From 9df0f00bc5e38c37706eaf845f93754af7605528 Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Wed, 7 Oct 2020 17:38:43 +0200
Subject: [PATCH] Configure bifrost to use firewalld trusted zone

Without this setting, bifrost creates a bifrost firewalld zone only
allowing network traffic for Ironic services and assigns the
provisioning network interface to it, potentially causing loss of
connectivity.

Using the public zone is suggested as a workaround [1] but is not
sufficient: it allows SSH traffic, but blocks other services deployed on
the seed, such as Docker registry traffic.

[1] https://review.opendev.org/#/c/754406/

Change-Id: I80f9d95f02e11fda5916f9a9dd257b688a9db7e2
Story: 2008153
Task: 40899
---
 ansible/group_vars/all/bifrost                   |  4 ++++
 .../roles/kolla-bifrost/templates/bifrost.yml.j2 |  3 +++
 etc/kayobe/bifrost.yml                           |  4 ++++
 .../bifrost-firewalld-zone-09a29651a058531a.yaml | 16 ++++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml

diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index 3c06e0bf..81224ed1 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+kolla_bifrost_firewalld_internal_zone: trusted
+
 ###############################################################################
 # Diskimage-builder configuration.
 
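Review bot: The comment above `kolla_bifrost_firewalld_internal_zone: trusted` only says the default avoids blocking other seed services; it does not say that, per the release note in this same commit, the ``trusted`` zone allows all traffic, so the provisioning interface Bifrost assigns to it is effectively unfiltered by firewalld. Operators reading only the group_vars file should see that trade-off next to the default, e.g. `# The "trusted" zone accepts all incoming traffic on the interface Bifrost assigns to it; pick a more restrictive zone if the provisioning network is reachable from untrusted hosts.` The same wording gap applies to the commented-out default added to etc/kayobe/bifrost.yml in this commit. The plain scalar `trusted` itself is unambiguous for YAML, so no quoting is needed.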
diff --git a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2 b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
index 8ffbf2af..a4d64dd3 100644
--- a/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/kolla-bifrost/templates/bifrost.yml.j2
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Firewalld zone used by Bifrost.
+firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
+
 {% if kolla_bifrost_extra_globals %}
 ###############################################################################
 # Extra configuration
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 9e7c9cf2..bd7e97e1 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
+# services running on the seed host.
+#kolla_bifrost_firewalld_internal_zone:
+
 ###############################################################################
 # Diskimage-builder configuration.
 
diff --git a/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
new file mode 100644
index 00000000..b9cde15b
--- /dev/null
+++ b/releasenotes/notes/bifrost-firewalld-zone-09a29651a058531a.yaml
@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
+    ensuring that all services running on the seed host are accessible.
+    Deployments with stricter firewall policies can select another zone by
+    setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
+    ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
+    seed host, ensure that ``firewalld`` is already configured on the seed host
+    before deploying seed services.
+fixes:
+  - |
+    Fixes loss of connectivity to the seed host after deploying seed services,
+    when using a shared provisioning and admin network. This was caused by
+    Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
+    configures Bifrost to use the ``trusted`` zone, which allows all traffic.
-- 
GitLab