
Merge "Use ironic inspector 'dnsmasq' PXE filter by default"

master
Zuul 1 month ago
parent
commit
7eb0da0d71

+ 1
- 1
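--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"
 
 ####################
 ## Kolla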
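Review bot: `ironic_inspector_pxe_filter` carries no comment naming its accepted values, and this line changes which mechanism limits who the inspection DHCP service answers. I would add above it `# PXE filter driver for ironic inspector: "dnsmasq", "iptables" or "none" (no filtering).` The `none` branch taken when `enable_neutron` is false is untouched by this commit; presumably it leaves inspection DHCP unfiltered, which is worth stating for operators who treat the filter as an access control.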

+ 17
- 0
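--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@@ -21,3 +21,20 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
+# The iptables Ansible module is not idempotent - it fails if the chain does
+# not exist, so use a command instead.
+- name: Flush and delete ironic-inspector iptables chain
+  become: true
+  command: iptables --{{ item }} ironic-inspector
+  register: ironic_inspector_chain
+  with_items:
+    - flush
+    - delete-chain
+  when: ironic_inspector_pxe_filter != 'iptables'
+  changed_when: ironic_inspector_chain.rc == 0
+  failed_when:
+    - ironic_inspector_chain.rc != 0
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"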
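Review bot: The `command: iptables --{{ item }} ironic-inspector` line does not wait for the xtables lock, so on a host where the Docker daemon is also rewriting iptables (the release note in this commit says it does) the call can fail on lock contention with a message the `failed_when` list does not tolerate, aborting the deploy; `command: iptables --wait --{{ item }} ironic-inspector` avoids that. The same `failed_when` also fails the play if `--delete-chain` is refused because another chain still jumps to `ironic-inspector`; whether the old filter leaves such a jump rule behind is not visible here, so it should be confirmed on an upgraded host. Since the task removes packet-filter state as root on every deploy where the filter is not `iptables`, the NOTE comment should also say that the chain is owned solely by ironic-inspector, so reviewers of host firewall policy know nothing else is expected to populate it.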

+ 11
- 2
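--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@@ -4,5 +4,14 @@ features:
     Adds support for the `Ironic Inspector dnsmasq PXE filter
     <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
     that provides improved scalability over the default IPTables PXE filter.
-    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
-    ``dnsmasq``.
+    This is now used by default instead of the ``iptables`` PXE filter.
+    The ``iptables`` filter can be enabled by setting
+    ``ironic_inspector_pxe_filter`` to ``iptables``.
+upgrade:
+  - |
+    The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
+    than ``iptables``.  This change has been made to work around an issue
+    introduced by moving to Docker CE, where the daemon sets the default
+    policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
+    interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
+    packets from bare metal nodes to get dropped, which prevents provisioning.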
