From bea2df1b3fce8d7618c52d1b4c9d4864f0f2a4c9 Mon Sep 17 00:00:00 2001
From: dparalen
Date: Mon, 27 Nov 2017 19:59:28 +0100
Subject: [PATCH] fix dvsm config deprecations

The [firewall] group was deprecated but our devstack still uses it. This patch replaces the IRONIC_INSPECTOR_MANAGE_FIREWALL=True/False variable with an IRONIC_INSPECTOR_DHCP_FILTER variable with a default of 'iptables' and sets the [pxe_filter]driver config value. The IRONIC_INSPECTOR_INTERFACE is now set in the [iptables] config section.
Change-Id: Icf6fe6c6a98ab815edefe3c0e1ec3ce9a064bf2e
---
 devstack/plugin.sh | 36 ++++++++++++++-----
 devstack/upgrade/shutdown.sh | 2 +-
 devstack/upgrade/upgrade.sh | 7 ++--
 .../ironic-inspector-grenade-dsvm/run.yaml | 2 +-
 .../run.yaml | 2 +-
 .../run.yaml | 3 ++
 6 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index adfbbc1b7..0e22d2b29 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -16,7 +16,22 @@ IRONIC_INSPECTOR_DHCP_CONF_FILE=$IRONIC_INSPECTOR_CONF_DIR/dnsmasq.conf
 IRONIC_INSPECTOR_ROOTWRAP_CONF_FILE=$IRONIC_INSPECTOR_CONF_DIR/rootwrap.conf
 IRONIC_INSPECTOR_ADMIN_USER=${IRONIC_INSPECTOR_ADMIN_USER:-ironic-inspector}
 IRONIC_INSPECTOR_AUTH_CACHE_DIR=${IRONIC_INSPECTOR_AUTH_CACHE_DIR:-/var/cache/ironic-inspector}
-IRONIC_INSPECTOR_MANAGE_FIREWALL=$(trueorfalse True IRONIC_INSPECTOR_MANAGE_FIREWALL)
+IRONIC_INSPECTOR_DHCP_FILTER=${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}
+if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
+ echo "IRONIC_INSPECTOR_MANAGE_FIREWALL is deprecated." >&2
+ echo "Please, use IRONIC_INSPECTOR_DHCP_FILTER == noop/iptables/dnsmasq instead." >&2
+ if [[ "$IRONIC_INSPECTOR_DHCP_FILTER" != "iptables" ]] ; then
+ # both manage firewall and filter driver set together but driver isn't iptables
+ echo "Inconsistent configuration: IRONIC_INSPECTOR_MANAGE_FIREWALL used while" >&2
+ echo "IRONIC_INSPECTOR_DHCP_FILTER == $IRONIC_INSPECTOR_DHCP_FILTER" >&2
+ exit 1
+ fi
+ if [[ $(trueorfalse True IRONIC_INSPECTOR_MANAGE_FIREWALL) == "False" ]] ; then
+ echo "IRONIC_INSPECTOR_MANAGE_FIREWALL == False" >&2
+ echo "Setting IRONIC_INSPECTOR_DHCP_FILTER=noop" >&2
+ IRONIC_INSPECTOR_DHCP_FILTER=noop
+ fi
+fi
 IRONIC_INSPECTOR_HOST=$HOST_IP
 IRONIC_INSPECTOR_PORT=5050
 IRONIC_INSPECTOR_URI="http://$IRONIC_INSPECTOR_HOST:$IRONIC_INSPECTOR_PORT"
@@ -81,6 +96,11 @@ function start_inspector {
 run_process ironic-inspector "$IRONIC_INSPECTOR_CMD"
 }
+function is_inspector_dhcp_required {
+ [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]] || \
+ [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]]
+}
+
 function start_inspector_dhcp {
 # NOTE(dtantsur): USE_SYSTEMD requires an absolute path
 run_process ironic-inspector-dhcp \
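Review bot: The deprecation block added at the top of devstack/plugin.sh is not idempotent, and it rejects a consistent pair of settings. With IRONIC_INSPECTOR_MANAGE_FIREWALL=False it rewrites IRONIC_INSPECTOR_DHCP_FILTER to noop, so if this file is sourced again in the same shell (the `$1`/`$2` phase dispatch later in the file suggests it is sourced once per phase) the `!= "iptables"` check sees noop and exits with "Inconsistent configuration"; a user who sets both MANAGE_FIREWALL=False and DHCP_FILTER=noop hits the same exit on the first load. Work out which filter the legacy flag implies, reject only a real conflict with an explicitly set driver, and apply the `:-iptables` default after the block, as sketched below.

```shell
if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
    # … unchanged: the two deprecation warnings …
    if [[ $(trueorfalse True IRONIC_INSPECTOR_MANAGE_FIREWALL) == "False" ]] ; then
        # … unchanged: the "== False" / "Setting …=noop" messages …
        inspector_legacy_filter=noop
    else
        inspector_legacy_filter=iptables
    fi
    if [[ "${IRONIC_INSPECTOR_DHCP_FILTER:-$inspector_legacy_filter}" != "$inspector_legacy_filter" ]] ; then
        # … unchanged: "Inconsistent configuration" messages and exit 1 …
    fi
    IRONIC_INSPECTOR_DHCP_FILTER=$inspector_legacy_filter
fi
# default applied last, so an unset driver is distinguishable above
IRONIC_INSPECTOR_DHCP_FILTER=${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}
```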
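Review bot: The first test in is_inspector_dhcp_required never changes the result and compares an un-normalised value. IRONIC_INSPECTOR_MANAGE_FIREWALL is no longer passed through trueorfalse when it is assigned, so `== "True"` misses other spellings that trueorfalse would accept, and whenever the legacy flag is set the block at the top of the file has already left the driver at iptables or noop. The body can be reduced to `[[ "${IRONIC_INSPECTOR_DHCP_FILTER:-iptables}" != "noop" ]]`. A header comment would also help the callers in upgrade.sh and shutdown.sh, for example `# Returns 0 when the configured PXE filter driver needs the inspector dnsmasq service (any driver except noop).`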
@@ -181,8 +201,8 @@ function configure_inspector {
 inspector_iniset DEFAULT listen_port $IRONIC_INSPECTOR_PORT
 inspector_iniset DEFAULT listen_address 0.0.0.0 # do not change
- inspector_iniset firewall manage_firewall $IRONIC_INSPECTOR_MANAGE_FIREWALL
- inspector_iniset firewall dnsmasq_interface $IRONIC_INSPECTOR_INTERFACE
+ inspector_iniset pxe_filter driver $IRONIC_INSPECTOR_DHCP_FILTER
+ inspector_iniset iptables dnsmasq_interface $IRONIC_INSPECTOR_INTERFACE
 inspector_iniset database connection `database_connection_url ironic_inspector`
 # FIXME(ankit) Remove this when swift supports python3
@@ -298,7 +318,7 @@ function cleanup_inspector {
 sudo rm -rf $IRONIC_INSPECTOR_AUTH_CACHE_DIR
 sudo rm -rf "$IRONIC_INSPECTOR_RAMDISK_LOGDIR"
- # Try to clean up firewall rules
+ # Always try to clean up firewall rules, no matter filter driver used
 sudo iptables -D INPUT -i $IRONIC_INSPECTOR_INTERFACE -p udp \
 --dport 69 -j ACCEPT | true
 sudo iptables -D INPUT -i $IRONIC_INSPECTOR_INTERFACE -p tcp \
@@ -324,7 +344,7 @@ function sync_inspector_database {
 if [[ "$1" == "stack" && "$2" == "install" ]]; then
 echo_summary "Installing ironic-inspector"
- if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+ if is_inspector_dhcp_required; then
 install_inspector_dhcp
 fi
 install_inspector
@@ -332,7 +352,7 @@ if [[ "$1" == "stack" && "$2" == "install" ]]; then
 elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
 echo_summary "Configuring ironic-inspector"
 cleanup_inspector
- if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+ if is_inspector_dhcp_required; then
 configure_inspector_dhcp
 fi
 configure_inspector
@@ -340,7 +360,7 @@ elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
 elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
 echo_summary "Initializing ironic-inspector"
 prepare_environment
- if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+ if is_inspector_dhcp_required; then
 start_inspector_dhcp
 fi
 start_inspector
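Review bot: In the configure_inspector hunk, IRONIC_INSPECTOR_DHCP_FILTER is written to `[pxe_filter]driver` without being checked against the values the deprecation message names (noop/iptables/dnsmasq), and both new `inspector_iniset` lines expand their variable unquoted. A typo in the local configuration would land in the generated config file and presumably only surface when the service tries to load the driver, while is_inspector_dhcp_required treats every value other than noop as needing dnsmasq. Quote the expansions, `inspector_iniset pxe_filter driver "$IRONIC_INSPECTOR_DHCP_FILTER"` and `inspector_iniset iptables dnsmasq_interface "$IRONIC_INSPECTOR_INTERFACE"`, and reject unknown driver names at the point where the variable is defaulted. configure_inspector starts and ends outside this hunk.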
@@ -355,7 +375,7 @@ fi
 if [[ "$1" == "unstack" ]]; then
 stop_inspector
- if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+ if is_inspector_dhcp_required; then
 stop_inspector_dhcp
 fi
 cleanup_inspector
diff --git a/devstack/upgrade/shutdown.sh b/devstack/upgrade/shutdown.sh
index 59e0caee9..819e57c4b 100755
--- a/devstack/upgrade/shutdown.sh
+++ b/devstack/upgrade/shutdown.sh
@@ -24,6 +24,6 @@ source $INSPECTOR_DEVSTACK_DIR/plugin.sh
 set -o xtrace
 stop_inspector
-if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+if is_inspector_dhcp_required; then
 stop_inspector_dhcp
 fi
diff --git a/devstack/upgrade/upgrade.sh b/devstack/upgrade/upgrade.sh
index 5880f3b28..7138f2d86 100755
--- a/devstack/upgrade/upgrade.sh
+++ b/devstack/upgrade/upgrade.sh
@@ -75,7 +75,7 @@ fi
 # https://github.com/openstack-dev/devstack/blob/dec121114c3ea6f9e515a452700e5015d1e34704/lib/stack#L32
 stack_install_service inspector
-if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+if is_inspector_dhcp_required; then
 stack_install_service inspector_dhcp
 fi
@@ -86,15 +86,14 @@ upgrade_project ironic-inspector $RUN_DIR $BASE_DEVSTACK_BRANCH $TARGET_DEVSTACK
 start_inspector
-
-if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+if is_inspector_dhcp_required; then
 start_inspector_dhcp
 fi
 # Don't succeed unless the services come up
 ensure_services_started ironic-inspector
-if [[ "$IRONIC_INSPECTOR_MANAGE_FIREWALL" == "True" ]]; then
+if is_inspector_dhcp_required; then
 ensure_services_started dnsmasq
 fi
diff --git a/playbooks/legacy/ironic-inspector-grenade-dsvm/run.yaml b/playbooks/legacy/ironic-inspector-grenade-dsvm/run.yaml
index 5b47c2972..7437e7c54 100644
--- a/playbooks/legacy/ironic-inspector-grenade-dsvm/run.yaml
+++ b/playbooks/legacy/ironic-inspector-grenade-dsvm/run.yaml
@@ -133,7 +133,7 @@
 # Make IPXE configuration consistent between Mitaka and Master
 export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_IPXE_ENABLED=True"
 export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_RAMDISK_ELEMENT=ironic-agent"
- export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_MANAGE_FIREWALL=True"
+ export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_DHCP_FILTER=iptables"
 EOF
 chdir: '{{ ansible_user_dir }}/workspace'
diff --git a/playbooks/legacy/ironic-inspector-tempest-dsvm-discovery/run.yaml b/playbooks/legacy/ironic-inspector-tempest-dsvm-discovery/run.yaml
index a5860eac9..11387fd3d 100644
--- a/playbooks/legacy/ironic-inspector-tempest-dsvm-discovery/run.yaml
+++ b/playbooks/legacy/ironic-inspector-tempest-dsvm-discovery/run.yaml
@@ -92,7 +92,7 @@
 # Make IPXE configuration consistent between Mitaka and Master
 export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_IPXE_ENABLED=True"
 export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_RAMDISK_ELEMENT=ironic-agent"
- export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_MANAGE_FIREWALL=True"
+ export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_DHCP_FILTER=iptables"
 EOF
 chdir: '{{ ansible_user_dir }}/workspace'
diff --git a/playbooks/legacy/ironic-inspector-tempest-dsvm-python3/run.yaml b/playbooks/legacy/ironic-inspector-tempest-dsvm-python3/run.yaml
index 2aa444184..158380e86 100644
--- a/playbooks/legacy/ironic-inspector-tempest-dsvm-python3/run.yaml
+++ b/playbooks/legacy/ironic-inspector-tempest-dsvm-python3/run.yaml
@@ -97,6 +97,9 @@
 export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_CLEAN_UP_PERIOD=5"
 fi
+ # PXE Filter Driver
+ export DEVSTACK_LOCAL_CONFIG+=$'\n'"IRONIC_INSPECTOR_DHCP_FILTER=iptables"
+
 EOF
 chdir: '{{ ansible_user_dir }}/workspace'
 environment: '{{ zuul | zuul_legacy_vars }}'