author | Jim Rollenhagen <jim@jimrollenhagen.com> | 2016-09-13 07:41:22 -0400 |
---|---|---|
committer | Jim Rollenhagen <jim@jimrollenhagen.com> | 2016-09-20 08:50:04 -0400 |
commit | e606256df9c33fb0faf91ee5557cd5701d109ca8 (patch) | |
tree | b337dca785e3a1a60d07966276a102ccd72beb7f | |
parent | 42bf32be9ea7bc7a8f0bfdc08d91c71f52af49de (diff) | |
download | ironic-e606256df9c33fb0faf91ee5557cd5701d109ca8.tar.gz |
Add a note about security groups in install guide
This adds a note that network security must be disabled, or certain
ports must be allowed, for provisioning and cleaning networks.
Closes-Bug: #1622727
Change-Id: I8415591d31209f8e3fbd9a4dcce30bd64bf8b24b
-rw-r--r-- | doc/source/deploy/multitenancy.rst | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/doc/source/deploy/multitenancy.rst b/doc/source/deploy/multitenancy.rst index dbf316b4b..6b7b19529 100644 --- a/doc/source/deploy/multitenancy.rst +++ b/doc/source/deploy/multitenancy.rst @@ -88,7 +88,21 @@ interface as stated above): .. note:: The "provisioning" and "cleaning" networks may be the same neutron - provider network, or may be distinct networks. + provider network, or may be distinct networks. To ensure communication + between ironic and the deploy ramdisk works, it's important to ensure + that security groups are disabled for these networks, *or* the default + security groups allow: + + * DHCP + * TFTP + * egress port used for ironic (6385 by default) + * ingress port used for ironic-python-agent (9999 by default) + * if using the iSCSI deploy method (``pxe_*`` and ``iscsi_*`` drivers), + the egress port used for iSCSI (3260 by default) + * if using the direct deploy method (``agent_*`` drivers), the egress + port used for swift (typically 80 or 443) + * if using iPXE, the egress port used for the HTTP server running + on the ironic conductor nodes (typically 80). #. Install and configure a compatible ML2 mechanism driver which supports bare metal provisioning for your switch. See `ML2 plugin configuration manual |
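Review bot: The added bullets use "egress" and "ingress" without saying what the direction is relative to, and the DHCP and TFTP bullets give no port while every other bullet does. Neutron security group rules are evaluated on the port they are attached to, so state that the directions are from the point of view of the node's port on the provisioning/cleaning network (egress is traffic leaving the deploy ramdisk, ingress is traffic reaching it), and spell out DHCP as UDP 67/68 and TFTP as UDP 69 so an operator can write the rules straight from the note. The note also offers disabling security groups as the first option; consider leading with the allow-list and describing disabling as the fallback, because these networks can reach the ironic API (6385) and the HTTP server on the conductor nodes. Minor: "To ensure communication ... it's important to ensure" repeats itself, and only the last bullet ends with a period.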