diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 8eb5dbf9ab..0d3900f8f1 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -160,7 +160,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
 {% set base_centos_yum_repos_to_disable = [
 'centos-ceph-squid',
 'centos-nfv-openvswitch',
- 'epel',
 'influxdb',
 'opensearch-2.x',
 'opensearch-dashboards-2.x',
@@ -170,7 +169,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
 'centos-ceph-reef',
 'centos-nfv-openvswitch',
 'centos-opstools',
- 'epel',
 'influxdb',
 'opensearch-2.x',
 'opensearch-dashboards-2.x',
@@ -194,8 +192,8 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen
 {% block base_redhat_binary_versionlock %}{% endblock %}
-{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #}
-{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %}
+{# NOTE(mnasiadka): In EL10 we install dumb-init from epel. In EL9 we install iptables-legacy. #}
+{% if base_package_type == 'rpm' %}
 RUN dnf config-manager --enable epel
 {% endif %}
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 1224a2b495..1c942d9a17 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
+ # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+ # to migrate to some other firewall driver as we cannot rely on this
+ # package forever, see: https://access.redhat.com/solutions/6739041
 {% set neutron_base_packages = [
 'conntrack-tools',
 'dnsmasq',
@@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'iproute-tc',
 'ipset',
 'iptables',
+ 'iptables-nft',
 'iputils',
 'keepalived',
 'net-tools',
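Review bot: Enabling EPEL for every rpm-based image in the third hunk (`{% if base_package_type == 'rpm' %}` followed by `RUN dnf config-manager --enable epel`), combined with dropping `'epel'` from both `base_centos_yum_repos_to_disable` lists in the first two hunks, means every later package install in every derived image can now resolve from EPEL, not only the EL10 dumb-init and EL9 iptables-legacy cases the NOTE names. Since only neutron-base appears to need iptables-legacy, keeping the repo disabled in the base image and enabling it per install in the images that need it (for example `--enablerepo=epel` on that one `dnf install`) would keep the third-party package source scoped to the packages that justify it. If the broad enablement is intended, the NOTE should say so, e.g. `{# NOTE: EPEL remains enabled for all later installs in every rpm-based image, not just dumb-init/iptables-legacy #}`. Whether any downstream template still disables EPEL cannot be confirmed from these hunks, since the surrounding repo-handling macros are outside them.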
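Review bot: The three `# FIXME(wszumski)` lines added between `{% if base_package_type == 'rpm' %}` and `{% set neutron_base_packages = [` are Dockerfile comments rather than Jinja comments, so they are rendered into every built Dockerfile with leading whitespace, while the base template touched in this same change uses `{# NOTE(...) #}` Jinja comments that never reach the rendered output. Wrapping them as `{# FIXME(wszumski): iptables-nft is deprecated ... see: https://access.redhat.com/solutions/6739041 #}` keeps the two templates consistent and avoids the indented `#` form the Dockerfile reference tolerates but discourages; the same applies to the `# NOTE(wszumski): iptables-legacy ...` lines in the `@@ -33,9 +37,12 @@` hunk of this file.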
@@ -33,9 +37,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-openvswitch3.5'
 ] %}
 {% else %}
+ # NOTE(wszumski): iptables-legacy lets us check and clear out legacy
+ # iptables rules due to LP#2144562
 {% set neutron_base_packages = neutron_base_packages + [
 'openvswitch',
- 'python3-openvswitch'
+ 'python3-openvswitch',
+ 'iptables-legacy',
 ] %}
 {% endif %}
@@ -64,6 +71,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {{ macros.install_packages(neutron_base_packages | customizable("packages")) }}
+{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %}
+# NOTE(wszumski): Without this iptables-legacy is selected as default. This
+# increases the priority from 10 to 200.
+RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
+ && update-alternatives --auto iptables
+{% endif %}
+
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
new file mode 100644
index 0000000000..d6bf64da0f
--- /dev/null
+++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
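Review bot: The new `RUN update-alternatives --install ... 200 ... && update-alternatives --auto iptables` block in the `@@ -64,6 +71,18 @@` hunk selects the nft backend by priority but never verifies the outcome, so a future iptables-legacy or iptables-nft package that registers a higher priority or a different slave set would silently put the image back into the mixed legacy/nft state LP#2144562 describes. A build-time assertion after the `--auto` step turns that into a build failure instead, e.g. `&& readlink -f /usr/sbin/iptables | grep -q iptables-nft`; if `iptables -V` runs without netlink access in the build environment, `&& iptables -V | grep -q nf_tables` checks the same thing through the real entry point. The guard `base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9')` is also not tied to `base_package_type == 'rpm'` the way the package hunks above are; unless the enclosing template scope (outside this hunk) already restricts it, `{% if base_package_type == 'rpm' and (base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9')) %}` keeps the two conditions in step.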
@@ -0,0 +1,37 @@
+upgrade:
+ - |
+ On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy
+ iptables rules if you installed or upgraded before this release. You can
+ check by running ``iptables-legacy-save`` inside of the
+ ``neutron_openvswitch_agent`` container and looking for neutron rules.
+
+ After upgrading you will need to clear out the old iptables rules to
+ prevent conflicts::
+
+ iptables-legacy -P INPUT ACCEPT
+ iptables-legacy -P FORWARD ACCEPT
+ iptables-legacy -P OUTPUT ACCEPT
+ iptables-legacy -t nat -F
+ iptables-legacy -t nat -X
+ iptables-legacy -t mangle -F
+ iptables-legacy -t mangle -X
+ iptables-legacy -t raw -F
+ iptables-legacy -t raw -X
+ iptables-legacy -t filter -F
+ iptables-legacy -t filter -X
+ iptables-legacy -F
+ iptables-legacy -X
+
+ If you are updating to this release or newer, no action is required.
+
+ For more information, please see
+ `LP#2144562 `__.
+
+fixes:
+ - |
+ Fixes an issue where firewall rules were being implemented via legacy
+ iptables rules. This differed from the behaviour in previous releases,
+ where iptables-nft was used to create these as nftables rules. On upgrade,
+ this could lead to mixture of iptables and nftables rules based on whether
+ the VM was booted before or after the upgrade. For more information, please
+ see `LP#2144562 `__.