metadata-api requires iptables-save/restore

Bug #1687187 reported by Sam Yaple on 2017-04-29
This bug affects 2 people
Affects                    Status   Importance   Assigned to      Milestone
OpenStack Compute (nova)            High         Michael Still
  Newton                            High         Sam Yaple
  Ocata                             High         Sam Yaple

Bug Description

The metadata-api still loads pieces of nova-network even when using neutron=True.

Specifically, it is still loading linuxnet_interface_driver and it is adding in ACCEPT rules with iptables to allow the metadata port. While this may make sense with nova-network, it doesn't make sense for an api to be messing with iptables.

Since neutron uses metadata-api through its proxy, it cannot be said that the metadata-api is purely a nova-network thing.

The MetadataManager class that is loaded makes note of the fact that all the class does is add that ACCEPT rule [0]. Previously in Newton I was able to work around this by overriding the MetadataManager class with 'nova.manager.Manager', but that option was removed in Ocata [1]. Now the 'nova.api.manager.MetadataManager' name is hardcoded [2] and requires modifying nova source.

TL;DR when using the metadata-api, bits of nova-network are still loaded when they shouldn't be.

[0] https://github.com/openstack/nova/blob/4f91ed3a547965ed96a22520edcfb783e7936e95/nova/api/manager.py#L24

[1] https://github.com/openstack/nova/blob/stable/newton/nova/conf/service.py#L51

[2] https://github.com/openstack/nova/blob/065cd6a8d69c1ec862e5b402a3150131f35b2420/nova/service.py#L60

Sean Dague (sdague) on 2017-06-14
tags: added: api metadata
Sean Dague (sdague) wrote:

Should be fixed

Changed in nova:
status: New → Confirmed
importance: Undecided → High
Sean Dague (sdague) wrote:

Automatically discovered version newton in description. If this is incorrect, please update the description to include 'nova version: ...'

tags: added: openstack-version.newton
Michael Still (mikal) wrote:

The problem here is that some parts of nova use the older style driver interface to configure networking (yet another pluggable python module thing), whereas most of nova uses the newer API interface. Antique remainders include the metadata server iptables thing, DHCP, and DNS.

The driver interface and API interface do not overlap, however, so it's not as simple as just replacing calls to one with calls to the other. Instead, we'll need to work through all the calls to the driver interface and decide what to do with them.

Fix proposed to branch: master
Review: https://review.openstack.org/480765

Changed in nova:
assignee: nobody → Michael Still (mikal)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/480765
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b7cb3b7523b70dd94135f07b6307fa48563119f8
Submitter: Jenkins
Branch: master

commit b7cb3b7523b70dd94135f07b6307fa48563119f8
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

    Only set up iptables for metadata if using nova-net

    As discussed in the bug report, we set up iptables rules for the metadata
    service even if we're using neutron (which routes to metadata in a
    different way). This is because of the split-brain behaviour of the
    network driver interface versus the network API interface.

    Instead, only set up iptables if we are _not_ using neutron.

    Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
    Closes-Bug: #1687187

Changed in nova:
status: In Progress → Fix Released

This issue was fixed in the openstack/nova 16.0.0.0b3 development milestone.
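As an added example (not nova's code and not part of this report), a check an operator can run over iptables-save output to confirm that the leftover metadata ACCEPT rule described above is gone from a neutron deployment after the fix. The nova-api-INPUT chain name, the 10.0.0.5 metadata host and the default metadata port 8775 are assumptions, not values taken from the bug.

```python
import shlex
from typing import List, Optional, Tuple

METADATA_PORT = 8775  # nova's default metadata port; assumption, not from the bug report

def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised iptables rule, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def find_metadata_accept_rules(dump: str, port: int = METADATA_PORT) -> List[Tuple[str, str, str]]:
    """Return (table, chain, rule) for each ACCEPT of tcp/<port> in a nova-* chain of an iptables-save dump."""
    table = "?"
    found = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip :CHAIN lines, COMMIT and comments
            continue
        tokens = shlex.split(line)
        chain = tokens[1]
        if (chain.startswith("nova-")     # only nova-managed chains, not the operator's own rules
                and _opt(tokens, "-p") == "tcp"
                and _opt(tokens, "--dport") == str(port)
                and _opt(tokens, "-j") == "ACCEPT"):
            found.append((table, chain, line))
    return found

def leftover_nova_net_rules(dump: str, use_neutron: bool) -> List[Tuple[str, str, str]]:
    """With neutron the metadata API must not touch iptables, so any hit is a leftover; with nova-network it is expected."""
    return find_metadata_accept_rules(dump) if use_neutron else []

# Constructed iptables-save excerpt resembling a neutron host hit by this bug.
# The chain name and the 10.0.0.5 metadata host are assumed, not from the report.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:nova-api-INPUT - [0:0]
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-api-INPUT -d 10.0.0.5/32 -p tcp -m tcp --dport 8775 -j ACCEPT
COMMIT
"""

for table, chain, rule in leftover_nova_net_rules(SAMPLE_DUMP, use_neutron=True):
    print(f"leftover nova-network rule in {table}/{chain}: {rule}")
```

On a real host, feed it the output of `iptables-save` and the value of `use_neutron` from nova.conf; an empty result on a neutron deployment means the metadata API is no longer installing the rule.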

Reviewed: https://review.openstack.org/486273
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3d889bbfcee42aec08ed746163157f13ed36955f
Submitter: Jenkins
Branch: stable/newton

commit 3d889bbfcee42aec08ed746163157f13ed36955f
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

    Only set up iptables for metadata if using nova-net

    As discussed in the bug report, we set up iptables rules for the metadata
    service even if we're using neutron (which routes to metadata in a
    different way). This is because of the split-brain behaviour of the
    network driver interface versus the network API interface.

    Instead, only set up iptables if we are _not_ using neutron.

    Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
    Closes-Bug: #1687187
    (cherry picked from commit b7cb3b7523b70dd94135f07b6307fa48563119f8)

Reviewed: https://review.openstack.org/486272
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=16505d8e6e20159adc2bc6df81d2f415cffe83fe
Submitter: Jenkins
Branch: stable/ocata

commit 16505d8e6e20159adc2bc6df81d2f415cffe83fe
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

    Only set up iptables for metadata if using nova-net

    As discussed in the bug report, we set up iptables rules for the metadata
    service even if we're using neutron (which routes to metadata in a
    different way). This is because of the split-brain behaviour of the
    network driver interface versus the network API interface.

    Instead, only set up iptables if we are _not_ using neutron.

    Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
    Closes-Bug: #1687187
    (cherry picked from commit b7cb3b7523b70dd94135f07b6307fa48563119f8)

This issue was fixed in the openstack/nova 15.0.7 release.

This issue was fixed in the openstack/nova 14.0.8 release.
