Merge "Fix bootstrap NAT" into stable/ocata

elements/puppet-stack-config/puppet-stack-config.pp

@@ -19,6 +19,17 @@ class { '::tripleo::network::os_net_config':
   stage => 'setup',
 }
 
+# enable ip forwarding for the overcloud nodes to access the outside internet
+# in cases where they are on an isolated network
+ensure_resource('sysctl::value', 'net.ipv4.ip_forward', { 'value' => 1 })
+# NOTE(aschultz): clear up old file as this used to be managed via DIB
+file { '/etc/sysctl.d/ip-forward.conf':
+  ensure => absent
+}
+# NOTE(aschultz): LP#1750194 - docker will switch FORWARD to DROP if ip_forward
+# is not enabled first.
+Sysctl::Value['net.ipv4.ip_forward'] -> Package<| title == 'docker' |>
+
 # Run  OpenStack db-sync at every puppet run, in any case.
 Exec<| title == 'neutron-db-sync' |> { refreshonly => false }
 Exec<| title == 'keystone-manage db_sync' |> { refreshonly => false }

elements/puppet-stack-config/puppet-stack-config.yaml.template

@@ -899,9 +899,16 @@ tripleo::firewall::firewall_rules:
       - 13787
   '139 apache vhost':
     dport: "%{hiera('ironic_ipxe_port')}"
-  '140 network cidr nat':
+  '140 destination network cidr nat':
     chain: FORWARD
     destination: {{NETWORK_CIDR}}
+    proto: all
+    action: accept
+  '140 source network cidr nat':
+    chain: FORWARD
+    source: {{NETWORK_CIDR}}
+    proto: all
+    action: accept
   # TODO: Do we still want this?
   '141 libvirt network nat':
     chain: FORWARD

elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup

@@ -101,8 +101,3 @@ for workbook in $(ls /usr/share/openstack-tripleo-common/workbooks/*); do
     mistral workbook-create $workbook
 done
 
-# IP forwarding is needed to allow the overcloud nodes access to the outside
-# internet in cases where they are on an isolated network.
-sysctl -w net.ipv4.ip_forward=1
-# Make it persistent
-echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip-forward.conf