diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index b51367199..c4c68c058 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+kolla_bifrost_use_firewalld: False
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 kolla_bifrost_firewalld_internal_zone: trusted
diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
index cb1291f12..e8accf4f6 100644
--- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
+++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Whether Bifrost uses firewalld.
+use_firewalld: "{{ kolla_bifrost_use_firewalld }}"
+
 # Firewalld zone used by Bifrost.
 firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
 
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 275d80bc8..0bfcec726 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
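Review bot: The comment on `kolla_bifrost_firewalld_internal_zone`, directly below the new variable, still reads as if the zone always applies, but with `kolla_bifrost_use_firewalld` defaulting to false the zone is presumably ignored unless firewalld is switched back on. I would add `# Only used when kolla_bifrost_use_firewalld is true.` to that comment, here and in the matching hunk of `etc/kayobe/bifrost.yml`. The new comment could also say that with firewalld off, filtering of Bifrost's ports on the seed presumably rests on the iptables rules Kayobe manages, so operators who relied on firewalld know what to verify after upgrading.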
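Review bot: `use_firewalld: "{{ kolla_bifrost_use_firewalld }}"` renders the boolean as the quoted string `"False"`, so the consumer receives a non-empty string rather than a YAML boolean. If any Bifrost task tests the variable without `| bool`, the string could be treated as true and firewalld would be enabled despite the default, which is the conflict with the seed's iptables rules this change is meant to avoid. Rendering it unquoted through the filter, `use_firewalld: {{ kolla_bifrost_use_firewalld | bool }}`, keeps the type unambiguous. How Bifrost consumes the value is not visible in this diff, so this is a precaution rather than a confirmed fault.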
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+#kolla_bifrost_use_firewalld:
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 #kolla_bifrost_firewalld_internal_zone:
diff --git a/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
new file mode 100644
index 000000000..ad10a9c51
--- /dev/null
+++ b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
@@ -0,0 +1,16 @@
+---
+features:
+ - |
+ Adds a new ``kolla_bifrost_use_firewalld`` variable used to define whether
+ Bifrost uses firewalld, which is now disabled by default.
+upgrade:
+ - |
+ Bifrost is now configured to avoid using firewalld, to prevent conflicts
+ with firewall rules set by Kayobe on the seed host. The existing behaviour
+ can be retained by setting ``kolla_bifrost_use_firewalld`` to ``True`` in
+ ``bifrost.yml``.
+fixes:
+ - |
+ Prevents Bifrost from using firewalld to avoid conflicts with firewall
+ rules set by Kayobe on the seed host. See `story 2009252
+ `__ for more details.