Re: [openstack-dev] [nova] nova-api-metadata managing firewall

2017-01-16 Thread Sam Morrison
Thanks Jens,

Is someone able to change the status of the bug from won’t-fix to confirmed so
it’s visible.

Cheers,
Sam


> On 10 Jan 2017, at 10:52 pm, Jens Rosenboom wrote:
> 
> 2017-01-10 4:33 GMT+01:00 Sam Morrison :
>> Hi nova-devs,
>> 
>> I raised a bug about nova-api-metadata messing with iptables on a host
>> 
>> https://bugs.launchpad.net/nova/+bug/1648643
>> 
>> It got closed as won’t fix but I think it could do with a little more
>> discussion.
>> 
>> Currently nova-api-metadata will create an iptables rule and also delete
>> other rules on the host. This was needed back in the nova-network days
>> as there was some trickery going on there.
>> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
>> than a web server, much like nova-api.
>> 
>> I may be missing some use case but I don’t think nova-api-metadata needs to
>> care about firewall rules (much like nova-api doesn’t care about firewall
>> rules).
> 
> I agree with Sam on this. Looking a bit into the code, the mangling part of the
> iptables rules is only called in nova/network/l3.py, which seems to happen only
> when nova-network is being used. The installation of the global nova-iptables
> setup however happens unconditionally in nova/api/manager.py as soon as the
> nova-api-metadata service is started, which doesn't make much sense in a
> Neutron environment. So I would propose to either make this setup happen
> only when nova-network is used or at least allow a deployer to turn it off via
> a config option.
> 
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [nova] nova-api-metadata managing firewall

2017-01-10 Thread Jens Rosenboom
2017-01-10 4:33 GMT+01:00 Sam Morrison :
> Hi nova-devs,
>
> I raised a bug about nova-api-metadata messing with iptables on a host
>
> https://bugs.launchpad.net/nova/+bug/1648643
>
> It got closed as won’t fix but I think it could do with a little more
> discussion.
>
> Currently nova-api-metadata will create an iptables rule and also delete
> other rules on the host. This was needed back in the nova-network days
> as there was some trickery going on there.
> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
> than a web server, much like nova-api.
>
> I may be missing some use case but I don’t think nova-api-metadata needs to
> care about firewall rules (much like nova-api doesn’t care about firewall
> rules).

I agree with Sam on this. Looking a bit into the code, the mangling part of the
iptables rules is only called in nova/network/l3.py, which seems to happen only
when nova-network is being used. The installation of the global nova-iptables
setup however happens unconditionally in nova/api/manager.py as soon as the
nova-api-metadata service is started, which doesn't make much sense in a
Neutron environment. So I would propose to either make this setup happen
only when nova-network is used or at least allow a deployer to turn it off via
a config option.



[openstack-dev] [nova] nova-api-metadata managing firewall

2017-01-09 Thread Sam Morrison
Hi nova-devs,

I raised a bug about nova-api-metadata messing with iptables on a host

https://bugs.launchpad.net/nova/+bug/1648643


It got closed as won’t fix but I think it could do with a little more
discussion.

Currently nova-api-metadata will create an iptables rule and also delete other
rules on the host. This was needed back in the nova-network days as there
was some trickery going on there.
Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
than a web server, much like nova-api.

I may be missing some use case but I don’t think nova-api-metadata needs to
care about firewall rules (much like nova-api doesn’t care about firewall rules).

Thanks,
Sam

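As an added operator check, not part of this thread or of Nova's code: a small Python script that diffs two iptables-save captures taken before and after a service start, so a deployer can see exactly which host rules the service added or removed (the behaviour the bug report describes). The BEFORE/AFTER captures, the 10.0.0.5:8775 DNAT target and the port-8775 INPUT rule are constructed samples.

```python
"""Diff two iptables-save captures to spot rules a service added or removed.
Added example for this thread, not Nova code; BEFORE/AFTER are constructed
samples standing in for captures taken around a nova-api-metadata start."""


def parse_iptables_save(text):
    """Return the set of (table, rule) pairs found in iptables-save output."""
    rules, table = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):        # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A"):     # a rule; ':' policies, COMMIT and '#' lines are skipped
            rules.add((table, line))
    return rules


def diff_rules(before, after):
    """Return (added, removed): rules present only after, and only before."""
    b, a = parse_iptables_save(before), parse_iptables_save(after)
    return a - b, b - a


# Constructed sample: operator-owned rules before the service starts.
BEFORE = """*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8775 -j ACCEPT
COMMIT
"""
# Constructed sample: one rule added by the service, one operator rule gone.
AFTER = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8775
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    added, removed = diff_rules(BEFORE, AFTER)
    for table, rule in sorted(added):
        print(f"+ [{table}] {rule}")
    for table, rule in sorted(removed):
        print(f"- [{table}] {rule}")
```

On a real host, feed `iptables-save` output captured before and after starting the service into `diff_rules` instead of the samples; any line in the removed set is a rule the service deleted that it did not own.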