tripleo-heat-templates/puppet/services/ironic-inspector.yaml
Milan Kováčik a1a2048d47 Enable inspector dnsmasq dhcp filter
Modify both the inspector and dnsmasq containers for the inspector to be
able to modify dnsmasq configuration on the fly to filter the dhcp
traffic.

The upgrade_tasks moved to the puppet service in order to be shared
between both the containerised and regular deployment.  The upgrade_tasks
were amended with steps to clean-up the iptables inspector chain&rules.

With inspector no longer managing iptables rules, create new rules to
allow DHCP traffic on IronicInspectorInterface.

Co-Authored-By: Harald Jensås <hjensas@redhat.com>
Change-Id: Ic7e32acb8559a7a12cd8767dc68c343872a6a4e3
Depends-On: I056cdadc025f35d8b6fd22f510a7c0a8e259a1f0
2018-06-04 16:36:14 +02:00

270 lines
12 KiB
YAML

heat_template_version: rocky
description: >
OpenStack Ironic Inspector configured with Puppet (EXPERIMENTAL)
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
MonitoringSubscriptionIronicInspector:
default: 'overcloud-ironic-inspector'
type: string
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
IronicInspectorDiscoveryDefaultDriver:
default: 'ipmi'
description: |
The default driver to use for newly discovered nodes
(requires IronicInspectorEnableNodeDiscovery set to True). This
driver is automatically added to enabled_drivers.
type: string
IronicInspectorEnableNodeDiscovery:
default: false
description: |
Makes ironic-inspector enroll any unknown node that PXE-boots
introspection ramdisk in Ironic. The default driver to use for new nodes
is specified by the IronicInspectorDiscoveryDefaultDriver parameter.
Introspection rules can also be used to specify it.
type: boolean
IronicInspectorCollectors:
default: default,logs
description: Comma-separated list of IPA inspection collectors
type: string
IronicInspectorExtraProcessingHooks:
default: extra_hardware,lldp_basic,local_link_connection
description: |
Comma-separated list of processing hooks to append to the default list.
type: string
IronicInspectorInterface:
default: br-ex
description: |
Network interface on which inspection dnsmasq will listen. Should allow
access to untagged traffic from nodes booted for inspection. The default
value only makes sense if you don't modify any networking configuration.
type: string
IronicInspectorIPXEEnabled:
default: true
description: Whether to use iPXE for inspection.
type: boolean
IronicInspectorKernelArgs:
default: 'ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 ipa-debug=1'
description: Kernel args for the Ironic inspector.
type: string
IronicInspectorIpRange:
description: |
DEPRECATED: Use IronicInspectorSubnets instead.
Temporary IP range that will be given to nodes during the inspection
process. This should not overlap with any range that Neutron's DHCP
gives away, but it has to be routeable back to ironic-inspector API.
This option has no meaningful defaults, and thus is required.
type: string
default: ''
IronicInspectorSubnets:
description: |
Temporary IP ranges that will be given to nodes during the inspection
process. This should not overlap with any range that Neutron's DHCP
gives away, but they need to be routeable back to ironic-inspector API.
This option has no meaningful defaults, and thus is required.
List of dictionaries with keys: 'tag', 'ip_range', 'netmask', and
'gateway'. 'ip_range' is the only required key. Assigning multiple
tagged subnets allow dnsmasq to serve dhcp request that came in via
dhcp relay/helper.
Example: - ip_range: 192.168.0.100,192.168.0.120
- ip_range: 192.168.1.100,192.168.1.200
netmask: 255.255.255.0
gateway: 192.168.1.254
tag: subnet1
type: json
default: {}
IronicInspectorUseSwift:
default: true
description: Whether to use Swift for storing introspection data.
type: boolean
IronicIPXEPort:
default: 8088
description: Port to use for serving images when iPXE is used.
type: string
IronicPassword:
description: The password for the Ironic service and db account, used by the Ironic services
type: string
hidden: true
conditions:
enable_ipxe: {equals : [{get_param: IronicInspectorIPXEEnabled}, true]}
use_swift: {equals : [{get_param: IronicInspectorUseSwift}, true]}
enable_node_discovery: {equals : [{get_param: IronicInspectorEnableNodeDiscovery}, true]}
ironic_inspection_subnets_not_set: {equals : [{get_param: IronicInspectorSubnets}, {}]}
outputs:
role_data:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
- ironic::inspector::listen_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
