[Openstack] Problems after deleting an instance

Brian Haley brian.haley at hpe.com
Tue Jun 14 14:25:16 UTC 2016


On 06/14/2016 09:34 AM, Daniel Ruiz Molina wrote:
> Hello,
>
> I'm getting an important problem after deleting an instance. I'm running
> Openstack Juno on a server that acts as controller and network node (with 3
> nics). Computes have 2 nics. Because the computes are in a student laboratory,
> each compute has a local iptables with its rules. Then, when I launch an
> instance, some rules from neutron are automatically added. However, when I
> terminate that instance, those rules are not automatically deleted, which is
> causing me the problem because rule "neutron-openvswi-input" is added as first
> rule (like an "iptables -I", not an "iptables -A"), so some rules I had added
> are not executed...
>
> How can I solve this problem? How can I reconfigure openstack to automatically
> delete those neutron rules?

Neutron should be deleting these rules; here are some suggestions:

1) Make sure you are not adding rules to any of the neutron-controlled chains, 
for example, those starting with "neutron-openvswi", since they can get 
re-written at any time by the agent.

2) Try to not add any rules while the agent is running.  The agent synchronizes 
access to iptables by taking a file lock, and if you don't also take that lock 
there will be a race, and the table could become corrupt.  Adding rules before 
the agent is started is the best option.

3) Upgrade to a later version of Openstack if possible; Juno is no longer
supported, and Mitaka or Liberty are the best options currently.  It could be
that you are hitting a bug that has been fixed.

-Brian
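
Added example, not part of the original message or of Neutron's code: a read-only audit of `iptables-save -t filter` output that lists the agent-managed chains to stay out of (suggestion 1) and the local rules that are evaluated only after a jump into a Neutron chain, which is the ordering effect described in the question. The sample ruleset is constructed, and the `neutron-` prefix match is an assumption based on the chain names mentioned in the thread.

```python
import re

# Constructed sample of `iptables-save -t filter` output (not from the thread).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-sg-chain - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-sg-chain -j ACCEPT
COMMIT
"""
RULE = re.compile(r"^-A (\S+) (.*)$")
TARGET = re.compile(r"(?:^|\s)-j (\S+)")

def parse_filter_table(text):
    """Return {chain: [rule_spec, ...]} with rules in evaluation order."""
    chains = {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                  # chain declaration
            chains.setdefault(line[1:].split()[0], [])
        elif (m := RULE.match(line)):             # appended rule
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def audit(text, prefix="neutron-"):
    """Return (managed_chains, {local_chain: [rules after a managed jump]})."""
    chains = parse_filter_table(text)
    managed = sorted(c for c in chains if c.startswith(prefix))
    after_jump = {}
    for chain, rules in chains.items():
        if chain.startswith(prefix):
            continue                              # agent-owned: leave untouched
        seen_jump = False
        for spec in rules:
            t = TARGET.search(spec)
            if t and t.group(1).startswith(prefix):
                seen_jump = True
            elif seen_jump:
                after_jump.setdefault(chain, []).append(spec)
    return managed, after_jump

if __name__ == "__main__":
    print(audit(SAMPLE))
```
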



