OpenStack Compute (nova)

metadata-api requires iptables-save/restore

Series ocata
Bug #1687187

Bug #1687187 reported by Sam Yaple on 2017-04-29

This bug affects 2 people

	Status	Importance	Assigned to
OpenStack Compute (nova)	Fix Released	High	Michael Still
Newton	Fix Committed	High	Sam Yaple
Ocata	Fix Committed	High	Sam Yaple

Bug Description

The metadata-api still loads pieces of nova-network even when using neutron=True.

Specifically, it is still loading linuxnet_interface_driver and it is adding in ACCEPT rules with iptables to allow the metadata port. While this may make sense with nova-network, it doesn't make sense for an api to be messing with iptables.

Since neutron uses metadata-api through its proxy, it cannot be said that the metadata-api is purely a nova-network thing.

The MetadataManager class that is loaded makes note of the fact that all the class does is add that ACCEPT rule [0]. Previously in Newton I was able to work around this by overriding the MetadataManager class with 'nova.manager.Manager', that that option was removed in Ocata [1]. Now the 'nova.api.manager.MetadataManager' name is hardcoded [2] and requires modifying nova source.

TL;DR when using the metadata-api, bits of nova-network are still loaded when they shouldn't be.

[0] https://github.com/openstack/nova/blob/4f91ed3a547965ed96a22520edcfb783e7936e95/nova/api/manager.py#L24

[1] https://github.com/openstack/nova/blob/stable/newton/nova/conf/service.py#L51

[2] https://github.com/openstack/nova/blob/065cd6a8d69c1ec862e5b402a3150131f35b2420/nova/service.py#L60

Tags:

Sean Dague (sdague) on 2017-06-14

tags:

added: api metadata

Revision history for this message

Sean Dague (sdague) wrote on 2017-06-14:

Should be fixed

Changed in nova:
status:	New → Confirmed
importance:	Undecided → High

Revision history for this message

Sean Dague (sdague) wrote on 2017-06-27:

Automatically discovered version newton in description. If this is incorrect, please update the description to include 'nova version: ...'

tags:

added: openstack-version.newton

Revision history for this message

Michael Still (mikal) wrote on 2017-07-05:

The problem here is that some parts of nova use the older style driver interface to configure networking (yet another pluggable python module thing), whereas most of nova uses the newer API interface. Antique remainders include the metadata server iptables thing, DHCP, and DNS.

The driver interface and API interface do not overlap however, so its not as simple as just replacing calls to one with calls to the other. Instead, we'll need to work through all the calls to the driver interface and decide what to do with them.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-05: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/480765

Changed in nova:
assignee:	nobody → Michael Still (mikal)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-20: Fix merged to nova (master)

Reviewed: https://review.openstack.org/480765
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b7cb3b7523b70dd94135f07b6307fa48563119f8
Submitter: Jenkins
Branch: master

commit b7cb3b7523b70dd94135f07b6307fa48563119f8
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

Only setup iptables for metadata if using nova-net

    As discussed in the bug report, we setup iptables rules for the metadata
    service even if we're using neutron (which routes to metadata in a
    different way). This is because of the split-brain behaviour of the
    network driver interface versus the network API interface.

Instead, only setup iptables if we are _not_ using neutron.

Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
Closes-Bug: #1687187

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-22: Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/486272

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-22: Fix proposed to nova (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/486273

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-28: Fix included in openstack/nova 16.0.0.0b3

This issue was fixed in the openstack/nova 16.0.0.0b3 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-11: Fix merged to nova (stable/newton)

Reviewed: https://review.openstack.org/486273
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3d889bbfcee42aec08ed746163157f13ed36955f
Submitter: Jenkins
Branch: stable/newton

commit 3d889bbfcee42aec08ed746163157f13ed36955f
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

Only setup iptables for metadata if using nova-net

Instead, only setup iptables if we are _not_ using neutron.

    Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
    Closes-Bug: #1687187
    (cherry picked from commit b7cb3b7523b70dd94135f07b6307fa48563119f8)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-12: Fix merged to nova (stable/ocata)

#10

Reviewed: https://review.openstack.org/486272
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=16505d8e6e20159adc2bc6df81d2f415cffe83fe
Submitter: Jenkins
Branch: stable/ocata

commit 16505d8e6e20159adc2bc6df81d2f415cffe83fe
Author: Michael Still <email address hidden>
Date: Tue Jul 4 18:19:44 2017 +1000

Only setup iptables for metadata if using nova-net

Instead, only setup iptables if we are _not_ using neutron.

    Change-Id: I43df9200aba1018d2c7cd2f118864326af15fd42
    Closes-Bug: #1687187
    (cherry picked from commit b7cb3b7523b70dd94135f07b6307fa48563119f8)