Add ebtables to neutron agent configuration

Neutron now uses ebtables as an extra security layer for ARP
spoof filtering. This patch adds the ebtables package and
rootwrap to the neutron role to ensure that the agent is able
to use this subsystem. Without it the networking from the
instances to the L3 router will fail.

Co-Authored-By: Evan Callicoat <diopter@gmail.com>
Closes-Bug: #1482756
Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443

defaults/main.yml

@@ -239,6 +239,7 @@ neutron_apt_packages:
   - iputils-arping
   - keepalived
   - libpq-dev
+  - ebtables
 
 neutron_apt_remove_packages:
   - conntrackd

files/rootwrap.d/ebtables.filters

@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/ebtables_driver.py
+ebtables: CommandFilter, ebtables, root
+ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=

tasks/neutron_post_install.yml

@@ -79,6 +79,7 @@
     - { src: "rootwrap.d/linuxbridge-plugin.filters", dest: "/etc/neutron/rootwrap.d/linuxbridge-plugin.filters" }
     - { src: "rootwrap.d/l3.filters", dest: "/etc/neutron/rootwrap.d/l3.filters" }
     - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
   notify:
     - Restart neutron services
   tags:

templates/plugins/ml2/ml2_conf.ini.j2

@@ -76,8 +76,11 @@ physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
 
 {% endif %}
 
-# Agent (empty for Linux bridge agent)
+# Agent
 [agent]
+# TODO: Allow this to be the default of True once the upstream issue
+# with access through floating IP's is fixed (odyssey4me re: liberty-2)
+prevent_arp_spoofing = False
 
 # L2 population
 [l2pop]