Hi,
Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
:
"firewall_driver
Type:string
Default:nova.virt.firewall.NoopFirewallDriver
Firewall driver to use with nova-network service. This option only
applies when using the nova-network service. When using another
networking services, such as Neutron, this should be to set to the
nova.virt.firewall.NoopFirewallDriver. Possible values: *
nova.virt.firewall.IptablesFirewallDriver *
nova.virt.firewall.NoopFirewallDriver *
nova.virt.libvirt.firewall.IptablesFirewallDriver * […] Related
options: * use_neutron: This must be set to False to enable
nova-network networking
Warning
This option is deprecated for removal since 16.0.0. Its value may be
silently ignored in the future.
Reason: nova-network is deprecated, as are any related configuration options."
Since "use_neutron" is default, it appears to be inappropriate to set
firewall_driver at all, and especially to set it to the Iptables one.
For my Ocata deployments, I had explicitly set firewall_driver to the
Noop one (in nova.conf), but when I went to Pike, I decided to clean
up some of the deprecated options in my config, and, according to the
docs (above), it seemed like firewall_driver should be removed
completely.... then I ran into an obscure issue (sometimes when an
instance got terminated, all other instances on the same compute node
became unreachable), which turned out to be nova and neutron fighting
over the content of the iptables "FORWARD" chain. I was unaware of the
setting in nova-dist.conf (which led to a "fun" diagnostic process)
If there's not a good reason for the option to be there, I suppose I
can submit a bug report....?
~iain