[rdo-users] firewall_driver in nova-dist.conf

Haïkel Guémar hguemar at redhat.com
Mon Feb 5 18:42:20 UTC 2018


On 02/05/2018 07:34 PM, iain MacDonnell wrote:
> Hi,
> 
> Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?
> 
> firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
> 
> From
> https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.firewall_driver :
> 
> "firewall_driver
> Type: string
> Default: nova.virt.firewall.NoopFirewallDriver
> 
> Firewall driver to use with nova-network service. This option only
> applies when using the nova-network service. When using another
> networking service, such as Neutron, this should be set to the
> nova.virt.firewall.NoopFirewallDriver.
> 
> Possible values:
> * nova.virt.firewall.IptablesFirewallDriver
> * nova.virt.firewall.NoopFirewallDriver
> * nova.virt.libvirt.firewall.IptablesFirewallDriver
> * […]
> 
> Related options:
> * use_neutron: This must be set to False to enable nova-network networking
> 
> Warning: This option is deprecated for removal since 16.0.0. Its value
> may be silently ignored in the future. Reason: nova-network is
> deprecated, as are any related configuration options."
> 
> 
> Since "use_neutron" is default, it appears to be inappropriate to
> set firewall_driver at all, and especially to set it to the Iptables
> one.
> 
> For my Ocata deployments, I had explicitly set firewall_driver to
> the Noop one (in nova.conf), but when I went to Pike, I decided to
> clean up some of the deprecated options in my config, and, according
> to the docs (above), it seemed like firewall_driver should be
> removed completely.... then I ran into an obscure issue (sometimes
> when an instance got terminated, all other instances on the same
> compute node became unreachable), which turned out to be nova and
> neutron fighting over the content of the iptables "FORWARD" chain. I
> was unaware of the setting in nova-dist.conf (which led to a "fun"
> diagnostic process)
> 
> If there's not a good reason for the option to be there, I suppose I 
> can submit a bug report....?
> 

Good point, you can submit a bug report or fix it directly :)

Here's the file in the packaging repository:
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-dist.conf

Fix it, commit it and then submit it through gerrit.


As *-dist.conf are rarely touched, feel free to review it and submit
other changes you feel worthy to be discussed.


Regards,
H.

> ~iain
> 
> _______________________________________________
> users mailing list
> users at lists.rdoproject.org
> http://lists.rdoproject.org/mailman/listinfo/users
> 
> To unsubscribe: users-unsubscribe at lists.rdoproject.org
> 
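The failure described in the quoted message comes from configuration layering: a value an operator removed from nova.conf was still being supplied by the packaged nova-dist.conf, and nothing made that visible until iptables misbehaved. The following is an added example, not code from the thread or from the nova or RDO projects, that merges the [DEFAULT] section of nova's config files in load order and reports where the effective firewall_driver came from. It assumes (as nova's RPM packaging does, via multiple --config-file arguments) that nova-dist.conf is read first and nova.conf after it, with later files overriding earlier ones; the file contents, the use_neutron default of True and the helper names are constructed for the example.

```python
"""Audit the effective nova firewall_driver across layered config files.

Added example, not nova's or RDO's own code. Assumption: nova reads
/usr/share/nova/nova-dist.conf first and /etc/nova/nova.conf after it, so an
option that is absent from nova.conf is still set if nova-dist.conf has it.
All file contents below are constructed samples.
"""
import configparser
from typing import Dict, List, Tuple

NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"

# Constructed sample of the packaged defaults, containing the line the thread
# asks about.
DIST_CONF = """
[DEFAULT]
log_dir = /var/log/nova
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""

# Constructed sample of an operator's nova.conf after removing deprecated
# options: firewall_driver is no longer set here, so the dist value wins.
OPERATOR_CONF_CLEANED = """
[DEFAULT]
use_neutron = True
"""

# Constructed sample of an Ocata-style nova.conf that still pins the Noop driver.
OPERATOR_CONF_PINNED = """
[DEFAULT]
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""


def effective_defaults(layers: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Merge the [DEFAULT] sections of the given (name, contents) layers.

    Later layers override earlier ones. Returns option -> (value, layer name)
    so an audit can say which file supplied a surprising value.
    """
    merged: Dict[str, Tuple[str, str]] = {}
    for name, text in layers:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        # configparser lower-cases option names, matching oslo.config's lookup.
        for key, value in cp.defaults().items():
            merged[key] = (value, name)
    return merged


def audit_firewall_driver(layers: List[Tuple[str, str]]) -> List[str]:
    """Return findings (empty list means nothing to flag).

    Flags a non-Noop firewall_driver while use_neutron is true, since nova would
    then manage iptables rules in chains that neutron also manages.
    """
    merged = effective_defaults(layers)
    # Assumed built-in defaults for a Pike-era nova when the option is unset.
    use_neutron_raw, _ = merged.get("use_neutron", ("True", "<built-in default>"))
    use_neutron = use_neutron_raw.strip().lower() in ("true", "1", "yes")
    driver, origin = merged.get("firewall_driver", (NOOP_DRIVER, "<built-in default>"))

    findings: List[str] = []
    if use_neutron and driver != NOOP_DRIVER:
        findings.append(
            f"firewall_driver={driver} (set in {origin}) while use_neutron is "
            "True: nova and neutron will both program the iptables FORWARD chain"
        )
    return findings


if __name__ == "__main__":
    # Hypothetical paths used only as layer labels in the report.
    cleaned = [("/usr/share/nova/nova-dist.conf", DIST_CONF),
               ("/etc/nova/nova.conf", OPERATOR_CONF_CLEANED)]
    pinned = [("/usr/share/nova/nova-dist.conf", DIST_CONF),
              ("/etc/nova/nova.conf", OPERATOR_CONF_PINNED)]
    for label, layers in (("cleaned nova.conf", cleaned), ("pinned nova.conf", pinned)):
        print(f"{label}: {audit_firewall_driver(layers) or ['ok']}")
```

Run against a real host by reading the two files in that order; the report names the layer that supplied the value, which is the piece of information the thread's author was missing during diagnosis.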

