On 02/05/2018 07:34 PM, iain MacDonnell wrote:
Hi,

Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?

    firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver

From
https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.fi...
:
"firewall_driver
Type: string
Default: nova.virt.firewall.NoopFirewallDriver

Firewall driver to use with nova-network service. This option only
applies when using the nova-network service. When using another
networking services, such as Neutron, this should be to set to the
nova.virt.firewall.NoopFirewallDriver.

Possible values:
* nova.virt.firewall.IptablesFirewallDriver
* nova.virt.firewall.NoopFirewallDriver
* nova.virt.libvirt.firewall.IptablesFirewallDriver
* […]

Related options:
* use_neutron: This must be set to False to enable nova-network
  networking

Warning: This option is deprecated for removal since 16.0.0. Its value
may be silently ignored in the future. Reason: nova-network is
deprecated, as are any related configuration options."

Since "use_neutron" is default, it appears to be inappropriate to
set firewall_driver at all, and especially to set it to the Iptables
one.

For my Ocata deployments, I had explicitly set firewall_driver to
the Noop one (in nova.conf), but when I went to Pike, I decided to
clean up some of the deprecated options in my config, and, according
to the docs (above), it seemed like firewall_driver should be
removed completely.... then I ran into an obscure issue (sometimes
when an instance got terminated, all other instances on the same
compute node became unreachable), which turned out to be nova and
neutron fighting over the content of the iptables "FORWARD" chain. I
was unaware of the setting in nova-dist.conf (which led to a "fun"
diagnostic process).

If there's not a good reason for the option to be there, I suppose I
can submit a bug report....?

Good point, you can submit a bug report or fix it directly :)

Here's the file in the packaging repository:
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-dist.conf

Fix it, commit it and then submit it through gerrit.

As *-dist.conf are rarely touched, feel free to review it and submit
other changes you feel worthy to be discussed.

Regards,
H.

~iain
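
Added example (not part of the original thread, and not RDO or nova code): a small audit that computes the effective firewall_driver across layered config files and flags the case described above, where removing the override from nova.conf lets the packaged default take effect alongside Neutron. It assumes the dist file is loaded before nova.conf so that nova.conf wins, and that use_neutron is on unless a file disables it; the function names and sample file contents are constructed for illustration.

```python
import configparser

# Value the quoted documentation prescribes when Neutron handles networking.
NOOP = "nova.virt.firewall.NoopFirewallDriver"


def effective_option(layers, option):
    """Return (value, source) of a [DEFAULT] option across layered files.

    layers is a list of (name, ini_text) in load order; a later file
    overrides an earlier one (assumed order: dist file, then nova.conf).
    """
    value, source = None, None
    for name, text in layers:
        parser = configparser.RawConfigParser(strict=False)
        parser.read_string(text, source=name)
        if option in parser.defaults():
            value, source = parser.defaults()[option].strip(), name
    return value, source


def audit_firewall_driver(layers):
    """Return [(source, driver)] if nova would manage iptables next to Neutron."""
    driver, source = effective_option(layers, "firewall_driver")
    raw, _ = effective_option(layers, "use_neutron")
    # Assumption: use_neutron is on unless a file turns it off, as the post says.
    use_neutron = raw is None or raw.lower() in ("true", "1", "yes", "on")
    if use_neutron and driver is not None and driver != NOOP:
        return [(source, driver)]
    return []


# Constructed sample files, not copied from any deployment.
DIST = """[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""
NOVA_EXPLICIT = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""
NOVA_CLEANED = """[DEFAULT]
debug = false
"""

if __name__ == "__main__":
    for label, conf in (("explicit Noop", NOVA_EXPLICIT),
                        ("option removed", NOVA_CLEANED)):
        layers = [("nova-dist.conf", DIST), ("nova.conf", conf)]
        print(label, "->", audit_firewall_driver(layers) or "ok")
```

Reporting the source file alongside the value is the useful part here: it points straight at the layer that supplied the setting when the operator's own nova.conf no longer mentions it.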