openstack/devstack
Code Issues Proposed changes
0dab8d63b3
devstack/lib/neutron_plugins/linuxbridge_agent
Ihar Hrachyshka b3a210f643 Enable bridge firewalling if iptables are used 
With the plan [1] to stop enabling it by Neutron iptables firewall
driver itself, deployment tools should catch up and enable the firewall
themselves.

This is needed for distributions that decided to disable the kernel
firewall by default (upstream kernel has it enabled). This is also
needed for distributions that ship newer kernels but don't load the
br_netfilter module before starting nova-network or Neutron iptables
firewall driver. In the latter case, firewall may not work, depending on
the order of operations executed by the driver.

To isolate devstack setups from the difference in distribution
kernel configuration and version, the following steps are done:

- we load bridge kernel module, and br_netfilter if present, to get
  access to sysctl knobs controlling the firewall;
- once knobs are available, we unconditionally set them to 1, to make
  sure the firewall is in effect.

More details at:
http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

[1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Related-Bug: #1622914
2016-09-29 04:26:56 +00:00

103 lines
3.4 KiB
Bash
Raw Blame History

#!/bin/bash
#
# Neutron Linux Bridge L2 agent
# -----------------------------
# Save trace setting
_XTRACE_NEUTRON_LB=$(set +o | grep xtrace)
set +o xtrace
function neutron_lb_cleanup {
sudo brctl delbr $PUBLIC_BRIDGE
if [[ "$Q_ML2_TENANT_NETWORK_TYPE" = "vxlan" ]]; then
for port in $(sudo brctl show | grep -o -e [a-zA-Z\-]*tap[0-9a-f\-]* -e vxlan-[0-9a-f\-]*); do
sudo ip link delete $port
done
elif [[ "$Q_ML2_TENANT_NETWORK_TYPE" = "vlan" ]]; then
for port in $(sudo brctl show | grep -o -e [a-zA-Z\-]*tap[0-9a-f\-]* -e ${LB_PHYSICAL_INTERFACE}\.[0-9a-f\-]*); do
sudo ip link delete $port
done
fi
for bridge in $(sudo brctl show |grep -o -e brq[0-9a-f\-]*); do
sudo ip link set $bridge down
sudo brctl delbr $bridge
done
}
function is_neutron_ovs_base_plugin {
# linuxbridge doesn't use OVS
return 1
}
function neutron_plugin_create_nova_conf {
:
}
function neutron_plugin_install_agent_packages {
install_package bridge-utils
}
function neutron_plugin_configure_debug_command {
iniset $NEUTRON_TEST_CONFIG_FILE DEFAULT external_network_bridge
}
function neutron_plugin_configure_dhcp_agent {
local conf_file=$1
:
}
function neutron_plugin_configure_l3_agent {
local conf_file=$1
sudo brctl addbr $PUBLIC_BRIDGE
set_mtu $PUBLIC_BRIDGE $PUBLIC_BRIDGE_MTU
iniset $conf_file DEFAULT external_network_bridge
}
function neutron_plugin_configure_plugin_agent {
# Setup physical network interface mappings. Override
# ``LB_VLAN_RANGES`` and ``LB_INTERFACE_MAPPINGS`` in ``localrc`` for more
# complex physical network configurations.
if [[ "$LB_INTERFACE_MAPPINGS" == "" ]] && [[ "$PHYSICAL_NETWORK" != "" ]] && [[ "$LB_PHYSICAL_INTERFACE" != "" ]]; then
LB_INTERFACE_MAPPINGS=$PHYSICAL_NETWORK:$LB_PHYSICAL_INTERFACE
fi
if [[ "$PUBLIC_BRIDGE" != "" ]] && [[ "$PUBLIC_PHYSICAL_NETWORK" != "" ]]; then
iniset /$Q_PLUGIN_CONF_FILE linux_bridge bridge_mappings "$PUBLIC_PHYSICAL_NETWORK:$PUBLIC_BRIDGE"
fi
if [[ "$LB_INTERFACE_MAPPINGS" != "" ]]; then
iniset /$Q_PLUGIN_CONF_FILE linux_bridge physical_interface_mappings $LB_INTERFACE_MAPPINGS
fi
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_kernel_bridge_firewall
else
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
fi
AGENT_BINARY="$NEUTRON_BIN_DIR/neutron-linuxbridge-agent"
iniset /$Q_PLUGIN_CONF_FILE agent tunnel_types $Q_TUNNEL_TYPES
# Configure vxlan tunneling
if [[ "$ENABLE_TENANT_TUNNELS" == "True" ]]; then
if [[ "$Q_ML2_TENANT_NETWORK_TYPE" == "vxlan" ]]; then
iniset /$Q_PLUGIN_CONF_FILE vxlan enable_vxlan "True"
iniset /$Q_PLUGIN_CONF_FILE vxlan local_ip $TUNNEL_ENDPOINT_IP
else
iniset /$Q_PLUGIN_CONF_FILE vxlan enable_vxlan "False"
fi
else
iniset /$Q_PLUGIN_CONF_FILE vxlan enable_vxlan "False"
fi
}
function neutron_plugin_setup_interface_driver {
local conf_file=$1
iniset $conf_file DEFAULT interface_driver linuxbridge
}
function neutron_plugin_check_adv_test_requirements {
is_service_enabled q-agt && is_service_enabled q-dhcp && return 0
}
# Restore xtrace
$_XTRACE_NEUTRON_LB
View Git Blame Copy Permalink