Firewall rules are not updated if you restart nova-compute
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Unassigned |
Bug Description
IptablesFirewal
When nova-compute starts this is empty. It is not loaded at start in some way, instead
it is filled using the prepare_
This method is called from the virt drivers in a few scenarios that are different on
libvirt and xenapi (these are the ones I checked).
On xenapi it only happens during spawn, on libvirt it also happens during hard reboot.
This means that if you have some running instances using some security group, and then for
some reason restart the nova-compute service - updates to the security group (i.e.
adding/removing some rule) will not be propagated to iptables correctly. On libvirt
you can "fix" this by rebooting an instance hard. On xenapi you can't fix it.
I added an ugly hack to make xenapi work like I want it to (but I can see that it is
not fit for inclusion). I would be happy to fix this in some less ugly way if someone
gave me a helpful hint of what the core devs would consider to be a good way to solve it.
To me perhaps the reasonable thing would be for IptablesFirewal
self.instances as a cache and if some instance is not there, then check if it is running
and if so - fetch the network_info + do prepare_
Anyway, here is my ugly hack patch, perhaps it helps someone or gives more insight into
what I mean :-):
--- /home/atomia/
+++ /usr/lib/
@@ -32,6 +32,7 @@
from nova.compute import api as compute
from nova.compute import power_state
+from nova.compute import utils as compute_utils
from nova import context as nova_context
from nova import db
from nova import exception
@@ -1749,6 +1750,16 @@
def refresh_
""" recreates security group rules for every instance """
+ LOG.debug("JMA: refresh_
+
+ import nova.network
+ nw_api = nova.network.API()
+ context = nova_context.
+ security_group = db.security_
+ for instance in security_
+ nw_info = compute_
+ self.firewall_
+
def refresh_
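Review bot: the loop in the second hunk walks every instance of the security group and prepares a filter for each without checking the instance's host or power state, so a compute node would prepare filters for instances that are not running on it; restrict the loop to instances scheduled to this host and currently running, as the description itself proposes. Two smaller points: `import nova.network` inside the method should move to the module-level imports next to the new `compute_utils` import, and the `LOG.debug("JMA: ...")` line is a personal debugging marker that should be removed or reworded before this is submitted.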
Changed in nova: status: Triaged → Fix Released
Seems like iptables rules should be refreshed on restart of nova-compute.
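The caching behaviour described in the report, modelled as an added Python example (this is not Nova's code; the class names, the in-memory store and the instance data are all constructed for the example). It contrasts a driver whose per-instance cache is only filled by `prepare_instance_filter` with one that treats the cache as a cache and, on a miss, looks the instance up, checks that it is running on this host, and prepares its filter before applying the group's rules:

```python
"""Added example, not Nova code: a model of the 'empty cache after restart' bug.

After a service restart the driver's per-instance cache is empty, so a refresh of
a security group has nothing to regenerate.  The fixed driver repopulates the cache
for running instances on this host before applying the updated rules.
"""
from dataclasses import dataclass

RUNNING = "running"
SHUTDOWN = "shutdown"


@dataclass
class Instance:
    uuid: str
    host: str
    power_state: str
    security_groups: list
    network_info: dict


class InstanceStore:
    """Stand-in for the database: instances plus per-group rule lists (constructed)."""

    def __init__(self, instances, group_rules):
        self._instances = {i.uuid: i for i in instances}
        self._group_rules = group_rules  # group name -> list of rule strings

    def instances_in_group(self, group):
        return [i for i in self._instances.values() if group in i.security_groups]

    def get(self, uuid):
        return self._instances[uuid]

    def rules_for(self, group):
        return list(self._group_rules[group])

    def add_rule(self, group, rule):
        self._group_rules[group].append(rule)


class BuggyFirewallDriver:
    """As described in the report: self.instances starts empty and is only filled by
    prepare_instance_filter, which the virt driver calls on spawn (and hard reboot)."""

    def __init__(self, store, host):
        self.store = store
        self.host = host
        self.instances = {}  # uuid -> network_info (the cache)
        self.iptables = {}   # uuid -> rules currently "applied" (models the kernel state)

    def prepare_instance_filter(self, instance, network_info):
        self.instances[instance.uuid] = network_info
        self._apply(instance)

    def refresh_security_group_rules(self, group):
        # Only instances already in the cache are touched; after a restart that is nobody.
        for uuid in list(self.instances):
            inst = self.store.get(uuid)
            if group in inst.security_groups:
                self._apply(inst)

    def _apply(self, instance):
        rules = []
        for g in instance.security_groups:
            rules.extend(self.store.rules_for(g))
        self.iptables[instance.uuid] = rules


class FixedFirewallDriver(BuggyFirewallDriver):
    """Treats self.instances as a cache: on a miss for a running instance on this
    host, fetch its network_info and prepare the filter, then apply the rules."""

    def refresh_security_group_rules(self, group):
        for inst in self.store.instances_in_group(group):
            if inst.host != self.host or inst.power_state != RUNNING:
                continue  # not ours, or not running: nothing to program
            if inst.uuid not in self.instances:
                self.prepare_instance_filter(inst, inst.network_info)
            else:
                self._apply(inst)


def rules_after_restart(driver_cls):
    """Spawn vm-1, 'restart' the service (fresh driver, empty cache, kernel rules kept),
    add a rule to the group, refresh, and return the rules applied per instance."""
    store = InstanceStore(
        instances=[  # constructed sample data
            Instance("vm-1", "compute1", RUNNING, ["web"], {"ip": "10.0.0.5"}),
            Instance("vm-2", "compute2", RUNNING, ["web"], {"ip": "10.0.0.6"}),   # other host
            Instance("vm-3", "compute1", SHUTDOWN, ["web"], {"ip": "10.0.0.7"}),  # not running
        ],
        group_rules={"web": ["ACCEPT tcp dpt:80"]},
    )
    before = driver_cls(store, "compute1")
    before.prepare_instance_filter(store.get("vm-1"), store.get("vm-1").network_info)
    after = driver_cls(store, "compute1")     # restart: new object, empty cache
    after.iptables = dict(before.iptables)    # iptables state survives the restart
    store.add_rule("web", "ACCEPT tcp dpt:443")
    after.refresh_security_group_rules("web")
    return after.iptables


if __name__ == "__main__":
    print("buggy:", rules_after_restart(BuggyFirewallDriver))
    print("fixed:", rules_after_restart(FixedFirewallDriver))
```

Running it shows the buggy driver leaving vm-1 with only the port-80 rule after the refresh, while the fixed driver regenerates both rules for vm-1 and correctly leaves vm-2 (another host) and vm-3 (not running) alone.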