openstack-ansible-openstack.../defaults
Kevin Carter 394be21880 Set kernel params to ensure iptables are never left open
The current settings within this role set the kernel params for iptables
on bridges to 0. While this was originally done in the liberty timeframe
for performance reasons, it can cause a flapping problem should this role
be executed "stand alone" on an existing OpenStack deployment. If these
values get set to 0 it could allow traffic to bypass neutron security groups
which has the potential to expose workloads even when port security and security
groups were previously protecting them. It should be noted that the
agent will ensure the kernel params are set correctly at start time;
however, it does not monitor the values at runtime, so running this role
on an existing deployment could have adverse effects if the neutron
agent is never restarted.

This patch sets the "net.bridge.bridge-nf-call-*" kernel params to 1
from the very beginning, which will ensure no deployment is affected by
the potential flapping values.

Change-Id: I4d5139a6016e75ebec84994ac3555600d65a3f7c
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
(cherry picked from commit acfb458ea8)
2017-08-02 16:44:28 -05:00
main.yml Set kernel params to ensure iptables are never left open 2017-08-02 16:44:28 -05:00