Bug 1800746: baremetal: only respond to dhcp for control plane mac's

[stbenjam]

Note: This is solving a similar problem for baremetal as
openshift/machine-config-operator#1421 did for MCO.

The bootstrap can now co-exist with machine-api being online. That
means there could be an instance of Ironic, dnsmasq, etc running in
both the cluster and the bootstrap. This causes problems, as it's not
deterministic which dnsmasq instance the worker provisioned by the
machine-api will use. If it uses the bootstrap, then the worker will not
come online.

This is causing a percentage of baremetal installs to fail, with the
worker being offline, ingress and other operators never come up.

This change blocks dhcp requests from anything but control plane hosts,
using iptables. DHCPv6 relies on DUID's instead which makes things more
complicated to use dnsmasq's dhcp-host abilities, which prefers DUIDS
for IPv6.

[stbenjam]

/label platform/baremetal

[stbenjam]

/retest

[stbenjam]

/cc @sadasu @hardys @dhellmann @wking

Result of our discussion on Slack.

[metal3ci]

Build SUCCESS, see build http://10.8.144.11:8080/job/dev-tools/1499/

[stbenjam]

/retitle Bug 1800746: baremetal: provide dnsmasq with allowlist for control plane mac's

[openshift-ci-robot]

@stbenjam: This pull request references Bugzilla bug 1800746, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug 1800746: baremetal: provide dnsmasq with allowlist for control plane mac's

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@stbenjam: This pull request references Bugzilla bug 1800746, which is valid.

Details

In response to this:

Bug 1800746: baremetal: provide dnsmasq with allowlist for control plane mac's

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[metal3ci]

Build FAILURE, see build http://10.8.144.11:8080/job/dev-tools/1503/

[derekhiggins]

Seems to be working, iptables rules are created and seem to be catching DHCP packets

[root@localhost core]# iptables-save -c | grep -i DHCP                                                                                                                                                             
:DHCP - [0:0]
[71:24812] -A PREROUTING -p udp -m udp --dport 67 -j DHCP
[0:0] -A PREROUTING -p udp -m udp --dport 546 -j DHCP
[18:6698] -A DHCP -m mac --mac-source 00:5D:B3:59:26:EF -j ACCEPT
[16:5706] -A DHCP -m mac --mac-source 00:5D:B3:59:26:F3 -j ACCEPT
[19:6918] -A DHCP -m mac --mac-source 00:5D:B3:59:26:F7 -j ACCEPT
[18:5490] -A DHCP -j DROP

[stbenjam]

/hold cancel

[stbenjam]

/cc @hardys PTAL

[openshift-ci-robot]

@stbenjam: GitHub didn't allow me to request PR reviews from the following users: PTAL.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @hardys PTAL

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[metal3ci]

Build FAILURE, see build http://10.8.144.11:8080/job/dev-tools/1508/

[metal3ci]

Build FAILURE, see build http://10.8.144.11:8080/job/dev-tools/1509/

[openshift-ci-robot]

@stbenjam: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-openstack	01f8849	link	/test e2e-openstack
ci/prow/e2e-aws-upgrade	01f8849	link	/test e2e-aws-upgrade
ci/prow/e2e-libvirt	01f8849	link	/test e2e-libvirt
ci/prow/e2e-aws-scaleup-rhel7	01f8849	link	/test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[hardys]

/lgtm

[hardys]

/approve

[hardys]

Hmm seems we're missing an OWNERS file entry for one of the files touched?

[stbenjam]

Hm, every dir should have it. I fixed the missing ones a few days ago. Maybe it’s not looking at https://github.com/openshift/installer/blob/master/data/data/bootstrap/baremetal/OWNERS for startironic.sh?

[sdodson]

/approve

Need the baremetal OWNERS in installer/pkg/asset/ignition/bootstrap/baremetal/

[sdodson]

/overide ci/prow/e2e-aws-upgrade

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hardys, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• data/data/bootstrap/baremetal/OWNERS [hardys,sdodson]
• pkg/asset/ignition/bootstrap/baremetal/OWNERS [hardys,sdodson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

/override ci/prow/e2e-aws-upgrade

[openshift-ci-robot]

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-aws-upgrade

Details

In response to this:

/override ci/prow/e2e-aws-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sdodson]

/override ci/prow/e2e-aws

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[stbenjam]

/cherry-pick release-4.4

[openshift-cherrypick-robot]

@stbenjam: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@stbenjam: All pull requests linked via external trackers have merged. Bugzilla bug 1800746 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1800746: baremetal: only respond to dhcp for control plane mac's

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@stbenjam: new pull request created: #3138

Details

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yuvalk]

FWIW - This PR looks good on my BM env (1master+2workers)