From 50217d7a93dce7fdc17c0dfbb04260f86fd3ac7d Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Thu, 22 Feb 2018 23:01:49 -0700
Subject: [PATCH] Fix bootstrap NAT

Docker will switch the FORWARD filter to DROP if it sets the ip_forward to 1. Previously we were doing this in a post configuration element rather than in the puppet run itself. This change moves the ip_forward=1 to puppet so it runs prior to docker being installed. Additionally we are ensuring that the full set of network rules are being added to the FORWARD filter because previously we were only setting half of them. This would allow us to actually not have to use ACCEPT as the default for the FORWARD filter but this would require additional testing.

Conflicts:
	instack_undercloud/tests/test_undercloud.py
	instack_undercloud/undercloud.py

Change-Id: Ieae6a74f7269bd64606fd80a2a08b2058c24d2c5
Closes-Bug: #1750194
Closes-Bug: #1750874
(cherry picked from commit bfb758b5e792c83e5cde9847bcad424fcfaf071d)
---
 elements/puppet-stack-config/puppet-stack-config.pp | 11 +++++++++++
 .../puppet-stack-config.yaml.template | 9 ++++++++-
 .../post-configure.d/98-undercloud-setup | 6 ------
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/elements/puppet-stack-config/puppet-stack-config.pp b/elements/puppet-stack-config/puppet-stack-config.pp
index d01227bb5..977e48251 100644
--- a/elements/puppet-stack-config/puppet-stack-config.pp
+++ b/elements/puppet-stack-config/puppet-stack-config.pp
@@ -19,6 +19,17 @@ class { '::tripleo::network::os_net_config':
   stage => 'setup',
 }
 
+# enable ip forwarding for the overcloud nodes to access the outside internet
+# in cases where they are on an isolated network
+ensure_resource('sysctl::value', 'net.ipv4.ip_forward', { 'value' => 1 })
+# NOTE(aschultz): clear up old file as this used to be managed via DIB
+file { '/etc/sysctl.d/ip-forward.conf':
+  ensure => absent
+}
+# NOTE(aschultz): LP#1750194 - docker will switch FORWARD to DROP if ip_forward
+# is not enabled first.
+Sysctl::Value['net.ipv4.ip_forward'] -> Package<| title == 'docker' |>
+
 # Run OpenStack db-sync at every puppet run, in any case.
 Exec<| title == 'neutron-db-sync' |> { refreshonly => false }
 Exec<| title == 'keystone-manage db_sync' |> { refreshonly => false }
diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index ef17ad364..61c37f70c 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -979,9 +979,16 @@ tripleo::firewall::firewall_rules:
       - 13787
   '139 apache vhost':
     dport: "%{hiera('ironic_ipxe_port')}"
-  '140 network cidr nat':
+  '140 destination network cidr nat':
     chain: FORWARD
     destination: {{NETWORK_CIDR}}
+    proto: all
+    action: accept
+  '140 source network cidr nat':
+    chain: FORWARD
+    source: {{NETWORK_CIDR}}
+    proto: all
+    action: accept
   '142 tripleo-ui':
     dport:
       - 3000
diff --git a/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup b/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
index 9d97d47b1..802caef37 100755
--- a/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
+++ b/elements/undercloud-install/os-refresh-config/post-configure.d/98-undercloud-setup
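Review bot: The ordering edge `Sysctl::Value['net.ipv4.ip_forward'] -> Package<| title == 'docker' |>` is a collector, so if the docker package resource is declared under another title (a parameterised package name, for instance) the collector matches nothing and the relationship silently disappears instead of failing the run, which is exactly the LP#1750194 failure mode the comment describes. Anchoring the edge to whatever declares that package (`-> Class['docker']` if that class is what this manifest includes — I cannot see it from the hunk) or adding a comment naming where `Package['docker']` is declared would make the coupling checkable. The `{ 'value' => 1 }` hash passed through `ensure_resource` must also match any other declaration of the same sysctl::value exactly (an integer `1` against a string `'1'` is reported as a conflicting duplicate), so a short comment on that line stating the expected literal would help the next person who touches it.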
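Review bot: Renaming `'140 network cidr nat'` to `'140 destination network cidr nat'` leaves an iptables rule created under the old title in place on existing installs unless the firewall module purges rules it no longer manages in the FORWARD chain; if that purge is not enabled here, the stale rule should be removed explicitly rather than relied on to disappear. The two new rules accept `proto: all` in both directions for `{{NETWORK_CIDR}}`, and per the commit message the FORWARD chain policy is still ACCEPT, so today they change nothing and only become the effective allow-list once that default is switched to DROP; a comment above the pair such as `# FORWARD policy is still ACCEPT; these two rules are what keeps overcloud routing working once it is switched to DROP (LP#1750194)` would record that intent for whoever makes the switch. Note that `source: {{NETWORK_CIDR}}` with no `destination` forwards traffic from that network to every other interface the undercloud is attached to, which is the scope to confirm before the default policy is tightened.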
@@ -101,9 +101,3 @@ openstack quota set --cores -1 --instances -1 --ram -1 $(openstack project show
 
 # instack-prepare-for-overcloud
 rm -rf $HOME/.novaclient
-
-# IP forwarding is needed to allow the overcloud nodes access to the outside
-# internet in cases where they are on an isolated network.
-sysctl -w net.ipv4.ip_forward=1
-# Make it persistent
-echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip-forward.conf