diff --git a/defaults/main.yml b/defaults/main.yml index 152d20ab..d661033e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -395,13 +395,6 @@ neutron_dnsmasq_lease_max: 16777216 # neutron_metadata_workers: 16 neutron_metadata_backlog: 4096 -# When running in an AIO, we need to implement an iptables rule in any -# neutron_agent containers to that ensure instances can communicate with -# the neutron metadata service. This is necessary because in an AIO -# environment there are no physical interfaces involved in instance -> -# metadata requests, and this results in the checksums being incorrect. -neutron_metadata_checksum_fix: False - # The protocol used by neutron to access the nova metadata service. nova_metadata_protocol: http diff --git a/files/post-up-metadata-checksum b/files/post-up-metadata-checksum deleted file mode 100644 index c4f71946..00000000 --- a/files/post-up-metadata-checksum +++ /dev/null @@ -1,43 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# NOTICE: -# When running in an AIO, we need to drop the following iptables rule in any -# neutron_agent containers to that ensure instances can communicate with the -# neutron metadata service. This is necessary because in an AIO environment -# there are no physical interfaces involved in instance -> metadata requests, -# and this results in the checksums being incorrect. - -# Iptables path, used for ipv4 firewall. -IPTABLES=$(which iptables) -if [ ! -z "${IPTABLES}" ]; then - if ! ${IPTABLES} -C POSTROUTING -t mangle -p tcp --sport 80 -j CHECKSUM --checksum-fill 2> /dev/null; then - ${IPTABLES} -A POSTROUTING -t mangle -p tcp --sport 80 -j CHECKSUM --checksum-fill - fi - if ! ${IPTABLES} -C POSTROUTING -t mangle -p tcp --sport 8000 -j CHECKSUM --checksum-fill 2> /dev/null; then - ${IPTABLES} -A POSTROUTING -t mangle -p tcp --sport 8000 -j CHECKSUM --checksum-fill - fi -fi - -# Ip6tables path, used for ipv6 firewall. -IP6TABLES=$(which ip6tables) -if [ ! -z "${IP6TABLES}" ]; then - if ! ${IP6TABLES} -C POSTROUTING -t mangle -p udp --sport 80 -j CHECKSUM --checksum-fill 2> /dev/null; then - ${IP6TABLES} -A POSTROUTING -t mangle -p udp --sport 80 -j CHECKSUM --checksum-fill - fi - if ! ${IP6TABLES} -C POSTROUTING -t mangle -p udp --sport 8000 -j CHECKSUM --checksum-fill 2> /dev/null; then - ${IP6TABLES} -A POSTROUTING -t mangle -p udp --sport 8000 -j CHECKSUM --checksum-fill - fi -fi diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml index 80cdf0ef..01e75694 100644 --- a/tasks/neutron_post_install.yml +++ b/tasks/neutron_post_install.yml @@ -164,42 +164,10 @@ # host and container. Additionally the execution of this script is now # controlled by a systemd oneshot service so the legacy configs are no longer # needed. -- name: Remove legacy checksum fix script +- name: Remove checksum fix scripts file: - path: "{{ neutron_checksum_script }}" + path: "{{ item }}" state: absent - -- name: Drop metadata iptables checksum fix - copy: - src: "post-up-metadata-checksum" - dest: "/usr/local/bin/post-up-metadata-checksum" - owner: "root" - group: "root" - mode: "0755" - when: - - neutron_metadata_checksum_fix | bool - - neutron_services['neutron-linuxbridge-agent']['group'] in group_names - -- name: Run the systemd service role - include_role: - name: systemd_service - private: true - vars: - systemd_services: - - service_name: "neutron-post-up-metadata-checksum" - config_overrides: - Unit: - Description: networking-post-up - After: network-online.target - Wants: network-online.target - Service: - RemainAfterExit: yes - service_type: oneshot - execstarts: - - "/usr/local/bin/post-up-metadata-checksum" - enabled: yes - state: started - systemd_tempd_prefix: openstack - when: - - neutron_metadata_checksum_fix | bool - - neutron_services['neutron-linuxbridge-agent']['group'] in group_names + with_items: + - "{{ neutron_checksum_script }}" + - "/usr/local/bin/post-up-metadata-checksum" diff --git a/tests/test-install-previous-neutron.yml b/tests/test-install-previous-neutron.yml index fd9bd815..7214db33 100644 --- a/tests/test-install-previous-neutron.yml +++ b/tests/test-install-previous-neutron.yml @@ -62,9 +62,6 @@ name: iptables state: present - - name: Add iptables rule for communication w/ metadata agent - command: /sbin/iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CHECKSUM --checksum-fill - - name: Deploy neutron hosts: neutron_all user: root