Merge "Use ironic inspector 'dnsmasq' PXE filter by default"

Zuul 2019-04-10 09:17:41 +00:00 committed by Gerrit Code Review
commit 7eb0da0d71
3 changed files with 29 additions and 3 deletions

@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
ironic_enable_rolling_upgrade: "yes"
ironic_inspector_kernel_cmdline_extras: []
ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"
####################
## Kolla

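Review bot: the new default in the `ironic_inspector_pxe_filter` template still falls back to `none` when `enable_neutron` is false, so the switch from `iptables` to `dnsmasq` only takes effect on Neutron-enabled deployments, while the release note in this change describes the new default unconditionally; state the Neutron condition there. Separately, the `dnsmasq` filter driver depends on inspector's dnsmasq instance being configured to read per-node host entries from a directory the inspector service writes to, and nothing in this diff touches that configuration; confirm it is already in place (or handled in another change) before making `dnsmasq` the default.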
@ -21,3 +21,20 @@
- name: Flush handlers
meta: flush_handlers
# NOTE(mgoddard): If inspector was previously configured to use the iptables
# PXE filter, it may leave rules in place that block inspection. Clean them up.
# The iptables Ansible module is not idempotent - it fails if the chain does
# not exist, so use a command instead.
- name: Flush and delete ironic-inspector iptables chain
become: true
command: iptables --{{ item }} ironic-inspector
register: ironic_inspector_chain
with_items:
- flush
- delete-chain
when: ironic_inspector_pxe_filter != 'iptables'
changed_when: ironic_inspector_chain.rc == 0
failed_when:
- ironic_inspector_chain.rc != 0
- "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"

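Review bot: the cleanup in `Flush and delete ironic-inspector iptables chain` only flushes and deletes the chain itself, but the inspector's `iptables` filter also installs a jump rule into a built-in chain to send DHCP traffic to `ironic-inspector`, and `iptables --delete-chain` refuses to remove a chain that is still referenced by such a rule. That refusal reports a different error from the one tolerated in `failed_when` (`'No chain/target/match by that name'`), so on a host that actually ran the `iptables` filter, which is exactly the case the NOTE describes, this task is likely to fail instead of cleaning up. Delete the rule that jumps to `ironic-inspector` before the `delete-chain` step (for instance by listing rules with `iptables -S` and removing any whose target is the chain) and extend `failed_when` so that rule already being absent is not a failure. A smaller point: with `when: ironic_inspector_pxe_filter != 'iptables'` the task also runs on fresh installs where the chain never existed; that is harmless given the `failed_when` handling, but a sentence in the NOTE would save the next reader from reading it as a bug.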
@ -4,5 +4,14 @@ features:
Adds support for the `Ironic Inspector dnsmasq PXE filter
<https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
that provides improved scalability over the default IPTables PXE filter.
This can be enabled by setting ``ironic_inspector_pxe_filter`` to
``dnsmasq``.
This is now used by default instead of the ``iptables`` PXE filter.
The ``iptables`` filter can be enabled by setting
``ironic_inspector_pxe_filter`` to ``iptables``.
upgrade:
- |
The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
than ``iptables``. This change has been made to work around an issue
introduced by moving to Docker CE, where the daemon sets the default
policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
packets from bare metal nodes to get dropped, which prevents provisioning.
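Review bot: the `upgrade` note explains the motivation (the Docker CE `FORWARD` `DROP` policy) but not what an operator should do or expect. It should say that the upgrade now flushes and deletes any leftover `ironic-inspector` iptables chain on the inspector hosts, that deployments which want to keep the `iptables` filter must set `ironic_inspector_pxe_filter: iptables` before upgrading, and that the default remains `none` when `enable_neutron` is false. In the `features` paragraph, if the sentence `This can be enabled by setting ironic_inspector_pxe_filter to dnsmasq` survives alongside `This is now used by default instead of the iptables PXE filter`, drop the former, since the two contradict each other.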