[openstack-dev] [nova] nova-api-metadata managing firewall

Jens Rosenboom j.rosenboom at x-ion.de
Tue Jan 10 11:52:35 UTC 2017


2017-01-10 4:33 GMT+01:00 Sam Morrison <sorrison at gmail.com>:
> Hi nova-devs,
>
> I raised a bug about nova-api-metadata messing with iptables on a host
>
> https://bugs.launchpad.net/nova/+bug/1648643
>
> It got closed as won’t fix but I think it could do with a little more
> discussion.
>
> Currently nova-api-metadata will create an iptable rule and also delete
> other rules on the host. This was needed for back in the nova-network days
> as there was some trickery going on there.
> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
> than a web server much like nova-api.
>
> I may be missing some use case but I don’t think nova-api-metadata needs to
> care about firewall rules (much like nova-api doesn’t care about firewall
> rules)

I agree with Sam on this. Looking a bit into the code, the mangling part of the
iptables rules is only called in nova/network/l3.py, which seems to happen only
when nova-network is being used. The installation of the global nova-iptables
setup however happens unconditionally in nova/api/manager.py as soon as the
nova-api-metadata service is started, which doesn't make much sense in a
Neutron environment. So I would propose to either make this setup happen
only when nova-network is used or at least allow a deployer to turn it off via
a config option.
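To make the proposal concrete, here is an added example (not nova's code, and not from either poster) of the two things an operator would want around this change: a gate that only lets the metadata service touch host iptables when nova-network is in use and a deployer has opted in, and an audit that parses `iptables-save` output to show which nova-managed chains and jumps currently exist on a host. The option names `use_neutron` and `manage_iptables`, the sample rule set and the `nova-` chain prefix are assumptions chosen for illustration.

```python
"""Added example: config gate for firewall management plus an audit of
iptables-save output for nova-managed chains. Not nova's own code; the
option names and the sample rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MetadataConf:
    """Hypothetical config subset; names are placeholders, not nova's."""
    use_neutron: bool = True        # Neutron handles networking, not nova-network
    manage_iptables: bool = False   # deployer opt-in for touching host iptables


def should_manage_iptables(conf: MetadataConf) -> bool:
    """Mirror the proposal: with Neutron the service never touches iptables;
    with nova-network it does so only if the deployer has not turned it off."""
    if conf.use_neutron:
        return False
    return conf.manage_iptables


def nova_managed_rules(iptables_save: str, prefix: str = "nova-") -> Dict[str, List[str]]:
    """Parse iptables-save text and return, per chain whose name starts with
    ``prefix``, the rules appended to it and the jumps into it from other chains.
    This lets an operator verify what a host-level service has installed."""
    found: Dict[str, List[str]] = {}
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            # chain declaration, e.g. ":nova-api-INPUT - [0:0]"
            chain = line[1:].split()[0]
            if chain.startswith(prefix):
                found.setdefault(chain, [])
        elif line.startswith("-A "):
            parts = line.split()
            chain = parts[1]
            target: Optional[str] = parts[parts.index("-j") + 1] if "-j" in parts else None
            if chain.startswith(prefix):
                found.setdefault(chain, []).append(line)
            elif target is not None and target.startswith(prefix):
                # a builtin chain jumping into a nova chain is the hook to watch
                found.setdefault(target, []).append(line)
    return found


# Constructed iptables-save snippet resembling what a nova-managed host might show.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-api-INPUT - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A nova-api-INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


if __name__ == "__main__":
    conf = MetadataConf(use_neutron=True, manage_iptables=True)
    print("manage iptables with Neutron:", should_manage_iptables(conf))
    for chain, rules in nova_managed_rules(SAMPLE_IPTABLES_SAVE).items():
        print(chain)
        for rule in rules:
            print("   ", rule)
```

On a real host the audit would be fed the output of `iptables-save`; the parser only reads text, so it can be run against a saved copy without touching the firewall itself.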


