Merge "Configure bifrost to use firewalld trusted zone"
commit 38198be0bd
@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
|
|||||||
# {{ openstack_branch }}.
|
# {{ openstack_branch }}.
|
||||||
kolla_bifrost_source_version: "{{ openstack_branch }}"
|
kolla_bifrost_source_version: "{{ openstack_branch }}"
|
||||||
|
|
||||||
|
# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
|
||||||
|
# services running on the seed host.
|
||||||
|
kolla_bifrost_firewalld_internal_zone: trusted
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Diskimage-builder configuration.
|
# Diskimage-builder configuration.
|
||||||
|
|
||||||
|
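Review bot: The comment above `kolla_bifrost_firewalld_internal_zone: trusted` explains the default only as avoiding blocked services and leaves out that firewalld's `trusted` zone accepts all incoming connections on the interfaces assigned to it. Since this becomes the default for every deployment, say so in the comment and point operators whose seed host sits on a less-trusted network at overriding the variable. As a minor style point, the neighbouring values in this file are quoted (`"{{ openstack_branch }}"`), so `"trusted"` would be consistent.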
@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
|
|||||||
# Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
|
# Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
|
||||||
ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
|
ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
|
||||||
|
|
||||||
|
# Firewalld zone used by Bifrost.
|
||||||
|
firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
|
||||||
|
|
||||||
{% if kolla_bifrost_extra_globals %}
|
{% if kolla_bifrost_extra_globals %}
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Extra configuration
|
# Extra configuration
|
||||||
|
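Review bot: `firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"` is rendered unconditionally, so an operator who sets the variable to an empty string gets `firewalld_internal_zone: ""` passed through to Bifrost with no early failure. Consider checking that the value is non-empty before the template is rendered, or falling back to the default there. The new setting also lands directly under the IPA ramdisk checksum variables with only a one-line comment, while the rest of the template uses banner sections; a section of its own, or a position beside related host settings, would make it easier to find.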
@ -11,6 +11,10 @@
|
|||||||
# {{ openstack_branch }}.
|
# {{ openstack_branch }}.
|
||||||
#kolla_bifrost_source_version:
|
#kolla_bifrost_source_version:
|
||||||
|
|
||||||
|
# Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
|
||||||
|
# services running on the seed host.
|
||||||
|
#kolla_bifrost_firewalld_internal_zone:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Diskimage-builder configuration.
|
# Diskimage-builder configuration.
|
||||||
|
|
||||||
|
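Review bot: The comment above `#kolla_bifrost_firewalld_internal_zone:` repeats the rationale for the default but gives no guidance for the operator who changes it, and this file is where that change is made. The release note in this commit warns that firewalld should already be configured on the seed host before deploying seed services to avoid losing connectivity; carry a one-line version of that caveat into this comment so it is visible at the point of override.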
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Kayobe configures Bifrost to use the ``trusted`` zone of ``firewalld``,
|
||||||
|
ensuring that all services running on the seed host are accessible.
|
||||||
|
Deployments with stricter firewall policies can select another zone by
|
||||||
|
setting the ``kolla_bifrost_firewalld_internal_zone`` variable in
|
||||||
|
``${KAYOBE_CONFIG_PATH}/bifrost.yml``. To avoid loss of connectivity to the
|
||||||
|
seed host, ensure that ``firewalld`` is already configured on the seed host
|
||||||
|
before deploying seed services.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes loss of connectivity to the seed host after deploying seed services,
|
||||||
|
when using a shared provisioning and admin network. This was caused by
|
||||||
|
Bifrost configuring ``firewalld`` to only allow Ironic traffic. Kayobe now
|
||||||
|
configures Bifrost to use the ``trusted`` zone, which allows all traffic.
|
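Review bot: In the `upgrade` entry, the closing sentence ("ensure that ``firewalld`` is already configured on the seed host before deploying seed services") does not say whether it applies to the default `trusted` zone or only when another zone is selected, so an upgrading operator cannot tell if action is required. Scope the sentence explicitly. The `upgrade` entry also describes the change only as making services "accessible", while the `fixes` entry states that the `trusted` zone "allows all traffic"; use the plainer wording in the `upgrade` entry too, since that is the section operators read to assess the impact on their firewall policy.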