From 4418c1641bf2016a3a99fcdc13149fd2a365d11f Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Fri, 27 Jul 2018 15:01:43 +0100
Subject: [PATCH] Support Ironic Inspector dnsmasq PXE filter
The dnsmasq PXE filter [1] provides far better scalability than the iptables filter typically used. Inspector manages files in a dhcp-hostsdir directory that is watched by dnsmasq via inotify. Dnsmasq then either whitelists or blacklists MAC addresses based on the contents of these files. This change adds a new variable, ironic_inspector_pxe_filter, that can be used to configure the PXE filter for ironic inspector. Currently supported values are 'iptables' and 'dnsmasq', with 'iptables' being the default for backwards compatibility.
[1] https://docs.openstack.org/ironic-inspector/latest/admin/dnsmasq-pxe-filter.html
Implements: blueprint ironic-inspector-dnsmasq-pxe-filter
Change-Id: I73cae9c33b49972342cf1984372a5c784df5cbc2
---
 ansible/roles/ironic/defaults/main.yml | 3 +++
 ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 | 4 +++-
 .../roles/ironic/templates/ironic-inspector.conf.j2 | 11 ++++++++---
 ...inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml | 8 ++++++++
 4 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 6e1628ffa7..dd45736dea 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -53,6 +53,7 @@ ironic_services:
 - "{{ node_config_directory }}/ironic-inspector/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "kolla_logs:/var/log/kolla"
+ - "ironic_inspector_dhcp_hosts:/var/lib/ironic-inspector/dhcp-hostsdir"
 - "{{ kolla_dev_repos_directory ~ '/ironic-inspector/ironic_inspector:/var/lib/kolla/venv/lib/python2.7/site-packages/ironic_inspector' if ironic_dev_mode | bool else '' }}"
 dimensions: "{{ ironic_inspector_dimensions }}"
 haproxy:
@@ -99,6 +100,7 @@ ironic_services:
 - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
 - "kolla_logs:/var/log/kolla"
+ - "ironic_inspector_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
 dimensions: "{{ ironic_dnsmasq_dimensions }}"
@@ -180,6 +182,7 @@ ironic_console_serial_speed: "115200n8"
 ironic_ipxe_url: http://{{ api_interface_address }}:{{ ironic_ipxe_port }}
 ironic_enable_rolling_upgrade: "yes"
 ironic_inspector_kernel_cmdline_extras: []
+ironic_inspector_pxe_filter: iptables
 ####################
 ## Kolla
diff --git a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2 b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
index 95e5242c0a..89a54f9ba1 100644
--- a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
@@ -20,4 +20,6 @@ dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_ipxe_url }}/inspector.ipxe
 dhcp-option=tag:efi,tag:!ipxe,option:bootfile-name,ipxe.efi
 {% endif %}
 dhcp-option=option:bootfile-name,{{ ironic_dnsmasq_boot_file }}
-
+{% if ironic_inspector_pxe_filter == 'dnsmasq' %}
+dhcp-hostsdir=/etc/dnsmasq/dhcp-hostsdir
+{% endif %}
diff --git a/ansible/roles/ironic/templates/ironic-inspector.conf.j2 b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
index de883eeb6f..679e6a9d5f 100644
--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
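Review bot: Nothing visible in this patch ensures that the inspector's service user can write to the new `ironic_inspector_dhcp_hosts` volume added in the first main.yml hunk (the ironic-inspector volumes list, which starts outside the hunk). A newly created named volume is commonly root-owned unless the image already ships `/var/lib/ironic-inspector/dhcp-hostsdir` with the right owner, so it is worth confirming that the image or the container's Kolla config.json permissions cover this path. If the directory is not writable, the filter driver presumably cannot publish its host files and dnsmasq would keep answering from an empty or stale directory. The read-only mount on the dnsmasq side in the second hunk is the right split of privileges.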
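Review bot: `ironic_inspector_pxe_filter` is introduced in the third main.yml hunk without any validation, while both templates in this patch branch on the exact strings 'iptables' and 'dnsmasq'. A misspelt or unsupported value would be rendered straight into `driver =` with neither the `[iptables]` section nor `dhcp-hostsdir` emitted, so a deployment could end up without effective PXE filtering and without any error at deploy time. I would document the accepted values next to the default, e.g. `# Valid options are [ iptables, dnsmasq ]`, quote the value as `"iptables"` to match the neighbouring defaults, and add a precheck that fails when the value is not in that list.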
@@ -34,11 +34,16 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi
 policy_file = {{ ironic_policy_file }}
 {% endif %}
-[iptables]
-dnsmasq_interface = {{ ironic_dnsmasq_interface }}
-
 [database]
 connection = mysql+pymysql://{{ ironic_inspector_database_user }}:{{ ironic_inspector_database_password }}@{{ ironic_inspector_database_address }}/{{ ironic_inspector_database_name }}
 [processing]
 ramdisk_logs_dir = /var/log/kolla/ironic-inspector
+
+[pxe_filter]
+driver = {{ ironic_inspector_pxe_filter }}
+
+{% if ironic_inspector_pxe_filter == 'iptables' %}
+[iptables]
+dnsmasq_interface = {{ ironic_dnsmasq_interface }}
+{% endif %}
diff --git a/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
new file mode 100644
index 0000000000..9b0fad9e02
--- /dev/null
+++ b/releasenotes/notes/ironic-inspector-dnsmasq-pxe-filter-ab012028bcd7d332.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adds support for the `Ironic Inspector dnsmasq PXE filter
+ `__
+ that provides improved scalability over the default IPTables PXE filter.
+ This can be enabled by setting ``ironic_inspector_pxe_filter`` to
+ ``dnsmasq``.
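Review bot: The new `[pxe_filter]` block selects the dnsmasq driver but renders no `[dnsmasq_pxe_filter]` section, so the directory the inspector writes to is left to the upstream default. That default appears to match the `/var/lib/ironic-inspector/dhcp-hostsdir` mount added in defaults/main.yml, but pinning `dhcp_hostsdir` explicitly keeps the two from drifting; a mismatch would leave dnsmasq watching an empty directory and filtering nothing. Upstream also offers `dnsmasq_start_command` and `dnsmasq_stop_command` so that dnsmasq is stopped when the filter cannot be kept in sync. With dnsmasq in a separate container these stay unset, so the release note should say that stale filter files remain in effect if the inspector stops.

```jinja
{# … unchanged: [pxe_filter] driver setting … #}
{% if ironic_inspector_pxe_filter == 'dnsmasq' %}
[dnsmasq_pxe_filter]
dhcp_hostsdir = /var/lib/ironic-inspector/dhcp-hostsdir
{% endif %}
{# … unchanged: conditional [iptables] section … #}
```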