From f7d2c3608d1fa6cbc8c562f9121ec0f0d80c3962 Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Wed, 7 Apr 2021 10:56:09 +0000 Subject: [PATCH] Add periodic jobs to test "nftables" binaries In order to check how the "nftables" binaries work with Neutron, two new jobs have been added to the periodic queue: - neutron-tempest-plugin-scenario-linuxbridge-nftables - neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables In those two jobs, the binaries for "iptables", "ip6tables", "arptables" and "ebtables" are replaced with the "nftables" counterparts; by default, newer operating systems use the "nftables" versions, providing the legacy API to the user but executing the new packet handling in Netfilter. Change-Id: Idec6d480886298f6d71b1dd649c9255ee6b7bebb Related-Bug: #1508155 Related-Bug: #1922892
---
 playbooks/install_nftables.yaml | 3 +++
 roles/nftables/tasks/main.yaml | 43 +++++++++++++++++++++++++++++++++
 zuul.d/base.yaml | 22 +++++++++++++++++
 zuul.d/project.yaml | 2 ++
 4 files changed, 70 insertions(+)
 create mode 100644 playbooks/install_nftables.yaml
 create mode 100644 roles/nftables/tasks/main.yaml
diff --git a/playbooks/install_nftables.yaml b/playbooks/install_nftables.yaml
new file mode 100644
index 00000000000..be41d3bbe35
--- /dev/null
+++ b/playbooks/install_nftables.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+ roles:
+ - nftables
diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml
new file mode 100644
index 00000000000..e462e68f199
--- /dev/null
+++ b/roles/nftables/tasks/main.yaml
@@ -0,0 +1,43 @@
+- name: Ensure nftables is installed
+ package:
+ name: 'nftables'
+ state: latest
+ become: yes
+
+- name: Switch to nftables binaries
+ shell:
+ cmd: |
+ /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
+ /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
+ /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
+ /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft
+ executable: /bin/bash
+ become: yes
+
+- name: Restart nftables service, that will replace iptables(4,6), ebtables and arptables
+ ansible.builtin.systemd:
+ state: restarted
+ name: nftables.service
+ become: yes
+
+- name: Check ipv4 rules, stored by iptables-persistent
+ stat:
+ path: '/etc/iptables/rules.v4'
+ register: ipv4_rules_file
+
+- name: Check ipv6 rules, stored by iptables-persistent
+ stat:
+ path: '/etc/iptables/rules.v6'
+ register: ipv6_rules_file
+
+- name: Restore saved IPv4 iptables rules, stored by iptables-persistent
+ shell:
+ cmd: |
+ iptables-restore '{{ ipv4_rules_file }}'
+ become: yes
+
+- name: Restore saved IPv6 iptables rules, stored by iptables-persistent
+ shell:
+ cmd: |
+ ip6tables-restore '{{ ipv6_rules_file }}'
+ become: yes
diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml
index 2358465d499..e9484660cb5 100644
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
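Review bot: The two restore tasks at the end of the roles/nftables/tasks/main.yaml hunk template the registered `stat` results into the command line: `ipv4_rules_file` and `ipv6_rules_file` are result dictionaries, not paths, so `iptables-restore '{{ ipv4_rules_file }}'` receives the rendered dictionary rather than `/etc/iptables/rules.v4`. Nothing consumes the `stat` checks either, so the restore is attempted even on nodes where iptables-persistent never wrote a rules file. I would pass the path and guard on existence, `iptables-restore '{{ ipv4_rules_file.stat.path }}'` with `when: ipv4_rules_file.stat.exists` (and the same for the IPv6 task); as written, the pre-run presumably either fails or leaves the node without its saved host firewall rules after the backend switch. Separately, the `update-alternatives` script reports only the exit status of its last command, so a `set -e` first line in `cmd` would surface a failed switch for the earlier binaries.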
@@ -92,3 +92,25 @@
 # in base neutron-functional job as that is being used by neutron
 # stadium projects where they need to use stadium project as working dir.
 zuul_work_dir: src/opendev.org/openstack/neutron
+
+- job:
+ name: neutron-tempest-plugin-scenario-linuxbridge-nftables
+ parent: neutron-tempest-plugin-scenario-linuxbridge
+ pre-run: playbooks/install_nftables.yaml
+ vars:
+ devstack_local_conf:
+ post-config:
+ $NEUTRON_CONF:
+ SECURITYGROUP:
+ enable_ipset: false # Not compatible with nftables
+
+- job:
+ name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables
+ parent: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid
+ pre-run: playbooks/install_nftables.yaml
+ vars:
+ devstack_local_conf:
+ post-config:
+ $NEUTRON_CONF:
+ SECURITYGROUP:
+ enable_ipset: false # Not compatible with nftables
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 1dcb7217bbe..cf32743e31c 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -107,3 +107,5 @@
 - neutron-ovn-tripleo-ci-centos-8-containers-multinode:
 vars: *consumer_vars
 dependencies: *consumer_deps
+ - neutron-tempest-plugin-scenario-linuxbridge-nftables
+ - neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables
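Review bot: Neither new job in the zuul.d/base.yaml hunk carries a `description:`, so a reader of the job list cannot tell that the `pre-run` playbook switches the node's iptables, ip6tables, ebtables and arptables alternatives to the nft variants. I would add to each job something like `description: Scenario job run with the xtables binaries switched to their nftables-backed variants.` The inline comment on `enable_ipset: false` could also state what fails with ipset enabled, or reference the related bug, so the override is not reverted by accident. The context lines at the top of the hunk belong to a job definition that starts outside it.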