Explicitly unset net.ipv4.ip_forward sysctl

While I8bb398e299aa68147004723a18d3a1ec459011e5 stopped setting
the net.ipv4.ip_forward sysctl, this change explicitly removes the
option from the Kolla sysctl config file. In the absence of another
source for this sysctl, it should revert to the default of 0 after the
next reboot.

A deployer looking to more aggressively change the value may set
neutron_l3_agent_host_ipv4_ip_forward to 0. Any deployments still
relying on the previous value may set
neutron_l3_agent_host_ipv4_ip_forward to 1.

Related-Bug: #1945453

Change-Id: I9b39307ad8d6c51e215fe3d3bc56aab998d218ec
Mark Goddard 2022-03-04 15:02:57 +00:00
parent 68bc4f8f52
commit caf33be54b
3 changed files with 19 additions and 0 deletions

@ -564,6 +564,7 @@ openstack_neutron_auth: "{{ openstack_auth }}"
# Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
# Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET
neutron_l3_agent_host_rp_filter_mode: KOLLA_SKIP
neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672
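
Review bot: The comments above `neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET` explain that KOLLA_UNSET removes the key from the managed sysctl.conf file, but they do not say that the running kernel value is left alone. A host that already had the value 1 written by an earlier release keeps forwarding enabled until the next reboot, and only then if no other source sets it, as the commit message notes. Suggest adding one comment line here saying so, and mentioning the 0 setting that the commit message describes for deployers who want the more aggressive change, since this defaults file is where most operators will look.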

@ -25,6 +25,8 @@
sysctl_set: "{{ should_set }}"
sysctl_file: "{{ kolla_sysctl_conf_path }}"
with_items:
# TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle.
- { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}
- { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
- { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
- { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
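
Review bot: The TODO on the `net.ipv4.ip_forward` list entry names only the entry itself. Once this item is dropped in the Zed cycle, the `neutron_l3_agent_host_ipv4_ip_forward` variable has no remaining consumer in this list, so the TODO should name the variable as well so that both are removed together. It would also help to state in the TODO that the entry is kept for one cycle only so that KOLLA_UNSET can clean up existing hosts, since that reason is currently only in the commit message. How the KOLLA_UNSET and KOLLA_SKIP values are turned into `sysctl_set: "{{ should_set }}"` is not visible in this context, so please confirm that path handles the re-added entry the same way as the `rp_filter` entries.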

@ -0,0 +1,16 @@
---
security:
- |
Explicitly removes the ``net.ipv4.ip_forward`` sysctl from
``/etc/sysctl.conf`` on hosts with Neutron L3 Agent. In the absence of
another source for this sysctl, it should revert to the default of 0 after
the next reboot. This is a follow up to a previous change which stopped
setting the sysctl, but leaves existing systems with the original value of
1 set.
A deployer looking to more aggressively change the value may set
``neutron_l3_agent_host_ipv4_ip_forward`` to 0 using a Yoga release of
Kolla Ansible. This option will be removed in future. Any deployments
still relying on the previous value may set
``neutron_l3_agent_host_ipv4_ip_forward`` to 1.
`LP#1945453 <https://launchpad.net/bugs/1945453>`__
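
Review bot: The behaviour change for deployments that still rely on `net.ipv4.ip_forward` being 1 is recorded only under `security:`, where operators reading for upgrade impact are likely to miss it. After upgrading, such hosts keep working until the next reboot and then stop forwarding, which is the kind of delayed change that belongs in an `upgrade:` section too, with the instruction to set `neutron_l3_agent_host_ipv4_ip_forward` to 1 beforehand. In the same note, "This option will be removed in future" is vaguer than the TODO in the task file, which names the Zed cycle; suggest stating the cycle here and moving that sentence to a `deprecations:` entry.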