From 2316016ccca5da89183756054a5a8e59454b3d13 Mon Sep 17 00:00:00 2001
From: "OTSUKA, Yuanying"
Date: Thu, 12 Nov 2015 13:21:12 +0900
Subject: [PATCH] Add iptables rule to listen m-api

Bay will request Magnum API to get certificates, so $MAGNUM_SERVICE_PORT must be opened. This patch adds this rule to `devstack/lib/magnum` instead of `magnum/tests/contrib/post_test_hook.sh`. Ironic also adds same rules in devstack[1].
[1]: https://github.com/openstack-dev/devstack/blob/master/lib/ironic#L675
Change-Id: I24baf87475044a7f268811080b25032152152c39
Closes-Bug: #1515478
---
 devstack/lib/magnum | 2 ++
 magnum/tests/contrib/post_test_hook.sh | 10 ----------
 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/devstack/lib/magnum b/devstack/lib/magnum
index 1e287a1b03..21361484b6 100644
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -281,6 +281,8 @@ function configure_iptables {
         ROUTE_TO_INTERNET=$(ip route get 8.8.8.8)
         OBOUND_DEV=$(echo ${ROUTE_TO_INTERNET#*dev} | awk '{print $1}')
         sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
+        # bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
+        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
     fi
 }
diff --git a/magnum/tests/contrib/post_test_hook.sh b/magnum/tests/contrib/post_test_hook.sh
index 037b7a4198..a84dff9c83 100755
--- a/magnum/tests/contrib/post_test_hook.sh
+++ b/magnum/tests/contrib/post_test_hook.sh
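Review bot: The ACCEPT rule on the added `sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true` line has no `-s` restriction, so it opens the whole Magnum API port on `$HOST_IP` to every source and, because it is inserted at the head of INPUT, it takes precedence over the `openstack-INPUT` LOG/REJECT rules that the removed hook shows are in effect; the hook it replaces limited the opening to `172.24.4.0/23`. If devstack's floating-IP range variable is in scope here (it appears to be `FLOATING_RANGE`, but confirm), restrict the rule to the bay nodes with `-s $FLOATING_RANGE` so the exposure matches the stated purpose of letting bay nodes fetch the CA certificate. The insert is also not idempotent and `|| true` masks a failed insert, while the MASQUERADE rule just above is allowed to fail loudly; `sudo iptables -C INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT 2>/dev/null || sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT` avoids duplicate rules on re-run and surfaces real errors. configure_iptables begins before this hunk, and no cleanup counterpart that deletes the rule on unstack is visible in this patch.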
@@ -99,16 +99,6 @@ nova keypair-add default
 echo_summary "Create a flavor"
 nova flavor-create m1.magnum 100 2048 8 1
-# FIXME(eliqao): workaround for allow 9511 can be accessed from VM.
-# k8s nodes will access m-api (port 9511) to get CA certificate.
-sudo iptables -D openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-sudo iptables -D openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-
-sudo iptables -A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 9511 -j ACCEPT
-sudo iptables -A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-sudo iptables -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-
-
 # Run functional tests
 # Currently we support functional-api, functional-k8s, will support swarm,
 # mesos later.