From e3c606d4ef46ad2c36749b6513a57e7b0c800ba0 Mon Sep 17 00:00:00 2001 From: Riccardo Pittau Date: Tue, 19 Mar 2019 10:58:13 +0100 Subject: [PATCH] Add release note on conntrack issue on bionic Adding a release note explaining the issue with Ironic CI and conntrack on ubuntu bionic. Change-Id: Ie25c8d9117072020bb84a5c6e6f63191ff632870 --- .../issue-conntrack-bionic-7483671771cf2e82.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 releasenotes/notes/issue-conntrack-bionic-7483671771cf2e82.yaml diff --git a/releasenotes/notes/issue-conntrack-bionic-7483671771cf2e82.yaml b/releasenotes/notes/issue-conntrack-bionic-7483671771cf2e82.yaml new file mode 100644 index 0000000000..dc84206659 --- /dev/null +++ b/releasenotes/notes/issue-conntrack-bionic-7483671771cf2e82.yaml @@ -0,0 +1,13 @@ +--- +issues: + - | + As good security practice[0], in Ubuntu Bionic the ``nf_conntrack_helper`` + is disabled. + This causes an issue when using the ``pxe`` boot interface with the PXE + environment that breaks some of the Ironic CI tests, since Ironic needs + conntrack for TFTP traffic. + It's still possible to use Ironic with PXE on Ubuntu Xenial, and it's also + possible to use Ironic with PXE on Ubuntu Bionic using a workaround based + on custom firewall rules as shown in [0]. + + [0] https://home.regit.org/netfilter-en/secure-use-of-helpers/
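Review bot: the workaround sentence in the new `issues` entry ("using a workaround based on custom firewall rules as shown in [0]") leaves the reader to work out from an external page which rule is actually needed. Say in the note itself what the rule has to do (let conntrack handle the TFTP traffic Ironic needs for the ``pxe`` boot interface), and that it should be scoped to that traffic rather than re-enabling ``nf_conntrack_helper`` globally, since the same entry describes the disabled state as good security practice. Two wording points in the same entry: "the ``nf_conntrack_helper`` is disabled" does not say what kind of thing is disabled (setting, module), and "with the PXE environment that breaks some of the Ironic CI tests" reads as if the PXE environment, not the disabled helper, breaks the tests. Splitting that sentence would remove the ambiguity. The commit message says the problem concerns Ironic CI, while the note also tells deployers that PXE works on Xenial and needs a workaround on Bionic, so it would help to state explicitly whether deployments outside CI are affected.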