Add iptables rule to neutron agents containers

When running in an AIO environment, we need to drop an iptables rule to ensure that communication between instances and the neutron metadata service works. Change-Id: Icc081fe83712ce883baa88f99db60c52dcc4c1ae Closes-Bug: #1483603
2015-08-12 10:12:57 +01:00 · 2015-08-12 10:12:57 +01:00 · d879994e13
commit d879994e13
parent e65066cf12
2 changed files with 18 additions and 0 deletions
--- a/scripts/bootstrap-aio.sh
+++ b/scripts/bootstrap-aio.sh
@ -20,6 +20,7 @@ set -e -u -x

 ## Vars ----------------------------------------------------------------------
 DEFAULT_PASSWORD=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32)
+export BOOTSTRAP_AIO="yes"
 export ADMIN_PASSWORD=${ADMIN_PASSWORD:-$DEFAULT_PASSWORD}
 export SERVICE_REGION=${SERVICE_REGION:-"RegionOne"}
 export DEPLOY_SWIFT=${DEPLOY_SWIFT:-"yes"}
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@ -27,6 +27,7 @@ DEPLOY_SWIFT=${DEPLOY_SWIFT:-"yes"}
 DEPLOY_CEILOMETER=${DEPLOY_CEILOMETER:-"yes"}
 DEPLOY_TEMPEST=${DEPLOY_TEMPEST:-"no"}
 COMMAND_LOGS=${COMMAND_LOGS:-"/openstack/log/ansible_cmd_logs/"}
+ADD_NEUTRON_AGENT_CHECKSUM_RULE=${BOOTSTRAP_AIO:-"no"}


 ## Functions -----------------------------------------------------------------
@ -109,6 +110,22 @@ pushd "playbooks"
                           --forks ${FORKS} \
                           -t "${COMMAND_LOGS}/force_apt_update" \
                           &> ${COMMAND_LOGS}/force_apt_update.log
+
+    # When running in an AIO, we need to drop the following iptables rule in any neutron_agent containers
+    # to that ensure instances can communicate with the neutron metadata service.
+    # This is necessary because in an AIO environment there are no physical interfaces involved in
+    # instance -> metadata requests, and this results in the checksums being incorrect.
+    if [ "${ADD_NEUTRON_AGENT_CHECKSUM_RULE}" == "yes" ]; then
+      mkdir -p "${COMMAND_LOGS}/add_neutron_agent_checksum_rule"
+      ansible neutron_agent -m command \
+                            -a '/sbin/iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CHECKSUM --checksum-fill' \
+                            -t "${COMMAND_LOGS}/add_neutron_agent_checksum_rule" \
+                            &> ${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log
+      ansible neutron_agent -m shell \
+                            -a 'DEBIAN_FRONTEND=noninteractive apt-get install iptables-persistent' \
+                            -t "${COMMAND_LOGS}/add_neutron_agent_checksum_rule" \
+                            &> ${COMMAND_LOGS}/add_neutron_agent_checksum_rule.log
+    fi
  fi

  if [ "${DEPLOY_LB}" == "yes" ]; then