openstack/kayobe
Code Issues Proposed changes

Fix kayobe-overcloud-centos CI job flakiness

Browse Source 
Docker CE has added a default DROP policy to the FORWARD chain.  When
nova-compute runs on the controller, kolla ansible sets the
net.bridge.bridge-nf-call-iptables sysctl to 1, which causes iptables to
process frames forwarded across bridges.

Currently, the kayobe-overcloud-centos job is failing quite frequently
with timeouts when deploying bare metal compute. Experimentation with
iptables hasn't revealed why this only happens sometimes, or exactly
what traffic is being blocked, but opening up the firewall does seem to
fix the issue. We won't see this in production since control and compute
services are on separate hosts.

This change updates the iptables configuration used in CI to forward all
frames on the bridge, breth1.

Change-Id: If96437b73b9b5c58600ba1b004f53ee0c1f14398
Story: 2006534
Task: 36590
This commit is contained in:
Mark Goddard 2019-09-12 11:16:22 +01:00
parent 7321205c06
commit 4b180502a5
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
dev/functions
View File

@ -664,13 +664,13 @@ function configure_iptables {
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
# open ironic API on baremetal network # open ironic API on baremetal network
sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
# allow IPA to connect to ironic API
sudo iptables -I FORWARD -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true # Docker CE has added a default DROP policy to the FORWARD chain.
# allow IPA to connect to ironic inspector # When nova-compute runs on the controller, kolla ansible sets the
sudo iptables -I FORWARD -p tcp --dport $IRONIC_INSPECTOR_PORT -j ACCEPT || true # net.bridge.bridge-nf-call-iptables sysctl to 1, which causes iptables to
# Docker CE has added a default DROP policy to the FORWARD chain. Allow # process frames forwarded across bridges. Forward all frames on the main
# DHCP packets to be forwarded across the bridge. # bridge, breth1.
sudo iptables -I FORWARD -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true sudo iptables -A FORWARD -i breth1 -j ACCEPT || true
# agent ramdisk gets instance image from swift # agent ramdisk gets instance image from swift
sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true sudo iptables -I INPUT -d $INTERNAL_VIP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true