From 74b28bc43b9570496f2b67688e0c4c04aa273733 Mon Sep 17 00:00:00 2001
From: Jim Rollenhagen
Date: Wed, 29 Oct 2014 14:15:22 -0700
Subject: [PATCH] Add iptables rule for Ironic VMs -> Swift

The agent ramdisk gets instance images from swift, set firewall rules to allow this. Also configure Ironic API port using the correct variable, and use SWIFT_DEFAULT_BIND_PORT for Swift ports everywhere.

Change-Id: Ieec8cc64e504b04a21daa49e90e2d4925f4838ee
---
 lib/ironic | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/ironic b/lib/ironic
index 0a84e47ebc..cf005a74d6 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -279,7 +279,7 @@ function configure_ironic_conductor {
 else
 die $LINENO "SWIFT_ENABLE_TEMPURLS must be True to use agent_ssh driver in Ironic."
 fi
- iniset $IRONIC_CONF_FILE glance swift_endpoint_url http://${HOST_IP}:8080
+ iniset $IRONIC_CONF_FILE glance swift_endpoint_url http://${HOST_IP}:${SWIFT_DEFAULT_BIND_PORT:-8080}
 iniset $IRONIC_CONF_FILE glance swift_api_version v1
 local tenant_id=$(get_or_create_project $SERVICE_TENANT_NAME)
 iniset $IRONIC_CONF_FILE glance swift_account AUTH_${tenant_id}
@@ -523,7 +523,11 @@ function configure_iptables {
 sudo modprobe nf_nat_tftp
 # nodes boot from TFTP and callback to the API server listening on $HOST_IP
 sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
- sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+ sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_HOSTPORT -j ACCEPT || true
+ if [ "$IRONIC_DEPLOY_DRIVER" == "agent_ssh" ]; then
+ # agent ramdisk gets instance image from swift
+ sudo iptables -I INPUT -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
+ fi
 }

 function configure_tftpd {
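Review bot: The `:-8080` fallback on the `swift_endpoint_url` line is written out again in the `configure_iptables` and `cleanup_baremetal_basic_ops` hunks, so the URL handed to the agent and the firewall rule that admits it agree only while all three copies are edited together. Resolving it once near the top of the file, `SWIFT_DEFAULT_BIND_PORT=${SWIFT_DEFAULT_BIND_PORT:-8080}`, and then using plain `$SWIFT_DEFAULT_BIND_PORT` removes that drift. The endpoint also stays on `http://`, so a short comment such as `# temp URLs travel in clear text on the provisioning network` would record that this is a known limit of the setup. `configure_ironic_conductor` starts and ends outside the hunk.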
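Review bot: The new Swift rule in `configure_iptables` matches only on destination address and port, so it admits every host that can route to `$HOST_IP`, not just the Ironic VMs the commit title names; the API rule above it has the same shape. Narrowing it to the provisioning side keeps the object store closed everywhere else, e.g. `sudo iptables -I INPUT -i <provisioning-bridge> -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true`, where the interface name is a placeholder for whatever this file uses for the VM network. Separately, `$IRONIC_HOSTPORT` is unquoted and, judging by its name, may hold `host:port` rather than a bare port; if so, iptables rejects the `--dport` value and `|| true` hides the failure, so please confirm what the variable contains. The function's opening lines are outside the hunk.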
@@ -678,6 +682,10 @@ function cleanup_baremetal_basic_ops {
 restart_service xinetd
 sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
 sudo iptables -D INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+ if [ "$IRONIC_DEPLOY_DRIVER" == "agent_ssh" ]; then
+ # agent ramdisk gets instance image from swift
+ sudo iptables -D INPUT -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
+ fi
 sudo rmmod nf_conntrack_tftp || true
 sudo rmmod nf_nat_tftp || true
 }
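Review bot: `cleanup_baremetal_basic_ops` still deletes the API rule with the literal `--dport 6385`, while `configure_iptables` now inserts it with `$IRONIC_HOSTPORT`; whenever the two differ, the delete matches nothing, `|| true` swallows the error, and the ACCEPT rule stays in place after cleanup. The `-D` line should use the same port expression as the `-I` line so that setup and teardown stay symmetric. The added Swift delete is also gated on `$IRONIC_DEPLOY_DRIVER` at cleanup time, so a driver change between setup and cleanup would leave that rule behind; a comment noting the assumption would help. The start of the function is outside the hunk.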