From 9f6c912b3418b21c06f53860e786b5b56daddff6 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Mon, 27 Sep 2021 11:40:49 +0200
Subject: [PATCH] Prevent Bifrost from using firewalld

This is to avoid conflicting with iptables rules configured on the seed host by Kayobe. A new variable kolla_bifrost_use_firewalld is introduced to configure whether Bifrost uses firewalld.

Change-Id: I7049eae6518f818f9e180dfdb6f515d527644808
Story: 2009252
Task: 43442
---
 ansible/group_vars/all/bifrost | 4 ++++
 .../templates/kolla/config/bifrost/bifrost.yml | 3 +++
 etc/kayobe/bifrost.yml | 4 ++++
 .../bifrost-use-firewalld-90b69e2ac6eead67.yaml | 16 ++++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml

diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index b51367199..c4c68c058 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+kolla_bifrost_use_firewalld: False
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 kolla_bifrost_firewalld_internal_zone: trusted
diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
index cb1291f12..e8accf4f6 100644
--- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
+++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
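Review bot: In the ansible/group_vars/all/bifrost hunk, the comment on `kolla_bifrost_use_firewalld: False` explains why firewalld is switched off but not what an operator must then rely on to filter traffic to Bifrost's services on the seed host. The hunk states only the intent (Kayobe's iptables rules take over); whether those rules are always present is not visible here, so I would add a line such as `# When false, access to Bifrost services is controlled solely by the seed host firewall rules managed outside Bifrost.` The neighbouring `kolla_bifrost_firewalld_internal_zone: trusted` presumably has no effect once this is false, and its comment should say so, e.g. `# Only used when kolla_bifrost_use_firewalld is true.` It would also help to document whether flipping the default on an existing seed leaves earlier firewalld state in place, which this change does not show being cleaned up.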
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Whether Bifrost uses firewalld.
+use_firewalld: "{{ kolla_bifrost_use_firewalld }}"
+
 # Firewalld zone used by Bifrost.
 firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
 
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 275d80bc8..0bfcec726 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+#kolla_bifrost_use_firewalld:
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 #kolla_bifrost_firewalld_internal_zone:
diff --git a/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
new file mode 100644
index 000000000..ad10a9c51
--- /dev/null
+++ b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
@@ -0,0 +1,16 @@
+---
+features:
+ - |
+ Adds a new ``kolla_bifrost_use_firewalld`` variable used to define whether
+ Bifrost uses firewalld, which is now disabled by default.
+upgrade:
+ - |
+ Bifrost is now configured to avoid using firewalld, to prevent conflicts
+ with firewall rules set by Kayobe on the seed host. The existing behaviour
+ can be retained by setting ``kolla_bifrost_use_firewalld`` to ``True`` in
+ ``bifrost.yml``.
+fixes:
+ - |
+ Prevents Bifrost from using firewalld to avoid conflicts with firewall
+ rules set by Kayobe on the seed host. See `story 2009252
+ `__ for more details.
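Review bot: In the kolla-bifrost template hunk (templates/kolla/config/bifrost/bifrost.yml), `use_firewalld: "{{ kolla_bifrost_use_firewalld }}"` renders the value inside quotes, so the generated file carries the string `"False"` rather than a YAML boolean, and any operator override (`no`, `0`, an arbitrary string) is passed through unchanged. Whether Bifrost coerces the variable with `| bool` is not visible in this hunk; if any consumer tests it for plain truthiness, a non-empty string could leave firewalld handling enabled contrary to the setting. Normalising in the template removes the doubt: `use_firewalld: {{ kolla_bifrost_use_firewalld | bool | lower }}`. The template continues outside the hunk on both sides.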