Make fw driver configurable

The neutron-gateway uses the firewall driver just as other nodes do when running neutron-openvswitch-agent. It is currently hardcoded to the deprecated iptables_hybrid driver. This patch allows the driver to be changed to openvswitch same as with the neutron-openvswitch driver with a firewall-driver config option that defaults to iptables_hybrid so as to maintain backwards compatibility. Change-Id: I4f5482425c91b5ad556c384abba7c27137c1948f
2021-07-20 14:55:28 +01:00 · 2021-07-20 14:55:28 +01:00 · 3de85d46c1
parent d29d295c32
commit 3de85d46c1
4 changed files with 30 additions and 1 deletions
--- a/config.yaml
+++ b/config.yaml
@ -327,6 +327,13 @@ options:
      for Neutron agents (DHCP and L3 agents). This option overrides the
      default-availability-zone charm config setting only when the Juju
      provider sets JUJU_AVAILABILITY_ZONE.
+  firewall-driver:
+    type: string
+    default:
+    description: |
+      Firewall driver to use to support use of security groups with
+      instances; valid values include iptables_hybrid (default) and
+      openvswitch. This config option is ignored for < Queens.
  firewall-group-log-output-base:
    type: string
    default:
--- a/hooks/neutron_contexts.py
+++ b/hooks/neutron_contexts.py
@ -49,10 +49,28 @@ CORE_PLUGIN = {
    OVS_ODL: NEUTRON_OVS_ODL_PLUGIN,
 }

+IPTABLES_HYBRID = 'iptables_hybrid'
+OPENVSWITCH = 'openvswitch'
+VALID_FIREWALL_DRIVERS = (IPTABLES_HYBRID, OPENVSWITCH)
+
 NFG_LOG_RATE_LIMIT_MIN = 100
 NFG_LOG_BURST_LIMIT_MIN = 25


+def _get_firewall_driver():
+    '''
+    Determine the firewall driver to use based on configuration,
+    OpenStack and Ubuntu releases.
+
+    @returns str: firewall driver to use for OpenvSwitch
+    '''
+    driver = config('firewall-driver') or IPTABLES_HYBRID
+    if driver not in VALID_FIREWALL_DRIVERS:
+        return IPTABLES_HYBRID
+
+    return driver
+
+
 def get_availability_zone():
    use_juju_az = config('customize-failure-domain')
    juju_az = os.environ.get('JUJU_AVAILABILITY_ZONE')
@ -217,6 +235,8 @@ class NeutronGatewayContext(NeutronAPIContext):
                NFG_LOG_BURST_LIMIT_MIN
            )

+        ctxt['firewall_driver'] = _get_firewall_driver()
+
        return ctxt


--- a/templates/queens/openvswitch_agent.ini
+++ b/templates/queens/openvswitch_agent.ini
@ -23,4 +23,4 @@ extensions = {{ extension_drivers }}
 {% endif %}

 [securitygroup]
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+firewall_driver = {{ firewall_driver }}
--- a/unit_tests/test_neutron_contexts.py
+++ b/unit_tests/test_neutron_contexts.py
@ -240,6 +240,7 @@ class TestNeutronGatewayContext(CharmTestCase):
            'nfg_log_rate_limit': 100,
            'ovsdb_timeout': 10,
            'keepalived_healthcheck_interval': 0,
+            'firewall_driver': "iptables_hybrid",
        })

    @patch.object(neutron_contexts, 'validate_nfg_log_path', lambda x: x)
@ -303,6 +304,7 @@ class TestNeutronGatewayContext(CharmTestCase):
            'nfg_log_rate_limit': None,
            'ovsdb_timeout': 60,
            'keepalived_healthcheck_interval': 0,
+            'firewall_driver': "iptables_hybrid",
        })

    @patch('os.environ.get')