From c96fe4146e25a5754c8439df04addfee0d60bff8 Mon Sep 17 00:00:00 2001
From: Paul Bourke <paul.bourke@oracle.com>
Date: Tue, 10 Apr 2018 19:24:29 +0100
Subject: [PATCH] Add cap NET_ADMIN for ironic_dnsmasq

When attempting to inspect a node with ironic, ironic_dnsmasq sometimes
fails to process DHCP/BOOTP requests, logging the following error
repeatedly:

dnsmasq-dhcp: DHCPDISCOVER(eth0) 52:54:00:ff:15:55
dnsmasq-dhcp: DHCPOFFER(eth0) 192.169.5.100 52:54:00:ff:15:55
dnsmasq-dhcp: ARP-cache injection failed: Operation not permitted

Adding NET_ADMIN fixes this.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1762805
Change-Id: I39acb81801710f849336380d3fde01c70cd8d8ce
---
 ansible/roles/ironic/defaults/main.yml | 2 ++
 ansible/roles/ironic/handlers/main.yml | 1 +
 ansible/roles/ironic/tasks/config.yml  | 1 +
 3 files changed, 4 insertions(+)

diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index e56eb25587..d20a4d0857 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -51,6 +51,8 @@ ironic_services:
     container_name: ironic_dnsmasq
     group: ironic-inspector
     enabled: true
+    cap_add:
+      - NET_ADMIN
     image: "{{ ironic_dnsmasq_image_full }}"
     volumes:
       - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
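Review bot: The new `cap_add` entry on the ironic_dnsmasq service carries no comment recording why NET_ADMIN is needed, so anyone later auditing container capabilities in this role has to recover the justification from git history. Suggest a comment directly above `cap_add:` such as `# NET_ADMIN: dnsmasq needs it to inject ARP cache entries when answering DHCP (LP#1762805)`. Granting one named capability to one container rather than `privileged: true` is the right scope; the comment only documents it. The enclosing `ironic_services` mapping starts outside the hunk.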
diff --git a/ansible/roles/ironic/handlers/main.yml b/ansible/roles/ironic/handlers/main.yml
index cca0a45ac4..f32e73ada2 100644
--- a/ansible/roles/ironic/handlers/main.yml
+++ b/ansible/roles/ironic/handlers/main.yml
@@ -103,6 +103,7 @@
     name: "{{ service.container_name }}"
     image: "{{ service.image }}"
     volumes: "{{ service.volumes }}"
+    cap_add: "{{ service.cap_add }}"
   when:
     - action != "config"
     - inventory_hostname in groups[service.group]
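Review bot: `cap_add: "{{ service.cap_add }}"` has no default, whereas the matching line added in tasks/config.yml uses `item.value.cap_add|default([])`; if this handler is evaluated with a service entry that has no `cap_add` key, Ansible fails with an undefined-variable error rather than starting the container. Suggest `cap_add: "{{ service.cap_add|default([]) }}"` so both code paths treat a missing key the same way. Whether this handler is bound only to ironic_dnsmasq, the one service that defines `cap_add`, cannot be told from the hunk, and the task it belongs to starts outside the hunk.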
diff --git a/ansible/roles/ironic/tasks/config.yml b/ansible/roles/ironic/tasks/config.yml
index c91337d1c5..63e57c6cf7 100644
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -196,6 +196,7 @@
     name: "{{ item.value.container_name }}"
     image: "{{ item.value.image }}"
     privileged: "{{ item.value.privileged|default(False) }}"
+    cap_add: "{{ item.value.cap_add|default([]) }}"
     volumes: "{{ item.value.volumes }}"
   register: check_ironic_containers
   when: