Merge "Enable inspector dnsmasq dhcp filter"

2018-06-05 11:16:28 +00:00 · 2018-06-05 11:16:28 +00:00 · 68c3856b83
commit 68c3856b83
parent e3d6a47a31 a1a2048d47
2 changed files with 51 additions and 1 deletions
--- a/docker/services/ironic-inspector.yaml
+++ b/docker/services/ironic-inspector.yaml
@ -86,6 +86,7 @@ outputs:
        config_image: {get_param: DockerIronicInspectorConfigImage}
        volumes:
          - /var/lib/ironic:/var/lib/ironic
+          - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
      kolla_config:
        /var/lib/kolla/config_files/ironic_inspector.json:
          command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf
@ -100,6 +101,8 @@ outputs:
              recurse: true
            - path: /var/lib/ironic
              owner: ironic:ironic
+            - path: /var/lib/ironic-inspector/dhcp-hostsdir
+              owner: ironic-inspector:ironic-inspector
              recurse: true
        /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:
          config_files:
@ -118,9 +121,17 @@ outputs:
            volumes:
              - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
            command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector']
-          ironic_inspector_db_sync:
+
+          ironic_inspector_init_dnsmasq_dhcp_hostsdir:
            start_order: 1
            image: *ironic_inspector_image
+            user: root
+            volumes:
+            - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
+            command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir']
+          ironic_inspector_db_sync:
+            start_order: 2
+            image: *ironic_inspector_image
            net: host
            user: root
            privileged: false
@ -175,6 +186,7 @@ outputs:
                  - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
                  - /var/lib/ironic:/var/lib/ironic
                  - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+                  - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
          ironic_inspector_dnsmasq:
@ -191,6 +203,7 @@ outputs:
                  - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+                  - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      host_prep_tasks:
@ -205,6 +218,10 @@ outputs:
              Log files from ironic-inspector container can be found under
              /var/log/containers/ironic-inspector.
          ignore_errors: true
+        - name: create persistent ironic-inspector dnsmasq dhcp hostsdir
+          file:
+            path: /var/lib/ironic-inspector/dhcp-hostsdir
+            state: directory
      upgrade_tasks:
        - when: step|int == 2
          block:
--- a/puppet/services/ironic-inspector.yaml
+++ b/puppet/services/ironic-inspector.yaml
@ -153,6 +153,8 @@ outputs:
              - [{ip_range: {get_param: IronicInspectorIpRange}}]
              - get_param: IronicInspectorSubnets
            ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+            ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
+            ironic::inspector::pxe_filter::driver: dnsmasq
            ironic::inspector::debug: {get_param: Debug}
            ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
            ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
@ -171,6 +173,15 @@ outputs:
              '137 ironic-inspector':
                dport:
                  - 5050
+              '137 ironic-inspector dhcp input':
+                iniface: {get_param: IronicInspectorInterface}
+                proto: 'udp'
+                chain: 'INPUT'
+                dport: 67
+              '137 ironic-inspector dhcp output':
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 68
            ironic::inspector::ironic_username: 'ironic'
            ironic::inspector::ironic_password: {get_param: IronicPassword}
            ironic::inspector::ironic_tenant_name: 'service'
@ -234,3 +245,25 @@ outputs:
          ironic::inspector::db::mysql::allowed_hosts:
            - '%'
            - "%{hiera('mysql_bind_host')}"
+      upgrade_tasks:
+        - name: Stop and disable ironic_inspector service
+          when: step|int == 2
+          service: name=openstack-ironic-inspector state=stopped enabled=no
+        - name: Stop and disable ironic_inspector dnsmasq service
+          when: step|int == 2
+          service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
+        - name: purge iptables port 67 jump rule
+          when: step|int == 2
+          iptables:
+            chain: INPUT
+            interface: {get_param: IronicInspectorInterface}
+            protocol: udp
+            destination_port: 67
+            jump: ironic-inspector
+            state: absent
+        - name: purge iptables ironic-inspector chain
+          when: step|int == 2
+          iptables:
+            chain: ironic-inspector
+            flush: true
+            state: absent