Fix kayobe-overcloud-centos CI job flakiness

Docker CE has added a default DROP policy to the FORWARD chain. When nova-compute runs on the controller, kolla ansible sets the net.bridge.bridge-nf-call-iptables sysctl to 1, which causes iptables to process frames forwarded across bridges. Currently, the kayobe-overcloud-centos job is failing quite frequently with timeouts when deploying bare metal compute. Experimentation with iptables hasn't revealed why this only happens sometimes, or exactly what traffic is being blocked, but opening up the firewall does seem to fix the issue. We won't see this in production since control and compute services are on separate hosts. This change updates the iptables configuration used in CI to forward all frames on the bridge, breth1. Change-Id: If96437b73b9b5c58600ba1b004f53ee0c1f14398 Story: 2006534 Task: 36590

Fix kayobe-overcloud-centos CI job flakiness
4b180502 · Mark Goddard · 7321205c · 4b180502
Commit 4b180502 authored 5 years ago by Mark Goddard
--- a/dev/functions
+++ b/dev/functions
@@ -664,13 +664,13 @@ function configure_iptables {
    sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
    # open ironic API on baremetal network
    sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
-    # allow IPA to connect to ironic API
-    sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
-    # allow IPA to connect to ironic inspector
-    sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true
-    # Docker CE has added a default DROP policy to the FORWARD chain. Allow
-    # DHCP packets to be forwarded across the bridge.
-    sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
+
+    # Docker CE has added a default DROP policy to the FORWARD chain.
+    # When nova-compute runs on the controller, kolla ansible sets the
+    # net.bridge.bridge-nf-call-iptables sysctl to 1, which causes iptables to
+    # process frames forwarded across bridges. Forward all frames on the main
+    # bridge, breth1.
+    sudo iptables -A FORWARD -i breth1 -j ACCEPT || true

    # agent ramdisk gets instance image from swift
    sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true