From 9f6c912b3418b21c06f53860e786b5b56daddff6 Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Mon, 27 Sep 2021 11:40:49 +0200
Subject: [PATCH] Prevent Bifrost from using firewalld

This is to avoid conflicting with iptables rules configured on the seed
host by Kayobe.

A new variable kolla_bifrost_use_firewalld is introduced to configure
whether Bifrost uses firewalld.

Change-Id: I7049eae6518f818f9e180dfdb6f515d527644808
Story: 2009252
Task: 43442
---
 ansible/group_vars/all/bifrost                   |  4 ++++
 .../templates/kolla/config/bifrost/bifrost.yml   |  3 +++
 etc/kayobe/bifrost.yml                           |  4 ++++
 .../bifrost-use-firewalld-90b69e2ac6eead67.yaml  | 16 ++++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml

diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index b5136719..c4c68c05 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+kolla_bifrost_use_firewalld: False
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 kolla_bifrost_firewalld_internal_zone: trusted
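Review bot: The comment on the new `kolla_bifrost_use_firewalld` variable should say what the false default means for the seed host firewall, since with firewalld disabled Bifrost presumably no longer opens its own service ports and the iptables rules Kayobe manages must admit whatever provisioning traffic Bifrost relies on. The existing `kolla_bifrost_firewalld_internal_zone: trusted` just below is also only consulted when this variable is true, which is worth stating so nobody reads "trusted" as still being in effect. I would extend the comment with `# When false, Bifrost opens no ports itself: the seed host's iptables rules must permit` / `# the provisioning traffic Bifrost needs, and kolla_bifrost_firewalld_internal_zone is unused.`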
diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
index cb1291f1..e8accf4f 100644
--- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
+++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Whether Bifrost uses firewalld.
+use_firewalld: "{{ kolla_bifrost_use_firewalld }}"
+
 # Firewalld zone used by Bifrost.
 firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
 
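Review bot: `use_firewalld: "{{ kolla_bifrost_use_firewalld }}"` renders the boolean inside double quotes, so the file handed to Bifrost contains the string `"False"` rather than a YAML boolean; a non-empty string is truthy in a bare `when: use_firewalld`, so the firewalld tasks this change is meant to switch off would still run unless every Bifrost task that consumes the variable applies `| bool`. For a switch that decides whether firewall rules are applied on the seed host, an unrecognised value leaning toward running the tasks is the wrong direction to fail, and depending on the downstream project's filter usage is fragile. Emitting a native boolean removes the dependency: `use_firewalld: {{ kolla_bifrost_use_firewalld | bool | to_json }}`, which renders as a bare `true`/`false` that any consumer interprets correctly. If this template quotes every Jinja value by convention, note in the comment that Bifrost must coerce the value with `| bool`.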
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 275d80bc..0bfcec72 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+#kolla_bifrost_use_firewalld:
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 #kolla_bifrost_firewalld_internal_zone:
diff --git a/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
new file mode 100644
index 00000000..ad10a9c5
--- /dev/null
+++ b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    Adds a new ``kolla_bifrost_use_firewalld`` variable used to define whether
+    Bifrost uses firewalld, which is now disabled by default.
+upgrade:
+  - |
+    Bifrost is now configured to avoid using firewalld, to prevent conflicts
+    with firewall rules set by Kayobe on the seed host. The existing behaviour
+    can be retained by setting ``kolla_bifrost_use_firewalld`` to ``True`` in
+    ``bifrost.yml``.
+fixes:
+  - |
+    Prevents Bifrost from using firewalld to avoid conflicts with firewall
+    rules set by Kayobe on the seed host. See `story 2009252
+    <https://storyboard.openstack.org/#!/story/2009252>`__ for more details.
-- 
GitLab