From 6a7e6a25bc11776078091fc84babaaa3dd4951d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= <radoslaw.piliszek@gmail.com>
Date: Tue, 30 Aug 2022 16:27:04 +0000
Subject: [PATCH] Remove deprecated sysctl knobs

Kolla Ansible stopped setting them as they turned out to be
unnecessary for its operations, yet may have conflicted with
security policies of the hosts. [1] [2]

[1] https://launchpad.net/bugs/1837551
[2] https://launchpad.net/bugs/1945453

Change-Id: Ie8ccd3ab6f22a6f548b1da8d3acd334068dc48f5
---
 ansible/roles/neutron/defaults/main.yml       |  2 --
 ansible/roles/neutron/tasks/config-host.yml   |  4 ----
 ansible/roles/nova-cell/defaults/main.yml     |  4 ----
 ansible/roles/nova-cell/tasks/config-host.yml | 21 +++++++------------
 ...recated-sysctl-knobs-0a10224e1b21d6f5.yaml |  5 +++++
 5 files changed, 13 insertions(+), 23 deletions(-)
 create mode 100644 releasenotes/notes/remove-deprecated-sysctl-knobs-0a10224e1b21d6f5.yaml

diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index d0e0e7d075..6960112025 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -575,8 +575,6 @@ openstack_neutron_auth: "{{ openstack_auth }}"
 
 # Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
 # Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
-neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET
-neutron_l3_agent_host_rp_filter_mode: KOLLA_SKIP
 neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
 neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672
 neutron_l3_agent_host_ipv4_neigh_gc_thresh3: 32768
diff --git a/ansible/roles/neutron/tasks/config-host.yml b/ansible/roles/neutron/tasks/config-host.yml
index 9ffd4cd7c6..b0b1c6fc38 100644
--- a/ansible/roles/neutron/tasks/config-host.yml
+++ b/ansible/roles/neutron/tasks/config-host.yml
@@ -25,10 +25,6 @@
     sysctl_set: "{{ should_set }}"
     sysctl_file: "{{ kolla_sysctl_conf_path }}"
   with_items:
-    # TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle.
-    - { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}
-    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
-    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
     - { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
     - { name: "net.ipv4.neigh.default.gc_thresh2", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh2 }}"}
     - { name: "net.ipv4.neigh.default.gc_thresh3", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh3 }}"}
diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 5fc0a79f91..a976c769e4 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -462,10 +462,6 @@ nova_libvirt_logging_debug: "{{ nova_logging_debug }}"
 
 openstack_nova_auth: "{{ openstack_auth }}"
 
-# Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
-# Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
-nova_compute_host_rp_filter_mode: KOLLA_SKIP
-
 nova_libvirt_port: "{{ '16514' if libvirt_tls | bool else '16509' }}"
 nova_ssh_port: "8022"
 
diff --git a/ansible/roles/nova-cell/tasks/config-host.yml b/ansible/roles/nova-cell/tasks/config-host.yml
index deca40f415..1101134277 100644
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@@ -8,24 +8,19 @@
   when:
     - inventory_hostname in groups[nova_cell_compute_group]
 
-- name: Setting sysctl values
+- name: Enable bridge-nf-call sysctl variables
   become: true
-  vars:
-    should_set: "{{ item.value != 'KOLLA_UNSET' }}"
   sysctl:
-    name: "{{ item.name }}"
-    state: "{{ should_set | ternary('present', 'absent') }}"
-    value: "{{ should_set | ternary(item.value, omit) }}"
-    sysctl_set: "{{ should_set }}"
+    name: "{{ item }}"
+    state: present
+    value: "1"
+    sysctl_set: true
     sysctl_file: "{{ kolla_sysctl_conf_path }}"
-  with_items:
-    - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
-    - { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
-    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
-    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
+  loop:
+    - net.bridge.bridge-nf-call-iptables
+    - net.bridge.bridge-nf-call-ip6tables
   when:
     - set_sysctl | bool
-    - item.value != 'KOLLA_SKIP'
     - inventory_hostname in groups[nova_cell_compute_group]
 
 # NOTE(yoctozepto): Part of bug #1681461 fix.
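Review bot: Removing the rp_filter entries from the loop also removes the only task that could issue `state: absent` for `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter`, so whatever an earlier run wrote for those keys into `{{ kolla_sysctl_conf_path }}` now stays there unmanaged, and an existing override of `nova_compute_host_rp_filter_mode` is silently ignored rather than reported. The same applies to the neutron `ip_forward`/`rp_filter` variables deleted in the earlier hunks. Since rp_filter is a spoofing-protection setting that hosts may be audited on, the upgrade note should spell this out, e.g. `Values previously written for these keys into the Kolla-managed sysctl file are no longer touched and must be removed by hand if unwanted; overrides of the removed variables have no effect.` The rewritten bridge-nf-call task itself looks correct; a short comment above it, such as `# Make bridged traffic traverse iptables/ip6tables on compute hosts.`, would record why these two knobs remain unconditional.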
diff --git a/releasenotes/notes/remove-deprecated-sysctl-knobs-0a10224e1b21d6f5.yaml b/releasenotes/notes/remove-deprecated-sysctl-knobs-0a10224e1b21d6f5.yaml
new file mode 100644
index 0000000000..c74076e7e4
--- /dev/null
+++ b/releasenotes/notes/remove-deprecated-sysctl-knobs-0a10224e1b21d6f5.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Deprecated sysctl knobs related to ``ip_forward`` and ``rp_filter``
+    were removed.