[openstack-dev] [nova] Network issue with libvirt-xen driver, iptables race
Anthony PERARD
anthony.perard at citrix.com
Tue Jun 30 14:02:54 UTC 2015
Hi all,
We have an issue with the driver libvirt-xen. When a guest is started by
Nova, nova-network is going to do some network setup and call
iptables-{save,restore}, and the Xen toolstack is going to set up the
vif of the guest, via a script, which also updates the iptables.
The Xen script is simply calling those commands:
# Take the vif down, set the conventional backend MAC and clear any addresses
ip link set dev ${dev} down
ip link set dev ${dev} address fe:ff:ff:ff:ff:ff
ip address flush dev ${dev}
# Attach it to the guest's bridge and bring it up
brctl addif ${bridge} ${dev}
ip link set dev ${dev} up
# Allow bridged traffic in and out of the vif (these two inserts are what races with iptables-restore)
iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" -j ACCEPT
iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" -j ACCEPT
$dev is by default vif$domid.$devid.
Only the call to iptables is an issue, and it fails fairly often when it loses
the race against iptables-{save,restore}.
It is possible to have Nova ask to run a different script that would not
call iptables. But that script would need to be stored somewhere; in the
nova repo would be best.
Any thoughts on that?
Is `iptables` call necessary for the vif with OpenStack?
If so, can nova-network do the update? Or the script called by the Xen
toolstack could take an OpenStack lock before calling iptables?
Bug report: https://bugs.launchpad.net/nova/+bug/1461642
Thanks,
--
Anthony PERARD
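As an added example (not the Xen hotplug script and not Nova's code), the following sketches the third option raised in the message: the same bridge setup as the quoted hook, but with the two iptables inserts run under an exclusive file lock so they cannot land between another writer's iptables-save and iptables-restore. The lock path, the overridable command names, and the idea that nova-network would take the same lock around its own save/modify/restore cycle are all assumptions of this example; the message does not say which lock nova-network uses or how.

```sh
#!/bin/sh
# Example vif hook with a locked iptables section. Added example, not the Xen
# or Nova project's code. Assumptions: the lock file path below, and that the
# other iptables writer (nova-network) wraps its iptables-save ... restore
# sequence in the same lock.
: "${VIF_IPTABLES_LOCK:=/run/lock/vif-iptables.lock}"   # assumed path
: "${IPTABLES:=iptables}"   # set IPTABLES=echo for a dry run
: "${IP:=ip}"
: "${BRCTL:=brctl}"

# Run "$@" while holding an exclusive flock(2) lock on the given file.
# Caveat: flock(2) locks and fcntl/lockf locks are independent on Linux, so
# the other writer must take the same kind of lock on the same file, otherwise
# this excludes nothing.
with_lock() {
    lockfile=$1
    shift
    (
        flock -x 9 || exit 1
        "$@"
    ) 9>"$lockfile"
}

# The two FORWARD rules from the Xen hook. Both are inserted inside one
# critical section so a concurrent save/restore cannot drop one of them.
insert_vif_rules() {
    dev=$1
    $IPTABLES -I FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" -j ACCEPT &&
    $IPTABLES -I FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" -j ACCEPT
}

# Bridge setup exactly as in the Xen hook, then the locked iptables section.
setup_vif() {
    dev=$1
    bridge=$2
    $IP link set dev "$dev" down
    $IP link set dev "$dev" address fe:ff:ff:ff:ff:ff
    $IP address flush dev "$dev"
    $BRCTL addif "$bridge" "$dev"
    $IP link set dev "$dev" up
    with_lock "$VIF_IPTABLES_LOCK" insert_vif_rules "$dev"
}

# Usage: vif-bridge-locked.sh vif1.0 xenbr0
# Only runs when given both arguments, so the file can also be sourced.
case $# in
    2) setup_vif "$1" "$2" ;;
esac
```

Note that iptables' own -w option only serializes concurrent invocations of the iptables binaries against the xtables lock; it does not protect a save, modify, restore sequence, where a rule inserted between the save and the restore is silently discarded by the restore. That is why the lock has to sit above the iptables calls, and why both writers have to agree on it.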