yahoo-eng-team team mailing list archive

[Bug 1648643] Re: nova-api-metadata ignores firewall driver

 

Confirmed by Jens Rosenboom on the ML:


I agree with Sam on this. Looking a bit into the code, the mangling part of the
iptables rules is only called in nova/network/l3.py, which seems to happen only
when nova-network is being used. The installation of the global nova-iptables
setup however happens unconditionally in nova/api/manager.py as soon as the
nova-api-metadata service is started, which doesn't make much sense in a
Neutron environment. So I would propose to either make this setup happen
only when nova-network is used or at least allow an deployer to turn it off via
a config option.

** Changed in: nova
       Status: Won't Fix => New

** Changed in: nova
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1648643

Title:
  nova-api-metadata ignores firewall driver

Status in OpenStack Compute (nova):
  Confirmed

Bug description:
  In my nova.conf I have

  firewall_driver = nova.virt.firewall.NoopFirewallDriver

  When I start nova-api-metadata it installs some iptables rules (and
  blows away what is already there)

  I want to make it not manage any iptables rules by using the noop
  driver however it has no effect on nova-api-metadata.

  I'm using stable/mitaka although a look at the code in master would
  indicate this affects master too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1648643/+subscriptions
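
An added example, not part of the bug report or of nova: one way an operator could confirm the behaviour described above is to compare `iptables-save` output captured before and after starting the service and list what was lost or added. The two dumps and the `example-svc-INPUT` chain name are constructed placeholders, not nova's actual chain names.

```python
from collections import defaultdict

# Constructed sample dumps (assumption: captured with `iptables-save`
# before and after the service start). Chain names are placeholders.
BEFORE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
AFTER = """*filter
:INPUT ACCEPT [0:0]
:example-svc-INPUT - [0:0]
-A INPUT -j example-svc-INPUT
COMMIT
"""

def parse_iptables_save(dump):
    """Parse iptables-save text into {table: {"chains": set, "rules": set}}."""
    tables = defaultdict(lambda: {"chains": set(), "rules": set()})
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":") and table:  # chain declaration
            tables[table]["chains"].add(line[1:].split()[0])
        elif line.startswith("-A") and table:  # appended rule
            tables[table]["rules"].add(line)
    return tables

def ruleset_drift(before, after):
    """Report, per table, rules that vanished and chains/rules that appeared."""
    b, a = parse_iptables_save(before), parse_iptables_save(after)
    report = {}
    for table in sorted(set(b) | set(a)):
        lost = sorted(b[table]["rules"] - a[table]["rules"])
        new_chains = sorted(a[table]["chains"] - b[table]["chains"])
        new_rules = sorted(a[table]["rules"] - b[table]["rules"])
        if lost or new_chains or new_rules:
            report[table] = {"lost_rules": lost, "new_chains": new_chains,
                             "new_rules": new_rules}
    return report

if __name__ == "__main__":
    print(ruleset_drift(BEFORE, AFTER))
```

A non-empty `lost_rules` list for a table means pre-existing rules were replaced rather than left alone.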

