From 86e83faeb1fd088d44c5108a5ec835eba6316b2d Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Wed, 3 Apr 2019 17:33:04 +0100
Subject: [PATCH] Use ironic inspector 'dnsmasq' PXE filter by default

With Docker CE, the daemon sets the default policy of the iptables FORWARD chain to DROP. This causes problems for provisioning bare metal servers when ironic inspector is used with the 'iptables' PXE filter. It's not entirely clear why these two things interact in this way, but switching to the 'dnsmasq' filter works around the issue, and is probably a good move anyway because it is more efficient. We have added a migration task here to flush and remove the ironic-inspector iptables chain since inspector does not do this itself currently.

Change-Id: Iceed5a096819203eb2b92466d39575d3adf8e218
Closes-Bug: #1823044
---
 ansible/roles/ironic/defaults/main.yml | 2 +-
 ansible/roles/ironic/tasks/deploy.yml | 17 +++++++++++++++++
 ...tor-dnsmasq-pxe-filter-ab012028bcd7d332.yaml | 13 +++++++++++--
 3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index e8ae8590e0..e66eba2c6e 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"
 
 ####################
 ## Kolla
diff --git a/ansible/roles/ironic/tasks/deploy.yml b/ansible/roles/ironic/tasks/deploy.yml
index 0d80b23c11..f4c0d8ca64 100644
--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@@ -21,3 +21,20 @@
 
 - name: Flush handlers
   meta: flush_handlers
+
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
+# The iptables Ansible module is not idempotent - it fails if the chain does
+# not exist, so use a command instead.
+- name: Flush and delete ironic-inspector iptables chain
+  become: true
+  command: iptables --{{ item }} ironic-inspector
+  register: ironic_inspector_chain
+  with_items:
+    - flush
+    - delete-chain
+  when: ironic_inspector_pxe_filter != 'iptables'
+  changed_when: ironic_inspector_chain.rc == 0
+  failed_when:
+    - ironic_inspector_chain.rc != 0
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
diff --git a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
index 9b0fad9e02..99a8b66bb4 100644
--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
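Review bot: The new "Flush and delete ironic-inspector iptables chain" task is gated only on `ironic_inspector_pxe_filter != 'iptables'`, so the privileged `iptables` command runs on every host the ironic role is applied to and on every deploy, not just on the hosts that run inspector during the migration. Limiting it to the inspector hosts keeps the become'd command where the chain could actually exist, e.g. `when:` / `  - ironic_inspector_pxe_filter != 'iptables'` / `  - inventory_hostname in groups['ironic-inspector']`. Separately, `iptables --delete-chain` refuses to remove a chain that is still referenced by a jump rule in another chain and reports a different error than "No chain/target/match by that name", so if any rule still jumps to `ironic-inspector` the `failed_when` exemption will not cover it and the deploy fails on the second item; either remove the referencing rule before the `delete-chain` item or state that limitation in the NOTE comment. The task list this hunk appends to begins outside the hunk.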
@@ -4,5 +4,14 @@ features: Adds support for the `Ironic Inspector dnsmasq PXE filter `__ that provides improved scalability over the default IPTables PXE filter. - This can be enabled by setting ``ironic_inspector_pxe_filter`` to - ``dnsmasq``. + This is now used by default instead of the ``iptables`` PXE filter. + The ``iptables`` filter can be enabled by setting + ``ironic_inspector_pxe_filter`` to ``iptables``. +upgrade: + - | + The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather + than ``iptables``. This change has been made to work around an issue + introduced by moving to Docker CE, where the daemon sets the default + policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can + interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP + packets from bare metal nodes to get dropped, which prevents provisioning.