Open Stack

Razique,

Thanks for the response.

If I understand you correctly, you're saying that the iptables rules are redone 
by nova-compute or the quantum agents every time a network is added or removed 
and because of that, static rules will be lost. Is that correct?

The installation I'm working with provides pre-configured networks for 
instances to use. If the available networks is stable, should not the static 
rules survive?

Craig

On 08/29/2013 03:36 PM, Razique Mahroua wrote:
> That means you shouldn't use iptables for your custom rules since OpenStack
> manages iptables and everytime the network is updated, iptables is impacted. If
> you restart nova-netork for instance, then all the iptables rules are flushed
> and recreated according to your network topology.
> The iptables service doesn't need to be turned off (is that even possible?),
> just make sure not to create routing rules manually that might conflict with the
> rules OpenStack sets :)
>
> *Razique Mahroua** - **Nuage & Co*
> razique.mahroua at gmail.com <mailto:razique.mahroua at gmail.com>
> Tel : +33 9 72 37 94 15
>
>
> Le 28 août 2013 à 19:08, Craig E. Ward <cward at isi.edu <mailto:cward at isi.edu>> a
> écrit :
>
>> I have an OpenStack Folsom, with Quantum networking, installation that I'm
>> having trouble getting additional rules into the iptables on nova-compute
>> nodes. The online manual
>> (http://docs.openstack.org/trunk/openstack-ops/content/iptables.html) states
>> that "You must use OpenStack to manage iptables." What it doesn't include is
>> any indication of how that is done. How can iptables be managed with OpenStack?
>>
>> When I add rules to the file /etc/sysconfig/iptables, sometimes the
>> nova-compute service fails to work properly. A new instance on the node may
>> not get an IP address or the vnc service in Horizon does not respond. The
>> instance is listed in the database with an assigned IP, but the address is not
>> reachable.
>>
>> Does the iptables service need to be "off" in the context of chkconfig? That
>> is, don't let it start through the rc sequence, but let nova-compute start it
>> and populate the rules?
>>
>> If iptables is started in the rc sequence, then are there some rules that
>> should not be in /etc/sysconfig/iptables?
>>
>> If the rc sequence is not used, how do ports unrelated to OpenStack services
>> get enabled?
>>
>> Does the default response for a packet sent to non-OpenStack related port drop
>> the packet or let it pass?
>>
>> Thanks,
>>
>> Craig
>>
>>
>> --
>> Craig E. Ward
>> Information Sciences Institute
>> University of Southern California
>> cward at ISI.EDU <mailto:cward at ISI.EDU>
>>
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>

-- 
Craig E. Ward
Information Sciences Institute
University of Southern California
cward at ISI.EDU