Remove deprecated sysctl knobs
Kolla Ansible stopped setting them as they turned out to be unnecessary for its operations, yet may have conflicted with security policies of the hosts. [1] [2] [1] https://launchpad.net/bugs/1837551 [2] https://launchpad.net/bugs/1945453 Change-Id: Ie8ccd3ab6f22a6f548b1da8d3acd334068dc48f5
parent
e890f161ed
commit
6a7e6a25bc
@ -575,8 +575,6 @@ openstack_neutron_auth: "{{ openstack_auth }}"
|
|||||||
|
|
||||||
# Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
|
# Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
|
||||||
# Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
|
# Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
|
||||||
neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET
|
|
||||||
neutron_l3_agent_host_rp_filter_mode: KOLLA_SKIP
|
|
||||||
neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
|
neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
|
||||||
neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672
|
neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672
|
||||||
neutron_l3_agent_host_ipv4_neigh_gc_thresh3: 32768
|
neutron_l3_agent_host_ipv4_neigh_gc_thresh3: 32768
|
||||||
|
@ -25,10 +25,6 @@
|
|||||||
sysctl_set: "{{ should_set }}"
|
sysctl_set: "{{ should_set }}"
|
||||||
sysctl_file: "{{ kolla_sysctl_conf_path }}"
|
sysctl_file: "{{ kolla_sysctl_conf_path }}"
|
||||||
with_items:
|
with_items:
|
||||||
# TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle.
|
|
||||||
- { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}
|
|
||||||
- { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
|
|
||||||
- { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
|
|
||||||
- { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
|
- { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
|
||||||
- { name: "net.ipv4.neigh.default.gc_thresh2", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh2 }}"}
|
- { name: "net.ipv4.neigh.default.gc_thresh2", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh2 }}"}
|
||||||
- { name: "net.ipv4.neigh.default.gc_thresh3", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh3 }}"}
|
- { name: "net.ipv4.neigh.default.gc_thresh3", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh3 }}"}
|
||||||
|
@ -462,10 +462,6 @@ nova_libvirt_logging_debug: "{{ nova_logging_debug }}"
|
|||||||
|
|
||||||
openstack_nova_auth: "{{ openstack_auth }}"
|
openstack_nova_auth: "{{ openstack_auth }}"
|
||||||
|
|
||||||
# Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
|
|
||||||
# Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
|
|
||||||
nova_compute_host_rp_filter_mode: KOLLA_SKIP
|
|
||||||
|
|
||||||
nova_libvirt_port: "{{ '16514' if libvirt_tls | bool else '16509' }}"
|
nova_libvirt_port: "{{ '16514' if libvirt_tls | bool else '16509' }}"
|
||||||
nova_ssh_port: "8022"
|
nova_ssh_port: "8022"
|
||||||
|
|
||||||
|
@ -8,24 +8,19 @@
|
|||||||
when:
|
when:
|
||||||
- inventory_hostname in groups[nova_cell_compute_group]
|
- inventory_hostname in groups[nova_cell_compute_group]
|
||||||
|
|
||||||
- name: Setting sysctl values
|
- name: Enable bridge-nf-call sysctl variables
|
||||||
become: true
|
become: true
|
||||||
vars:
|
|
||||||
should_set: "{{ item.value != 'KOLLA_UNSET' }}"
|
|
||||||
sysctl:
|
sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item }}"
|
||||||
state: "{{ should_set | ternary('present', 'absent') }}"
|
state: present
|
||||||
value: "{{ should_set | ternary(item.value, omit) }}"
|
value: "1"
|
||||||
sysctl_set: "{{ should_set }}"
|
sysctl_set: true
|
||||||
sysctl_file: "{{ kolla_sysctl_conf_path }}"
|
sysctl_file: "{{ kolla_sysctl_conf_path }}"
|
||||||
with_items:
|
loop:
|
||||||
- { name: "net.bridge.bridge-nf-call-iptables", value: 1}
|
- net.bridge.bridge-nf-call-iptables
|
||||||
- { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
|
- net.bridge.bridge-nf-call-ip6tables
|
||||||
- { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
|
|
||||||
- { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
|
|
||||||
when:
|
when:
|
||||||
- set_sysctl | bool
|
- set_sysctl | bool
|
||||||
- item.value != 'KOLLA_SKIP'
|
|
||||||
- inventory_hostname in groups[nova_cell_compute_group]
|
- inventory_hostname in groups[nova_cell_compute_group]
|
||||||
|
|
||||||
# NOTE(yoctozepto): Part of bug #1681461 fix.
|
# NOTE(yoctozepto): Part of bug #1681461 fix.
|
||||||
|
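Review bot: With the `rp_filter` items and the `should_set` ternary dropped from this task, an existing override of `nova_compute_host_rp_filter_mode` is now silently ignored, and the `state: absent` path that could remove a previously written entry from `kolla_sysctl_conf_path` is gone. The default was `KOLLA_SKIP`, so presumably only hosts where an operator chose a value are affected, but there a `net.ipv4.conf.all.rp_filter` or `net.ipv4.conf.default.rp_filter` line written by an earlier run would stay in the managed file with nothing owning it. The same holds for overrides of the `net.ipv4.ip_forward` and `rp_filter` items removed from the neutron task list earlier in this commit. I would say so in the upgrade note, for example `Values previously written to the managed sysctl.conf file are not removed; review them against the host's own policy.`, and add a short comment above this task stating that only the bridge-nf-call keys are managed here.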
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Deprecated sysctl knobs related to ``ip_forward`` and ``rp_filter``
|
||||||
|
were removed.
|