review02: pin ipv6 configuration

As discussed in the thread mentioned inline, this pins the ipv6
configuration to avoid listening to RA's on the review02 server.

Change-Id: I17b0e049fcc1e975e8b4383957b020c11d9b89f0

playbooks/service-review.yaml

@@ -24,3 +24,38 @@
         state: present
         key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz'
         key_options: 'command="/home/gerrit2/bin/rrsync -ro /home/gerrit2",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+
+# NOTE(ianw) 2021-04-09 This is a workaround for RA leaks seen in
+# vexxhost which is currently unresolved. This pins the ipv6 config
+# and ensures we don't listen to RA's.  See:
+#  http://lists.opendev.org/pipermail/service-discuss/2021-April/000200.html
+#  https://launchpad.net/bugs/1844712
+- hosts: "review02.opendev.org"
+  tasks:
+    - name: Install RA rejection
+      copy:
+        dest: '/etc/netplan/50-cloud-init.yaml'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        content: |
+          network:
+            version: 2
+            ethernets:
+              ens3:
+                dhcp4: true
+                dhcp6: false
+                accept-ra: false
+                addresses:
+                  - '2604:e100:1:0:f816:3eff:fe52:22de/64'
+                routes:
+                  - to: '::/0'
+                    via: 'fe80::ce2d:e0ff:fe0f:74af'
+                    metric: 100
+                  - to: '::/0'
+                    via: 'fe80::ce2d:e0ff:fe5a:d84e'
+                    metric: 100
+                match:
+                    macaddress: fa:16:3e:52:22:de
+                mtu: 1500
+                set-name: ens3