Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1441800

Summary: [RFE][overcloud-inspector] distributed dhcp filter blacklist sync
Product: Red Hat OpenStack Reporter: mkovacik
Component: openstack-ironic-inspector Assignee: mkovacik
Status: CLOSED DEFERRED QA Contact: mlammon
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo) CC: dsneddon, mburns, mkovacik, racedo, racedoro, slinaber
Target Milestone: --- Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-12 13:59:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1441780, 1441794    
Bug Blocks: 1288035, 1480137    

Description mkovacik 2017-04-12 18:18:57 UTC
Implement a generic distributed sync of the DHCP blacklist, ironic, and inspector.
This will be part of the inspector-side of the DHCP filter driver interface but open for a driver to override as needed.
See the HA Spec[1] for details (the generic parts rather than iptables).

[1] http://specs.openstack.org/openstack/ironic-inspector-specs/specs/HA_inspector.html#ha-firewall-decomposition

Comment 1 Ramon Acedo 2017-04-13 09:40:17 UTC
Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?

Comment 2 Dan Sneddon 2017-04-19 17:14:32 UTC
(In reply to Ramon Acedo from comment #1)
> Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?

It's not a requirement for the basic use case, but will be required for some topologies where bare metal to tenant is provided across routed spine/leaf.

Comment 3 mkovacik 2017-04-25 16:18:34 UTC
The sync itself needn't be a hard dependency there.

Comment 4 Dan Sneddon 2017-08-11 20:14:43 UTC
(In reply to Dan Sneddon from comment #2)
> (In reply to Ramon Acedo from comment #1)
> > Hi Milan, is this RFE also a leaf-spine (BZ#1214284) requirement?
> 
> It's not a requirement for the basic use case, but will be required for some
> topologies where bare metal to tenant is provided across routed spine/leaf.

Note that this is also a blocker requirement for HA undercloud, but I don't have a BZ# handy for that RFE.

Comment 7 mkovacik 2017-12-12 13:59:03 UTC
We've deprecated the iptables PXE filter driver in upstream ironic-inspector and replaced it with the direct dnsmasq configuration filter driver.
This filter driver doesn't require synchronization of blacklists between all the active inspector instances in the deployment esp. if the DHCP IP address pools of particular ironic-inspector-dhcp service instances (dnsmasq) are disjoint[1].

[1] https://tools.ietf.org/html/draft-ietf-dhc-failover-12#section-5.4