML2/OVS deployments
11+
hosts: overcloud
12+
gather_facts: false
13+
become: true
14+
tasks:
15+
- name: Gather service facts
16+
ansible.builtin.service_facts:
17+
18+
- name: End play for hosts without openvswitch agent
19+
ansible.builtin.meta: end_host
20+
when: "'kolla-neutron_openvswitch_agent-container.service' not in ansible_facts.services"
21+
22+
- name: Check if neutron legacy iptables rules exist
23+
ansible.builtin.shell: |
24+
set -euo pipefail
25+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy-save | grep neutron
26+
register: save_result
27+
failed_when: false
28+
args:
29+
executable: /bin/bash
30+
31+
- name: End play for hosts where legacy-iptables is not in use by neutron
32+
ansible.builtin.meta: end_host
33+
when: save_result.rc != 0
34+
35+
- name: Flush iptables-legacy in neutron_openvswitch_agent container
36+
ansible.builtin.shell: |
37+
set -euo pipefail
38+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P INPUT ACCEPT
39+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P FORWARD ACCEPT
40+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P OUTPUT ACCEPT
41+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -F
42+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -X
43+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -F
44+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -X
45+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -F
46+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -X
47+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -F
48+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -X
49+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -F
50+
{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -X
51+
args:
52+
executable: /bin/bash
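Review bot: the "Check if neutron legacy iptables rules exist" task cannot distinguish "no neutron rules present" from "the check itself failed". With `set -euo pipefail`, a missing `iptables-legacy-save` binary in the new image, a stopped container or an exec error from `{{ container_engine }}` all produce a non-zero rc, and the following `end_host` task then skips the host as if legacy iptables were not in use, leaving stale rules behind silently. Consider ending the host only on grep's no-match status and failing on anything else, e.g. an `ansible.builtin.fail` with `when: save_result.rc not in [0, 1]` ahead of `when: save_result.rc == 1` on the `end_host`. On the flush task: it flushes and deletes every chain in every legacy table, not only neutron's (and the trailing `-F` / `-X` repeat the `-t filter -F` / `-t filter -X` already issued), so the header comment should state that any non-neutron iptables-legacy rules on the host are removed too. The header also says the agent "was updated to a version without iptables-nft", while the release note describes the opposite direction (from an image lacking iptables-nft to one that has it); "updated from" reads as intended. The NOTE says a rabbitmq reset was also needed but nothing here does it or points at the `rabbitmq-reset.yml` playbook the release note chains after this one; a one-line reference would help the next operator. Typo: "targetted" -> "targeted".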

etc/kayobe/kolla-image-tags.yml

Lines changed: 2 additions & 2 deletions
@@ -30,8 +30,8 @@ kolla_image_tags:
3030
rocky-9: 2025.1-rocky-9-20260421T115054
3131
ubuntu-noble: 2025.1-ubuntu-noble-20260421T115054
3232
neutron:
33-
rocky-9: 2025.1-rocky-9-20260403T083425
34-
ubuntu-noble: 2025.1-ubuntu-noble-20260403T083425
33+
rocky-9: 2025.1-rocky-9-20260409T132248
34+
ubuntu-noble: 2025.1-ubuntu-noble-20260409T132248
3535
nova:
3636
rocky-9: 2025.1-rocky-9-20260226T161930
3737
ubuntu-noble: 2025.1-ubuntu-noble-20260220T102812
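Review bot: this tag bump is the only place the commit records which neutron image first carries the iptables-nft change, but the release note never mentions it. Consider stating in the upgrade note that neutron images older than `2025.1-rocky-9-20260409T132248` / `2025.1-ubuntu-noble-20260409T132248` install legacy rules, so an operator can tell from their pinned tag whether they are affected before running the legacy-rule check. Also worth a word in the commit message: the neutron tag now sits behind the `20260421T115054` entries immediately above it, which is fine if deliberate but looks like a stale pin otherwise.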
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
---
2+
fixes:
3+
- |
4+
Fixed an issue where Neutron security group rules were being created as
5+
legacy iptables rules instead of nftables rules. The expected behaviour is
6+
that these rules are created using the iptables-nft compatibility package,
7+
matching the behaviour introduced in the ``2024.1`` release.
8+
9+
upgrade:
10+
- |
11+
In ML2/OVS deployments, Neutron security group rules will now be installed
12+
in nftables to align with the behaviour from the ``2024.1`` release. If you
13+
are running a ``2025.1`` release older than this one, please run the
14+
following commands **after upgrading the Neutron containers** to avoid
15+
conflicts between iptables-legacy and iptables-nft rules (this operation
16+
will cause downtime)::
17+
18+
kayobe playbook run \
19+
$KAYOBE_CONFIG_PATH/ansible/fixes/flush-iptables-legacy.yml \
20+
$KAYOBE_CONFIG_PATH/ansible/fixes/rabbitmq-reset.yml
21+
22+
You can check if Neutron has installed legacy iptables rules by running::
23+
24+
iptables-save-legacy | grep neutron
25+
26+
If you are upgrading directly to this release or a newer one, no action is
27+
required.
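Review bot: the verification command `iptables-save-legacy | grep neutron` names a binary that does not exist; the tool is `iptables-legacy-save`, as the new flush playbook itself invokes it. The note should also say where to run it: the playbook runs it as root inside the agent container (`{{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy-save | grep neutron`, with the configured docker or podman engine), and a host without the legacy binary will report "command not found" rather than a clean "no rules" result, which an operator could misread as not affected. Minor: "this operation will cause downtime" would be more useful if it said what the two playbooks actually do (flush the host's legacy firewall rules, then reset RabbitMQ), so operators can schedule the window accordingly.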
