Update slave iptables for Ironic provisioning

The ironic devstack gate boots virtual baremetal 'nodes' on the
Neutron tenant network.  These nodes PXE boot and expect TFTP access
and the ability to post a callback via Ironic's API at $HOST_IP:6385.
This adds two new rules to the openstack-INPUT chain to allow these
from the Devstack Neutron public network.

Change-Id: I6aecc0f07641c09f696756b94398d1ccbe082548
Adam Gandelman 2014-04-14 17:27:06 -07:00
parent 546fb9eecd
commit 75a1e34c3c

@ -21,10 +21,14 @@ class openstack_project::single_use_slave (
certname => $certname,
automatic_upgrades => $automatic_upgrades,
install_users => $install_users,
# Ports 8000, 8003, 8004 from the devstack neutron public net to allow
# nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
iptables_rules4 =>
[
# Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
# the ironic API from the neutron public net
'-p udp --dport 69 -s 172.24.4.0/24 -j ACCEPT',
'-p tcp --dport 6385 -s 172.24.4.0/24 -j ACCEPT',
# Ports 8000, 8003, 8004 from the devstack neutron public net to allow
# nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
'-p tcp --dport 8000 -s 172.24.4.0/24 -j ACCEPT',
'-p tcp --dport 8003 -s 172.24.4.0/24 -j ACCEPT',
'-p tcp --dport 8004 -s 172.24.4.0/24 -j ACCEPT',
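
Review bot: The new `'-p udp --dport 69 -s 172.24.4.0/24 -j ACCEPT'` rule only covers the initial TFTP request. The rest of a TFTP transfer runs on an ephemeral port chosen by the server, so the nodes' ACK packets will only get through if openstack-INPUT already accepts ESTABLISHED traffic, which is not visible in this hunk; please confirm that or note it in the comment. Two smaller points: the added comment reads "Ports 69 and 6385 allow to allow ironic VM nodes", which should be "Ports 69 and 6385 allow ironic VM nodes", and the literal `172.24.4.0/24` now appears in five rules, so a single class parameter or variable for the devstack public net would keep the rules from drifting apart if that range ever changes.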