[openstack-dev] [tripleo] FFE - Feuture Freeze Exception request for Routed Spine and Leaf Deployment
hjensas at redhat.com
hjensas at redhat.com
Thu Mar 15 13:05:40 UTC 2018
Hi,
It has come to my attention that I missed one detail for the routed
spine and leaf support.
There is an issue with introspection and the filtering used to ensure
only specified nodes are introspected. Apparently we are still using
the iptables based PXE filtering in ironic-inspecter. (I tought the new
dnsmasq based filter was the default already.)
The problem:
When using iptables to filter on mac addresses we won't be able to
filter PXE DHCP requests coming in via the dhcp-relay agent, e.g the
nodes in remote L2 segments will not be filtered. So while
introspection works, we have no way to ensure that nodes we do not
intend to introspect ends up running introspection by accident.
The solution:
Switch to use the dnsmasq based filter available in ironic-inspector.
The question is where do we go from here?
* Do we declare introspection unsupported for Queens when using routed
networks?
* Can we continue the feature work, and backport something to
stable/queens that use the dnsmasq based filter? Maby with a
conditional to use the new filtering if, and only if, routed networks
support is enabled in the undercloud?
The work to start using the new filtering is on-going in the following
patches:
puppet-ironic: https://review.openstack.org/523922
puppet-tripleo: https://review.openstack.org/525203/
instack-undercloud: https://review.openstack.org/523944/
This one for overcloud and containers based undercloud. (This would not
be a backport requirement.)
https://review.openstack.org/523909/
Best Regars
Harald Jensås
More information about the OpenStack-dev
mailing list