Merge "Remove inspector_manage_firewall variable"

2019-04-10 11:30:31 +00:00 · 2019-04-10 11:30:31 +00:00 · 0a2c13accb
commit 0a2c13accb
parent 68277e2670 c2a35ce211
7 changed files with 12 additions and 15 deletions
--- a/ansible/group_vars/all/inspector
+++ b/ansible/group_vars/all/inspector
@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}"
 ###############################################################################
 # Ironic inspector processing configuration.

-# Whether inspector should manage the firewall.
-inspector_manage_firewall: True
-
 # List of of default inspector processing plugins.
 inspector_processing_hooks_default:
  - ramdisk_error
--- a/ansible/kolla-openstack.yml
+++ b/ansible/kolla-openstack.yml
@ -189,7 +189,6 @@
  roles:
    - role: kolla-openstack
      # Ironic inspector configuration.
-      kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}"
      kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}"
      kolla_inspector_add_ports: "{{ inspector_add_ports }}"
      kolla_inspector_keep_ports: "{{ inspector_keep_ports }}"
--- a/ansible/roles/kolla-openstack/defaults/main.yml
+++ b/ansible/roles/kolla-openstack/defaults/main.yml
@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe:
 ###############################################################################
 # Ironic inspector configuration.

-# Whether inspector should manage the firewall.
-kolla_inspector_manage_firewall:
-
 # Comma-separated list of inspector processing plugins.
 kolla_inspector_processing_hooks:

--- a/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2
@ -1,10 +1,5 @@
 [DEFAULT]

-[pxe_filter]
-# The filter ironic inspector will use to prevent nodes from undergoing
-# inspection unless explicitly requested.
-driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }}
-
 [processing]
 {% if kolla_inspector_processing_hooks %}
 # Comma-separated list of inspector processing plugins.
--- a/dev/functions
+++ b/dev/functions
@ -644,6 +644,9 @@ function configure_iptables {
    sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
    # allow IPA to connect to ironic inspector
    sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
+    # Docker CE has added a default DROP policy to the FORWARD chain. Allow
+    # DHCP packets to be forwarded across the bridge.
+    sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true

    # agent ramdisk gets instance image from swift
    sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
--- a/etc/kayobe/inspector.yml
+++ b/etc/kayobe/inspector.yml
@ -26,9 +26,6 @@
 ###############################################################################
 # Ironic inspector processing configuration.

-# Whether inspector should manage the firewall.
-#inspector_manage_firewall:
-
 # List of of default inspector processing plugins.
 #inspector_processing_hooks_default:

--- a/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml
+++ b/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml
@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Removes the ``inspector_manage_firewall`` variable. This is supported in
+    Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can
+    be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value
+    for that variable changed in the Stein release from 'iptables' to
+    'dnsmasq', since the iptables filter `does not work with Docker CE
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1823044>`__.