yahoo-eng-team team mailing list archive
Message #63696
[Bug 1687187] [NEW] metadata-api requires iptables-save/restore
Public bug reported:

The metadata-api still loads pieces of nova-network even when using
neutron=True.

Specifically, it is still loading linuxnet_interface_driver and it is
adding in ACCEPT rules with iptables to allow the metadata port. While
this may make sense with nova-network, it doesn't make sense for an api
to be messing with iptables.

Since neutron uses metadata-api through its proxy, it cannot be said
that the metadata-api is purely a nova-network thing.

The MetadataManager class that is loaded makes note of the fact that all
the class does is add that ACCEPT rule [0]. Previously in Newton I was
able to work around this by overriding the MetadataManager class with
'nova.manager.Manager', but that option was removed in Ocata [1]. Now
the 'nova.api.manager.MetadataManager' name is hardcoded [2] and
requires modifying nova source.

TL;DR when using the metadata-api, bits of nova-network are still loaded
when they shouldn't be.

[0] https://github.com/openstack/nova/blob/4f91ed3a547965ed96a22520edcfb783e7936e95/nova/api/manager.py#L24
[1] https://github.com/openstack/nova/blob/stable/newton/nova/conf/service.py#L51
[2] https://github.com/openstack/nova/blob/065cd6a8d69c1ec862e5b402a3150131f35b2420/nova/service.py#L60

** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1687187