Insert required iptables rules for Ironic

Devstack gate slaves have locked down local iptables firewalls. Ironic nodes boot on an 'external' network and require TFTP and Ironic API access back to the node via its HOST_IP. This inserts the required rules to the top of the INPUT chain. Change-Id: I2e5dfa2346d45fdd549a3a3fbc255f190195cdd6
2014-04-14 13:21:22 -07:00 · 2014-04-14 13:21:22 -07:00 · c1f0db2b1d
parent 3f2a7b75bb
commit c1f0db2b1d
3 changed files with 15 additions and 2 deletions
--- a/files/apts/ironic
+++ b/files/apts/ironic
@ -1,3 +1,4 @@
+iptables
 libguestfs0
 libvirt-bin
 openssh-client
--- a/files/rpms/ironic
+++ b/files/rpms/ironic
@ -1,6 +1,8 @@
+iptables
 libguestfs
 libvirt
 libvirt-python
+net-tools
 openssh-clients
 openvswitch
 python-libguestfs
--- a/lib/ironic
+++ b/lib/ironic
@ -379,11 +379,16 @@ function enroll_vms {
    neutron port-delete $PORT_ID
 }

-function configure_tftpd {
-    # enable tftp natting for allowing connections to SERVICE_HOST's tftp server
+function configure_iptables {
+    # enable tftp natting for allowing connections to HOST_IP's tftp server
    sudo modprobe nf_conntrack_tftp
    sudo modprobe nf_nat_tftp
+    # nodes boot from TFTP and callback to the API server listening on $HOST_IP
+    sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
+    sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+}

+function configure_tftpd {
    if is_ubuntu; then
        PXEBIN=/usr/lib/syslinux/pxelinux.0
    elif is_fedora; then
@ -527,6 +532,7 @@ function prepare_baremetal_basic_ops {
    create_bridge_and_vms
    enroll_vms
    configure_tftpd
+    configure_iptables

    # restart nova-compute to ensure its resource tracking is up to
    # date with newly enrolled nodes
@ -546,6 +552,10 @@ function cleanup_baremetal_basic_ops {
    sudo su $STACK_USER -c "$IRONIC_SCRIPTS_DIR/cleanup-nodes $IRONIC_VM_COUNT $IRONIC_VM_NETWORK_BRIDGE"
    sudo rm -rf /etc/xinetd.d/tftp /etc/init/tftpd-hpa.override
    restart_service xinetd
+    sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
+    sudo iptables -D INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+    sudo rmmod nf_conntrack_tftp || true
+    sudo rmmod nf_nat_tftp || true
 }

 # Restore xtrace + pipefail