Insert required iptables rules for Ironic

Devstack gate slaves have locked down local iptables firewalls.
Ironic nodes boot on an 'external' network and require TFTP
and Ironic API access back to the node via its HOST_IP.  This inserts
the required rules to the top of the INPUT chain.

Change-Id: I2e5dfa2346d45fdd549a3a3fbc255f190195cdd6
This commit is contained in:
Adam Gandelman 2014-04-14 13:21:22 -07:00
parent 3f2a7b75bb
commit c1f0db2b1d
3 changed files with 15 additions and 2 deletions


@ -1,3 +1,4 @@
iptables
libguestfs0 libguestfs0
libvirt-bin libvirt-bin
openssh-client openssh-client


@ -1,6 +1,8 @@
iptables
libguestfs libguestfs
libvirt libvirt
libvirt-python libvirt-python
net-tools
openssh-clients openssh-clients
openvswitch openvswitch
python-libguestfs python-libguestfs
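Review bot: `net-tools` is added to this package list next to `iptables`, but nothing visible in this commit's shell changes uses it, the other package list in this commit adds only `iptables`, and the commit message motivates only the iptables rules. Either drop the extra package or state in the commit message what needs it, so the two distro lists stay explainable.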


@ -379,11 +379,16 @@ function enroll_vms {
neutron port-delete $PORT_ID neutron port-delete $PORT_ID
} }
function configure_tftpd { function configure_iptables {
# enable tftp natting for allowing connections to SERVICE_HOST's tftp server # enable tftp natting for allowing connections to HOST_IP's tftp server
sudo modprobe nf_conntrack_tftp sudo modprobe nf_conntrack_tftp
sudo modprobe nf_nat_tftp sudo modprobe nf_nat_tftp
# nodes boot from TFTP and callback to the API server listening on $HOST_IP
sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
}
function configure_tftpd {
if is_ubuntu; then if is_ubuntu; then
PXEBIN=/usr/lib/syslinux/pxelinux.0 PXEBIN=/usr/lib/syslinux/pxelinux.0
elif is_fedora; then elif is_fedora; then
@ -527,6 +532,7 @@ function prepare_baremetal_basic_ops {
create_bridge_and_vms create_bridge_and_vms
enroll_vms enroll_vms
configure_tftpd configure_tftpd
configure_iptables
# restart nova-compute to ensure its resource tracking is up to # restart nova-compute to ensure its resource tracking is up to
# date with newly enrolled nodes # date with newly enrolled nodes
@ -546,6 +552,10 @@ function cleanup_baremetal_basic_ops {
sudo su $STACK_USER -c "$IRONIC_SCRIPTS_DIR/cleanup-nodes $IRONIC_VM_COUNT $IRONIC_VM_NETWORK_BRIDGE" sudo su $STACK_USER -c "$IRONIC_SCRIPTS_DIR/cleanup-nodes $IRONIC_VM_COUNT $IRONIC_VM_NETWORK_BRIDGE"
sudo rm -rf /etc/xinetd.d/tftp /etc/init/tftpd-hpa.override sudo rm -rf /etc/xinetd.d/tftp /etc/init/tftpd-hpa.override
restart_service xinetd restart_service xinetd
sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
sudo iptables -D INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
sudo rmmod nf_conntrack_tftp || true
sudo rmmod nf_nat_tftp || true
} }
# Restore xtrace + pipefail # Restore xtrace + pipefail
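Review bot: `sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true` in configure_iptables inserts a new rule on every run and hides a failed insert behind `|| true`, so a re-run leaves duplicate rules that the single `-D` per rule in cleanup_baremetal_basic_ops cannot fully remove, and an insert failure only surfaces later as a TFTP or API timeout. Prefer check-then-insert without the fallback, `sudo iptables -C INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT`, and the same for tcp/6385. Both rules also accept from any source; if the nodes' traffic enters the host via $IRONIC_VM_NETWORK_BRIDGE, adding `-i $IRONIC_VM_NETWORK_BRIDGE` keeps the gate host's TFTP and Ironic API closed to everything else, though the path should be confirmed given the NAT helper. In the cleanup hunk `sudo rmmod nf_conntrack_tftp || true` runs before `sudo rmmod nf_nat_tftp || true`; nf_nat_tftp depends on nf_conntrack_tftp, so the first call most likely fails with the module in use and the `|| true` hides it, leaving the conntrack helper loaded, so swap those two lines.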