From 13eff665f0ac1b43480ed06d8fad3ccbb9974e7a Mon Sep 17 00:00:00 2001
From: Vasyl Saienko <vsaienko@mirantis.com>
Date: Wed, 19 Apr 2017 19:54:57 +0300
Subject: [PATCH] [Devstack]: open firewall for ironic api on provision net

For grenade job we need to open firewall on provision network IP on
subnode. This needed for grenade job to setup redirect from primary
node to subnode.

Change-Id: I026121121059768aa74389add7eee6e63fdb214d
---
 devstack/lib/ironic | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index 2292da6e35..4474f63722 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -1612,6 +1612,8 @@ function configure_iptables {
     # nodes boot from TFTP and callback to the API server listening on $HOST_IP
     sudo iptables -I INPUT -d $IRONIC_TFTPSERVER_IP -p udp --dport 69 -j ACCEPT || true
     sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
+    sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
+    sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
     if is_deployed_by_agent; then
         # agent ramdisk gets instance image from swift
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true