diff --git a/ansible/group_vars/all/inspector b/ansible/group_vars/all/inspector index 45ad265fd..8a6e4ca63 100644 --- a/ansible/group_vars/all/inspector +++ b/ansible/group_vars/all/inspector @@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}" ############################################################################### # Ironic inspector processing configuration. -# Whether inspector should manage the firewall. -inspector_manage_firewall: True - # List of of default inspector processing plugins. inspector_processing_hooks_default: - ramdisk_error diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index eaae5c991..dfeabbabf 100644 --- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -189,7 +189,6 @@ roles: - role: kolla-openstack # Ironic inspector configuration. - kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}" kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}" kolla_inspector_add_ports: "{{ inspector_add_ports }}" kolla_inspector_keep_ports: "{{ inspector_keep_ports }}" diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index 78273ac0f..dc5e3ebe9 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml @@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe: ############################################################################### # Ironic inspector configuration. -# Whether inspector should manage the firewall. -kolla_inspector_manage_firewall: - # Comma-separated list of inspector processing plugins. kolla_inspector_processing_hooks: diff --git a/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2 b/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2 index da48d2542..b3852bb9f 100644 --- a/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2 
+++ b/ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2 @@ -1,10 +1,5 @@ [DEFAULT] -[pxe_filter] -# The filter ironic inspector will use to prevent nodes from undergoing -# inspection unless explicitly requested. -driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }} - [processing] {% if kolla_inspector_processing_hooks %} # Comma-separated list of inspector processing plugins. diff --git a/dev/functions b/dev/functions index 6c0bbe4e4..f9ee17d5a 100644 --- a/dev/functions +++ b/dev/functions @@ -644,6 +644,9 @@ function configure_iptables { sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true # allow IPA to connect to ironic inspector sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true + # Docker CE has added a default DROP policy to the FORWARD chain. Allow + # DHCP packets to be forwarded across the bridge. + sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true # agent ramdisk gets instance image from swift sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml index ac83dd32e..b99780e30 100644 --- a/etc/kayobe/inspector.yml +++ b/etc/kayobe/inspector.yml @@ -26,9 +26,6 @@ ############################################################################### # Ironic inspector processing configuration. -# Whether inspector should manage the firewall. -#inspector_manage_firewall: - # List of of default inspector processing plugins. #inspector_processing_hooks_default: diff --git a/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml b/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml new file mode 100644 index 000000000..41b19b260 --- /dev/null +++ b/releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml 
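Review bot: The FORWARD rule added to configure_iptables in dev/functions accepts UDP 67:68 between any pair of interfaces on the host, although its comment only intends DHCP to cross the bridge. Scoping it to bridged traffic would keep the exception to Docker CE's DROP policy as narrow as the comment describes, for example `sudo iptables -I FORWARD -m physdev --physdev-is-bridged -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true`, or `-i <bridge-interface> -o <bridge-interface>`, where `<bridge-interface>` is a placeholder because the bridge name is not visible in this hunk. The trailing `|| true` also hides a failed insert, so DHCP forwarding would stay blocked with no message. That matches the neighbouring rules, so it may be deliberate, but a short comment saying so would help. configure_iptables begins and continues outside the hunk.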
@@ -0,0 +1,9 @@ +--- +upgrade: + - | + Removes the ``inspector_manage_firewall`` variable. This is supported in + Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can + be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value + for that variable changed in the Stein release from 'iptables' to + 'dnsmasq', since the iptables filter `does not work with Docker CE + `__.