Include custom ci firewall rule in deployment

We noticed some packet drops on the Overcloud node after switching to
nftables [1] in the
periodic-tripleo-ci-centos-9-scenario007-multinode-oooq-container-master job.

In order to properly get VXLAN support, we create a yaml
ci_custom_firewall_rules.yaml during the overcloud-deploy role which
adds some custom ci firewall rules to the Overcloud node. This is
especially true for a lab environment, or on the upstream CI
infrastructure.

This patch includes the yaml ci_custom_firewall_rules.yaml in the
deployment.

Please refer to the documentation [2] to learn more about the
requirements for these additional rules.

[1] https://logserver.rdoproject.org/54/31954/69/check/periodic-tripleo-ci-centos-9-scenario007-multinode-oooq-container-master/863a967/logs/subnode-1/var/log/extra/dropped-packets.txt.gz
[2] https://opendev.org/openstack/tripleo-docs/src/branch/master/deploy-guide/source/features/security_hardening.rst#vxlan-and-nftables

Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/857096
Change-Id: I9c856506331a7c511e1457d72b9922de78c2f403
Sandeep Yadav 2022-09-12 18:22:38 +05:30
parent b10da3f993
commit 0c7ca14e76
9 changed files with 27 additions and 0 deletions


@ -49,6 +49,9 @@ extra_args: >-
--disable-validations
{% endif %}
-e {{ overcloud_templates_path }}/ci/environments/neutron_dns_domain.yaml
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{% if release not in ['train','ussuri','victoria'] and
job is defined and
job.enable_secure_rbac is defined and
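Review bot: the added `-e {{ working_dir }}/ci_custom_firewall_rules.yaml` assumes the file has already been written by the overcloud-deploy change this patch Depends-On; if that change creates the file under a release condition other than `release not in ['train','wallaby']` used here, the deploy command fails with a missing environment file on the mismatched releases. Suggest keeping the two conditions in one shared variable, or guarding the `-e` on the file's existence, so the two changes cannot drift apart.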


@ -74,6 +74,9 @@ telemetry_args: >-
extra_args: >-
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{% if release not in ['train'] -%}
--disable-validations
{%- endif -%}
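Review bot: the added `{% if release not in ['train','wallaby'] %}` / `{% endif %}` use no whitespace control, while the block directly below strips it with `{% if release not in ['train'] -%}` and `{%- endif -%}`; on train and wallaby the new lines therefore render as blank lines inside the `>-` folded scalar. Suggest matching the neighbouring `-%}` style so the rendered extra_args string only differs between releases by the intended flag.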


@ -68,6 +68,9 @@ extra_args: >-
{%- if release not in ['train','wallaby'] -%}
-e /usr/share/openstack-tripleo-heat-templates/environments/auditd.yaml
{% endif %}
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{%- if release not in ['train','ussuri','victoria'] -%}
--disable-protected-resource-types
--baremetal-deployment
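Review bot: the new block repeats the condition of the block immediately above it (`{%- if release not in ['train','wallaby'] -%}` guarding auditd.yaml), so two consecutive if/endif pairs test the same thing. Suggest moving the new `-e {{ working_dir }}/ci_custom_firewall_rules.yaml` line into the existing block so the release list is maintained in one place in this file.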


@ -104,6 +104,9 @@ extra_args: >-
enable_secure_rbac|default(false)|bool -%}
-e {{ overcloud_templates_path }}/environments/enable-secure-rbac.yaml
{% endif %}
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{%- if release not in ['train','ussuri','victoria'] -%}
--disable-protected-resource-types
{%- endif -%}
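Review bot: the guard excludes only train and wallaby, while the adjacent guard in the same block uses `['train','ussuri','victoria']`; the commit message reports the drops on the centos-9 master job but does not say whether ussuri or victoria need, or accept, the extra rules file. Suggest either aligning the release list with the neighbouring one or stating in the commit message why ussuri and victoria are included.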


@ -37,6 +37,9 @@ telemetry_args: >-
extra_args: >-
-e {{ overcloud_templates_path }}/environments/services/neutron-ovs.yaml
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{% if release not in ['train','ussuri','victoria'] -%}
--disable-protected-resource-types
--baremetal-deployment


@ -77,6 +77,9 @@ telemetry_args: >-
{% endif %}
extra_args: >-
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
-e {{ overcloud_templates_path }}/environments/memcached-use-ips.yaml
{% if release not in ['newton', 'ocata', 'pike'] %}
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml


@ -93,6 +93,9 @@ ephemeral_heat: "{{ (release not in ['queens', 'stein','train','ussuri','victori
ephemeral_heat_args: "{{ '--heat-type pod' if ephemeral_heat|bool else '' }}"
extra_args: >-
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{%- if release not in ['train','ussuri','victoria'] -%}
--disable-protected-resource-types
--baremetal-deployment


@ -75,6 +75,9 @@ extra_args: >-
{% if release not in ['newton', 'ocata', 'pike'] %}
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
{% endif %}
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
{% if release in ['ussuri', 'victoria'] -%}
--disable-validations
{% endif %}


@ -39,6 +39,9 @@ network_isolation_args: >-
extra_args: >-
-e {{ overcloud_templates_path }}/ci/environments/ovb-ha.yaml
{% if release not in ['train','wallaby'] %}
-e {{ working_dir }}/ci_custom_firewall_rules.yaml
{% endif %}
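Review bot: the same three-line block is now copied verbatim into nine config files, so the next change to the release list or the file path has to be made nine times. Suggest defining the guarded `-e {{ working_dir }}/ci_custom_firewall_rules.yaml` fragment once in a shared variable and referencing it from each extra_args, which also removes the ordering and whitespace differences between the copies.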
undercloud_ntp_servers: pool.ntp.org
# keep the doc gen settings at the bottom of the config file.