Add iptables rule for Ironic VMs -> Swift

The agent ramdisk gets instance images from swift, set firewall
rules to allow this.

Also configure Ironic API port using the correct variable, and
use SWIFT_DEFAULT_BIND_PORT for Swift ports everywhere.

Change-Id: Ieec8cc64e504b04a21daa49e90e2d4925f4838ee
diff --git a/lib/ironic b/lib/ironic
index 0a84e47..cf005a7 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -279,7 +279,7 @@
         else
             die $LINENO "SWIFT_ENABLE_TEMPURLS must be True to use agent_ssh driver in Ironic."
         fi
-        iniset $IRONIC_CONF_FILE glance swift_endpoint_url http://${HOST_IP}:8080
+        iniset $IRONIC_CONF_FILE glance swift_endpoint_url http://${HOST_IP}:${SWIFT_DEFAULT_BIND_PORT:-8080}
         iniset $IRONIC_CONF_FILE glance swift_api_version v1
         local tenant_id=$(get_or_create_project $SERVICE_TENANT_NAME)
         iniset $IRONIC_CONF_FILE glance swift_account AUTH_${tenant_id}
@@ -523,7 +523,11 @@
     sudo modprobe nf_nat_tftp
     # nodes boot from TFTP and callback to the API server listening on $HOST_IP
     sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
-    sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+    sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_HOSTPORT -j ACCEPT || true
+    if [ "$IRONIC_DEPLOY_DRIVER" == "agent_ssh" ]; then
+        # agent ramdisk gets instance image from swift
+        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
+    fi
 }
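Review bot: If IRONIC_HOSTPORT is unset or empty, the new `--dport $IRONIC_HOSTPORT` line expands to `--dport -j`, iptables rejects the rule, and the trailing `|| true` discards that failure, so the API port silently stays closed to the nodes; the hard-coded 6385 it replaces could not fail that way. Guard the expansion, e.g. `sudo iptables -I INPUT -d $HOST_IP -p tcp --dport "${IRONIC_HOSTPORT:?IRONIC_HOSTPORT must be set}" -j ACCEPT || true`, and quote the swift port expansion two lines below for the same reason (it only needs quoting since it carries the 8080 default). Both ACCEPT rules match any source address; if only the Ironic VM network needs these ports reachable, a `-s` restriction on that network would keep the exposure narrower than "everything that can reach $HOST_IP". The enclosing function begins above the hunk.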
 
 function configure_tftpd {
@@ -678,6 +682,10 @@
     restart_service xinetd
     sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
     sudo iptables -D INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+    if [ "$IRONIC_DEPLOY_DRIVER" == "agent_ssh" ]; then
+        # agent ramdisk gets instance image from swift
+        sudo iptables -D INPUT -d $HOST_IP -p tcp --dport ${SWIFT_DEFAULT_BIND_PORT:-8080} -j ACCEPT || true
+    fi
     sudo rmmod nf_conntrack_tftp || true
     sudo rmmod nf_nat_tftp || true
 }
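Review bot: The cleanup still deletes the hard-coded port on the `--dport 6385` line while the matching insert in the earlier hunk of this file now uses `$IRONIC_HOSTPORT`, so whenever IRONIC_HOSTPORT is anything other than 6385 the `-D` does not match, the `|| true` hides the miss, and the ACCEPT rule for the API port outlives the stack. Change it to mirror the insert: `sudo iptables -D INPUT -d $HOST_IP -p tcp --dport $IRONIC_HOSTPORT -j ACCEPT || true`. The new swift deletion is correctly paired with its insert, but it relies on IRONIC_DEPLOY_DRIVER having the same value at unstack time as at stack time; a comment stating that assumption, `# must match the driver check in configure, otherwise the swift rule is left behind`, would help the next maintainer.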