From c2a35ce21198bc0e62af1867495f1ca0ebf36b93 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 15 Mar 2019 16:35:41 +0000
Subject: [PATCH] Remove inspector_manage_firewall variable

This is supported in kolla-ansible via the ironic_inspector_pxe_filter variable, which can be added to globals.yml. The default value for that variable changed in the Stein release from 'iptables' to 'dnsmasq', since the iptables filter does not work with Docker CE [1]. This change removes the inspector_manage_firewall variable. This change also adds an iptables rule in CI tests to allow DHCP packets to be forwarded, to ensure bare metal servers can be deployed.

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1823044

Depends-On: https://review.openstack.org/649673
Change-Id: Idac6777b4d97fbd17698fc2086ceb068d7b2e326
Related-Bug: #1823044
---
 ansible/group_vars/all/inspector | 3 ---
 ansible/kolla-openstack.yml | 1 -
 ansible/roles/kolla-openstack/defaults/main.yml | 3 ---
 .../kolla-openstack/templates/ironic-inspector.conf.j2 | 5 -----
 dev/functions | 3 +++
 etc/kayobe/inspector.yml | 3 ---
 ...emove-inspector-manage-firewall-b1117b04a0f6904d.yaml | 9 +++++++++
 7 files changed, 12 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml

diff --git a/ansible/group_vars/all/inspector b/ansible/group_vars/all/inspector
index 45ad265fd..8a6e4ca63 100644
--- a/ansible/group_vars/all/inspector
+++ b/ansible/group_vars/all/inspector
@@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}"
 ###############################################################################
 # Ironic inspector processing configuration.
-# Whether inspector should manage the firewall.
-inspector_manage_firewall: True
-
 # List of of default inspector processing plugins.
 inspector_processing_hooks_default:
 - ramdisk_error
diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml
index eaae5c991..dfeabbabf 100644
--- a/ansible/kolla-openstack.yml
+++ b/ansible/kolla-openstack.yml
@@ -189,7 +189,6 @@ roles:
 - role: kolla-openstack
 # Ironic inspector configuration.
- kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}"
 kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}"
 kolla_inspector_add_ports: "{{ inspector_add_ports }}"
 kolla_inspector_keep_ports: "{{ inspector_keep_ports }}"
diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml
index 78273ac0f..dc5e3ebe9 100644
--- a/ansible/roles/kolla-openstack/defaults/main.yml
+++ b/ansible/roles/kolla-openstack/defaults/main.yml
@@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe:
 ###############################################################################
 # Ironic inspector configuration.
-# Whether inspector should manage the firewall.
-kolla_inspector_manage_firewall:
-
 # Comma-separated list of inspector processing plugins.
 kolla_inspector_processing_hooks:
diff --git a/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2 b/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2
index da48d2542..b3852bb9f 100644
--- a/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2
@@ -1,10 +1,5 @@
 [DEFAULT]
-[pxe_filter]
-# The filter ironic inspector will use to prevent nodes from undergoing
-# inspection unless explicitly requested.
-driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }}
-
 [processing]
 {% if kolla_inspector_processing_hooks %}
 # Comma-separated list of inspector processing plugins.
diff --git a/dev/functions b/dev/functions
index 6c0bbe4e4..f9ee17d5a 100644
--- a/dev/functions
+++ b/dev/functions
@@ -644,6 +644,9 @@ function configure_iptables {
 sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
 # allow IPA to connect to ironic inspector
 sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
+ # Docker CE has added a default DROP policy to the FORWARD chain. Allow
+ # DHCP packets to be forwarded across the bridge.
+ sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
 # agent ramdisk gets instance image from swift
 sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml
index ac83dd32e..b99780e30 100644
--- a/etc/kayobe/inspector.yml
+++ b/etc/kayobe/inspector.yml
@@ -26,9 +26,6 @@
 ###############################################################################
 # Ironic inspector processing configuration.
-# Whether inspector should manage the firewall.
-#inspector_manage_firewall:
-
 # List of of default inspector processing plugins.
 #inspector_processing_hooks_default:
diff --git a/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml b/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml
new file mode 100644
index 000000000..41b19b260
--- /dev/null
+++ b/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Removes the ``inspector_manage_firewall`` variable. This is supported in
+ Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can
+ be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value
+ for that variable changed in the Stein release from 'iptables' to
+ 'dnsmasq', since the iptables filter `does not work with Docker CE
+ `__.
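Review bot: The new FORWARD rule in dev/functions accepts UDP 67:68 in both directions on every interface pair, not only "across the bridge" as its comment says; if the bridge interface name is available in this script, scoping the rule with `-i`/`-o` keeps the CI host from forwarding DHCP between unrelated networks, otherwise the comment should state why an unscoped rule is acceptable in CI. Like the surrounding lines, `-I` prepends a fresh copy on every invocation and `|| true` hides any failure, so repeated runs of configure_iptables silently accumulate duplicate rules; guarding the insert with a check, `sudo iptables -C FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT 2>/dev/null || sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true`, would make it idempotent. The body of configure_iptables continues outside the hunk.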