From 0bf75a471ecce8c05718644e7e070b4d5a8657d6 Mon Sep 17 00:00:00 2001
From: Denis Buliga
Date: Mon, 6 Feb 2017 16:56:46 +0200
Subject: [PATCH] Skips enabling kernel bridge firewall in container

Calling enable_kernel_bridge_firewall inside a container, devstack will crash because it tries to load a kernel module by calling 'sudo modprobe' on net.bridge.

Change-Id: Id4718c065d5a8c507d49f38e19c2796a64221aa4
Closes-Bug: #1662194
---
 functions | 10 ++++++++++
 lib/neutron | 4 +++-
 lib/neutron_plugins/linuxbridge_agent | 4 +++-
 lib/neutron_plugins/ovs_base | 4 +++-
 lib/nova | 4 +++-
 5 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/functions b/functions
index 89ee3672d3..f262fbccc4 100644
--- a/functions
+++ b/functions
@@ -664,6 +664,16 @@ function set_mtu {
 }
+# running_in_container - Returns true otherwise false
+function running_in_container {
+ if grep -q lxc /proc/1/cgroup; then
+ return 0
+ fi
+
+ return 1
+}
+
+
 # enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
 function enable_kernel_bridge_firewall {
 # Load bridge module. This module provides access to firewall for bridged
diff --git a/lib/neutron b/lib/neutron
index f6c705c2b0..a43fdeb903 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -188,7 +188,9 @@ function configure_neutron_new {
 iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
 fi
- enable_kernel_bridge_firewall
+ if ! running_in_container; then
+ enable_kernel_bridge_firewall
+ fi
 fi
 # DHCP Agent
diff --git a/lib/neutron_plugins/linuxbridge_agent b/lib/neutron_plugins/linuxbridge_agent
index 0c8ccb8718..f031fc7c59 100644
--- a/lib/neutron_plugins/linuxbridge_agent
+++ b/lib/neutron_plugins/linuxbridge_agent
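Review bot: The header comment on `running_in_container` in the functions hunk reads `Returns true otherwise false` and never says what is tested, while the test itself is an unanchored `grep -q lxc /proc/1/cgroup`. As written it recognises only cgroup paths that contain the string `lxc`: other container runtimes fall through to `return 1`, and any PID 1 cgroup path that merely contains `lxc` returns 0, which at the call sites means the bridge firewall setup is skipped. I would state the scope in the comment, e.g. `# running_in_container - Returns true if PID 1's cgroup path contains "lxc" (LXC only), otherwise false`, so later callers do not treat it as a general container check.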
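Review bot: The new guard around `enable_kernel_bridge_firewall` in lib/neutron skips the kernel setup silently, while the linuxbridge_agent and ovs_base hunks still write `firewall_driver` as `IptablesFirewallDriver` / `iptables_hybrid` just above the same guard. If the host that owns the kernel has not already enabled bridge netfilter (presumably what `enable_kernel_bridge_firewall` sets up; its body is outside the hunks), security group rules may be configured but not applied to bridged traffic, with nothing in the log to show it. An `else` branch that reports the skip would make this visible, e.g. `else` followed by `echo "WARNING: running in a container, bridge firewall not enabled here; enable it on the host"`. The same applies to the guards in lib/neutron_plugins/linuxbridge_agent, lib/neutron_plugins/ovs_base and lib/nova; placing the check once inside `enable_kernel_bridge_firewall` would avoid repeating it at four call sites.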
@@ -71,7 +71,9 @@ function neutron_plugin_configure_plugin_agent {
 fi
 if [[ "$Q_USE_SECGROUP" == "True" ]]; then
 iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- enable_kernel_bridge_firewall
+ if ! running_in_container; then
+ enable_kernel_bridge_firewall
+ fi
 else
 iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
 fi
diff --git a/lib/neutron_plugins/ovs_base b/lib/neutron_plugins/ovs_base
index 62a4d00bcd..733a5c13e2 100644
--- a/lib/neutron_plugins/ovs_base
+++ b/lib/neutron_plugins/ovs_base
@@ -88,7 +88,9 @@ function _neutron_ovs_base_configure_debug_command {
 function _neutron_ovs_base_configure_firewall_driver {
 if [[ "$Q_USE_SECGROUP" == "True" ]]; then
 iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver iptables_hybrid
- enable_kernel_bridge_firewall
+ if ! running_in_container; then
+ enable_kernel_bridge_firewall
+ fi
 else
 iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver noop
 fi
diff --git a/lib/nova b/lib/nova
index 4d336f6271..d1c0d470a7 100644
--- a/lib/nova
+++ b/lib/nova
@@ -864,7 +864,9 @@ function start_nova_rest {
 run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
 if is_service_enabled n-net; then
- enable_kernel_bridge_firewall
+ if ! running_in_container; then
+ enable_kernel_bridge_firewall
+ fi
 fi
 run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"