Remove iptables checksum rule script

https://review.openstack.org/#/c/148718/ has been merged so including the post-up-checksum-rules script is no longer necessary. A new task has been added so that the script will be removed during upgrades from Liberty. Tests have been added to ensure that the dhcp agent is active, that the dhcp network namespace is being created as expected, and that this iptables rule is being created within that namespace. The unconfined apparmor profile has also been applied to the neutron test container so that it has the permissions required to create network namespaces. Change-Id: I068d091873d2744b0849b0d52a8083e129841b1b
2016-03-15 10:15:45 -07:00 · 2016-03-15 10:15:45 -07:00 · 4eee5af862
parent 9e234fcf55
commit 4eee5af862
4 changed files with 55 additions and 64 deletions
--- a/files/post-up-checksum-rules
+++ b/files/post-up-checksum-rules
@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTICE:
-#   This script is purpose built to resolve an issue within neutron
-#   where packet checksums are being dropped.
-#   Launchpad issue:
-#     https://bugs.launchpad.net/bugs/1244589
-#
-#   Open review:
-#     https://review.openstack.org/#/c/148718/
-#
-# TODO(cloudnull) remove this script once the bug is fixed.
-
-
-# Iptables path, used for ipv4 firewall.
-IPTABLES=$(which iptables)
-if [ ! -z "${IPTABLES}" ]; then
-    if ! ${IPTABLES} -C POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill 2> /dev/null; then
-        ${IPTABLES} -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
-    fi
-fi
-
-# Ip6tables path, used for ipv6 firewall.
-IP6TABLES=$(which ip6tables)
-if [ ! -z "${IP6TABLES}" ]; then
-    if ! ${IP6TABLES} -C POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill 2> /dev/null; then
-        ${IP6TABLES} -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
-    fi
-fi
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -121,23 +121,11 @@
  tags:
    - neutron_config

- name: Drop iptables checksum fix
-  copy:
-    src: "post-up-checksum-rules"
-    dest: "/etc/network/if-up.d/post-up-checksum-rules"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-  when: >
-    inventory_hostname in groups[neutron_services['neutron-linuxbridge-agent']['group']]
-  tags:
-    - neutron-config
-    - neutron-checksum-fix
-
- name: Run iptables checksum fix
-  command: /etc/network/if-up.d/post-up-checksum-rules
-  when: >
-    inventory_hostname in groups[neutron_services['neutron-linuxbridge-agent']['group']]
+#TODO(jmccrory): Remove this task prior to Newton release
+- name: Remove iptables checksum fix script
+  file:
+    path: /etc/network/if-up.d/post-up-checksum-rules
+    state: absent
  tags:
    - neutron-config
    - neutron-checksum-fix
--- a/tests/test-install-neutron.yml
+++ b/tests/test-install-neutron.yml
@ -18,6 +18,28 @@
  user: root
  gather_facts: true
  pre_tasks:
+    - name: Use the unconfined aa profile
+      lxc_container:
+        name: "{{ container_name }}"
+        container_config:
+          - "lxc.aa_profile=unconfined"
+      delegate_to: "{{ physical_host }}"
+    - name: Neutron extra lxc config
+      lxc_container:
+        name: "{{ container_name }}"
+        container_command: |
+          [[ ! -d "/lib/modules" ]] && mkdir -p "/lib/modules"
+        container_config:
+          - "lxc.cgroup.devices.allow=a *:* rmw"
+          - "lxc.mount.entry=/lib/modules lib/modules none bind 0 0"
+      delegate_to: "{{ physical_host }}"
+    - name: Wait for ssh to be available
+      local_action:
+        module: wait_for
+        port: "{{ ansible_ssh_port | default('22') }}"
+        host: "{{ ansible_ssh_host | default(inventory_hostname) }}"
+        search_regex: OpenSSH
+        delay: 1
    - name: Ensure rabbitmq vhost
      rabbitmq_vhost:
        name: "{{ neutron_rabbitmq_vhost }}"
@ -112,7 +134,7 @@
    neutron_developer_mode: true
    neutron_provider_networks:
      network_flat_networks: "flat"
-      network_mappings: "flat:eth12,vlan:eth11"
+      network_mappings: "flat:{{ ansible_default_ipv4.interface }}"
      network_types: "vxlan,flat,vlan"
      network_vlan_ranges: "vlan:1:1,vlan:1024:1025"
      network_vxlan_ranges: "1:1000"
--- a/tests/test-neutron-functional.yml
+++ b/tests/test-neutron-functional.yml
@ -27,6 +27,15 @@
    url: "http://localhost:9696"
    status_code: 200

+- name: Ensure that the DHCP agent is alive
+  shell: |
+    . /root/openrc
+    neutron agent-list | grep DHCP
+  register: neutron_dhcp_agent
+  until: neutron_dhcp_agent.stdout.find(':-)') != -1
+  retries: 5
+  delay: 10
+
 - name: Create test network
  neutron:
    command: create_network
@ -46,8 +55,22 @@
    . /root/openrc
    neutron port-create --name test-port test-network
  register: neutron_port_create
+  until: neutron_port_create.rc == 0
+  retries: 5
+  delay: 10

- name: Ensure neutron port was created successfully
-  assert:
-    that:
-      - neutron_port_create.rc == 0
+- name: Check for dhcp network namespace
+  shell: |
+    ip netns | grep "^qdhcp"
+  register: dhcp_namespace
+  until: dhcp_namespace.rc == 0
+  retries: 5
+  delay: 10
+
+- name: Check for iptables checksum rule
+  shell: |
+    ip netns exec {{ dhcp_namespace.stdout }} iptables -C neutron-dhcp-age-POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
+  register: checksum_rule
+  until : checksum_rule.rc == 0
+  retries: 5
+  delay: 10