Hi,

Is there a reason for this to be in /usr/share/nova/nova-dist.conf?

    firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver

From https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.firewall_driver :

"firewall_driver
Type: string
Default: nova.virt.firewall.NoopFirewallDriver

Firewall driver to use with nova-network service. This option only applies when using the nova-network service. When using another networking service, such as Neutron, this should be set to nova.virt.firewall.NoopFirewallDriver.

Possible values:
* nova.virt.firewall.IptablesFirewallDriver
* nova.virt.firewall.NoopFirewallDriver
* nova.virt.libvirt.firewall.IptablesFirewallDriver
* [...]

Related options:
* use_neutron: This must be set to False to enable nova-network networking

Warning: This option is deprecated for removal since 16.0.0. Its value may be silently ignored in the future. Reason: nova-network is deprecated, as are any related configuration options."

Since "use_neutron" is the default, it appears to be inappropriate to set firewall_driver at all, and especially to set it to the Iptables one.

For my Ocata deployments, I had explicitly set firewall_driver to the Noop one (in nova.conf), but when I went to Pike, I decided to clean up some of the deprecated options in my config, and, according to the docs (above), it seemed like firewall_driver should be removed completely... then I ran into an obscure issue (sometimes when an instance got terminated, all other instances on the same compute node became unreachable), which turned out to be nova and neutron fighting over the content of the iptables "FORWARD" chain. I was unaware of the setting in nova-dist.conf (which led to a "fun" diagnostic process).

If there's not a good reason for the option to be there, I suppose I can submit a bug report...?

~iain

_______________________________________________
users mailing list
[email protected]
http://lists.rdoproject.org/mailman/listinfo/users
To unsubscribe: [email protected]
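The failure mode in the post comes from a value hidden in a packaged defaults file overriding what the operator expects. The script below is an added example (not from the post, and not RDO or nova code) that resolves the effective value of a DEFAULT option across a stack of nova config files and flags the combination described above: use_neutron enabled (its default) while firewall_driver still resolves to an Iptables driver. It assumes the oslo.config layering used by the RDO service units, where /usr/share/nova/nova-dist.conf is read before /etc/nova/nova.conf and a later file overrides an earlier one; the file contents embedded here are constructed samples, and the function and constant names are the example's own.

```python
"""Resolve the effective nova firewall_driver across layered config files
and warn when an Iptables driver would be loaded on a Neutron-backed host.

Assumption (matches how RDO invokes nova, but verify your unit files):
config files are read in order and a key in a later file overrides the
same key in an earlier file, so nova-dist.conf values only "win" when
nova.conf stays silent on them.
"""
import configparser

NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"

# Constructed sample contents standing in for the real files.
SAMPLE_DIST_CONF = """
[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""

# nova.conf after "cleaning up" deprecated options: firewall_driver removed,
# so the dist file's Iptables driver silently takes effect.
SAMPLE_NOVA_CONF_CLEANED = """
[DEFAULT]
use_neutron = True
"""

# nova.conf that explicitly pins the Noop driver, masking the dist file.
SAMPLE_NOVA_CONF_PINNED = """
[DEFAULT]
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""


def effective_option(configs, section, option, default=None):
    """Return (value, index_of_file_that_set_it); later files override earlier.

    `configs` is a list of config file contents in read order. index is None
    when no file sets the option and the supplied default is returned.
    """
    value, source = default, None
    for idx, text in enumerate(configs):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        if parser.has_option(section, option):
            value, source = parser.get(section, option).strip(), idx
    return value, source


def check_firewall_driver(configs):
    """Return a list of findings (empty when the layering is safe)."""
    # nova's own defaults: use_neutron=True, firewall_driver=Noop (Pike docs)
    use_neutron_raw, _ = effective_option(configs, "DEFAULT", "use_neutron", "True")
    driver, src = effective_option(configs, "DEFAULT", "firewall_driver", NOOP_DRIVER)
    use_neutron = use_neutron_raw.lower() in ("true", "1", "yes", "on")

    findings = []
    if use_neutron and driver != NOOP_DRIVER:
        where = "nova default" if src is None else f"config file #{src}"
        findings.append(
            f"use_neutron is enabled but firewall_driver={driver} (from {where}); "
            "nova will manage iptables rules alongside Neutron"
        )
    return findings


if __name__ == "__main__":
    for label, stack in (
        ("cleaned-up nova.conf", [SAMPLE_DIST_CONF, SAMPLE_NOVA_CONF_CLEANED]),
        ("pinned Noop driver", [SAMPLE_DIST_CONF, SAMPLE_NOVA_CONF_PINNED]),
    ):
        result = check_firewall_driver(stack)
        print(f"{label}: {result or 'OK'}")
```

To run it against a live host, replace the sample strings with the contents of the files named in the nova-compute service unit's --config-file arguments, in the same order.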
