Remove inspector_manage_firewall variable
This is supported in kolla-ansible via the ironic_inspector_pxe_filter variable, which can be added to globals.yml. The default value for that variable changed in the Stein release from 'iptables' to 'dnsmasq', since the iptables filter does not work with Docker CE [1]. This change removes the inspector_manage_firewall variable. This change also adds an iptables rule in CI tests to allow DHCP packets to be forwarded, to ensure bare metal servers can be deployed. [1] https://bugs.launchpad.net/kolla-ansible/+bug/1823044 Depends-On: https://review.openstack.org/649673 Change-Id: Idac6777b4d97fbd17698fc2086ceb068d7b2e326 Related-Bug: #1823044
parent
08bb1441eb
commit
c2a35ce211
@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}"
|
||||
###############################################################################
|
||||
# Ironic inspector processing configuration.
|
||||
|
||||
# Whether inspector should manage the firewall.
|
||||
inspector_manage_firewall: True
|
||||
|
||||
# List of of default inspector processing plugins.
|
||||
inspector_processing_hooks_default:
|
||||
- ramdisk_error
|
||||
|
@ -189,7 +189,6 @@
|
||||
roles:
|
||||
- role: kolla-openstack
|
||||
# Ironic inspector configuration.
|
||||
kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}"
|
||||
kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}"
|
||||
kolla_inspector_add_ports: "{{ inspector_add_ports }}"
|
||||
kolla_inspector_keep_ports: "{{ inspector_keep_ports }}"
|
||||
|
@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe:
|
||||
###############################################################################
|
||||
# Ironic inspector configuration.
|
||||
|
||||
# Whether inspector should manage the firewall.
|
||||
kolla_inspector_manage_firewall:
|
||||
|
||||
# Comma-separated list of inspector processing plugins.
|
||||
kolla_inspector_processing_hooks:
|
||||
|
||||
|
@ -1,10 +1,5 @@
|
||||
[DEFAULT]
|
||||
|
||||
[pxe_filter]
|
||||
# The filter ironic inspector will use to prevent nodes from undergoing
|
||||
# inspection unless explicitly requested.
|
||||
driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }}
|
||||
|
||||
[processing]
|
||||
{% if kolla_inspector_processing_hooks %}
|
||||
# Comma-separated list of inspector processing plugins.
|
||||
|
@ -644,6 +644,9 @@ function configure_iptables {
|
||||
sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
|
||||
# allow IPA to connect to ironic inspector
|
||||
sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
|
||||
# Docker CE has added a default DROP policy to the FORWARD chain. Allow
|
||||
# DHCP packets to be forwarded across the bridge.
|
||||
sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
|
||||
|
||||
# agent ramdisk gets instance image from swift
|
||||
sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
|
||||
|
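Review bot: The added DHCP rule (`sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT`) has no `-i`/`-o` interface match, so it accepts forwarded DHCP traffic between any two interfaces on the host rather than only across the bridge its comment names. Scoping it would keep the exception to the FORWARD DROP policy as narrow as the stated intent, e.g. `sudo iptables -I FORWARD -i <PROVISIONING_BRIDGE> -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true`, where `<PROVISIONING_BRIDGE>` is a placeholder for whichever bridge variable this script already defines. The trailing `|| true` matches the neighbouring rules, but it also makes a failed insert silent, so it would presumably only surface later as a DHCP timeout during bare metal deployment; logging a warning on failure would make that easier to diagnose. configure_iptables starts and ends outside this hunk, so the available bridge variable and any later cleanup of the rule are not visible here.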
@ -26,9 +26,6 @@
|
||||
###############################################################################
|
||||
# Ironic inspector processing configuration.
|
||||
|
||||
# Whether inspector should manage the firewall.
|
||||
#inspector_manage_firewall:
|
||||
|
||||
# List of of default inspector processing plugins.
|
||||
#inspector_processing_hooks_default:
|
||||
|
||||
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
Removes the ``inspector_manage_firewall`` variable. This is supported in
|
||||
Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can
|
||||
be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value
|
||||
for that variable changed in the Stein release from 'iptables' to
|
||||
'dnsmasq', since the iptables filter `does not work with Docker CE
|
||||
<https://bugs.launchpad.net/kolla-ansible/+bug/1823044>`__.
|