On 02/06/2018 07:38 PM, iain MacDonnell wrote:
Thanks for the confirmation! I submitted rhbz# 1542667. I'm not set up
to contribute changes at the moment. Maybe some day :)

     ~iain


No pressure, thanks for opening that ticket :)

H.



On Mon, Feb 5, 2018 at 10:57 AM, Assaf Muller <as...@redhat.com> wrote:
On Mon, Feb 5, 2018 at 1:42 PM, Haïkel Guémar <hgue...@redhat.com> wrote:
On 02/05/2018 07:34 PM, iain MacDonnell wrote:

Hi,

Is there a reason for this to be in /usr/share/nova/nova-dist.conf ?

firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver

From https://docs.openstack.org/nova/pike/configuration/config.html#DEFAULT.firewall_driver :


"firewall_driver Type: string Default: nova.virt.firewall.NoopFirewallDriver

Firewall driver to use with nova-network service. This option only applies
when using the nova-network service. When using other networking services,
such as Neutron, this should be set to
nova.virt.firewall.NoopFirewallDriver. Possible values: *
nova.virt.firewall.IptablesFirewallDriver *
nova.virt.firewall.NoopFirewallDriver *
nova.virt.libvirt.firewall.IptablesFirewallDriver * […] Related options: *
use_neutron: This must be set to False to enable nova-network networking

Warning: This option is deprecated for removal since 16.0.0. Its value
may be silently ignored in the future. Reason: nova-network is
deprecated, as are any related configuration options."


Since "use_neutron" is default, it appears to be inappropriate to
set firewall_driver at all, and especially to set it to the Iptables
one.

For my Ocata deployments, I had explicitly set firewall_driver to
the Noop one (in nova.conf), but when I went to Pike, I decided to
clean up some of the deprecated options in my config, and, according
to the docs (above), it seemed like firewall_driver should be
removed completely.... then I ran into an obscure issue (sometimes
when an instance got terminated, all other instances on the same
compute node became unreachable), which turned out to be nova and
neutron fighting over the content of the iptables "FORWARD" chain. I
was unaware of the setting in nova-dist.conf (which led to a "fun"
diagnostic process).

If there's not a good reason for the option to be there, I suppose I can
submit a bug report....?


Good point, you can submit bug report or fix it directly :)

Here's the file in the packaging repository:
https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-dist.conf

Looking at the file, network_manager also seems wrong and defaults to
a Nova Network setting.

It should be stated that the impact of defaulting to a
nova-network-era firewall driver is catastrophic because every time
you restart nova-compute it takes over iptables rules, fighting with
Neutron's OVS agent that also implements the security groups API.


Fix it, commit it and then submit it through gerrit.


As *-dist.conf are rarely touched, feel free to review it and submit
other changes you feel worthy to be discussed.


Regards,
H.


~iain

_______________________________________________
users mailing list
users@lists.rdoproject.org
http://lists.rdoproject.org/mailman/listinfo/users

To unsubscribe: users-unsubscr...@lists.rdoproject.org
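The pitfall in this thread is config-file precedence: an option removed from /etc/nova/nova.conf does not fall back to nova's documented default if a packaged file loaded earlier (here /usr/share/nova/nova-dist.conf) still sets it. The script below is an added example, not code from the thread, from RDO or from nova. It mirrors oslo.config's rule that later --config-file arguments override earlier ones for the [DEFAULT] section only, then flags the combination Assaf describes: use_neutron effectively true while firewall_driver resolves to an iptables driver. The sample config contents are constructed for the example; treating an unset use_neutron as True follows the thread's reading of the Pike defaults, and an unset firewall_driver is taken as the Noop default quoted from the docs.

```python
"""Detect a nova-network-era firewall_driver surviving in an effective
nova configuration when Neutron is in use (added example, not project code)."""
import configparser
import os
import tempfile

NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"
IPTABLES_DRIVERS = {
    "nova.virt.firewall.IptablesFirewallDriver",
    "nova.virt.libvirt.firewall.IptablesFirewallDriver",
}


def effective_default_options(paths):
    """Merge the [DEFAULT] section of each file in order.

    oslo.config applies repeated --config-file arguments in order, with later
    files overriding earlier ones; this helper mirrors that for [DEFAULT] only.
    """
    merged = {}
    for path in paths:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        merged.update(cp.defaults())
    return merged


def check_firewall_driver(paths):
    """Return (status, reason) for the effective firewall_driver setting."""
    opts = effective_default_options(paths)
    # Assumption: an unset use_neutron is treated as True (as the thread assumes
    # for Pike); an unset firewall_driver means the documented Noop default.
    use_neutron = opts.get("use_neutron", "true").strip().lower() in ("true", "1", "yes")
    driver = (opts.get("firewall_driver") or NOOP_DRIVER).strip()
    if not use_neutron:
        return "ok", "nova-network in use; firewall_driver is meaningful here"
    if driver == NOOP_DRIVER:
        return "ok", "Neutron owns security groups; nova-compute will not touch iptables"
    if driver in IPTABLES_DRIVERS:
        return "conflict", (
            "use_neutron is true but firewall_driver=%s; nova-compute will rewrite "
            "iptables (e.g. the FORWARD chain) alongside the Neutron agent" % driver
        )
    return "warn", "unrecognised firewall_driver %s with Neutron enabled" % driver


# Constructed sample files: the packaged default as quoted in the thread, a
# corrected dist.conf, and operator nova.conf variants with and without an
# explicit Noop override.
DIST_CONF_SHIPPED = """[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""
DIST_CONF_FIXED = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""
NOVA_CONF_CLEANED_UP = """[DEFAULT]
# deprecated options removed: no firewall_driver, no use_neutron
debug = false
"""
NOVA_CONF_EXPLICIT_NOOP = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""


def run_scenarios():
    """Write the samples to a temp dir and check each dist.conf/nova.conf pair."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, body):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            return path

        shipped = write("nova-dist.conf", DIST_CONF_SHIPPED)
        fixed = write("nova-dist-fixed.conf", DIST_CONF_FIXED)
        cleaned = write("nova.conf", NOVA_CONF_CLEANED_UP)
        explicit = write("nova-explicit.conf", NOVA_CONF_EXPLICIT_NOOP)
        # Order matters: dist.conf is loaded first, the operator's nova.conf last.
        results["shipped_dist+cleaned_nova"] = check_firewall_driver([shipped, cleaned])[0]
        results["shipped_dist+explicit_noop"] = check_firewall_driver([shipped, explicit])[0]
        results["fixed_dist+cleaned_nova"] = check_firewall_driver([fixed, cleaned])[0]
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(name, "->", status)
```

On a real compute node the same check amounts to running `grep -n firewall_driver /usr/share/nova/nova-dist.conf /etc/nova/nova.conf` and comparing against `use_neutron`; if the effective driver is an iptables one, `iptables -S FORWARD` before and after a nova-compute restart will show the rules being rewritten under the Neutron agent.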
