Implement a generic distributed sync of the DHCP blacklist, ironic, and inspector. This will be part of the inspector-side of the DHCP filter driver interface but open for a driver to override as needed. See the HA Spec[1] for details (the generic parts rather than iptables).
[1] http://specs.openstack.org/openstack/ironic-inspector-specs/specs/HA_inspector.html#ha-firewall-decomposition
Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?
(In reply to Ramon Acedo from comment #1)
> Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?
It's not a requirement for the basic use case, but will be required for some topologies where bare metal to tenant is provided across routed spine/leaf.
The sync itself needn't be a hard dependency there.
(In reply to Dan Sneddon from comment #2)
> (In reply to Ramon Acedo from comment #1)
> > Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?
>
> It's not a requirement for the basic use case, but will be required for some
> topologies where bare metal to tenant is provided across routed spine/leaf.
Note that this is also a blocker requirement for HA undercloud, but I don't have a BZ# handy for that RFE.
We've deprecated the iptables PXE filter driver in upstream ironic-inspector and replaced it with the direct dnsmasq configuration filter driver. This filter driver doesn't require synchronization of blacklists between all the active inspector instances in the deployment, esp. if the DHCP IP address pools of particular ironic-inspector-dhcp service instances (dnsmasq) are disjoint[1].
[1] https://tools.ietf.org/html/draft-ietf-dhc-failover-12#section-5.4