From e54edb55e4e8583e1a5ba92c21e8e6b82d3faee6 Mon Sep 17 00:00:00 2001
From: Jan Vondra <jan.vondra@ultimum.io>
Date: Tue, 1 Oct 2019 15:11:16 +0200
Subject: [PATCH] Neutron: add support to use legacy iptables

The neutron_legacy_iptables option sets the KOLLA_LEGACY_IPTABLES
environment variable in the neutron-l3-agent, neutron-linuxbridge-agent
and neutron_openvswitch_agent containers, where it should be consumed
by the kolla_extended_start script, resulting in iptables-legacy being set.

Depends-On: https://review.opendev.org/#/c/683679/
Change-Id: Iaa8b46a2227b61a729b8d54bbe4b20f389f251d1
---
 ansible/group_vars/all.yml              | 3 +++
 ansible/roles/neutron/defaults/main.yml | 5 +++++
 ansible/roles/neutron/handlers/main.yml | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index f71ddafa41..0297d41090 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -910,6 +910,9 @@ computes_need_external_bridge: "{{ enable_neutron_dvr | bool and neutron_compute
 # Default DNS resolvers for virtual networks
 neutron_dnsmasq_dns_servers: "1.1.1.1,8.8.8.8,8.8.4.4"
 
+# Set legacy iptables to allow kernels not supporting iptables-nft
+neutron_legacy_iptables: "no"
+
 #######################
 # Nova options
 #######################
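Review bot: The comment above `neutron_legacy_iptables` does not say what the option switches or which values it accepts. Something like `# Use iptables-legacy instead of iptables-nft inside the Neutron agent containers ("yes" or "no"), for kernels not supporting iptables-nft` would tell an operator what is affected. The agents presumably write their filtering and NAT rules through whichever backend is selected, so if the setting has to agree with the backend used on the host, that should be stated here too.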
diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index c0b5557b34..09f64a4faf 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -30,6 +30,8 @@ neutron_services:
     image: "{{ neutron_openvswitch_agent_image_full }}"
     enabled: "{{ neutron_plugin_agent == 'openvswitch' and not enable_onos | bool }}"
     privileged: True
+    environment:
+      KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
     host_in_groups: >-
       {{
       ( (inventory_hostname in groups['compute'] and nova_compute_virt_type != 'xenapi')
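Review bot: `KOLLA_LEGACY_IPTABLES` is added to three service entries (this hunk and the hunks at lines 67 and 91), but the rest of `neutron_services` lies outside the hunks, so it is not visible whether any other agent container in the mapping also invokes iptables. If one does, it should receive the same variable; otherwise containers on one host could end up writing rules through different backends. Because the expression `"{{ neutron_legacy_iptables | bool | lower }}"` is repeated verbatim in all three places, add a short comment such as `# rendered as 'true'/'false' for kolla_extended_start` on the first occurrence to document the expected format.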
@@ -67,6 +69,7 @@ neutron_services:
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
       NEUTRON_BRIDGE: "br-ex"
       NEUTRON_INTERFACE: "{{ neutron_external_interface }}"
+      KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
     host_in_groups: >-
       {{
       inventory_hostname in groups['compute']
@@ -91,6 +94,8 @@ neutron_services:
     image: "{{ neutron_l3_agent_image_full }}"
     privileged: True
     enabled: "{{ neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] and not enable_opendaylight_l3 | bool and not enable_onos | bool }}"
+    environment:
+      KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
     host_in_groups: >-
       {{
       inventory_hostname in groups['neutron-l3-agent']
diff --git a/ansible/roles/neutron/handlers/main.yml b/ansible/roles/neutron/handlers/main.yml
index b3748279f3..fcde345072 100644
--- a/ansible/roles/neutron/handlers/main.yml
+++ b/ansible/roles/neutron/handlers/main.yml
@@ -25,6 +25,7 @@
     common_options: "{{ docker_common_options }}"
     name: "{{ service.container_name }}"
     image: "{{ service.image }}"
+    environment: "{{ service.environment }}"
     volumes: "{{ service.volumes|reject('equalto', '')|list }}"
     dimensions: "{{ service.dimensions }}"
     privileged: "{{ service.privileged | default(False) }}"
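Review bot: `environment: "{{ service.environment }}"` has no fallback, unlike `privileged: "{{ service.privileged | default(False) }}"` three lines below it. Templating would therefore fail for any service entry that lacks an `environment` key, for example when an operator overrides `neutron_services`. Suggest `environment: "{{ service.environment | default(omit) }}"` here and on the identical line in the second hunk at line 108. The task names sit outside both hunks, so which handlers are affected is only inferred from the service entries changed in defaults/main.yml.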
@@ -107,6 +108,7 @@
     common_options: "{{ docker_common_options }}"
     name: "{{ service.container_name }}"
     image: "{{ service.image }}"
+    environment: "{{ service.environment }}"
     volumes: "{{ service.volumes|reject('equalto', '')|list }}"
     dimensions: "{{ service.dimensions }}"
     privileged: "{{ service.privileged | default(False) }}"