Merge "Use ironic inspector 'dnsmasq' PXE filter by default"

2019-04-10 09:17:41 +00:00 · 2019-04-10 09:17:41 +00:00 · 7eb0da0d71
commit 7eb0da0d71
parent 416d840094 86e83faeb1
3 changed files with 29 additions and 3 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"

 ####################
 ## Kolla
--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@ -21,3 +21,20 @@

 - name: Flush handlers
  meta: flush_handlers
+
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
+# The iptables Ansible module is not idempotent - it fails if the chain does
+# not exist, so use a command instead.
+- name: Flush and delete ironic-inspector iptables chain
+  become: true
+  command: iptables --{{ item }} ironic-inspector
+  register: ironic_inspector_chain
+  with_items:
+    - flush
+    - delete-chain
+  when: ironic_inspector_pxe_filter != 'iptables'
+  changed_when: ironic_inspector_chain.rc == 0
+  failed_when:
+    - ironic_inspector_chain.rc != 0
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@ -4,5 +4,14 @@ features:
    Adds support for the `Ironic Inspector dnsmasq PXE filter
    <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
    that provides improved scalability over the default IPTables PXE filter.
-    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
-    ``dnsmasq``.
+    This is now used by default instead of the ``iptables`` PXE filter.
+    The ``iptables`` filter can be enabled by setting
+    ``ironic_inspector_pxe_filter`` to ``iptables``.
+upgrade:
+  - |
+    The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
+    than ``iptables``.  This change has been made to work around an issue
+    introduced by moving to Docker CE, where the daemon sets the default
+    policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
+    interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
+    packets from bare metal nodes to get dropped, which prevents provisioning.