Remove inspector_manage_firewall variable

This is supported in kolla-ansible via the ironic_inspector_pxe_filter
variable, which can be added to globals.yml. The default value for that
variable changed in the Stein release from 'iptables' to 'dnsmasq',
since the iptables filter does not work with Docker CE [1].

This change removes the inspector_manage_firewall variable.

This change also adds an iptables rule in CI tests to allow DHCP packets
to be forwarded, to ensure bare metal servers can be deployed.

[1] https://bugs.launchpad.net/kolla-ansible/+bug/1823044

Depends-On: https://review.openstack.org/649673
Change-Id: Idac6777b4d97fbd17698fc2086ceb068d7b2e326
Related-Bug: #1823044

ansible/group_vars/all/inspector

@@ -26,9 +26,6 @@ inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}"
 ###############################################################################
 # Ironic inspector processing configuration.
 
-# Whether inspector should manage the firewall.
-inspector_manage_firewall: True
-
 # List of of default inspector processing plugins.
 inspector_processing_hooks_default:
   - ramdisk_error

ansible/kolla-openstack.yml

@@ -189,7 +189,6 @@
   roles:
     - role: kolla-openstack
       # Ironic inspector configuration.
-      kolla_inspector_manage_firewall: "{{ inspector_manage_firewall }}"
       kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}"
       kolla_inspector_add_ports: "{{ inspector_add_ports }}"
       kolla_inspector_keep_ports: "{{ inspector_keep_ports }}"

ansible/roles/kolla-openstack/defaults/main.yml

@@ -204,9 +204,6 @@ kolla_enable_ironic_ipxe:
 ###############################################################################
 # Ironic inspector configuration.
 
-# Whether inspector should manage the firewall.
-kolla_inspector_manage_firewall:
-
 # Comma-separated list of inspector processing plugins.
 kolla_inspector_processing_hooks:
 

ansible/roles/kolla-openstack/templates/ironic-inspector.conf.j2

@@ -1,10 +1,5 @@
 [DEFAULT]
 
-[pxe_filter]
-# The filter ironic inspector will use to prevent nodes from undergoing
-# inspection unless explicitly requested.
-driver = {{ 'iptables' if kolla_inspector_manage_firewall else 'noop' }}
-
 [processing]
 {% if kolla_inspector_processing_hooks %}
 # Comma-separated list of inspector processing plugins.

dev/functions

@@ -644,6 +644,9 @@ function configure_iptables {
     sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
     # allow IPA to connect to ironic inspector
     sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
+    # Docker CE has added a default DROP policy to the FORWARD chain. Allow
+    # DHCP packets to be forwarded across the bridge.
+    sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
 
     # agent ramdisk gets instance image from swift
     sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true

etc/kayobe/inspector.yml

@@ -26,9 +26,6 @@
 ###############################################################################
 # Ironic inspector processing configuration.
 
-# Whether inspector should manage the firewall.
-#inspector_manage_firewall:
-
 # List of of default inspector processing plugins.
 #inspector_processing_hooks_default:
 

releasenotes/notes/remove-inspector-manage-firewall-b1117b04a0f6904d.yaml

@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Removes the ``inspector_manage_firewall`` variable. This is supported in
+    Kolla Ansible via the ``ironic_inspector_pxe_filter`` variable, which can
+    be added to ``${KAYOBE_CONFIG_PATH}/kolla/globals.yml``. The default value
+    for that variable changed in the Stein release from 'iptables' to
+    'dnsmasq', since the iptables filter `does not work with Docker CE
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1823044>`__.