From a1a2048d47a1de41e7b9f17de126a4243712c07c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kov=C3=A1=C4=8Dik?= <mkovacik@redhat.com>
Date: Wed, 29 Nov 2017 16:17:10 +0100
Subject: [PATCH] Enable inspector dnsmasq dhcp filter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Modify both the inspector and dnsmasq containers for the inspector to be
able to modify dnsmasq configuration on the fly to filter the dhcp
traffic.

The upgrade_tasks were moved to the puppet service so that they are shared
between the containerised and the regular deployment.  The upgrade_tasks
were amended with steps to clean up the inspector's iptables chain and rules.

With inspector no longer managing iptables rules, create new rules to
allow DHCP traffic on IronicInspectorInterface.

Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Change-Id: Ic7e32acb8559a7a12cd8767dc68c343872a6a4e3
Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
---
 docker/services/ironic-inspector.yaml | 19 ++++++++++++++-
 puppet/services/ironic-inspector.yaml | 33 +++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/docker/services/ironic-inspector.yaml b/docker/services/ironic-inspector.yaml
index 3c10ea2982..8e3ca726cd 100644
--- a/docker/services/ironic-inspector.yaml
+++ b/docker/services/ironic-inspector.yaml
@@ -86,6 +86,7 @@ outputs:
         config_image: {get_param: DockerIronicInspectorConfigImage}
         volumes:
           - /var/lib/ironic:/var/lib/ironic
+          - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
       kolla_config:
         /var/lib/kolla/config_files/ironic_inspector.json:
           command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf
@@ -100,6 +101,8 @@ outputs:
               recurse: true
             - path: /var/lib/ironic
               owner: ironic:ironic
+            - path: /var/lib/ironic-inspector/dhcp-hostsdir
+              owner: ironic-inspector:ironic-inspector
               recurse: true
         /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:
           config_files:
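Review bot: The new permissions entry is inserted between the `/var/lib/ironic` entry's `owner: ironic:ironic` and its `recurse: true`, so after this change the `recurse: true` belongs to the `dhcp-hostsdir` entry and `/var/lib/ironic` silently loses the recursion it had before the patch. Put the line back under the existing entry so both entries recurse, i.e. `owner: ironic:ironic` / `recurse: true` / `- path: /var/lib/ironic-inspector/dhcp-hostsdir`. The kolla_config permissions list this belongs to starts before the hunk.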
@@ -118,9 +121,17 @@ outputs:
             volumes:
               - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
             command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector']
-          ironic_inspector_db_sync:
+
+          ironic_inspector_init_dnsmasq_dhcp_hostsdir:
             start_order: 1
             image: *ironic_inspector_image
+            user: root
+            volumes:
+            - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
+            command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir']
+          ironic_inspector_db_sync:
+            start_order: 2
+            image: *ironic_inspector_image
             net: host
             user: root
             privileged: false
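Review bot: The `volumes:` list of the new `ironic_inspector_init_dnsmasq_dhcp_hostsdir` container writes its `-` item flush with the key, while every other volumes list in this file indents its items (the `/var/log/ironic-inspector` init container just above, for example); indent `- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir` by two more spaces to keep the file's sequence style consistent. The blank line added before the new container is also not used between the other container definitions. The `ironic_inspector_db_sync` definition continues outside the hunk.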
@@ -175,6 +186,7 @@ outputs:
                   - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
                   - /var/lib/ironic:/var/lib/ironic
                   - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+                  - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
           ironic_inspector_dnsmasq:
@@ -191,6 +203,7 @@ outputs:
                   - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro
                   - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
                   - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+                  - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
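Review bot: The dnsmasq container is given the hostsdir read-write, although from the description only the inspector writes filter entries there and dnsmasq only reads the files in its hostsdir; if that holds, mount it read-only in this container, `- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:ro`, so the dnsmasq process cannot alter the filter state. Confirm that dnsmasq never needs to write into the directory before applying. The `ironic_inspector_dnsmasq` definition starts before this hunk.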
       host_prep_tasks:
@@ -205,6 +218,10 @@ outputs:
               Log files from ironic-inspector container can be found under
               /var/log/containers/ironic-inspector.
           ignore_errors: true
+        - name: create persistent ironic-inspector dnsmasq dhcp hostsdir
+          file:
+            path: /var/lib/ironic-inspector/dhcp-hostsdir
+            state: directory
       upgrade_tasks:
         - when: step|int == 2
           block:
diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml
index bec7b14834..b40a720799 100644
--- a/puppet/services/ironic-inspector.yaml
+++ b/puppet/services/ironic-inspector.yaml
@@ -153,6 +153,8 @@ outputs:
               - [{ip_range: {get_param: IronicInspectorIpRange}}]
               - get_param: IronicInspectorSubnets
             ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+            ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
+            ironic::inspector::pxe_filter::driver: dnsmasq
             ironic::inspector::debug: {get_param: Debug}
             ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
             ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
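Review bot: The hostsdir path `/var/lib/ironic-inspector/dhcp-hostsdir` is hard-coded here and repeated literally in the docker service template's volume mounts, init container and host_prep_tasks; if either file changes independently the filter would write into a directory the containers do not share, with no error at deploy time. A short comment above the line would make the coupling visible, e.g. `# Must match the dhcp-hostsdir bind mounts in docker/services/ironic-inspector.yaml`. The config_settings mapping this sits in starts before the hunk.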
@@ -171,6 +173,15 @@ outputs:
               '137 ironic-inspector':
                 dport:
                   - 5050
+              '137 ironic-inspector dhcp input':
+                iniface: {get_param: IronicInspectorInterface}
+                proto: 'udp'
+                chain: 'INPUT'
+                dport: 67
+              '137 ironic-inspector dhcp output':
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 68
             ironic::inspector::ironic_username: 'ironic'
             ironic::inspector::ironic_password: {get_param: IronicPassword}
             ironic::inspector::ironic_tenant_name: 'service'
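Review bot: The `'137 ironic-inspector dhcp output'` rule accepts UDP/68 on every interface, while its INPUT counterpart is narrowed with `iniface: {get_param: IronicInspectorInterface}`; if the firewall rule wrapper can pass an outgoing-interface match through to puppetlabs-firewall (`outiface`), bind the OUTPUT rule to the same interface so the exception is as narrow as the inbound one. A comment above the pair would also help the next reader, e.g. `# DHCP for the dnsmasq pxe filter; inspector no longer manages these iptables rules itself`. The mapping these rules belong to starts before this hunk.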
@@ -234,3 +245,25 @@ outputs:
           ironic::inspector::db::mysql::allowed_hosts:
             - '%'
             - "%{hiera('mysql_bind_host')}"
+      upgrade_tasks:
+        - name: Stop and disable ironic_inspector service
+          when: step|int == 2
+          service: name=openstack-ironic-inspector state=stopped enabled=no
+        - name: Stop and disable ironic_inspector dnsmasq service
+          when: step|int == 2
+          service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
+        - name: purge iptables port 67 jump rule
+          when: step|int == 2
+          iptables:
+            chain: INPUT
+            interface: {get_param: IronicInspectorInterface}
+            protocol: udp
+            destination_port: 67
+            jump: ironic-inspector
+            state: absent
+        - name: purge iptables ironic-inspector chain
+          when: step|int == 2
+          iptables:
+            chain: ironic-inspector
+            flush: true
+            state: absent
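Review bot: The `purge iptables ironic-inspector chain` task flushes the chain, but as I understand the Ansible `iptables` module of this period, `flush: true` with `state: absent` does not delete a user-defined chain (removing it needs the later `chain_management` option or an explicit `iptables -X ironic-inspector`), so an empty `ironic-inspector` chain will likely survive the upgrade despite the commit message saying the chain is cleaned up; either add the deletion or rename the task to say it only flushes. The four tasks each repeat `when: step|int == 2`; grouping them under one `- when: step|int == 2` / `block:` as the docker service's upgrade_tasks already do would keep the two files consistent. The two `service:` tasks also use `key=value` argument strings rather than block YAML (`service:` / `name: openstack-ironic-inspector` / `state: stopped` / `enabled: false`), which is the style the iptables tasks below them already follow.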