From caf33be54b3a4c5f2cdd756e122de6aee891154d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Fri, 4 Mar 2022 15:02:57 +0000 Subject: [PATCH] Explicitly unset net.ipv4.ip_forward sysctl While I8bb398e299aa68147004723a18d3a1ec459011e5 stopped setting the net.ipv4.ip_forward sysctl, this change explicitly removes the option from the Kolla sysctl config file. In the absence of another source for this sysctl, it should revert to the default of 0 after the next reboot. A deployer looking to more aggressively change the value may set neutron_l3_agent_host_ipv4_ip_forward to 0. Any deployments still relying on the previous value may set neutron_l3_agent_host_ipv4_ip_forward to 1. Related-Bug: #1945453 Change-Id: I9b39307ad8d6c51e215fe3d3bc56aab998d218ec
---
 ansible/roles/neutron/defaults/main.yml | 1 +
 ansible/roles/neutron/tasks/config-host.yml | 2 ++
 .../notes/bug-1945453-2-287bfcaf060689d8.yaml | 16 ++++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 releasenotes/notes/bug-1945453-2-287bfcaf060689d8.yaml
diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index 87bc023a27..09020522a4 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -564,6 +564,7 @@ openstack_neutron_auth: "{{ openstack_auth }}"
 # Set to KOLLA_SKIP to skip setting these (even if set already - total ignore).
 # Set to KOLLA_UNSET to make Kolla unset these in the managed sysctl.conf file.
+neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET
 neutron_l3_agent_host_rp_filter_mode: KOLLA_SKIP
 neutron_l3_agent_host_ipv4_neigh_gc_thresh1: 128
 neutron_l3_agent_host_ipv4_neigh_gc_thresh2: 28672
diff --git a/ansible/roles/neutron/tasks/config-host.yml b/ansible/roles/neutron/tasks/config-host.yml
index 79ed2a4483..80dfefca27 100644
--- a/ansible/roles/neutron/tasks/config-host.yml
+++ b/ansible/roles/neutron/tasks/config-host.yml
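Review bot: The new default `neutron_l3_agent_host_ipv4_ip_forward: KOLLA_UNSET` carries no comment marking it as a transitional option, even though the TODO in config-host.yml and the release note both say it is slated for removal in the Zed cycle; a deployer reading defaults/main.yml will take it for a permanent knob. The shared comment above it only explains the KOLLA_SKIP/KOLLA_UNSET sentinels, not why this one sysctl defaults to being unset while its neighbours default to KOLLA_SKIP or numeric values, nor that unsetting only edits the managed sysctl.conf (the commit message implies the running value changes on reboot). Suggest a comment directly above the new line: `# Transitional (bug 1945453): Kolla no longer manages net.ipv4.ip_forward; KOLLA_UNSET only` / `# removes it from the managed sysctl.conf, so the running value is expected to change on reboot.` / `# Set to 1 to keep host forwarding enabled. Planned for removal in the Zed cycle.`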
@@ -25,6 +25,8 @@
 sysctl_set: "{{ should_set }}"
 sysctl_file: "{{ kolla_sysctl_conf_path }}"
 with_items:
+ # TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle.
+ - { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}
 - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
 - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
 - { name: "net.ipv4.neigh.default.gc_thresh1", value: "{{ neutron_l3_agent_host_ipv4_neigh_gc_thresh1 }}"}
diff --git a/releasenotes/notes/bug-1945453-2-287bfcaf060689d8.yaml b/releasenotes/notes/bug-1945453-2-287bfcaf060689d8.yaml
new file mode 100644
index 0000000000..7fc4d6d32f
--- /dev/null
+++ b/releasenotes/notes/bug-1945453-2-287bfcaf060689d8.yaml
@@ -0,0 +1,16 @@
+---
+security:
+ - |
+ Explicitly removes the ``net.ipv4.ip_forward`` sysctl from
+ ``/etc/sysctl.conf`` on hosts with Neutron L3 Agent. In the absence of
+ another source for this sysctl, it should revert to the default of 0 after
+ the next reboot. This is a follow up to a previous change which stopped
+ setting the sysctl, but leaves existing systems with the original value of
+ 1 set.
+
+ A deployer looking to more aggressively change the value may set
+ ``neutron_l3_agent_host_ipv4_ip_forward`` to 0 using a Yoga release of
+ Kolla Ansible. This option will be removed in future. Any deployments
+ still relying on the previous value may set
+ ``neutron_l3_agent_host_ipv4_ip_forward`` to 1.
+ `LP#1945453 `__
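Review bot: The added `- { name: "net.ipv4.ip_forward", value: "{{ neutron_l3_agent_host_ipv4_ip_forward }}"}` item is, as far as the visible defaults show, the first entry in this list whose default is the KOLLA_UNSET sentinel rather than KOLLA_SKIP or a number, so the unset path of this task is now exercised on every L3-agent host by default; the task header, the `should_set` definition and whatever `when`/state logic interprets KOLLA_UNSET all start outside the hunk, so that branch should be verified to remove the key from `sysctl_file` for this name as part of this change. The TODO comment also does not say why the entry exists, which is exactly what a maintainer removing it in Zed will need; suggest `# TODO(mgoddard): Remove net.ipv4.ip_forward from this list in Zed cycle. It exists only to` / `# drop the value Kolla previously wrote to the managed sysctl.conf (bug 1945453).`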