From 94cd5a9935db0859f666f19940f2344d7dfa6c64 Mon Sep 17 00:00:00 2001 From: Manuel Buil Date: Thu, 11 Jul 2019 13:22:06 +0200 Subject: [PATCH] Fix iptables locking in L3 neutron container The L3 neutron agent uses the -W flag when adding new iptable rules. That flag verifies if the lock is free to avoid race conditions. The lock is normally /run/xtables.lock. In iptables <1.6.2, if the file does not exist, iptables ignores the lock and silently continues. Starting with 1.6.2, that behaviour changed and if the file does not exist, iptables fails: https://git.netfilter.org/iptables/commit/?id=80d8bfaac9e2430d710084a10ec78e68bd61e6ec Leap 15.0 is using iptables 1.6.2 whereas Ubuntu Bionic uses 1.6.1. That is why Ubuntu compute-kit gates where working whereas openSUSE compute-kit gate was not This patch fixes the gate problem by mounting /run/xtables.lock Change-Id: Ia9c648cdf95c9824b34f40a6d9ed538a2cad5154 Signed-off-by: Manuel Buil
---
 neutron/templates/daemonset-l3-agent.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml
index 6ebe91c39e..f2658374b4 100644
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@@ -160,6 +160,8 @@ spec:
 - name: libmodules
 mountPath: /lib/modules
 readOnly: true
+ - name: iptables-lockfile
+ mountPath: /run/xtables.lock
 - name: socket
 mountPath: /var/lib/neutron/openstack-helm
 {{- if .Values.network.share_namespaces }}
@@ -184,6 +186,9 @@ spec:
 - name: libmodules
 hostPath:
 path: /lib/modules
+ - name: iptables-lockfile
+ hostPath:
+ path: /run/xtables.lock
 - name: socket
 hostPath:
 path: /var/lib/neutron/openstack-helm
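Review bot: The `iptables-lockfile` entry added to the volumeMounts in the first hunk carries no comment, so the reason for exposing a host lock file to this container lives only in the commit message. A short comment above it would keep that visible in the template, for example `# iptables >= 1.6.2 fails with -W if /run/xtables.lock is missing; share the host's lock file`. The mount is writable by default, so processes in this container contend for the same lock that iptables users on the host take; that appears to be the intent, and the comment is a good place to say so. The volumeMounts list begins before the hunk.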
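Review bot: The `iptables-lockfile` hostPath volume added in the second hunk sets no `type`, so the kubelet does not check what exists at `/run/xtables.lock` on the node before the bind mount. On a node where the file is absent, the container runtime may create that path as a directory, which would leave iptables on the host without a usable lock file; this depends on the runtime, so it is worth confirming on the gate nodes. Adding `type: FileOrCreate` under `path: /run/xtables.lock` makes the kubelet create an empty file when none exists and reject the mount if something other than a file is there. The volumes list starts and ends outside the hunk.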