Thanks Jens,

Is someone able to change the status of the bug from won’t-fix to confirmed so it’s visible?

Cheers,
Sam

> On 10 Jan 2017, at 10:52 pm, Jens Rosenboom <j.rosenboom at x-ion.de> wrote:
>
> 2017-01-10 4:33 GMT+01:00 Sam Morrison <sorrison at gmail.com>:
>> Hi nova-devs,
>>
>> I raised a bug about nova-api-metadata messing with iptables on a host
>>
>> https://bugs.launchpad.net/nova/+bug/1648643
>>
>> It got closed as won’t fix but I think it could do with a little more
>> discussion.
>>
>> Currently nova-api-metadata will create an iptable rule and also delete
>> other rules on the host. This was needed back in the nova-network days
>> as there was some trickery going on there.
>> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
>> than a web server much like nova-api.
>>
>> I may be missing some use case but I don’t think nova-api-metadata needs to
>> care about firewall rules (much like nova-api doesn’t care about firewall
>> rules)
>
> I agree with Sam on this. Looking a bit into the code, the mangling part of the
> iptables rules is only called in nova/network/l3.py, which seems to happen only
> when nova-network is being used. The installation of the global nova-iptables
> setup however happens unconditionally in nova/api/manager.py as soon as the
> nova-api-metadata service is started, which doesn't make much sense in a
> Neutron environment. So I would propose to either make this setup happen
> only when nova-network is used or at least allow a deployer to turn it off via
> a config option.