From 2aa1bbabe355243e109d898eabf87acded2fef2f Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Wed, 17 Nov 2021 15:25:34 +0000 Subject: [PATCH] [OVN] Prevent OVS to OVN migration if firewall "iptables_hybrid" Prevent the OVS to OVN migration if any node has the OVS agent firewall set to "iptables_hybrid". If present, the migration will exit. This check is implemented in the OVN migration script for TripleO environments. Closes-Bug: #1951272 Change-Id: I55f25f56f87bfa2a5e330cdf4c1087e8d4082b29 --- .../tripleo_environment/playbooks/ovn-migration.yml | 9 +++++++++ .../roles/pre-checks/ovn-controllers/tasks/main.yml | 10 ++++++++++ 2 files changed, 19 insertions(+) create mode 100644 tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml diff --git a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml index 724c182a73d..9b504ef59c7 100644 --- a/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml +++ b/tools/ovn_migration/tripleo_environment/playbooks/ovn-migration.yml @@ -13,6 +13,15 @@ tags: - pre-migration + +- name: Pre migration checks in the OVN controllers + hosts: ovn-controllers + roles: + - pre-checks/ovn-controllers + tags: + - pre-migration + + # # This step is executed before migration, and will backup some config # files related to containers before those get lost. diff --git a/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml b/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml new file mode 100644 index 00000000000..7f8ebc410e9 --- /dev/null +++ b/tools/ovn_migration/tripleo_environment/playbooks/roles/pre-checks/ovn-controllers/tasks/main.yml 
@@ -0,0 +1,10 @@
+---
+- name: Read OVS configuration file and extract "firewall_driver" variable.
+ set_fact:
+ firewall_driver: "{{ lookup('ini', 'firewall_driver section=securitygroup file=/var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini', allow_no_value=True) }}"
+
+- name: Check OVS agent firewall is not using "iptables_hybrid" option
+ assert:
+ that:
+ - "'iptables_hybrid' != firewall_driver"
+ fail_msg: "OVS agent firewall cannot be 'iptables_hybrid', migration will not continue"
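Review bot: The `lookup('ini', …)` in the first task is evaluated on the Ansible control node, not on the hosts of the play, so every member of `ovn-controllers` is judged by whatever `openvswitch_agent.ini` sits at that path on the machine running the playbook. A node that really uses the hybrid driver could therefore pass this guard, and a missing file on the control node is likely to abort the run for an unrelated reason. Reading the file on the managed node (for example `slurp` with `register`) and asserting on that content keeps the check per-host and makes an unreadable file fail the pre-check, as sketched below. The comparison is also an exact match on the alias, so if `firewall_driver` can be given in another spelling such as a full class path (worth confirming), that value would slip past. With `allow_no_value=True` an absent key passes silently, which should be a deliberate choice.

```yaml
- name: Read the OVS agent configuration on the node being checked
  slurp:
    src: /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini
  register: ovs_agent_ini

- name: Check OVS agent firewall is not using "iptables_hybrid" option
  assert:
    that:
      # matches the key in any section; narrow it if the file can set it outside [securitygroup]
      - ovs_agent_ini.content | b64decode is not search('^\s*firewall_driver\s*=\s*iptables_hybrid\s*$', multiline=True)
    # … unchanged: fail_msg …
```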