Merge "Use ironic inspector 'dnsmasq' PXE filter by default"

7eb0da0d · Zuul · Gerrit Code Review · 416d8400 · 86e83fae · 7eb0da0d
Commit 7eb0da0d authored 5 years ago by Zuul Committed by Gerrit Code Review 5 years ago
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -186,7 +186,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}iptables{% else %}none{% endif %}"
+ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}none{% endif %}"

 ####################
 ## Kolla

--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@@ -21,3 +21,20 @@

 - name: Flush handlers
  meta: flush_handlers
+
+# NOTE(mgoddard): If inspector was previously configured to use the iptables
+# PXE filter, it may leave rules in place that block inspection. Clean them up.
+# The iptables Ansible module is not idempotent - it fails if the chain does
+# not exist, so use a command instead.
+- name: Flush and delete ironic-inspector iptables chain
+  become: true
+  command: iptables --{{ item }} ironic-inspector
+  register: ironic_inspector_chain
+  with_items:
+    - flush
+    - delete-chain
+  when: ironic_inspector_pxe_filter != 'iptables'
+  changed_when: ironic_inspector_chain.rc == 0
+  failed_when:
+    - ironic_inspector_chain.rc != 0
+    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
--- a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@@ -4,5 +4,14 @@ features:
    Adds support for the `Ironic Inspector dnsmasq PXE filter
    <https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html>`__
    that provides improved scalability over the default IPTables PXE filter.
-    This can be enabled by setting ``ironic_inspector_pxe_filter`` to
-    ``dnsmasq``.
+    This is now used by default instead of the ``iptables`` PXE filter.
+    The ``iptables`` filter can be enabled by setting
+    ``ironic_inspector_pxe_filter`` to ``iptables``.
+upgrade:
+  - |
+    The default PXE filter used by Ironic Inspector is now ``dnsmasq`` rather
+    than ``iptables``.  This change has been made to work around an issue
+    introduced by moving to Docker CE, where the daemon sets the default
+    policy on the ``iptables`` ``FORWARD`` chain to ``DROP``. This policy can
+    interact with the Ironic Inspector ``iptables`` PXE filter to cause DHCP
+    packets from bare metal nodes to get dropped, which prevents provisioning.