Support Ironic Inspector dnsmasq PXE filter

The dnsmasq PXE filter [1] provides far better scalability than the iptables filter typically used. Inspector manages files in a dhcp-hostsdir directory that is watched by dnsmasq via inotify. Dnsmasq then either whitelists or blacklists MAC addresses based on the contents of these files. This change adds a new variable, ironic_inspector_pxe_filter, that can be used to configure the PXE filter for ironic inspector. Currently supported values are 'iptables' and 'dnsmasq', with 'iptables' being the default for backwards compatibility. [1] https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html Implements: blueprint ironic-inspector-dnsmasq-pxe-filter Change-Id: I73cae9c33b49972342cf1984372a5c784df5cbc2
2018-07-27 15:01:43 +01:00 · 2018-07-27 15:01:43 +01:00 · 4418c1641b
parent 7598edca5b
commit 4418c1641b
4 changed files with 22 additions and 4 deletions
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@ -53,6 +53,7 @@ ironic_services:
      - "{{ node_config_directory }}/ironic-inspector/:{{ container_config_directory }}/:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "kolla_logs:/var/log/kolla"
+      - "ironic_inspector_dhcp_hosts:/var/lib/ironic-inspector/dhcp-hostsdir"
      - "{{ kolla_dev_repos_directory ~ '/ironic-inspector/ironic_inspector:/var/lib/kolla/venv/lib/python2.7/site-packages/ironic_inspector' if ironic_dev_mode | bool else '' }}"
    dimensions: "{{ ironic_inspector_dimensions }}"
    haproxy:
@ -99,6 +100,7 @@ ironic_services:
      - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "kolla_logs:/var/log/kolla"
+      - "ironic_inspector_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
    dimensions: "{{ ironic_dnsmasq_dimensions }}"


@ -180,6 +182,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
+ironic_inspector_pxe_filter: iptables

 ####################
 ## Kolla
--- a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
@ -20,4 +20,6 @@ dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_ipxe_url }}/inspector.ipxe
 dhcp-option=tag:efi,tag:!ipxe,option:bootfile-name,ipxe.efi
 {% endif %}
 dhcp-option=option:bootfile-name,{{ ironic_dnsmasq_boot_file }}
-
+{% if ironic_inspector_pxe_filter == 'dnsmasq' %}
+dhcp-hostsdir=/etc/dnsmasq/dhcp-hostsdir
+{% endif %}
--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
@ -34,11 +34,16 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi
 policy_file = {{ ironic_policy_file }}
 {% endif %}

-[iptables]
-dnsmasq_interface = {{ ironic_dnsmasq_interface }}
-
 [database]
 connection = mysql+pymysql://{{ ironic_inspector_database_user }}:{{ ironic_inspector_database_password }}@{{ ironic_inspector_database_address }}/{{ ironic_inspector_database_name }}

 [processing]
 ramdisk_logs_dir = /var/log/kolla/ironic-inspector
+
+[pxe_filter]
+driver = {{ ironic_inspector_pxe_filter }}
+
+{% if ironic_inspector_pxe_filter == 'iptables' %}
+[iptables]
+dnsmasq_interface = {{ ironic_dnsmasq_interface }}
+{% endif %}
--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Adds support for the `Ironic Inspector dnsmasq PXE filter
+    <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
+    that provides improved scalability over the default IPTables PXE filter.
+    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
+    ``dnsmasq``.