Add periodic jobs to test "nftables" binaries

In order to check how the "nftables" binaries work with Neutron, two new jobs have been added to the periodic queue: - neutron-tempest-plugin-scenario-linuxbridge-nftables - neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables In those two jobs, the binaries for "iptables", "ip6tables", "arptables" and "ebtables" are replaced with the "nftables" counterparts; by default, newer operating systems use the "nftables" versions, providing the legacy API to the user but executing the new packet handling in Netfilter. Change-Id: Idec6d480886298f6d71b1dd649c9255ee6b7bebb Related-Bug: #1508155 Related-Bug: #1922892
2021-04-07 10:56:09 +00:00 · 2021-04-07 10:56:09 +00:00 · f7d2c3608d
parent 0a931391d8
commit f7d2c3608d
4 changed files with 70 additions and 0 deletions
--- a/playbooks/install_nftables.yaml
+++ b/playbooks/install_nftables.yaml
@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - nftables
--- a/roles/nftables/tasks/main.yaml
+++ b/roles/nftables/tasks/main.yaml
@ -0,0 +1,43 @@
+- name: Ensure nftables is installed
+  package:
+    name: 'nftables'
+    state: latest
+  become: yes
+
+- name: Switch to nftables binaries
+  shell:
+    cmd: |
+      /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
+      /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
+      /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
+      /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft
+    executable: /bin/bash
+  become: yes
+
+- name: Restart nftables service, that will replace iptables(4,6), ebtables and arptables
+  ansible.builtin.systemd:
+    state: restarted
+    name: nftables.service
+  become: yes
+
+- name: Check ipv4 rules, stored by iptables-persistent
+  stat:
+    path: '/etc/iptables/rules.v4'
+  register: ipv4_rules_file
+
+- name: Check ipv6 rules, stored by iptables-persistent
+  stat:
+    path: '/etc/iptables/rules.v6'
+  register: ipv6_rules_file
+
+- name: Restore saved IPv4 iptables rules, stored by iptables-persistent
+  shell:
+    cmd: |
+      iptables-restore '{{ ipv4_rules_file }}'
+  become: yes
+
+- name: Restore saved IPv6 iptables rules, stored by iptables-persistent
+  shell:
+    cmd: |
+      ip6tables-restore '{{ ipv6_rules_file }}'
+  become: yes
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@ -92,3 +92,25 @@
      # in base neutron-functional job as that is being used by neutron
      # stadium projects where they need to use stadium project as working dir.
      zuul_work_dir: src/opendev.org/openstack/neutron
+
+- job:
+    name: neutron-tempest-plugin-scenario-linuxbridge-nftables
+    parent: neutron-tempest-plugin-scenario-linuxbridge
+    pre-run: playbooks/install_nftables.yaml
+    vars:
+      devstack_local_conf:
+        post-config:
+          $NEUTRON_CONF:
+            SECURITYGROUP:
+              enable_ipset: false  # Not compatible with nftables
+
+- job:
+    name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables
+    parent: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid
+    pre-run: playbooks/install_nftables.yaml
+    vars:
+      devstack_local_conf:
+        post-config:
+          $NEUTRON_CONF:
+            SECURITYGROUP:
+              enable_ipset: false  # Not compatible with nftables
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -107,3 +107,5 @@
        - neutron-ovn-tripleo-ci-centos-8-containers-multinode:
            vars: *consumer_vars
            dependencies: *consumer_deps
+        - neutron-tempest-plugin-scenario-linuxbridge-nftables
+        - neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables