Add custom CI rules to the Undercloud Firewall

We noticed some packet drops on undercloud node after switching to nftables [1] and [2] In order to properly get VXLAN support, We have to add a couple of rules to the Undercloud firewall. This is especially true for a lab environment, or on the upstream CI infrastructure. Also, Port 19885 is for console log streaming. Patch[3] add this requirement in the documentation as well. Testproject[4] works well, We can check the rendered undercloud-parameter-defaults.yaml[5] its is correctly poppulated with right rules. [1] https://logserver.rdoproject.org/54/31954/58/check/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp_1supp-featureset039-master/490510a/logs/undercloud/var/log/extra/dropped-packets.txt.gz [2] https://logserver.rdoproject.org/54/31954/49/check/periodic-tripleo-ci-centos-9-containers-multinode-master/66bb894/logs/undercloud/var/log/extra/dropped-packets.txt.gz [3] https://review.opendev.org/c/openstack/tripleo-docs/+/851849 [4] https://review.rdoproject.org/r/c/testproject/+/31954/61#message-6f6b2fe65899192fd18eb110665d2361bd38682d [5] https://logserver.rdoproject.org/54/31954/61/check/periodic-tripleo-ci-centos-9-ovb-3ctlr_1comp-featureset001-master/27d2796/logs/undercloud/home/zuul/undercloud-parameter-defaults.yaml.txt.gz Change-Id: Ic19ed9b8e95dbe2d3ad7efce7221a28dc8526be4
2022-08-04 17:08:09 +05:30 · 2022-08-04 17:08:09 +05:30 · 37a150f5ed
parent bbd3ad9f78
commit 37a150f5ed
1 changed files with 31 additions and 0 deletions
--- a/roles/undercloud-deploy/tasks/create-scripts.yml
+++ b/roles/undercloud-deploy/tasks/create-scripts.yml
@ -13,6 +13,37 @@
    virthost_nameservers: "{{ virthost_nameservers_output.stdout_lines }}"
  when: nameserver_from_virthost|bool

+- name: Add custom rules needed in CI infra after switch to nftables.
+  when: release not in ['train', 'wallaby']
+  block:
+    - name: Find the default network on the undercloud node
+      set_fact:
+        source_ci_ip_address: "{{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask }}"
+
+    - name: Convert to obtain the network address in CIDR notation format.
+      set_fact:
+        source_ci_network: "{{ source_ci_ip_address | ipaddr('network/prefix') }}"
+
+    - name: Set undercloud_network_environment_args to add custom CI rules for VXLAN support and console Streaming
+      set_fact:
+        undercloud_network_environment_args:
+          ExtraFirewallRules:
+            '020 Allow VXLan from CI infra network':
+              proto: "udp"
+              dport: 4789
+              source: "{{ source_ci_network }}"
+              state: []
+            '021 Allow OTV for vxlan from CI infra network':
+              proto: 'udp'
+              dport: 8472
+              source: "{{ source_ci_network }}"
+              state: []
+            '022 Allow CI console stream from CI infra network':
+              proto: 'tcp'
+              dport: 19885
+              source: "{{ source_ci_network }}"
+              state: []
+
 - when: undercloud_hieradata_override_file is defined
  block:
    - name: deprecation message