From c92506e2e76ff72b0920545e4c42237ca912a98c Mon Sep 17 00:00:00 2001
From: Vijay Katam <vijkatam@cisco.com>
Date: Sun, 20 Aug 2017 04:01:09 -0700
Subject: [PATCH] Add calico variable that enables ignoring Kernel's RPF
 Setting (#1493)

---
 docs/calico.md                                            | 8 ++++++++
 roles/network_plugin/calico/defaults/main.yml             | 4 ++++
 .../calico/templates/calico-node.service.j2               | 3 +++
 3 files changed, 15 insertions(+)

diff --git a/docs/calico.md b/docs/calico.md
index 00ff748c1..7992e57eb 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -161,3 +161,11 @@ Cloud providers configuration
 =============================
 
 Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
+
+##### Optional : Ignore kernel's RPF check setting
+
+By default the felix agent(calico-node) will abort if the Kernel RPF setting is not 'strict'. If you want Calico to ignore the Kernel setting:
+
+```
+calico_node_ignorelooserpf: true
+```
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index d80ea0282..e09ab3e1e 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -30,3 +30,7 @@ calicoctl_memory_limit: 170M
 calicoctl_cpu_limit: 100m
 calicoctl_memory_requests: 32M
 calicoctl_cpu_requests: 50m
+
+# Should calico ignore kernel's RPF check setting,
+# see https://github.com/projectcalico/felix/blob/ab8799eaea66627e5db7717e62fca61fd9c08646/python/calico/felix/config.py#L198
+calico_node_ignorelooserpf: false
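Review bot: The comment above `calico_node_ignorelooserpf` says where the option is wired but not what an operator gives up by setting it, and a commit-pinned URL is the only hint. docs/calico.md in this same patch states that felix aborts when the kernel RPF setting is not 'strict', so the default's comment should say plainly that `true` suppresses that startup check; nothing in this patch touches rp_filter itself, so the comment should also make clear it does not change the kernel setting. Suggest `# Set to true to let felix start even when the kernel's rp_filter is not 'strict' (passes FELIX_IGNORELOOSERPF=true; suppresses felix's startup check, does not change rp_filter)`. Naming the felix variable in the comment also keeps it findable when the pinned config.py link goes stale.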
diff --git a/roles/network_plugin/calico/templates/calico-node.service.j2 b/roles/network_plugin/calico/templates/calico-node.service.j2
index e84ceaba0..015c91b08 100644
--- a/roles/network_plugin/calico/templates/calico-node.service.j2
+++ b/roles/network_plugin/calico/templates/calico-node.service.j2
@@ -20,6 +20,9 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
  -e ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
  -e ETCD_CERT_FILE=${ETCD_CERT_FILE} \
  -e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
+{% if calico_node_ignorelooserpf %}
+ -e FELIX_IGNORELOOSERPF=true \
+{% endif %}
  -v /var/log/calico:/var/log/calico \
  -v /run/docker/plugins:/run/docker/plugins \
  -v /lib/modules:/lib/modules \
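Review bot: `{% if calico_node_ignorelooserpf %}` tests plain Jinja truthiness, so a value that reaches the template as a string (for example `-e calico_node_ignorelooserpf=false` on the ansible command line, which arrives as the string "false") is truthy and would still emit `-e FELIX_IGNORELOOSERPF=true`, silently disabling the felix RPF check. Coerce it the way Ansible templates usually do: `{% if calico_node_ignorelooserpf | bool %}`. The `ExecStart=` line these continuation lines belong to begins before the hunk.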
-- 
GitLab