Merge "Configure bifrost to use firewalld trusted zone"

38198be0 · Zuul · Gerrit Code Review · 1b48a713 · 9df0f00b · 38198be0
Commit 38198be0 authored 4 years ago by Zuul Committed by Gerrit Code Review 4 years ago
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"

+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+kolla_bifrost_firewalld_internal_zone: trusted
+
 ###############################################################################
 # Diskimage-builder configuration.


--- a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"

+# Firewalld zone used by Bifrost.
+firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
+
 {% if kolla_bifrost_extra_globals %}
 ###############################################################################
 # Extra configuration

--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:

+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+#kolla_bifrost_firewalld_internal_zone:
+
 ###############################################################################
 # Diskimage-builder configuration.


--- a/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
+++ b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
+---
+upgrade:
+  - |
+    Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
+    ensuring that all services running on the seed host are accessible.
+    Deployments with stricter firewall policies can select another zone by
+    setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
+    ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
+    seed host, ensure that ``firewalld`` is already configured on the seed host
+    before deploying seed services.
+fixes:
+  - |
+    Fixes loss of connectivity to the seed host after deploying seed services,
+    when using a shared provisioning and admin network. This was caused by
+    Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
+    configures Bifrost to use the ``trusted`` zone, which allows all traffic.