Merge "Add ebtables to neutron agent configuration"

playbooks/roles/os_neutron/defaults/main.yml

@@ -239,6 +239,7 @@ neutron_apt_packages:
   - iputils-arping
   - keepalived
   - libpq-dev
+  - ebtables
 
 neutron_apt_remove_packages:
   - conntrackd

playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters

@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/ebtables_driver.py
+ebtables: CommandFilter, ebtables, root
+ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=

playbooks/roles/os_neutron/tasks/neutron_post_install.yml

@@ -79,6 +79,7 @@
     - { src: "rootwrap.d/linuxbridge-plugin.filters", dest: "/etc/neutron/rootwrap.d/linuxbridge-plugin.filters" }
     - { src: "rootwrap.d/l3.filters", dest: "/etc/neutron/rootwrap.d/l3.filters" }
     - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
   notify:
     - Restart neutron services
   tags:

playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2

@@ -76,8 +76,11 @@ physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
 
 {% endif %}
 
-# Agent (empty for Linux bridge agent)
+# Agent
 [agent]
+# TODO: Allow this to be the default of True once the upstream issue
+# with access through floating IP's is fixed (odyssey4me re: liberty-2)
+prevent_arp_spoofing = False
 
 # L2 population
 [l2pop]