From c93f59cd8e47b311440e2315afafc756bca4cc21 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 25 Oct 2021 08:16:09 +0000
Subject: [PATCH] Revert "Do not load br_netfilter"
This reverts commit 15259002beb6b9f35f8eee6529132c6e1a126902.
Reason for revert: The iptables_firewall produces warnings without it.
Change-Id: Id046a3048436c4c18dd1fd9700ac9971d8c42c57
---
 ansible/roles/nova-cell/tasks/config-host.yml | 11 +++++++++++
 .../notes/bug-1945789-cfb50a9bd8693c41.yaml | 16 ----------------
 2 files changed, 11 insertions(+), 16 deletions(-)
 delete mode 100644 releasenotes/notes/bug-1945789-cfb50a9bd8693c41.yaml
diff --git a/ansible/roles/nova-cell/tasks/config-host.yml b/ansible/roles/nova-cell/tasks/config-host.yml
index 3a56334fd3..5b8d398df5 100644
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@@ -1,4 +1,13 @@
 ---
+- name: Load and persist br_netfilter module
+ include_role:
+ name: module-load
+ vars:
+ modules:
+ - { name: br_netfilter }
+ when:
+ - inventory_hostname in groups[nova_cell_compute_group]
+
 - name: Setting sysctl values
 become: true
 vars:
@@ -10,6 +19,8 @@
 sysctl_set: "{{ should_set }}"
 sysctl_file: "{{ kolla_sysctl_conf_path }}"
 with_items:
+ - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
+ - { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
 - { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
 - { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
 when:
diff --git a/releasenotes/notes/bug-1945789-cfb50a9bd8693c41.yaml b/releasenotes/notes/bug-1945789-cfb50a9bd8693c41.yaml
deleted file mode 100644
index 06af7040f1..0000000000
--- a/releasenotes/notes/bug-1945789-cfb50a9bd8693c41.yaml
+++ /dev/null
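Review bot: The restored `Load and persist br_netfilter module` task in the first hunk of `config-host.yml` has no comment saying why compute hosts need the module, and the commit message's "produces warnings" undersells the dependency. As far as I know, Neutron's iptables-based firewall driver only sees bridged instance traffic when br_netfilter is loaded and the `net.bridge.bridge-nf-call-*` sysctls are 1, so this is about security-group enforcement rather than log noise. I would add a comment above the task such as `# Required so iptables-based security groups are applied to bridged instance traffic`. The task also runs on every host in `nova_cell_compute_group` whatever the networking backend, which is what the reverted change objected to. The revert deletes the old release note without adding a replacement, so operators who unloaded the module on its advice get no notice that it returns.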
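Review bot: In the second hunk of `config-host.yml`, the two added `net.bridge.bridge-nf-call-*` items only exist as sysctl keys once br_netfilter is loaded, but the `when:` list guarding this task continues past the end of the hunk and the task's `vars:` sit before it. It is therefore not visible here whether the sysctl task's condition matches the module-load task's `inventory_hostname in groups[nova_cell_compute_group]`; if it can run on a host where the module was not loaded, the keys will be missing and the task will probably fail, so the two conditions are worth checking against each other. The values are hard-coded as `1`, unlike the `rp_filter` items that take `nova_compute_host_rp_filter_mode`. If that is deliberate, a comment such as `# must stay 1: iptables filtering of bridged traffic depends on it` would stop someone loosening it later.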
@@ -1,16 +0,0 @@
----
-fixes:
- - |
- Fixes ``br_netfilter`` kernel module not to be loaded nor configured
- by Kolla Ansible.
- It was loaded and configured on Nova compute hosts regardless of the
- networking service config and its requirements.
- Users of existing setups are advised to re-evaluate whether they
- need this module loaded and unload if not necessary (also: remove
- from the autoloaded modules, as well as remove the related sysctls
- ``net.bridge.bridge-nf-call-*``).
- Kolla Ansible will simply no longer try to load nor configure this
- module at all.
- Neutron agents handle loading and configuring this module as
- necessary.
- `LP#1945789 `__