On Mon, Feb 5, 2018 at 1:42 PM, Haïkel Guémar <[email protected]> wrote:
> On 02/05/2018 07:34 PM, iain MacDonnell wrote:
>>
>> Hi,
>>
>> Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?
>>
>> firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
>>
>> From
>> https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.firewall_driver :
>>
>> "firewall_driver
>> Type: string
>> Default: nova.virt.firewall.NoopFirewallDriver
>>
>> Firewall driver to use with nova-network service. This option only applies
>> when using the nova-network service. When using another networking services,
>> such as Neutron, this should be to set to the
>> nova.virt.firewall.NoopFirewallDriver.
>>
>> Possible values:
>> * nova.virt.firewall.IptablesFirewallDriver
>> * nova.virt.firewall.NoopFirewallDriver
>> * nova.virt.libvirt.firewall.IptablesFirewallDriver
>> * […]
>>
>> Related options:
>> * use_neutron: This must be set to False to enable nova-network networking
>>
>> Warning: This option is deprecated for removal since 16.0.0. Its value
>> may be silently ignored in the future. Reason: nova-network is
>> deprecated, as are any related configuration options."
>>
>> Since "use_neutron" is default, it appears to be inappropriate to
>> set firewall_driver at all, and especially to set it to the Iptables
>> one.
>>
>> For my Ocata deployments, I had explicitly set firewall_driver to
>> the Noop one (in nova.conf), but when I went to Pike, I decided to
>> clean up some of the deprecated options in my config, and, according
>> to the docs (above), it seemed like firewall_driver should be
>> removed completely.... then I ran into an obscure issue (sometimes
>> when an instance got terminated, all other instances on the same
>> compute node became unreachable), which turned out to be nova and
>> neutron fighting over the content of the iptables "FORWARD" chain.
>> I was unaware of the setting in nova-dist.conf (which led to a "fun"
>> diagnostic process).
>>
>> If there's not a good reason for the option to be there, I suppose I can
>> submit a bug report....?
>>
>
> Good point, you can submit a bug report or fix it directly :)
>
> Here's the file in the packaging repository:
> https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-dist.conf

Looking at the file, network_manager also seems wrong and defaults to a
Nova Network setting. It should be stated that the impact of defaulting
to a nova-network-era firewall driver is catastrophic because every time
you restart nova-compute it takes over iptables rules, fighting with
Neutron's OVS agent that also implements the security groups API.

> Fix it, commit it and then submit it through gerrit.
>
> As *-dist.conf are rarely touched, feel free to review it and submit
> other changes you feel worthy to be discussed.
>
> Regards,
> H.
>
>> ~iain
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.rdoproject.org/mailman/listinfo/users
>>
>> To unsubscribe: [email protected]
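The failure iain describes comes from config layering: oslo.config applies --config-file arguments in order, so a value in /usr/share/nova/nova-dist.conf only survives when /etc/nova/nova.conf does not override it, which is exactly what happened once firewall_driver was removed from nova.conf. The following script is an added example, not code from the thread or from the RDO packaging; it assumes nova-dist.conf is loaded before nova.conf (as RDO's service units do) and merges the [DEFAULT] sections in that order to find the effective firewall_driver, then flags the combination that makes nova-compute and the Neutron agent fight over iptables: use_neutron left at its default of True while an Iptables driver is still in effect. The config snippets are constructed samples modelled on the line quoted from nova-dist.conf.

```python
"""Resolve the effective [DEFAULT] options across layered nova config files
and flag a nova-network-era firewall_driver that is active alongside Neutron.

Added example (not from the thread or the RDO packaging). Assumption: files
are passed to nova in the order nova-dist.conf, then nova.conf, and later
files override earlier ones, which is how oslo.config treats --config-file.
"""
import configparser
from typing import Dict, List, Optional

NOOP = "nova.virt.firewall.NoopFirewallDriver"
# Drivers from the nova-network era that program iptables on the compute node.
IPTABLES_DRIVERS = {
    "nova.virt.firewall.IptablesFirewallDriver",
    "nova.virt.libvirt.firewall.IptablesFirewallDriver",
}

# Constructed sample mirroring the line the thread quotes from nova-dist.conf.
DIST_CONF = """[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""

# Constructed: an operator's nova.conf after "cleaning up" deprecated options,
# so firewall_driver is no longer overridden and the dist value takes effect.
NOVA_CONF_CLEANED = """[DEFAULT]
use_neutron = True
"""

# Constructed: the same file with the Noop driver pinned explicitly.
NOVA_CONF_FIXED = """[DEFAULT]
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""


def parse_default_section(text: str) -> Dict[str, str]:
    """Return the [DEFAULT] options of one ini-style nova config as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp.defaults())  # configparser lowercases option names


def effective_default(layers: List[str]) -> Dict[str, str]:
    """Merge [DEFAULT] sections in load order; a later file wins on conflicts."""
    merged: Dict[str, str] = {}
    for text in layers:
        merged.update(parse_default_section(text))
    return merged


def check_firewall_driver(layers: List[str]) -> Optional[str]:
    """Return a finding when Neutron is in use but an iptables driver is effective,
    otherwise None.  use_neutron defaults to True (Pike), firewall_driver to Noop."""
    opts = effective_default(layers)
    use_neutron = opts.get("use_neutron", "true").strip().lower() in ("true", "1", "yes")
    driver = opts.get("firewall_driver", NOOP).strip()
    if use_neutron and driver in IPTABLES_DRIVERS:
        return (
            f"use_neutron is effectively True but firewall_driver={driver}: "
            "nova-compute will rewrite iptables rules that the Neutron agent owns. "
            f"Set firewall_driver={NOOP} in the last-loaded config file."
        )
    return None


if __name__ == "__main__":
    for label, overlay in (("cleaned-up nova.conf", NOVA_CONF_CLEANED),
                           ("fixed nova.conf", NOVA_CONF_FIXED)):
        finding = check_firewall_driver([DIST_CONF, overlay])
        print(f"{label}: {finding or 'OK'}")
```

Removing firewall_driver from nova.conf does not restore the documented Noop default while the dist file still sets it; the check treats only the last-loaded value as effective, which is why pinning the Noop driver in nova.conf (or removing the line from nova-dist.conf itself, as the thread proposes) clears the finding.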
