[rdo-users] firewall_driver in nova-dist.conf
Haïkel Guémar
hguemar at redhat.com
Tue Feb 6 19:23:10 UTC 2018
On 02/06/2018 07:38 PM, iain MacDonnell wrote:
> Thanks for the confirmation! I submitted rhbz# 1542667. I'm not set up
> to contribute changes at the moment. Maybe some day :)
>
> ~iain
>
No pressure, thanks for opening that ticket :)
H.
>
>
> On Mon, Feb 5, 2018 at 10:57 AM, Assaf Muller <assaf at redhat.com> wrote:
>> On Mon, Feb 5, 2018 at 1:42 PM, Haïkel Guémar <hguemar at redhat.com> wrote:
>>> On 02/05/2018 07:34 PM, iain MacDonnell wrote:
>>>>
>>>> Hi,
>>>>
>>>> Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?
>>>>
>>>> firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
>>>>
>>>> From
>>>>
>>>> https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.firewall_driver :
>>>>
>>>> "firewall_driver
>>>> Type: string
>>>> Default: nova.virt.firewall.NoopFirewallDriver
>>>>
>>>> Firewall driver to use with the nova-network service. This option only applies
>>>> when using the nova-network service. When using another networking service,
>>>> such as Neutron, this should be set to
>>>> nova.virt.firewall.NoopFirewallDriver.
>>>>
>>>> Possible values:
>>>> * nova.virt.firewall.IptablesFirewallDriver
>>>> * nova.virt.firewall.NoopFirewallDriver
>>>> * nova.virt.libvirt.firewall.IptablesFirewallDriver
>>>> * […]
>>>>
>>>> Related options:
>>>> * use_neutron: This must be set to False to enable nova-network networking
>>>>
>>>> Warning: This option is deprecated for removal since 16.0.0. Its value
>>>> may be silently ignored in the future. Reason: nova-network is
>>>> deprecated, as are any related configuration options."
>>>>
>>>>
>>>> Since "use_neutron" is default, it appears to be inappropriate to
>>>> set firewall_driver at all, and especially to set it to the Iptables
>>>> one.
>>>>
>>>> For my Ocata deployments, I had explicitly set firewall_driver to
>>>> the Noop one (in nova.conf), but when I went to Pike, I decided to
>>>> clean up some of the deprecated options in my config, and, according
>>>> to the docs (above), it seemed like firewall_driver should be
>>>> removed completely... then I ran into an obscure issue (sometimes
>>>> when an instance got terminated, all other instances on the same
>>>> compute node became unreachable), which turned out to be nova and
>>>> neutron fighting over the content of the iptables "FORWARD" chain. I
>>>> was unaware of the setting in nova-dist.conf (which led to a "fun"
>>>> diagnostic process).
>>>>
>>>> If there's not a good reason for the option to be there, I suppose I can
>>>> submit a bug report...?
>>>>
>>>
>>> Good point, you can submit a bug report or fix it directly :)
>>>
>>> Here's the file in the packaging repository:
>>> https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-dist.conf
>>
>> Looking at the file, network_manager also seems wrong and defaults to
>> a Nova Network setting.
>>
>> It should be stated that the impact of defaulting to a
>> nova-network-era firewall driver is catastrophic because every time
>> you restart nova-compute it takes over iptables rules, fighting with
>> Neutron's OVS agent that also implements the security groups API.
>>
>>>
>>> Fix it, commit it and then submit it through gerrit.
>>>
>>>
>>> As *-dist.conf are rarely touched, feel free to review it and submit
>>> other changes you feel worthy to be discussed.
>>>
>>>
>>> Regards,
>>> H.
>>>
>>>
>>>> ~iain
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> users at lists.rdoproject.org
>>>> http://lists.rdoproject.org/mailman/listinfo/users
>>>>
>>>> To unsubscribe: users-unsubscribe at lists.rdoproject.org
>>>>
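As an added example (not code from the thread or from the nova-distgit repository), a small Python check that models the layered-config behaviour the thread describes: the packaged nova-dist.conf is read before the operator's nova.conf, so a firewall_driver that nobody wrote into nova.conf still takes effect. The file contents below are constructed, and use_neutron defaulting to True is an assumption taken from the Pike-era docs quoted above.

```python
import configparser

NOOP = "nova.virt.firewall.NoopFirewallDriver"

# Constructed stand-in for /usr/share/nova/nova-dist.conf (not the real file).
DIST_CONF = """\
[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""

# Constructed operator nova.conf: relies on use_neutron's default and, after
# cleaning up deprecated options, no longer sets firewall_driver at all.
SITE_CONF = """\
[DEFAULT]
use_neutron = true
"""


def load_layered(config_texts):
    """Read config texts in nova's load order; later files override earlier
    ones, mirroring nova-dist.conf being read before /etc/nova/nova.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in config_texts:
        cp.read_string(text)
    return cp


def effective_firewall_driver(config_texts):
    """Value nova will actually use after all layers are applied."""
    return load_layered(config_texts).get("DEFAULT", "firewall_driver", fallback=NOOP)


def check_firewall_driver(config_texts):
    """Return (ok, message). Flags a non-Noop driver while Neutron is in use:
    the combination that makes nova-compute rewrite the iptables FORWARD
    chain on every restart and fight Neutron's agent over it."""
    cp = load_layered(config_texts)
    use_neutron = cp.getboolean("DEFAULT", "use_neutron", fallback=True)  # assumed default
    driver = cp.get("DEFAULT", "firewall_driver", fallback=NOOP)
    if use_neutron and driver != NOOP:
        return False, f"use_neutron={use_neutron} but firewall_driver={driver}; expected {NOOP}"
    return True, f"firewall_driver={driver} (use_neutron={use_neutron})"


def trace_option(named_texts, option):
    """List (source, value) for each file that sets `option`, in load order,
    so an operator can see where a value they never wrote comes from."""
    hits = []
    for name, text in named_texts:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_option("DEFAULT", option):
            hits.append((name, cp.get("DEFAULT", option)))
    return hits
```

Running the check against only the site file passes, while adding the dist layer in front of it surfaces the Iptables driver and names the file it came from.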