Support an explicit allowlist for MAC's

[stbenjam]

In OpenShift, we have a pivot from a "bootstrap" VM to the cluster
Metal3 pod, but there's a short time where both could exist. The
bootstrap knows which mac's it needs to respond to, which is only the
k8s control plane hosts. This adds an optional feature to our dnsmasq
configuration that allows permitting an explicit list of mac's.

[metal3-io-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stbenjam
To complete the pull request process, please assign hardys
You can assign the PR to them by writing /assign @hardys in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stbenjam]

/test-integration

[stbenjam]

/test-centos-integration

[stbenjam]

/cc @hardys @dtantsur

Please take a look :)

[derekhiggins]

When I try a dnsmasq container using this on the bootstrap container I get multiple lines of

iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I wonder if we need a iptable related package in the container? Failing that maybe we run these commands in startironic.sh.

[derekhiggins]

When I try a dnsmasq container using this on the bootstrap container I get multiple lines of

iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I wonder if we need a iptable related package in the container? Failing that maybe we run these commands in startironic.sh.

This might be because of the base image I used (I cherry-picked your batch into downstream ironic image), trying again. but maybe if there are different behaviours in different images we should consider using startironic.sh anyways?

[hardys]

When I try a dnsmasq container using this on the bootstrap container I get multiple lines of

iptables v1.4.21: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I wonder if we need a iptable related package in the container? Failing that maybe we run these commands in startironic.sh.

This might be because of the base image I used (I cherry-picked your batch into downstream ironic image), trying again. but maybe if there are different behaviours in different images we should consider using startironic.sh anyways?

We did remove iptables from the image ref #104 because of similar errors IIRC?

Since this is specific to the bootstrap VM putting the logic into startironic.sh seems reasonable to me?

[stbenjam]

Thanks, I moved it over to openshift/installer#3079

[stbenjam]

I think we can close this since it can be solved only on the openshift/installer side.

/close

[metal3-io-bot]

@stbenjam: Closed this PR.

In response to this:

I think we can close this since it can be solved only on the openshift/installer side.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.