9df0f00bc5
Without this setting, bifrost creates a bifrost firewalld zone only allowing network traffic for Ironic services and assigns the provisioning network interface to it, potentially causing loss of connectivity. Using the public zone is suggested as a workaround [1] but is not sufficient: it allows SSH traffic, but blocks other services deployed on the seed, such as Docker registry traffic.

[1] https://review.opendev.org/#/c/754406/

Change-Id: I80f9d95f02e11fda5916f9a9dd257b688a9db7e2
Story: 2008153
Task: 40899
17 lines
832 B
YAML
---
upgrade:
  - |
    Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
    ensuring that all services running on the seed host are accessible.
    Deployments with stricter firewall policies can select another zone by
    setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
    ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
    seed host, ensure that ``firewalld`` is already configured on the seed host
    before deploying seed services.
fixes:
  - |
    Fixes loss of connectivity to the seed host after deploying seed services,
    when using a shared provisioning and admin network. This was caused by
    Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
    configures Bifrost to use the ``trusted`` zone, which allows all traffic.