From 9df0f00bc5e38c37706eaf845f93754af7605528 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Wed, 7 Oct 2020 17:38:43 +0200
Subject: [PATCH] Configure bifrost to use firewalld trusted zone

Without this setting, bifrost creates a bifrost firewalld zone only allowing network traffic for Ironic services and assigns the provisioning network interface to it, potentially causing loss of connectivity.

Using the public zone is suggested as a workaround [1] but is not sufficient: it allows SSH traffic, but blocks other services deployed on the seed, such as Docker registry traffic.

[1] https://review.opendev.org/#/c/754406/

Change-Id: I80f9d95f02e11fda5916f9a9dd257b688a9db7e2
Story: 2008153
Task: 40899
---
 ansible/group_vars/all/bifrost | 4 ++++
 .../roles/kolla-bifrost/templates/bifrost.yml.j2 | 3 +++
 etc/kayobe/bifrost.yml | 4 ++++
 .../bifrost-firewalld-zone-09a29651a058531a.yaml | 16 ++++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml

diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index 3c06e0bf5..81224ed1e 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+kolla_bifrost_firewalld_internal_zone: trusted
+
 ###############################################################################
 # Diskimage-builder configuration.
 
diff --git a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2 b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
index 8ffbf2af8..a4d64dd3f 100644
--- a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
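Review bot: The new `kolla_bifrost_firewalld_internal_zone: trusted` default removes inbound filtering on the provisioning interface, and the comment above it explains only why that is convenient, not what it costs. Firewalld's `trusted` zone accepts every incoming connection (the release note in this same commit says it "allows all traffic"), so after this change anything listening on the seed is reachable from the provisioning network with no host-level filter; that is acceptable only when the provisioning network is isolated from untrusted hosts, and operators need to see that assumption where the default is set. I would extend the comment with `# NOTE: "trusted" accepts all inbound traffic on the provisioning interface; rely on isolation of the provisioning network, or set a stricter zone that already exists on the seed.`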
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Firewalld zone used by Bifrost.
+firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
+
 {% if kolla_bifrost_extra_globals %}
 ###############################################################################
 # Extra configuration
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 9e7c9cf25..bd7e97e1d 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+#kolla_bifrost_firewalld_internal_zone:
+
 ###############################################################################
 # Diskimage-builder configuration.
 
diff --git a/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
new file mode 100644
index 000000000..b9cde15b9
--- /dev/null
+++ b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
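Review bot: `firewalld_internal_zone` is rendered straight from `kolla_bifrost_firewalld_internal_zone` with no check that the value is non-empty or names a zone that exists on the seed, so a typo or an empty override in an operator's config is only discovered when Bifrost applies it, which on a shared provisioning/admin network is exactly the lock-out this commit is fixing. The kolla-bifrost role could at least assert the value before templating, e.g. `- assert: { that: kolla_bifrost_firewalld_internal_zone | length > 0 }`; checking the name against `firewall-cmd --get-zones` on the seed would be stronger but is a larger change. Whether Bifrost itself validates the zone is not visible from this hunk.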
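Review bot: The operator-facing comment on the commented-out `#kolla_bifrost_firewalld_internal_zone:` repeats the group_vars wording and omits the two things someone choosing a different zone needs to know: that `trusted` means unfiltered inbound access on the provisioning interface, and that any alternative zone must already exist on the seed and permit SSH plus the other seed services before seed services are deployed, otherwise connectivity is lost (the release note says as much, but this file is what operators actually read). I would replace the second comment line with `# services running on the seed host. "trusted" accepts all inbound traffic; any other zone must already exist on the seed and allow SSH and the seed services.`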
@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
+    ensuring that all services running on the seed host are accessible.
+    Deployments with stricter firewall policies can select another zone by
+    setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
+    ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
+    seed host, ensure that ``firewalld`` is already configured on the seed host
+    before deploying seed services.
+fixes:
+  - |
+    Fixes loss of connectivity to the seed host after deploying seed services,
+    when using a shared provisioning and admin network. This was caused by
+    Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
+    configures Bifrost to use the ``trusted`` zone, which allows all traffic.