[OVN] Prevent OVS to OVN migration if firewall "iptables_hybrid"

Prevent the OVS to OVN migration if any node has the OVS agent firewall set to "iptables_hybrid". If present, the migration will exit. This check is implemented in the OVN migration script for TripleO environments. Closes-Bug: #1951272 Change-Id: I55f25f56f87bfa2a5e330cdf4c1087e8d4082b29
2021-11-17 15:25:34 +00:00 · 2021-11-17 15:25:34 +00:00 · 2aa1bbabe3
commit 2aa1bbabe3
parent 63f8a39d75
2 changed files with 19 additions and 0 deletions
--- a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml
@ -13,6 +13,15 @@
  tags:
    - pre-migration

+
+- name: Pre migration checks in the OVN controllers
+  hosts: ovn-controllers
+  roles:
+    - pre-checks/ovn-controllers
+  tags:
+    - pre-migration
+
+
 #
 # This step is executed before migration, and will backup some config
 # files related to containers before those get lost.
--- a/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
+++ b/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml
@ -0,0 +1,10 @@
+---
+- name: Read OVS configuration file and extract "firewall_driver" variable.
+  set_fact:
+    firewall_driver: "{{ lookup('ini', 'firewall_driver section=securitygroup file=/var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini', allow_no_value=True) }}"
+
+- name: Check OVS agent firewall is not using "iptables_hybrid" option
+  assert:
+    that:
+      - "'iptables_hybrid' != firewall_driver"
+    fail_msg: "OVS agent firewall cannot be 'iptables_hybrid', migration will not continue"