From d9bae4c5569a6c60a0c5562680c87c9e517f38cf Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 15 May 2020 15:31:11 +0200
Subject: [PATCH] Deprecate old NeutronFirewallDriver option
This option was used to configure firewall driver in the neutron server's config. That isn't really used in Neutron since around Newton release as since Newton agents are reporting to the server what firewall driver they are using and that is used in neutron ML2 plugin. Firewall driver can be configured on the agent's side using ``NeutronOVSFirewallDriver`` option which is still here. Neutron removes usage of this option on the server side with patch https://review.opendev.org/#/c/726351/
Change-Id: Ifd1527503926b9f86ed567d9396e696d86457715
---
 deployment/neutron/neutron-plugin-ml2.yaml | 13 ++++++++-----
 environments/undercloud.yaml | 2 +-
 ...utronFirewallDriver-option-f4289b404abcc0b3.yaml | 12 ++++++++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml
diff --git a/deployment/neutron/neutron-plugin-ml2.yaml b/deployment/neutron/neutron-plugin-ml2.yaml
index 81bddb597e..99c98f6607 100644
--- a/deployment/neutron/neutron-plugin-ml2.yaml
+++ b/deployment/neutron/neutron-plugin-ml2.yaml
@@ -72,10 +72,6 @@ parameters:
 default: 'geneve'
 description: The tenant network type for Neutron.
 type: comma_delimited_list
- NeutronFirewallDriver:
- description: Firewall driver for realizing neutron security group function
- type: string
- default: 'iptables_hybrid'
 NeutronOverlayIPVersion:
 default: 4
 description: IP version used for all overlay network endpoints.
@@ -103,6 +99,14 @@ parameters:
 administratively prohibited by the SR-IOV mechanism driver.
 type: comma_delimited_list
 default: ""
+ # DEPRECATED: the NeutronFirewallDriver option is deprecated and is currently
+ # maintained for backwards compatibility. It has no any effect on the
+ # deployment and will be removed in the W release.
+ # Please use NeutronOVSFirewallDriver to configure driver in the ovs agent.
+ NeutronFirewallDriver:
+ description: Firewall driver for realizing neutron security group function
+ type: string
+ default: ''
 parameter_groups:
 - label: deprecated
@@ -145,7 +149,6 @@ outputs:
 neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
 neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
 neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
- neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
 neutron::plugins::ml2::ovs_driver::vnic_type_blacklist: {get_param: NeutronOvsVnicTypeBlacklist}
 neutron::plugins::ml2::sriov_driver::vnic_type_blacklist: {get_param: NeutronSriovVnicTypeBlacklist}
 neutron::plugins::ml2::overlay_ip_version:
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index fe407fbcda..1de7e401ad 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -153,7 +153,7 @@ parameter_defaults:
 NeutronMechanismDrivers: ['openvswitch', 'baremetal']
 NeutronNetworkVLANRanges: 'physnet1:1000:2999'
 NeutronPluginExtensions: port_security,dns_domain_ports
- NeutronFirewallDriver: ''
+ NeutronOVSFirewallDriver: ''
 NeutronNetworkType: ['local','flat','vlan','gre','vxlan']
 NeutronTunnelIdRanges: '20:100'
 NeutronTypeDrivers: ['local','flat','vlan','gre','vxlan']
diff --git a/releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml b/releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml
new file mode 100644
index 0000000000..5c7f58bfb9
--- /dev/null
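Review bot: The re-added `NeutronFirewallDriver` parameter in deployment/neutron/neutron-plugin-ml2.yaml (hunk `@@ -103,6 +99,14 @@`) announces its deprecation only in a YAML comment, while the `description` that template users see still reads as if the value selected the firewall driver. Because the mapping to `neutron::plugins::ml2::firewall_driver` is removed in the next hunk, a value an operator sets here is now ignored without notice, which matters for a setting that names how security groups are enforced. I would state it in the description, `description: DEPRECATED, has no effect; use NeutronOVSFirewallDriver to set the firewall driver of the OVS agent.`, and add the parameter to the `- label: deprecated` group if it is not already listed there; that group's `parameters:` list lies outside the hunk and no hunk in this patch touches it. The comment's "It has no any effect" should read "It has no effect".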
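Review bot: In environments/undercloud.yaml (hunk `@@ -153,7 +153,7 @@`) the new line `NeutronOVSFirewallDriver: ''` is more than a rename: the old key fed the server-side option this patch retires, while the commit message describes the new key as the agent-side driver setting, so the empty string now applies to the OVS agent. What an empty value resolves to is not visible in this diff. If it equals the parameter's default the line can be dropped; otherwise a comment such as `# '' leaves the OVS agent on its default firewall driver (confirm)` would tell the next reader which driver enforces security groups on the undercloud. The `parameter_defaults:` block starts and ends outside the hunk.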
+++ b/releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml
@@ -0,0 +1,12 @@
+---
+deprecations:
+ - |
+ Usage of the option ``NeutronFirewallDriver`` which was used to set
+ ``firewall_driver`` config option in the Neutron server's config is now
+ deprecated.
+ Firewall driver should be set per agent in the agent's config.
+ It can be done using ``NeutronOVSFirewallDriver`` option.
+ Option in the Neutron server was in there just for backward
+ compatybility reasons but since Newton release all Neutron agents are
+ reporting to the server what firewall driver is used so there is no need to
+ keep this legacy, server side option anymore.