Merge "Remove inspector_manage_firewall variable"

ansible/group_vars/all/inspector

@@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}"
 ###############################################################################
 # Ironic inspector processing configuration.
 
-# Whether inspector should manage the firewall.
-inspector_manage_firewall: True
-
 # List of of default inspector processing plugins.
 inspector_processing_hooks_default:
   - ramdisk_error

ansible/kolla-openstack.yml

@@ -189,7 +189,6 @@
   roles:
     - role: kolla-openstack
       # Ironic inspector configuration.
-      kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}"
       kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}"
       kolla_inspector_add_ports: "{{ inspector_add_ports }}"
       kolla_inspector_keep_ports: "{{ inspector_keep_ports }}"

ansible/roles/kolla-openstack/defaults/main.yml

@@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe:
 ###############################################################################
 # Ironic inspector configuration.
 
-# Whether inspector should manage the firewall.
-kolla_inspector_manage_firewall:
-
 # Comma-separated list of inspector processing plugins.
 kolla_inspector_processing_hooks:
 

ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2

@@ -1,10 +1,5 @@
 [DEFAULT]
 
-[pxe_filter]
-# The filter ironic inspector will use to prevent nodes from undergoing
-# inspection unless explicitly requested.
-driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }}
-
 [processing]
 {% if kolla_inspector_processing_hooks %}
 # Comma-separated list of inspector processing plugins.

dev/functions

@@ -644,6 +644,9 @@ function configure_iptables {
     sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
     # allow IPA to connect to ironic inspector
     sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
+    # Docker CE has added a default DROP policy to the FORWARD chain. Allow
+    # DHCP packets to be forwarded across the bridge.
+    sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
 
     # agent ramdisk gets instance image from swift
     sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true

etc/kayobe/inspector.yml

@@ -26,9 +26,6 @@
 ###############################################################################
 # Ironic inspector processing configuration.
 
-# Whether inspector should manage the firewall.
-#inspector_manage_firewall:
-
 # List of of default inspector processing plugins.
 #inspector_processing_hooks_default:
 

releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml

@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Removes the ``inspector_manage_firewall`` variable. This is supported in
+    Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can
+    be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value
+    for that variable changed in the Stein release from 'iptables' to
+    'dnsmasq', since the iptables filter `does not work with Docker CE
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1823044>`__.