
Use ironic inspector 'dnsmasq' PXE filter by default

With Docker CE, the daemon sets the default policy of the iptables
FORWARD chain to DROP. This causes problems for provisioning bare metal
servers when ironic inspector is used with the 'iptables' PXE filter.
It's not entirely clear why these two things interact in this way,
but switching to the 'dnsmasq' filter works around the issue, and is
probably a good move anyway because it is more efficient.

We have added a migration task here to flush and remove the ironic-inspector
iptables chain since inspector does not do this itself currently.

Change-Id: Iceed5a096819203eb2b92466d39575d3adf8e218
Closes-Bug: #1823044
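What the migration task in this change does on each host, written out as an added example that is not code from this commit, from kolla-ansible or from ironic-inspector: a POSIX shell script that reads `iptables-save` output and emits the commands needed to remove a leftover `ironic-inspector` chain idempotently, including any jump rule in another chain that still references it (a referenced chain cannot be deleted with `iptables -X`), and reports the filter-table `FORWARD` policy that the commit message attributes to Docker CE. The interface `br-ex`, the MAC address and the rest of the sample ruleset are constructed for illustration, not taken from a real host.

```shell
#!/usr/bin/env sh
# Added example, not kolla-ansible or ironic-inspector code. Turns
# `iptables-save` text into the exact commands that remove a leftover
# PXE-filter chain, including the jump rule in another chain that would
# otherwise make `iptables -X` fail. The sample ruleset below is constructed
# for illustration.

# Emit the iptables commands that remove CHAIN, reading iptables-save text on
# stdin. Order matters: delete referencing jump rules, then flush, then delete.
# Prints nothing when the chain does not exist, so repeated runs are harmless.
plan_chain_removal() {
    chain="${1:-ironic-inspector}"
    found=0
    while IFS= read -r line; do
        case "$line" in
            ":$chain "*)
                found=1 ;;                            # chain declaration line
            -A*)
                parent="${line#-A }"
                parent="${parent%% *}"                # chain the rule lives in
                [ "$parent" = "$chain" ] && continue  # covered by -F below
                if printf '%s\n' "$line" | grep -qE -- "(^| )-j $chain( |$)"; then
                    # a rule in another chain jumps to CHAIN: delete that rule
                    printf 'iptables -D %s\n' "${line#-A }"
                fi ;;
        esac
    done
    if [ "$found" -eq 1 ]; then
        printf 'iptables -F %s\n' "$chain"
        printf 'iptables -X %s\n' "$chain"
    fi
}

# Print the policy of the filter-table FORWARD chain from iptables-save text
# (Docker CE sets it to DROP, the condition the commit message describes).
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Constructed ruleset: Docker's FORWARD DROP plus a chain the iptables PXE
# filter could leave behind, with its jump rule still present in INPUT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:ironic-inspector - [0:0]
-A INPUT -i br-ex -p udp -m udp --dport 67 -j ironic-inspector
-A FORWARD -j DOCKER-USER
-A ironic-inspector -m mac --mac-source 52:54:00:aa:bb:cc -j DROP
-A ironic-inspector -j ACCEPT
COMMIT'

# On a real host (as root): review the plan first, then pipe it to sh.
#   iptables-save | plan_chain_removal ironic-inspector
#   iptables-save | plan_chain_removal ironic-inspector | sh -e
printf '%s\n' "$SAMPLE_RULES" | plan_chain_removal ironic-inspector
printf 'FORWARD policy: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | forward_policy)"
```

Because the plan is derived from the live ruleset, running it twice is safe: on the second run the chain declaration is gone, no rule jumps to it, and nothing is emitted, which is the idempotency the Ansible `iptables` module lacks for a missing chain.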
changes/73/649673/2
Mark Goddard 1 month ago
parent
commit
86e83faeb1

+ 1
- 1
ansible/roles/ironic/defaults/main.yml View File

@@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
186 186
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
187 187
 ironic_enable_rolling_upgrade: "yes"
188 188
 ironic_inspector_kernel_cmdline_extras: []
189
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
189
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"
190 190
 
191 191
 ####################
192 192
 ## Kolla
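Review bot: this changes behaviour for every existing deployment with `enable_neutron` set on its next deploy or reconfigure, so operators who want to keep the `iptables` filter must pin `ironic_inspector_pxe_filter: "iptables"` in globals.yml before upgrading; that should be stated in the documentation for this variable, not only in the release note. The `{% else %}none{% endif %}` branch is unchanged, so deployments without neutron still run with no PXE filter at all, which is worth a comment next to the default since every host that DHCPs on the inspection network is then inspected.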

+ 17
- 0
ansible/roles/ironic/tasks/deploy.yml View File

@@ -21,3 +21,20 @@
21 21
 
22 22
 - name: Flush handlers
23 23
   meta: flush_handlers
24
+
25
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
26
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
27
+# The iptables Ansible module is not idempotent - it fails if the chain does
28
+# not exist, so use a command instead.
29
+- name: Flush and delete ironic-inspector iptables chain
30
+  become: true
31
+  command: iptables --{{ item }} ironic-inspector
32
+  register: ironic_inspector_chain
33
+  with_items:
34
+    - flush
35
+    - delete-chain
36
+  when: ironic_inspector_pxe_filter != 'iptables'
37
+  changed_when: ironic_inspector_chain.rc == 0
38
+  failed_when:
39
+    - ironic_inspector_chain.rc != 0
40
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
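Review bot: the `delete-chain` item can still fail the play on exactly the hosts this is meant to clean up, because `iptables --delete-chain` refuses to remove a chain that another chain still jumps to, and the error it prints in that case is "Too many links", which `failed_when` does not tolerate; the `iptables` PXE filter installs such a jump rule in `INPUT` (`-i <interface> -p udp --dport 67 -j ironic-inspector`), and flushing the chain does not remove it. Delete the referencing rule before `flush`/`delete-chain` (for example by iterating over `iptables-save | grep -- '-j ironic-inspector'`), or add "Too many links" to the tolerated stderr strings. A second, smaller point: `command: iptables ...` assumes the binary exists on the host; on a host without it the task gets rc 127 and fails, so either guard the task or tolerate that rc as well.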

+ 11
- 2
releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml View File

@@ -4,5 +4,14 @@ features:
4 4
     Adds support for the `Ironic Inspector dnsmasq PXE filter
5 5
     <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
6 6
     that provides improved scalability over the default IPTables PXE filter.
7
-    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
8
-    ``dnsmasq``.
7
+    This is now used by default instead of the ``iptables`` PXE filter.
8
+    The ``iptables`` filter can be enabled by setting
9
+    ``ironic_inspector_pxe_filter`` to ``iptables``.
10
+upgrade:
11
+  - |
12
+    The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
13
+    than ``iptables``.  This change has been made to work around an issue
14
+    introduced by moving to Docker CE, where the daemon sets the default
15
+    policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
16
+    interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
17
+    packets from bare metal nodes to get dropped, which prevents provisioning.
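Review bot: the upgrade note should also tell operators that, whenever `ironic_inspector_pxe_filter` is not `iptables`, deploy now flushes and deletes any leftover `ironic-inspector` chain on the host (the new task in `deploy.yml`); anyone managing host firewall rules outside kolla-ansible will want to know that deploy modifies iptables state. Minor: there is a double space after "``iptables``." in the upgrade paragraph.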
