author: Jim Rollenhagen <jim@jimrollenhagen.com> 2016-09-13 07:41:22 -0400
committer: Jim Rollenhagen <jim@jimrollenhagen.com> 2016-09-20 08:50:04 -0400
commit: e606256df9c33fb0faf91ee5557cd5701d109ca8
tree: b337dca785e3a1a60d07966276a102ccd72beb7f
parent: 42bf32be9ea7bc7a8f0bfdc08d91c71f52af49de
Add a note about security groups in install guide

This adds a note that network security must be disabled, or certain ports must be allowed, for provisioning and cleaning networks.

Closes-Bug: #1622727
Change-Id: I8415591d31209f8e3fbd9a4dcce30bd64bf8b24b
-rw-r--r-- doc/source/deploy/multitenancy.rst 16
1 files changed, 15 insertions, 1 deletions
diff --git a/doc/source/deploy/multitenancy.rst b/doc/source/deploy/multitenancy.rst
index dbf316b4b..6b7b19529 100644
--- a/doc/source/deploy/multitenancy.rst
+++ b/doc/source/deploy/multitenancy.rst
@@ -88,7 +88,21 @@ interface as stated above):
.. note::
The "provisioning" and "cleaning" networks may be the same neutron
- provider network, or may be distinct networks.
+ provider network, or may be distinct networks. To ensure communication
+ between ironic and the deploy ramdisk works, it's important to ensure
+ that security groups are disabled for these networks, *or* the default
+ security groups allow:
+
+ * DHCP
+ * TFTP
+ * egress port used for ironic (6385 by default)
+ * ingress port used for ironic-python-agent (9999 by default)
+ * if using the iSCSI deploy method (``pxe_*`` and ``iscsi_*`` drivers),
+ the egress port used for iSCSI (3260 by default)
+ * if using the direct deploy method (``agent_*`` drivers), the egress
+ port used for swift (typically 80 or 443)
+ * if using iPXE, the egress port used for the HTTP server running
+ on the ironic conductor nodes (typically 80).
#. Install and configure a compatible ML2 mechanism driver which supports bare
metal provisioning for your switch. See `ML2 plugin configuration manual
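Review bot: The DHCP and TFTP bullets name no protocol or port, unlike every other bullet in the list, and "egress"/"ingress" are never tied to a viewpoint, so a reader writing security group rules has to guess both. State whose side the directions are seen from (the node running the deploy ramdisk, or the neutron port, whichever is intended) and spell out DHCP as UDP 67/68 and TFTP as UDP 69 for the initial request. The first option, "security groups are disabled for these networks", drops all filtering on the networks that carry deploy and cleaning traffic; consider presenting the allow-list as the preferred choice and disabling as the fallback. Minor: "To ensure communication ... it's important to ensure" repeats itself, and only the last bullet ends with a period.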