kolla-ansible/ansible/roles/ironic/tasks/deploy.yml

---
- include_tasks: register.yml
  when: enable_keystone | bool and
        (inventory_hostname in groups['ironic-api'] or
        inventory_hostname in groups['ironic-inspector'])

- include_tasks: config-host.yml

- include_tasks: config.yml
  when: inventory_hostname in groups['ironic-api'] or
        inventory_hostname in groups['ironic-conductor'] or
        inventory_hostname in groups['ironic-inspector'] or
        inventory_hostname in groups['ironic-pxe'] or
        inventory_hostname in groups['ironic-ipxe']

- include_tasks: clone.yml
  when: ironic_dev_mode | bool

- include_tasks: bootstrap.yml
  when: inventory_hostname in groups['ironic-api'] or
        inventory_hostname in groups['ironic-inspector'] or
        inventory_hostname in groups['ironic-pxe']

- name: Flush handlers
  meta: flush_handlers

# NOTE(mgoddard): If inspector was previously configured to use the iptables
# PXE filter, it may leave rules in place that block inspection. Clean them up.
# The iptables Ansible module is not idempotent - it fails if the chain does
# not exist, so use a command instead.
- name: Flush and delete ironic-inspector iptables chain
  become: true
  command: iptables --{{ item }} ironic-inspector
  register: ironic_inspector_chain
  with_items:
    - flush
    - delete-chain
  when: ironic_inspector_pxe_filter != 'iptables'
  changed_when: ironic_inspector_chain.rc == 0
  failed_when:
    - ironic_inspector_chain.rc != 0
    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"