Thanks Jens, Is someone able to change the status of the bug from won’t-fix to confirmed so its visible.
Cheers, Sam > On 10 Jan 2017, at 10:52 pm, Jens Rosenboom <j.rosenb...@x-ion.de> wrote: > > 2017-01-10 4:33 GMT+01:00 Sam Morrison <sorri...@gmail.com > <mailto:sorri...@gmail.com>>: >> Hi nova-devs, >> >> I raised a bug about nova-api-metadata messing with iptables on a host >> >> https://bugs.launchpad.net/nova/+bug/1648643 >> >> It got closed as won’t fix but I think it could do with a little more >> discussion. >> >> Currently nova-api-metadata will create an iptable rule and also delete >> other rules on the host. This was needed for back in the nova-network days >> as there was some trickery going on there. >> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more >> that a web server much like nova-api. >> >> I may be missing some use case but I don’t think nova-api-metadata needs to >> care about firewall rules (much like nova-api doesn’t care about firewall >> rules) > > I agree with Sam on this. Looking a bit into the code, the mangling part of > the > iptables rules is only called in nova/network/l3.py, which seems to happen > only > when nova-network is being used. The installation of the global nova-iptables > setup however happens unconditionally in nova/api/manager.py as soon as the > nova-api-metadata service is started, which doesn't make much sense in a > Neutron environment. So I would propose to either make this setup happen > only when nova-network is used or at least allow an deployer to turn it off > via > a config option. > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org > <mailto:openstack-dev-requ...@lists.openstack.org>?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
