From e606256df9c33fb0faf91ee5557cd5701d109ca8 Mon Sep 17 00:00:00 2001 From: Jim Rollenhagen Date: Tue, 13 Sep 2016 07:41:22 -0400 Subject: Add a note about security groups in install guide This adds a note that network security must be disabled, or certain ports must be allowed, for provisioning and cleaning networks. Closes-Bug: #1622727 Change-Id: I8415591d31209f8e3fbd9a4dcce30bd64bf8b24b --- doc/source/deploy/multitenancy.rst | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/doc/source/deploy/multitenancy.rst b/doc/source/deploy/multitenancy.rst index dbf316b4b..6b7b19529 100644 --- a/doc/source/deploy/multitenancy.rst +++ b/doc/source/deploy/multitenancy.rst @@ -88,7 +88,21 @@ interface as stated above): .. note:: The "provisioning" and "cleaning" networks may be the same neutron - provider network, or may be distinct networks. + provider network, or may be distinct networks. To ensure communication + between ironic and the deploy ramdisk works, it's important to ensure + that security groups are disabled for these networks, *or* the default + security groups allow: + + * DHCP + * TFTP + * egress port used for ironic (6385 by default) + * ingress port used for ironic-python-agent (9999 by default) + * if using the iSCSI deploy method (``pxe_*`` and ``iscsi_*`` drivers), + the egress port used for iSCSI (3260 by default) + * if using the direct deploy method (``agent_*`` drivers), the egress + port used for swift (typically 80 or 443) + * if using iPXE, the egress port used for the HTTP server running + on the ironic conductor nodes (typically 80). #. Install and configure a compatible ML2 mechanism driver which supports bare metal provisioning for your switch. See `ML2 plugin configuration manual -- cgit v1.2.1
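Review bot: The first two list items in the new note, "DHCP" and "TFTP", give neither a direction nor a protocol and port, while every other item names an egress or ingress port with its default, so an operator writing security group rules from this list has to guess for those two. Suggest writing them in the same form as the rest (direction, protocol, port) and stating once, before the list, which side "egress" and "ingress" are relative to. The sentence also offers disabling security groups as the first option and the allow-list as the alternative; since the list already enumerates what is needed, consider leading with the allow-list and presenting disabling as the fallback. It would also help to say which "default security groups" are meant, because loosening a default group affects every port that uses it, not only ports on the provisioning and cleaning networks. Minor: "To ensure ... it's important to ensure" repeats itself, and only the last bullet ends with a period.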