Add ebtables to neutron agent configuration
Neutron now uses ebtables as an extra security layer for ARP spoof filtering. This patch adds the ebtables package and rootwrap to the neutron role to ensure that the agent is able to use this subsystem. Without it the networking from the instances to the L3 router will fail. Co-Authored-By: Evan Callicoat <diopter@gmail.com> Closes-Bug: #1482756 Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443
parent
4734142ab3
commit
ae11efc9ca
|
@ -239,6 +239,7 @@ neutron_apt_packages:
|
|||
- iputils-arping
|
||||
- keepalived
|
||||
- libpq-dev
|
||||
- ebtables
|
||||
|
||||
neutron_apt_remove_packages:
|
||||
- conntrackd
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
# neutron-rootwrap command filters for nodes on which neutron is
|
||||
# expected to control network
|
||||
#
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
# format seems to be
|
||||
# cmd-name: filter-name, raw-command, user, args
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/ebtables_driver.py
|
||||
ebtables: CommandFilter, ebtables, root
|
||||
ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=
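Review bot: The `ebtables: CommandFilter, ebtables, root` entry matches on the executable name only, so the neutron service account may run ebtables as root with any arguments, not just those issued by ebtables_driver.py. If that breadth is intended, state it in the file, e.g. `# CommandFilter checks the executable only; all ebtables arguments are permitted as root`, and replace the hedged `# format seems to be` header with a definite description of the filter syntax. The `ebtablesEnv` line also appears to differ from the `EnvFilter, env, root, VAR=, command` shape that oslo.rootwrap documents, so it is worth confirming against the driver's actual invocation that this filter matches.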
|
|
@ -79,6 +79,7 @@
|
|||
- { src: "rootwrap.d/linuxbridge-plugin.filters", dest: "/etc/neutron/rootwrap.d/linuxbridge-plugin.filters" }
|
||||
- { src: "rootwrap.d/l3.filters", dest: "/etc/neutron/rootwrap.d/l3.filters" }
|
||||
- { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
|
||||
- { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
|
||||
notify:
|
||||
- Restart neutron services
|
||||
tags:
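Review bot: The ownership and mode applied to the new `rootwrap.d/ebtables.filters` item are not visible here, because the task's module arguments sit above the hunk and its body continues past `tags:`. The filter file's own header says it should be owned by, and writable only by, root; anyone able to edit it can widen what neutron may run as root. Confirm the task sets `owner: root` and a mode without group or other write for every item in this list.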
|
||||
|
|
|
@ -76,8 +76,11 @@ physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
|
|||
|
||||
{% endif %}
|
||||
|
||||
# Agent (empty for Linux bridge agent)
|
||||
# Agent
|
||||
[agent]
|
||||
# TODO: Allow this to be the default of True once the upstream issue
|
||||
# with access through floating IP's is fixed (odyssey4me re: liberty-2)
|
||||
prevent_arp_spoofing = False
|
||||
|
||||
# L2 population
|
||||
[l2pop]
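Review bot: `prevent_arp_spoofing = False` is hard-coded in the `[agent]` section, so every deployment rendered from this template runs with ARP spoofing protection off and can only enable it by editing the template. The commit message describes installing ebtables so the agent can do ARP spoof filtering, but does not mention that the feature is disabled here. Consider exposing it as a role variable that defaults to the current value, for example `prevent_arp_spoofing = {{ neutron_prevent_arp_spoofing | default(False) }}` (the variable name is a suggestion, not an existing one). The TODO should also carry the upstream bug reference so it is clear when the default can flip to True.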
|
||||
|
|