Merge "Explicitly unset net.ipv4.ip_forward sysctl"

ansible/roles/neutron/defaults/main.yml

@@ -564,6 +564,7 @@ openstack_neutron_auth: "{{ openstack_auth }}"
 
 # Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
 # Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
+neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET
 neutron_l3_agent_host_rp_filter_mode: KOLLA_SKIP
 neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
 neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672

ansible/roles/neutron/tasks/config-host.yml

@@ -25,6 +25,8 @@
     sysctl_set: "{{ should_set }}"
     sysctl_file: "{{ kolla_sysctl_conf_path }}"
   with_items:
+    # TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle.
+    - { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}
     - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
     - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
     - { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}

releasenotes/notes/bug-1945453-2-287bfcaf060689d8.yaml

@@ -0,0 +1,16 @@
+---
+security:
+  - |
+    Explicitly removes the ``net.ipv4.ip_forward`` sysctl from
+    ``/etc/sysctl.conf`` on hosts with Neutron L3 Agent. In the absence of
+    another source for this sysctl, it should revert to the default of 0 after
+    the next reboot. This is a follow up to a previous change which stopped
+    setting the sysctl, but leaves existing systems with the original value of
+    1 set.
+
+    A deployer looking to more aggressively change the value may set
+    ``neutron_l3_agent_host_ipv4_ip_forward`` to 0 using a Yoga release of
+    Kolla Ansible. This option will be removed in future. Any deployments
+    still relying on the previous value may set
+    ``neutron_l3_agent_host_ipv4_ip_forward`` to 1.
+    `LP#1945453 <https://launchpad.net/bugs/1945453>`__