From a1a2048d47a1de41e7b9f17de126a4243712c07c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kov=C3=A1=C4=8Dik?= <mkovacik@redhat.com>
Date: Wed, 29 Nov 2017 16:17:10 +0100
Subject: [PATCH] Enable inspector dnsmasq dhcp filter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Modify both the inspector and dnsmasq containers for the inspector to be able to modify dnsmasq configuration on the fly to filter the dhcp traffic. The upgrade_tasks moved to the puppet service in order to be shared between both the containerised and regular deployment. The upgrade_tasks were amended with steps to clean-up the iptables inspector chain&rules. With inspector no longer managing iptables rules, create new rules to allow DHCP traffic on IronicInspectorInterface.
Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Change-Id: Ic7e32acb8559a7a12cd8767dc68c343872a6a4e3
Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
---
 docker/services/ironic-inspector.yaml | 19 ++++++++++++++-
 puppet/services/ironic-inspector.yaml | 33 +++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/docker/services/ironic-inspector.yaml b/docker/services/ironic-inspector.yaml
index 3c10ea2982..8e3ca726cd 100644
--- a/docker/services/ironic-inspector.yaml
+++ b/docker/services/ironic-inspector.yaml
@@ -86,6 +86,7 @@ outputs:
 config_image: {get_param: DockerIronicInspectorConfigImage}
 volumes:
 - /var/lib/ironic:/var/lib/ironic
+ - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
 kolla_config:
 /var/lib/kolla/config_files/ironic_inspector.json:
 command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf
@@ -100,6 +101,8 @@ outputs:
 recurse: true
 - path: /var/lib/ironic
 owner: ironic:ironic
+ - path: /var/lib/ironic-inspector/dhcp-hostsdir
+ owner: ironic-inspector:ironic-inspector
 recurse: true
 /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:
 config_files:
@@ -118,9 +121,17 @@ outputs:
 volumes:
 - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
 command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector']
- ironic_inspector_db_sync:
+
+ ironic_inspector_init_dnsmasq_dhcp_hostsdir:
 start_order: 1
 image: *ironic_inspector_image
+ user: root
+ volumes:
+ - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
+ command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir']
+ ironic_inspector_db_sync:
+ start_order: 2
+ image: *ironic_inspector_image
 net: host
 user: root
 privileged: false
@@ -175,6 +186,7 @@ outputs:
 - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
 - /var/lib/ironic:/var/lib/ironic
 - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+ - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 ironic_inspector_dnsmasq:
@@ -191,6 +203,7 @@ outputs:
 - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro
 - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
 - /var/log/containers/ironic-inspector:/var/log/ironic-inspector
+ - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 host_prep_tasks:
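Review bot: The two added permission lines are inserted between `owner: ironic:ironic` and the context `recurse: true`, so on the new side that `recurse: true` now belongs to the `/var/lib/ironic-inspector/dhcp-hostsdir` entry and the `/var/lib/ironic` entry no longer recurses (the hunk adds exactly two lines, so there is no second `recurse: true`). Files already present under `/var/lib/ironic` would then stop having their ownership fixed at container start. Place the new entry after the existing `recurse: true` and give it its own `recurse: true` so both entries keep recursive ownership. The permissions list begins before this hunk.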
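Review bot: The new root-run `ironic_inspector_init_dnsmasq_dhcp_hostsdir` container does a `chown -R` on the same `/var/lib/ironic-inspector/dhcp-hostsdir` that the kolla_config permissions entry for `ironic_inspector.json` in the preceding hunk already reassigns to `ironic-inspector:ironic-inspector`, so one of the two looks redundant. If the init container is needed because the dnsmasq container may use the directory before kolla_start has run inside `ironic_inspector`, say so on the container, e.g. `# fix ownership as root before dnsmasq starts; kolla_config permissions only run inside ironic_inspector`; otherwise dropping the extra privileged container is preferable. The docker_config step containing these entries starts before this hunk.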
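Review bot: In the `ironic_inspector_dnsmasq` container the `/var/lib/ironic-inspector/dhcp-hostsdir` bind mount is read-write, while the writer of those host files is the `ironic_inspector` container mounted in the previous hunk; the DHCP server only needs to read the directory it watches. Mounting it as `- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:ro` here keeps a compromised or misbehaving dnsmasq from altering its own filter state. This assumes the dnsmasq image does not itself write into the hostsdir, which is worth confirming against its configuration before switching to `:ro`.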
@@ -205,6 +218,10 @@ outputs:
 Log files from ironic-inspector container can be found under
 /var/log/containers/ironic-inspector.
 ignore_errors: true
+ - name: create persistent ironic-inspector dnsmasq dhcp hostsdir
+ file:
+ path: /var/lib/ironic-inspector/dhcp-hostsdir
+ state: directory
 upgrade_tasks:
 - when: step|int == 2
 block:
diff --git a/puppet/services/ironic-inspector.yaml b/puppet/services/ironic-inspector.yaml
index bec7b14834..b40a720799 100644
--- a/puppet/services/ironic-inspector.yaml
+++ b/puppet/services/ironic-inspector.yaml
@@ -153,6 +153,8 @@ outputs:
 - [{ip_range: {get_param: IronicInspectorIpRange}}]
 - get_param: IronicInspectorSubnets
 ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
+ ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
+ ironic::inspector::pxe_filter::driver: dnsmasq
 ironic::inspector::debug: {get_param: Debug}
 ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
 ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
@@ -171,6 +173,15 @@ outputs:
 '137 ironic-inspector':
 dport:
 - 5050
+ '137 ironic-inspector dhcp input':
+ iniface: {get_param: IronicInspectorInterface}
+ proto: 'udp'
+ chain: 'INPUT'
+ dport: 67
+ '137 ironic-inspector dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
 ironic::inspector::ironic_username: 'ironic'
 ironic::inspector::ironic_password: {get_param: IronicPassword}
 ironic::inspector::ironic_tenant_name: 'service'
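Review bot: The new `file` task creates `/var/lib/ironic-inspector/dhcp-hostsdir` with the default owner and mode and sets no SELinux context, even though the directory is bind-mounted into two containers. If the neighbouring host_prep_tasks for the other persistent directories set a context (e.g. `setype: svirt_sandbox_file_t`), this task should match them, otherwise an enforcing host may refuse the inspector's writes into the mount; I cannot see those sibling tasks in the hunk. Ownership is deliberately left to the root-run init container in the docker_config section, which deserves a comment such as `# ownership is fixed by ironic_inspector_init_dnsmasq_dhcp_hostsdir` so nobody adds a conflicting `owner:` later. The host_prep_tasks list starts before this hunk.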
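Review bot: `ironic::inspector::dnsmasq_dhcp_hostsdir` hard-codes `/var/lib/ironic-inspector/dhcp-hostsdir`, and the same literal is repeated in the docker template's volumes, permissions, init container and host_prep_tasks, so the two files can drift without any error. At minimum a comment on the hiera key, e.g. `# must match the dhcp-hostsdir bind mounts in docker/services/ironic-inspector.yaml`, makes the coupling visible; a shared template parameter would be cleaner if the services' parameter scheme allows it. The config_settings mapping continues outside the hunk.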
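Review bot: `'137 ironic-inspector dhcp output'` opens UDP dport 68 in the OUTPUT chain on every interface, whereas the matching INPUT rule is restricted with `iniface: {get_param: IronicInspectorInterface}`; the OUTPUT rule should carry the same interface restriction using the outgoing-interface key the rule hash passes through (puppetlabs-firewall's `outiface`, directly or via the wrapper's extras), e.g. `outiface: {get_param: IronicInspectorInterface}`. If the deployment's OUTPUT policy is already ACCEPT the rule adds nothing and could be dropped instead, but that policy is not visible here. As a style point, the existing `'137 ironic-inspector'` rule relies on the default chain while the new input rule spells out `chain: 'INPUT'`; pick one form.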
@@ -234,3 +245,25 @@ outputs:
 ironic::inspector::db::mysql::allowed_hosts:
 - '%'
 - "%{hiera('mysql_bind_host')}"
+ upgrade_tasks:
+ - name: Stop and disable ironic_inspector service
+ when: step|int == 2
+ service: name=openstack-ironic-inspector state=stopped enabled=no
+ - name: Stop and disable ironic_inspector dnsmasq service
+ when: step|int == 2
+ service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
+ - name: purge iptables port 67 jump rule
+ when: step|int == 2
+ iptables:
+ chain: INPUT
+ interface: {get_param: IronicInspectorInterface}
+ protocol: udp
+ destination_port: 67
+ jump: ironic-inspector
+ state: absent
+ - name: purge iptables ironic-inspector chain
+ when: step|int == 2
+ iptables:
+ chain: ironic-inspector
+ flush: true
+ state: absent
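Review bot: The `purge iptables port 67 jump rule` task passes `interface:` to Ansible's `iptables` module, whose incoming-interface option is `in_interface` (with `out_interface` for the other direction); as far as I can tell `interface` is not a module option, and an unsupported argument fails the task rather than quietly matching nothing, so it should read `in_interface: {get_param: IronicInspectorInterface}`. The following `purge iptables ironic-inspector chain` task uses `flush: true`, which empties the chain but does not delete it, so an empty `ironic-inspector` chain survives the upgrade; if the commit message's "clean-up the iptables inspector chain" means removing it, add a task after the flush that runs `iptables -X ironic-inspector` (the jump rule is correctly removed first, which that deletion requires). As a style point, the `service:` tasks use `key=value` argument strings where block YAML (`name:`, `state:`, `enabled:`) is the Ansible convention, and all four tasks repeat `when: step|int == 2` where one `block:` with a single `when`, the shape the docker template's upgrade_tasks already use, would be shorter.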