
Merge "Set bridge-nf-call-* values to 1" into stable/queens

changes/79/692579/1
Zuul 3 months ago
parent
commit
f2e945dd6a
2 changed files with 25 additions and 0 deletions
  1. +19
    -0
      puppet/services/kernel.yaml
  2. +6
    -0
      releasenotes/notes/fix-bridge-nf-call-defaults.rst

+ 19
- 0
puppet/services/kernel.yaml View File

@@ -72,6 +72,18 @@ parameters:
default: 1024
description: Configures sysctl fs.inotify.max_user_instances key
type: number
BridgeNfCallArpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
type: number
BridgeNfCallIpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
type: number
BridgeNfCallIp6Tables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
type: number
ExtraKernelModules:
default: {}
description: Hash of extra Kernel modules to load.
@@ -126,6 +138,7 @@ outputs:
- 'localhost'
kernel_modules:
map_merge:
- br_netfilter: {}
- nf_conntrack: {}
nf_conntrack_proto_sctp: {}
- {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
@@ -204,6 +217,12 @@ outputs:
value: {get_param: NeighbourGcThreshold2}
net.ipv4.neigh.default.gc_thresh3:
value: {get_param: NeighbourGcThreshold3}
net.bridge.bridge-nf-call-arptables:
value: {get_param: BridgeNfCallArpTables}
net.bridge.bridge-nf-call-iptables:
value: {get_param: BridgeNfCallIpTables}
net.bridge.bridge-nf-call-ip6tables:
value: {get_param: BridgeNfCallIp6Tables}
# set inotify value for neutron/dnsmasq scale
fs.inotify.max_user_instances:
value: {get_param: InotifyIntancesMax}
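Review bot: The three new parameters BridgeNfCallArpTables, BridgeNfCallIpTables and BridgeNfCallIp6Tables (first hunk) are declared `type: number` with no constraint, yet the kernel treats these sysctls as on/off toggles; a value such as 2 or -1 would be handed to sysctl unvalidated, so each should carry `constraints:` / `- allowed_values: [0, 1]`. Their descriptions only name the key; since the release note states these must be 1 for security groups to work, the description should say so, e.g. `description: Configures sysctl net.bridge.bridge-nf-call-iptables key. Must be 1 for bridged traffic to be filtered by iptables-based security groups.`. The net.bridge.* keys only exist once br_netfilter is loaded (added to kernel_modules in the second hunk); whether module loading is ordered before the sysctl apply is decided outside these hunks and should be confirmed. The sysctl_settings mapping the third hunk extends begins outside the hunk.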

+ 6
- 0
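--- a/releasenotes/notes/fix-bridge-nf-call-defaults.rst
+++ b/releasenotes/notes/fix-bridge-nf-call-defaults.rst
@@ -0,0 +1,6 @@
+---
+fixes:
+- |
+Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
+may not be applied due to br_netfilter not being loaded. These values must
+be 1 for security groups to work.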
