From 2f91be9f391f3aa5ef80248ca821b3f34e73bf24 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 8 Jul 2020 10:51:17 +0100
Subject: [PATCH] Load br_netfilter module in nova-cell role

The nova-cell role sets the following sysctls on compute hosts, which
require the br_netfilter kernel module to be loaded:

    net.bridge.bridge-nf-call-iptables
    net.bridge.bridge-nf-call-ip6tables

If it is not loaded, then we see the following errors:

    Failed to reload sysctl:
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
    sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

Loading the br_netfilter module resolves this issue.

Typically we do not see this since installing Docker and configuring it
to manage iptables rules causes the br_netfilter module to be loaded.
There are good reasons [1] to disable Docker's iptables management
however, in which case we are likely to hit this issue.

This change loads the br_netfilter module in the nova-cell role for
compute hosts.

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1849275

Co-Authored-By: Dincer Celik <hello@dincercelik.com>

Change-Id: Id52668ba8dab460ad4c33fad430fc8611e70825e
---
 ansible/roles/nova-cell/tasks/config-host.yml            | 9 +++++++++
 .../notes/load-br-netfilter-4ce9facd93e96af7.yaml        | 6 ++++++
 2 files changed, 15 insertions(+)
 create mode 100644 releasenotes/notes/load-br-netfilter-4ce9facd93e96af7.yaml

diff --git a/ansible/roles/nova-cell/tasks/config-host.yml b/ansible/roles/nova-cell/tasks/config-host.yml
index 2737d4ab57..e6dcbb2eb9 100644
--- a/ansible/roles/nova-cell/tasks/config-host.yml
+++ b/ansible/roles/nova-cell/tasks/config-host.yml
@@ -1,4 +1,13 @@
 ---
+- name: Load and persist br_netfilter module
+  include_role:
+    name: module-load
+  vars:
+    modules:
+      - { name: br_netfilter }
+  when:
+    - inventory_hostname in groups[nova_cell_compute_group]
+
 - name: Setting sysctl values
   become: true
   sysctl:
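Review bot: The `when` on the new include_role task at the top of config-host.yml limits the module load to hosts where `inventory_hostname in groups[nova_cell_compute_group]`, but the condition on the "Setting sysctl values" task that follows is not visible in this hunk. If that task applies the net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables sysctls to any host outside that group, the "cannot stat /proc/sys/net/bridge/..." failure from the commit message would still occur there, so please confirm the two conditions match. A one-line comment above the task saying that these sysctls only exist once br_netfilter is loaded, and that Docker does not load it when its iptables management is disabled, would also help the next reader understand why the ordering matters.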
diff --git a/releasenotes/notes/load-br-netfilter-4ce9facd93e96af7.yaml b/releasenotes/notes/load-br-netfilter-4ce9facd93e96af7.yaml
new file mode 100644
index 0000000000..c024f7b91d
--- /dev/null
+++ b/releasenotes/notes/load-br-netfilter-4ce9facd93e96af7.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue where the ``br_netfilter`` kernel module was not loaded on
+    compute hosts. `LP#1886796
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1886796>`__
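Review bot: The release note text under `fixes:` states only that the module "was not loaded on compute hosts", with neither the symptom nor the triggering condition, so an operator searching for the error will not find it. Suggest naming the failure (sysctl reload failing on net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables) and noting that it appears when Docker is not managing iptables rules, as the commit message explains. The note also links LP#1886796, while the commit message references only bug 1849275 and carries no trailer for 1886796; adding that reference to the commit message would keep the two consistent.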