Configure bifrost to use firewalld trusted zone

Without this setting, bifrost creates a bifrost firewalld zone only allowing network traffic for Ironic services and assigns the provisioning network interface to it, potentially causing loss of connectivity. Using the public zone is suggested as a workaround [1] but is not sufficient: it allows SSH traffic, but blocks other services deployed on the seed, such as Docker registry traffic. [1] https://review.opendev.org/#/c/754406/ Change-Id: I80f9d95f02e11fda5916f9a9dd257b688a9db7e2 Story: 2008153 Task: 40899

Configure bifrost to use firewalld trusted zone
9df0f00b · Pierre Riteau · 02c03839 · 9df0f00b · 9df0f00b · 9df0f00b
Commit 9df0f00b authored 4 years ago by Pierre Riteau
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"

+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+kolla_bifrost_firewalld_internal_zone: trusted
+
 ###############################################################################
 # Diskimage-builder configuration.


--- a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"

+# Firewalld zone used by Bifrost.
+firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
+
 {% if kolla_bifrost_extra_globals %}
 ###############################################################################
 # Extra configuration

--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:

+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+#kolla_bifrost_firewalld_internal_zone:
+
 ###############################################################################
 # Diskimage-builder configuration.


--- a/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
+++ b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
+---
+upgrade:
+  - |
+    Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
+    ensuring that all services running on the seed host are accessible.
+    Deployments with stricter firewall policies can select another zone by
+    setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
+    ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
+    seed host, ensure that ``firewalld`` is already configured on the seed host
+    before deploying seed services.
+fixes:
+  - |
+    Fixes loss of connectivity to the seed host after deploying seed services,
+    when using a shared provisioning and admin network. This was caused by
+    Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
+    configures Bifrost to use the ``trusted`` zone, which allows all traffic.