Include custom ci firewall rule in deployment
We noticed some packet drops on the Overcloud node after switching to nftables [1] in the periodic-tripleo-ci-centos-9-scenario007-multinode-oooq-container-master job. In order to properly get VXLAN support, we create a yaml file, ci_custom_firewall_rules.yaml, during the overcloud-deploy role, which adds some custom CI firewall rules to the Overcloud node. This is especially true for a lab environment, or on the upstream CI infrastructure. This patch includes the yaml file ci_custom_firewall_rules.yaml in the deployment. Please refer to the documentation [2] to learn more about why these additional rules are required. [1] https://logserver.rdoproject.org/54/31954/69/check/periodic-tripleo-ci-centos-9-scenario007-multinode-oooq-container-master/863a967/logs/subnode-1/var/log/extra/dropped-packets.txt.gz [2] https://opendev.org/openstack/tripleo-docs/src/branch/master/deploy-guide/source/features/security_hardening.rst#vxlan-and-nftables Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/857096 Change-Id: I9c856506331a7c511e1457d72b9922de78c2f403
parent
b10da3f993
commit
0c7ca14e76
@ -49,6 +49,9 @@ extra_args: >-
|
|||||||
--disable-validations
|
--disable-validations
|
||||||
{% endif %}
|
{% endif %}
|
||||||
-e {{ overcloud_templates_path }}/ci/environments/neutron_dns_domain.yaml
|
-e {{ overcloud_templates_path }}/ci/environments/neutron_dns_domain.yaml
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{% if release not in ['train','ussuri','victoria'] and
|
{% if release not in ['train','ussuri','victoria'] and
|
||||||
job is defined and
|
job is defined and
|
||||||
job.enable_secure_rbac is defined and
|
job.enable_secure_rbac is defined and
|
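Review bot: The gate `{% if release not in ['train','wallaby'] %}` is a deny-list, so every release other than those two receives `-e {{ working_dir }}/ci_custom_firewall_rules.yaml`, including `ussuri` and `victoria`, which the very next condition in this hunk still treats as live values. The commit message ties the rules to the nftables switch, so it is worth confirming that the file is generated for every release that passes this test; otherwise the deploy is handed a path that may not exist, or firewall openings it does not need. The same three lines are repeated in the other eight hunks on this page, so the condition would be easier to audit if it were defined once and reused. The `extra_args` block starts and ends outside this hunk.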
||||||
|
@ -74,6 +74,9 @@ telemetry_args: >-
|
|||||||
|
|
||||||
extra_args: >-
|
extra_args: >-
|
||||||
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{% if release not in ['train'] -%}
|
{% if release not in ['train'] -%}
|
||||||
--disable-validations
|
--disable-validations
|
||||||
{%- endif -%}
|
{%- endif -%}
|
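Review bot: Nothing next to the new `-e {{ working_dir }}/ci_custom_firewall_rules.yaml` line says that it changes the Overcloud host firewall or that it is intended for CI and lab runs, which is what someone copying this config into another environment needs to know. A `#` comment cannot go inside the `>-` scalar, because it would become part of the argument string, so it belongs on the line before `extra_args: >-`. Something like `# ci_custom_firewall_rules.yaml adds nftables rules for VXLAN (CI/lab); see tripleo-docs security_hardening.rst, section vxlan-and-nftables` would do. The scalar continues past the end of this hunk.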
||||||
|
@ -68,6 +68,9 @@ extra_args: >-
|
|||||||
{%- if release not in ['train','wallaby'] -%}
|
{%- if release not in ['train','wallaby'] -%}
|
||||||
-e /usr/share/openstack-tripleo-heat-templates/environments/auditd.yaml
|
-e /usr/share/openstack-tripleo-heat-templates/environments/auditd.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{%- if release not in ['train','ussuri','victoria'] -%}
|
{%- if release not in ['train','ussuri','victoria'] -%}
|
||||||
--disable-protected-resource-types
|
--disable-protected-resource-types
|
||||||
--baremetal-deployment
|
--baremetal-deployment
|
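Review bot: The new block repeats the condition of the block directly above it. `{%- if release not in ['train','wallaby'] -%}` already guards `auditd.yaml`, so the new `-e {{ working_dir }}/ci_custom_firewall_rules.yaml` line can go inside that block, before its `{% endif %}`, instead of opening a second identical `if`. That also avoids mixing plain `{% ... %}` tags with the `{%- ... -%}` whitespace-trimming tags used by the neighbouring conditions in this scalar. The `extra_args` block ends outside this hunk.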
||||||
|
@ -104,6 +104,9 @@ extra_args: >-
|
|||||||
enable_secure_rbac|default(false)|bool -%}
|
enable_secure_rbac|default(false)|bool -%}
|
||||||
-e {{ overcloud_templates_path }}/environments/enable-secure-rbac.yaml
|
-e {{ overcloud_templates_path }}/environments/enable-secure-rbac.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{%- if release not in ['train','ussuri','victoria'] -%}
|
{%- if release not in ['train','ussuri','victoria'] -%}
|
||||||
--disable-protected-resource-types
|
--disable-protected-resource-types
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
|
@ -37,6 +37,9 @@ telemetry_args: >-
|
|||||||
|
|
||||||
extra_args: >-
|
extra_args: >-
|
||||||
-e {{ overcloud_templates_path }}/environments/services/neutron-ovs.yaml
|
-e {{ overcloud_templates_path }}/environments/services/neutron-ovs.yaml
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{% if release not in ['train','ussuri','victoria'] -%}
|
{% if release not in ['train','ussuri','victoria'] -%}
|
||||||
--disable-protected-resource-types
|
--disable-protected-resource-types
|
||||||
--baremetal-deployment
|
--baremetal-deployment
|
||||||
|
@ -77,6 +77,9 @@ telemetry_args: >-
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
extra_args: >-
|
extra_args: >-
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
-e {{ overcloud_templates_path }}/environments/memcached-use-ips.yaml
|
-e {{ overcloud_templates_path }}/environments/memcached-use-ips.yaml
|
||||||
{% if release not in ['newton', 'ocata', 'pike'] %}
|
{% if release not in ['newton', 'ocata', 'pike'] %}
|
||||||
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
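Review bot: Here the firewall file is the first `-e` in `extra_args`, ahead of `memcached-use-ips.yaml` and `ovb-ha.yaml`, while in most other hunks on this page it follows the existing environment files. Heat applies environment files in command-line order and a later file wins for a parameter both set, so if any later file touches the same firewall parameter the CI rules would be overridden in this config only. The content of `ci_custom_firewall_rules.yaml` is not visible here, so that needs checking. Moving the block after the `ovb-ha.yaml` condition would match the other configs; that condition's `{% endif %}` is outside this hunk.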
||||||
|
@ -93,6 +93,9 @@ ephemeral_heat: "{{ (release not in ['queens', 'stein','train','ussuri','victori
|
|||||||
ephemeral_heat_args: "{{ '--heat-type pod' if ephemeral_heat|bool else '' }}"
|
ephemeral_heat_args: "{{ '--heat-type pod' if ephemeral_heat|bool else '' }}"
|
||||||
|
|
||||||
extra_args: >-
|
extra_args: >-
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{%- if release not in ['train','ussuri','victoria'] -%}
|
{%- if release not in ['train','ussuri','victoria'] -%}
|
||||||
--disable-protected-resource-types
|
--disable-protected-resource-types
|
||||||
--baremetal-deployment
|
--baremetal-deployment
|
||||||
|
@ -75,6 +75,9 @@ extra_args: >-
|
|||||||
{% if release not in ['newton', 'ocata', 'pike'] %}
|
{% if release not in ['newton', 'ocata', 'pike'] %}
|
||||||
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
{% if release in ['ussuri', 'victoria'] -%}
|
{% if release in ['ussuri', 'victoria'] -%}
|
||||||
--disable-validations
|
--disable-validations
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -39,6 +39,9 @@ network_isolation_args: >-
|
|||||||
|
|
||||||
extra_args: >-
|
extra_args: >-
|
||||||
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
|
||||||
|
{% if release not in ['train','wallaby'] %}
|
||||||
|
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
undercloud_ntp_servers: pool.ntp.org
|
undercloud_ntp_servers: pool.ntp.org
|
||||||
# keep the doc gen settings at the bottom of the config file.
|
# keep the doc gen settings at the bottom of the config file.
|
||||||
|