ironic::inspector::dnsmasq_local_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, IronicInspectorNetwork]}
ironic::inspector::dnsmasq_ip_subnets:
if:
- ironic_inspection_subnets_not_set
- [{ip_range: {get_param: IronicInspectorIpRange}}]
- get_param: IronicInspectorSubnets
ironic::inspector::dnsmasq_interface: {get_param: IronicInspectorInterface}
ironic::inspector::dnsmasq_dhcp_hostsdir: /var/lib/ironic-inspector/dhcp-hostsdir
ironic::inspector::pxe_filter::driver: dnsmasq
ironic::inspector::debug: {get_param: Debug}
ironic::inspector::always_store_ramdisk_logs: {get_param: Debug}
ironic::inspector::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
ironic::inspector::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::authtoken::username: 'ironic'
ironic::inspector::authtoken::password: {get_param: IronicPassword}
ironic::inspector::authtoken::project_name: 'service'
ironic::inspector::authtoken::user_domain_name: 'Default'
ironic::inspector::authtoken::project_domain_name: 'Default'
ironic::inspector::cors::allowed_origin: '*'
ironic::inspector::cors::max_age: 3600
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
tripleo.ironic_inspector.firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
proto: 'udp'
chain: 'OUTPUT'
dport: 68
ironic::inspector::ironic_username: 'ironic'
ironic::inspector::ironic_password: {get_param: IronicPassword}
ironic::inspector::ironic_tenant_name: 'service'
ironic::inspector::ironic_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::ipxe_timeout: 60
ironic::inspector::ironic_max_retries: 6
ironic::inspector::ironic_retry_interval: 10
ironic::inspector::ironic_user_domain_name: 'Default'
ironic::inspector::ironic_project_domain_name: 'Default'
ironic::inspector::http_port: {get_param: IronicIPXEPort}
ironic::inspector::additional_processing_hooks: {get_param: IronicInspectorExtraProcessingHooks}
ironic::inspector::ramdisk_collectors: {get_param: IronicInspectorCollectors}
ironic::inspector::ramdisk_kernel_args: {get_param: IronicInspectorKernelArgs}
ironic::inspector::db::database_connection:
list_join:
- ''
- - {get_param: [EndpointMap, MysqlInternal, protocol]}
- '://ironic-inspector:'
- {get_param: IronicPassword}
- '@'
- {get_param: [EndpointMap, MysqlInternal, host]}
- '/ironic-inspector'
- '?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'
-
if:
- enable_ipxe
- ironic::inspector::pxe_transfer_protocol: 'http'
- {}
-
if:
- use_swift
- ironic::inspector::store_data: 'swift'
ironic::inspector::swift_username: 'ironic'
ironic::inspector::swift_password: {get_param: IronicPassword}
ironic::inspector::swift_tenant_name: 'service'
ironic::inspector::swift_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
ironic::inspector::swift_user_domain_name: 'Default'
ironic::inspector::swift_project_domain_name: 'Default'
- {}
-
if:
- enable_node_discovery
- ironic::inspector::node_not_found_hook: 'enroll'
ironic::inspector::discovery_default_driver: {get_param: IronicInspectorDiscoveryDefaultDriver}
- {}
step_config: |
include ::tripleo::profile::base::ironic_inspector
service_config_settings:
keystone:
ironic::keystone::auth_inspector::tenant: 'service'
ironic::keystone::auth_inspector::public_url: {get_param: [EndpointMap, IronicInspectorPublic, uri]}
ironic::keystone::auth_inspector::internal_url: {get_param: [EndpointMap, IronicInspectorInternal, uri]}
ironic::keystone::auth_inspector::admin_url: {get_param: [EndpointMap, IronicInspectorAdmin, uri]}
ironic::keystone::auth_inspector::password: {get_param: IronicPassword}
ironic::keystone::auth_inspector::region: {get_param: KeystoneRegion}
mysql:
ironic::inspector::db::mysql::password: {get_param: IronicPassword}
ironic::inspector::db::mysql::user: ironic-inspector
ironic::inspector::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
ironic::inspector::db::mysql::dbname: ironic-inspector
ironic::inspector::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
upgrade_tasks:
- name: Stop and disable ironic_inspector service
when: step|int == 2
service: name=openstack-ironic-inspector state=stopped enabled=no
- name: Stop and disable ironic_inspector dnsmasq service
when: step|int == 2
service: name=openstack-ironic-inspector-dnsmasq state=stopped enabled=no
- name: purge iptables port 67 jump rule
when: step|int == 2
iptables:
chain: INPUT
interface: {get_param: IronicInspectorInterface}
protocol: udp
destination_port: 67
jump: ironic-inspector
state: absent
- name: purge iptables ironic-inspector chain
when: step|int == 2
iptables:
chain: ironic-inspector
flush: true
state: absent