From d879994e13e788123e2db1368b985d0e5fe9cb1b Mon Sep 17 00:00:00 2001
From: Matt Thompson
Date: Wed, 12 Aug 2015 10:12:57 +0100
Subject: [PATCH] Add iptables rule to neutron agents containers

When running in an AIO environment, we need to drop an iptables rule to ensure that communication between instances and the neutron metadata service works.

Change-Id: Icc081fe83712ce883baa88f99db60c52dcc4c1ae
Closes-Bug: #1483603
---
 scripts/bootstrap-aio.sh | 1 +
 scripts/run-playbooks.sh | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/scripts/bootstrap-aio.sh b/scripts/bootstrap-aio.sh
index f2e04baceb..fd9b8edd16 100755
--- a/scripts/bootstrap-aio.sh
+++ b/scripts/bootstrap-aio.sh
@@ -20,6 +20,7 @@ set -e -u -x
 ## Vars ----------------------------------------------------------------------
 DEFAULT_PASSWORD=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32)
+export BOOTSTRAP_AIO="yes"
 export ADMIN_PASSWORD=${ADMIN_PASSWORD:-$DEFAULT_PASSWORD}
 export SERVICE_REGION=${SERVICE_REGION:-"RegionOne"}
 export DEPLOY_SWIFT=${DEPLOY_SWIFT:-"yes"}
diff --git a/scripts/run-playbooks.sh b/scripts/run-playbooks.sh
index fb61ff3587..4dd42d7f8a 100755
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@@ -27,6 +27,7 @@ DEPLOY_SWIFT=${DEPLOY_SWIFT:-"yes"}
 DEPLOY_CEILOMETER=${DEPLOY_CEILOMETER:-"yes"}
 DEPLOY_TEMPEST=${DEPLOY_TEMPEST:-"no"}
 COMMAND_LOGS=${COMMAND_LOGS:-"/openstack/log/ansible_cmd_logs/"}
+ADD_NEUTRON_AGENT_CHECKSUM_RULE=${BOOTSTRAP_AIO:-"no"}
 ## Functions -----------------------------------------------------------------
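Review bot: In the scripts/run-playbooks.sh hunk, `ADD_NEUTRON_AGENT_CHECKSUM_RULE=${BOOTSTRAP_AIO:-"no"}` discards any value the operator already set for that variable, unlike the neighbouring `VAR=${VAR:-default}` assignments, so a firewall change inside the neutron_agent containers can only be switched through an unrelated bootstrap flag. Suggest `ADD_NEUTRON_AGENT_CHECKSUM_RULE=${ADD_NEUTRON_AGENT_CHECKSUM_RULE:-${BOOTSTRAP_AIO:-"no"}}` so the rule can be forced on or off explicitly. The same pattern shows in the scripts/bootstrap-aio.sh hunk, where `export BOOTSTRAP_AIO="yes"` is unconditional. Because the flag is exported, any shell that inherits `BOOTSTRAP_AIO=yes` and later runs run-playbooks.sh against a non-AIO inventory would also get the rule, which deserves a comment next to the assignment.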
@@ -109,6 +110,22 @@ pushd "playbooks"
 --forks ${FORKS} \
 -t "${COMMAND_LOGS}/force_apt_update" \
 &> ${COMMAND_LOGS}/force_apt_update.log
+
+ # When running in an AIO, we need to drop the following iptables rule in any neutron_agent containers
+ # to that ensure instances can communicate with the neutron metadata service.
+ # This is necessary because in an AIO environment there are no physical interfaces involved in
+ # instance -> metadata requests, and this results in the checksums being incorrect.
+ if [ "${ADD_NEUTRON_AGENT_CHECKSUM_RULE}" == "yes" ]; then
+ mkdir -p "${COMMAND_LOGS}/add_neutron_agent_checksum_rule"
+ ansible neutron_agent -m command \
+ -a '/sbin/iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CHECKSUM --checksum-fill' \
+ -t "${COMMAND_LOGS}/add_neutron_agent_checksum_rule" \
+ &> ${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log
+ ansible neutron_agent -m shell \
+ -a 'DEBIAN_FRONTEND=noninteractive apt-get install iptables-persistent' \
+ -t "${COMMAND_LOGS}/add_neutron_agent_checksum_rule" \
+ &> ${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log
+ fi
 fi
 if [ "${DEPLOY_LB}" == "yes" ]; then
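Review bot: The second `ansible neutron_agent` call redirects with `&>` to the same `${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log` as the first, so the iptables step's output is overwritten and no record remains of which containers accepted the firewall change. Use `&>> "${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log"` on the second call, or a separate log name. The rule is added with `-A` on every run, so re-running the script stacks duplicate mangle entries; running it through the shell module as `/sbin/iptables -t mangle -C POSTROUTING -p tcp --sport 80 -j CHECKSUM --checksum-fill || <the same rule with -A>` would keep it idempotent. `apt-get install iptables-persistent` has no `-y`, so it will likely abort if apt needs confirmation for extra packages. Persistence presumably relies on the package saving the live ruleset at install time, which would snapshot every rule then present in the container, so the ordering deserves a comment; the enclosing `if` opens above this hunk.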