Enable inspector dnsmasq dhcp filter
Modify both the inspector and dnsmasq containers for the inspector to be able to modify dnsmasq configuration on the fly to filter the dhcp traffic. The upgrade_tasks moved to the puppet service in order to be shared between both the containerised and regular deployment. The upgrade_tasks were amended with steps to clean-up the iptables inspector chain&rules. With inspector no longer managing iptables rules, create new rules to allow DHCP traffic on IronicInspectorInterface. Co-Authored-By: Harald Jensås <hjensas@redhat.com> Change-Id: Ic7e32acb8559a7a12cd8767dc68c343872a6a4e3 Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
This commit is contained in:
Milan Kováčik
Bogdan Dobrelya
parent
939a32f246
commit
a1a2048d47
|
|
@ -86,6 +86,7 @@ outputs:
|
|||
config_image: {get_param: DockerIronicInspectorConfigImage}
|
||||
volumes:
|
||||
- /var/lib/ironic:/var/lib/ironic
|
||||
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/ironic_inspector.json:
|
||||
command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf
|
||||
|
|
@ -100,6 +101,8 @@ outputs:
|
|||
recurse: true
|
||||
- path: /var/lib/ironic
|
||||
owner: ironic:ironic
|
||||
- path: /var/lib/ironic-inspector/dhcp-hostsdir
|
||||
owner: ironic-inspector:ironic-inspector
|
||||
recurse: true
|
||||
/var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:
|
||||
config_files:
|
||||
|
|
@ -118,9 +121,17 @@ outputs:
|
|||
volumes:
|
||||
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector
|
||||
command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector']
|
||||
ironic_inspector_db_sync:
|
||||
|
||||
ironic_inspector_init_dnsmasq_dhcp_hostsdir:
|
||||
start_order: 1
|
||||
image: *ironic_inspector_image
|
||||
user: root
|
||||
volumes:
|
||||
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
|
||||
command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir']
|
||||
ironic_inspector_db_sync:
|
||||
start_order: 2
|
||||
image: *ironic_inspector_image
|
||||
net: host
|
||||
user: root
|
||||
privileged: false
|
||||
|
|
@ -175,6 +186,7 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/ironic:/var/lib/ironic
|
||||
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector
|
||||
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
ironic_inspector_dnsmasq:
|
||||
|
|
@ -191,6 +203,7 @@ outputs:
|
|||
- /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/ironic-inspector:/var/log/ironic-inspector
|
||||
- /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks:
|
||||
|
|
@ -205,6 +218,10 @@ outputs:
|
|||
Log files from ironic-inspector container can be found under
|
||||
/var/log/containers/ironic-inspector.
|
||||
ignore_errors: true
|
||||
- name: create persistent ironic-inspector dnsmasq dhcp hostsdir
|
||||
file:
|
||||
path: /var/lib/ironic-inspector/dhcp-hostsdir
|
||||
state: directory
|
||||
upgrade_tasks:
|
||||
- when: step|int == 2
|
||||
block:
|
||||
|
|
|
|||
|
|
@ -153,6 +153,8 @@ outputs:
|
|||
- [{ip_range: {get_param: IronicInspectorIpRange}}]
|
||||
- get_param: IronicInspectorSubnets
|
||||
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
|
||||
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
|
||||
ironic::inspector::pxe_filter::driver: dnsmasq
|
||||
ironic::inspector::debug: {get_param: Debug}
|
||||
ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
|
||||
ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
|
|
@ -171,6 +173,15 @@ outputs:
|
|||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
proto: 'udp'
|
||||
chain: 'INPUT'
|
||||
dport: 67
|
||||
'137 ironic-inspector dhcp output':
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
ironic::inspector::ironic_username: 'ironic'
|
||||
ironic::inspector::ironic_password: {get_param: IronicPassword}
|
||||
ironic::inspector::ironic_tenant_name: 'service'
|
||||
|
|
@ -234,3 +245,25 @@ outputs:
|
|||
ironic::inspector::db::mysql::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
upgrade_tasks:
|
||||
- name: Stop and disable ironic_inspector service
|
||||
when: step|int == 2
|
||||
service: name=openstack-ironic-inspector state=stopped enabled=no
|
||||
- name: Stop and disable ironic_inspector dnsmasq service
|
||||
when: step|int == 2
|
||||
service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
|
||||
- name: purge iptables port 67 jump rule
|
||||
when: step|int == 2
|
||||
iptables:
|
||||
chain: INPUT
|
||||
interface: {get_param: IronicInspectorInterface}
|
||||
protocol: udp
|
||||
destination_port: 67
|
||||
jump: ironic-inspector
|
||||
state: absent
|
||||
- name: purge iptables ironic-inspector chain
|
||||
when: step|int == 2
|
||||
iptables:
|
||||
chain: ironic-inspector
|
||||
flush: true
|
||||
state: absent
|
||||
|
|
|
|||
Loading…
Reference in New Issue