2017-01-10 4:33 GMT+01:00 Sam Morrison <sorri...@gmail.com>:

> Hi nova-devs,
>
> I raised a bug about nova-api-metadata messing with iptables on a host
>
> https://bugs.launchpad.net/nova/+bug/1648643
>
> It got closed as won't fix but I think it could do with a little more
> discussion.
>
> Currently nova-api-metadata will create an iptable rule and also delete
> other rules on the host. This was needed back in the nova-network days
> as there was some trickery going on there.
> Now with neutron and neutron-metadata-proxy nova-api-metadata is little more
> than a web server much like nova-api.
>
> I may be missing some use case but I don't think nova-api-metadata needs to
> care about firewall rules (much like nova-api doesn't care about firewall
> rules)
I agree with Sam on this. Looking a bit into the code, the mangling part of the iptables rules is only called in nova/network/l3.py, which seems to happen only when nova-network is being used. The installation of the global nova-iptables setup however happens unconditionally in nova/api/manager.py as soon as the nova-api-metadata service is started, which doesn't make much sense in a Neutron environment. So I would propose to either make this setup happen only when nova-network is used or at least allow a deployer to turn it off via a config option.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev