---
- name: Load and persist br_netfilter module
  include_role:
    name: module-load
  vars:
    modules:
      - { name: br_netfilter }
  when:
    - inventory_hostname in groups[nova_cell_compute_group]

- name: Setting sysctl values
  become: true
  vars:
    should_set: "{{ item.value != 'KOLLA_UNSET' }}"
  sysctl:
    name: "{{ item.name }}"
    state: "{{ should_set | ternary('present', 'absent') }}"
    value: "{{ should_set | ternary(item.value, omit) }}"
    sysctl_set: "{{ should_set }}"
    sysctl_file: "{{ kolla_sysctl_conf_path }}"
  with_items:
    - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
    - { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
  when:
    - set_sysctl | bool
    - item.value != 'KOLLA_SKIP'
    - inventory_hostname in groups[nova_cell_compute_group]

# NOTE(yoctozepto): Part of bug #1681461 fix.
# This part can actually run on any distro and lets us drop the hardcoded
# chown and chmod from the nova-libvirt image extend_start and make the process
# more robust.
- name: Install udev kolla kvm rules
  become: true
  template:
    src: "99-kolla-kvm.rules.j2"
    dest: "/etc/udev/rules.d/99-kolla-kvm.rules"
    mode: "0644"
  when:
    - enable_nova_libvirt_container | bool
    - nova_compute_virt_type == 'kvm'
    - inventory_hostname in groups[nova_cell_compute_group]

# NOTE(yoctozepto): Part of bug #1681461 fix.
# This part only really makes sense on Ubuntu and would end up being confusing
# on others. This service changes /dev/kvm permissions.
- name: Mask qemu-kvm service
  become: true
  systemd:
    name: qemu-kvm.service
    masked: true
  when:
    - enable_nova_libvirt_container | bool
    - nova_compute_virt_type == 'kvm'
    - ansible_facts.distribution == 'Ubuntu'
    - inventory_hostname in groups[nova_cell_compute_group]