Prevent Bifrost from using firewalld

This is to avoid conflicting with iptables rules configured on the seed host by Kayobe. A new variable kolla_bifrost_use_firewalld is introduced to configure whether Bifrost uses firewalld. Change-Id: I7049eae6518f818f9e180dfdb6f515d527644808 Story: 2009252 Task: 43442
2021-09-27 11:40:49 +02:00 · 2021-09-27 11:40:49 +02:00 · 9f6c912b34
commit 9f6c912b34
parent 96a9d861cf
4 changed files with 27 additions and 0 deletions
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"

+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+kolla_bifrost_use_firewalld: False
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 kolla_bifrost_firewalld_internal_zone: trusted
--- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
+++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"

+# Whether Bifrost uses firewalld.
+use_firewalld: "{{ kolla_bifrost_use_firewalld }}"
+
 # Firewalld zone used by Bifrost.
 firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"

--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:

+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+#kolla_bifrost_use_firewalld:
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 #kolla_bifrost_firewalld_internal_zone:
--- a/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
+++ b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
@ -0,0 +1,16 @@
+---
+features:
+  - |
+    Adds a new ``kolla_bifrost_use_firewalld`` variable used to define whether
+    Bifrost uses firewalld, which is now disabled by default.
+upgrade:
+  - |
+    Bifrost is now configured to avoid using firewalld, to prevent conflicts
+    with firewall rules set by Kayobe on the seed host. The existing behaviour
+    can be retained by setting ``kolla_bifrost_use_firewalld`` to ``True`` in
+    ``bifrost.yml``.
+fixes:
+  - |
+    Prevents Bifrost from using firewalld to avoid conflicts with firewall
+    rules set by Kayobe on the seed host. See `story 2009252
+    <https://storyboard.openstack.org/#!/story/2009252>`__ for more details.