Bug 1441800 - [RFE][overcloud-inspector] distributed dhcp filter blacklist sync
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-ironic-inspector
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: mkovacik
QA Contact: mlammon
URL:
Whiteboard:
Depends On: 1441780 1441794
Blocks: 1288035 1480137
Reported: 2017-04-12 18:18 UTC by mkovacik
Modified: 2017-12-12 13:59 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-12 13:59:03 UTC
Target Upstream Version:
Embargoed:


Description mkovacik 2017-04-12 18:18:57 UTC
Implement a generic distributed sync of the DHCP blacklist, ironic, and inspector.
This will be part of the inspector-side of the DHCP filter driver interface but open for a driver to override as needed.
See the HA Spec[1] for details (the generic parts rather than iptables).

[1] http://specs.openstack.org/openstack/ironic-inspector-specs/specs/HA_inspector.html#ha-firewall-decomposition

Comment 1 Ramon Acedo 2017-04-13 09:40:17 UTC
Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?

Comment 2 Dan Sneddon 2017-04-19 17:14:32 UTC
(In reply to Ramon Acedo from comment #1)
> Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?

It's not a requirement for the basic use case, but will be required for some topologies where bare metal to tenant is provided across routed spine/leaf.

Comment 3 mkovacik 2017-04-25 16:18:34 UTC
The sync itself needn't be a hard dependency there.

Comment 4 Dan Sneddon 2017-08-11 20:14:43 UTC
(In reply to Dan Sneddon from comment #2)
> (In reply to Ramon Acedo from comment #1)
> > Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?
> 
> It's not a requirement for the basic use case, but will be required for some
> topologies where bare metal to tenant is provided across routed spine/leaf.

Note that this is also a blocker requirement for HA undercloud, but I don't have a BZ# handy for that RFE.

Comment 7 mkovacik 2017-12-12 13:59:03 UTC
We've deprecated the iptables PXE filter driver in upstream ironic-inspector and replaced it with the direct dnsmasq configuration filter driver.
This filter driver doesn't require synchronization of blacklists between all the active inspector instances in the deployment, esp. if the DHCP IP address pools of particular ironic-inspector-dhcp service instances (dnsmasq) are disjoint[1].

[1] https://tools.ietf.org/html/draft-ietf-dhc-failover-12#section-5.4
