Merge "Set bridge-nf-call-* values to 1" into stable/queens

Zuul 2019-10-31 22:25:32 +00:00 committed by Gerrit Code Review
commit f2e945dd6a
2 changed files with 25 additions and 0 deletions


@ -72,6 +72,18 @@ parameters:
default: 1024 default: 1024
description: Configures sysctl fs.inotify.max_user_instances key description: Configures sysctl fs.inotify.max_user_instances key
type: number type: number
BridgeNfCallArpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
type: number
BridgeNfCallIpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
type: number
BridgeNfCallIp6Tables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
type: number
ExtraKernelModules: ExtraKernelModules:
default: {} default: {}
description: Hash of extra Kernel modules to load. description: Hash of extra Kernel modules to load.
@ -126,6 +138,7 @@ outputs:
- 'localhost' - 'localhost'
kernel_modules: kernel_modules:
map_merge: map_merge:
- br_netfilter: {}
- nf_conntrack: {} - nf_conntrack: {}
nf_conntrack_proto_sctp: {} nf_conntrack_proto_sctp: {}
- {get_attr: [RoleParametersValue, value, extra_kernel_modules]} - {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
@ -204,6 +217,12 @@ outputs:
value: {get_param: NeighbourGcThreshold2} value: {get_param: NeighbourGcThreshold2}
net.ipv4.neigh.default.gc_thresh3: net.ipv4.neigh.default.gc_thresh3:
value: {get_param: NeighbourGcThreshold3} value: {get_param: NeighbourGcThreshold3}
net.bridge.bridge-nf-call-arptables:
value: {get_param: BridgeNfCallArpTables}
net.bridge.bridge-nf-call-iptables:
value: {get_param: BridgeNfCallIpTables}
net.bridge.bridge-nf-call-ip6tables:
value: {get_param: BridgeNfCallIp6Tables}
# set inotify value for neutron/dnsmasq scale # set inotify value for neutron/dnsmasq scale
fs.inotify.max_user_instances: fs.inotify.max_user_instances:
value: {get_param: InotifyIntancesMax} value: {get_param: InotifyIntancesMax}
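Review bot: The three new BridgeNfCall* parameters are declared as unconstrained `type: number`, so an environment file can set them to 0 or to a meaningless value without any validation error, although the release note in this commit says they must be 1 for security groups to work. Each one could carry `constraints: [{allowed_values: [0, 1]}]` and a description that states the dependency, for example `Configures sysctl net.bridge.bridge-nf-call-iptables key. Must be 1 for security groups to filter bridged traffic.` The net.bridge.* keys only exist once br_netfilter is loaded; the second hunk adds the module to kernel_modules, but whether module loading is ordered before the sysctl settings are applied is not visible here and is worth confirming. The parameters and outputs sections both continue outside these hunks.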


@ -0,0 +1,6 @@
---
fixes:
- |
Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
may not be applied due to br_netfilter not being loaded. These values must
be 1 for security groups to work.