From a1eebe6afd0f042eaa161d41d9bab4ac3c2bfe77 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Fri, 7 Aug 2015 20:57:02 +0100
Subject: [PATCH] Add ebtables to neutron agent configuration
Neutron now uses ebtables as an extra security layer for ARP spoof filtering. This patch adds the ebtables package and rootwrap to the neutron role to ensure that the agent is able to use this subsystem. Without it the networking from the instances to the L3 router will fail.
Co-Authored-By: Evan Callicoat
Closes-Bug: #1482756
Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443
---
 playbooks/roles/os_neutron/defaults/main.yml | 1 +
 .../os_neutron/files/rootwrap.d/ebtables.filters | 13 +++++++++++++
 .../roles/os_neutron/tasks/neutron_post_install.yml | 1 +
 .../templates/plugins/ml2/ml2_conf.ini.j2 | 5 ++++-
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters
diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml
index f5ee973b23..60fd4edb2a 100644
--- a/playbooks/roles/os_neutron/defaults/main.yml
+++ b/playbooks/roles/os_neutron/defaults/main.yml
@@ -239,6 +239,7 @@ neutron_apt_packages: - iputils-arping - keepalived - libpq-dev + - ebtables neutron_apt_remove_packages: - conntrackd
diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters
new file mode 100644
index 0000000000..2c3c338db4
--- /dev/null
+++ b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters
@@ -0,0 +1,13 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# neutron/agent/linux/ebtables_driver.py
+ebtables: CommandFilter, ebtables, root
+ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=
diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
index 22210ca50b..7027e4063f 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml
@@ -79,6 +79,7 @@ - { src: "rootwrap.d/linuxbridge-plugin.filters", dest: "/etc/neutron/rootwrap.d/linuxbridge-plugin.filters" } - { src: "rootwrap.d/l3.filters", dest: "/etc/neutron/rootwrap.d/l3.filters" } - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } + - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } notify: - Restart neutron services tags:
diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
index 3a82320258..28457ca111 100644
--- a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
+++ b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2
@@ -76,8 +76,11 @@ physical_interface_mappings = {{ neutron_provider_networks.network_mappings }} {% endif %} -# Agent (empty for Linux bridge agent) +# Agent [agent] +# TODO: Allow this to be the default of True once the upstream issue +# with access through floating IP's is fixed (odyssey4me re: liberty-2) +prevent_arp_spoofing = False # L2 population [l2pop]
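Review bot: The `ebtablesEnv` EnvFilter line lets the neutron user run ebtables as root with any value for `EBTABLES_ATOMIC_FILE`: rootwrap's EnvFilter only checks the variable name (the trailing `=` matches any value), and ebtables' `--atomic-init`/`--atomic-save` write to that path, so as far as I can tell this is effectively a root file-write primitive for a compromised agent. This mirrors the filter shipped in upstream neutron, so it is not something to change here, but the file should say so rather than leave the reader to discover it, e.g. `# NOTE: EnvFilter validates only the variable name; EBTABLES_ATOMIC_FILE may be any path, so a compromised neutron agent can make root write arbitrary files via --atomic-init/--atomic-save.` The header's `# format seems to be` also reads as guesswork in a file that is a privilege boundary; `# Format: cmd-name: filter-name, raw-command, user, args` states the upstream syntax plainly.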
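Review bot: The copy task that this `with_items` entry extends starts outside the hunk, so the owner and mode applied to `/etc/neutron/rootwrap.d/ebtables.filters` are not visible here; the filter file's own header requires it to be root-owned and root-only writable, and because rootwrap executes the listed commands as root, a filter file the neutron user can modify is a direct escalation path. Please confirm the task sets `owner: root`, `group: root` and `mode: "0644"` (or equivalent), and that `filters_path` in `/etc/neutron/rootwrap.conf` already includes `/etc/neutron/rootwrap.d` — presumably true given the sibling `l3.filters` and `vpnaas.filters` entries, but the hunk does not show it.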
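Review bot: `prevent_arp_spoofing = False` hard-codes the ARP-spoof protection off for every deployment, so the ebtables package and rootwrap filters this commit adds install a subsystem that, under this template, the agent appears never to engage for its intended purpose, and an operator who wants the protection has to edit the template. A role variable keeps the conservative default while allowing opt-in: add `neutron_prevent_arp_spoofing: False` to defaults/main.yml and write `prevent_arp_spoofing = {{ neutron_prevent_arp_spoofing }}` here. The TODO should also reference the upstream bug it is waiting on instead of a person and a milestone, so the default can be flipped when that bug closes; I would write it as `# TODO: default to True once upstream bug <id> (floating IP access blocked by ARP filtering) is fixed.`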