Merge "conf: Deprecated 'defer_iptables_apply'"

2019-02-25 21:13:03 +00:00 · 2019-02-25 21:13:03 +00:00 · 29e5b0ad7b
parent 7524a21527 5a00272043
commit 29e5b0ad7b
3 changed files with 39 additions and 6 deletions
--- a/nova/conf/compute.py
+++ b/nova/conf/compute.py
@ -550,12 +550,6 @@ Possible values:

 * None (default)
 * Any string representing network name.
-"""),
-    cfg.BoolOpt('defer_iptables_apply',
-        default=False,
-        help="""
-Whether to batch up the application of IPTables rules during a host restart
-and apply all at the end of the init phase.
 """),
    cfg.StrOpt('instances_path',
        default=paths.state_path_def('instances'),
--- a/nova/conf/network.py
+++ b/nova/conf/network.py
@ -874,6 +874,12 @@ Related options:

 * iptables_top_regex
 """),
+    # NOTE(sfinucan): While this is predominantly used by nova-network, there
+    # appears to be a very limited use case where iptables rules are also used
+    # with neutron. Namely, when neutron's port filtering is disabled, security
+    # groups are disabled, and the 'firewall_driver' has been set to the
+    # libvirt IPTables driver. We may wish to remove this functionality in
+    # favour of neutron in the future.
    cfg.StrOpt("iptables_drop_action",
        default="DROP",
        deprecated_for_removal=True,
@ -890,6 +896,32 @@ going on, or LOGDROP in order to record the blocked traffic before DROPping.
 Possible values:

 * A string representing an iptables chain. The default is DROP.
+"""),
+    # NOTE(sfinucan): While this is predominantly used by nova-network, there
+    # appears to be a very limited use case where iptables rules are also used
+    # with neutron. Namely, when neutron's port filtering is disabled, security
+    # groups are disabled, and the 'firewall_driver' has been set to the
+    # libvirt IPTables driver. We may wish to remove this functionality in
+    # favour of neutron in the future.
+    cfg.BoolOpt('defer_iptables_apply',
+        default=False,
+        deprecated_for_removal=True,
+        deprecated_since="19.0.0",
+        deprecated_reason="""
+nova-network is deprecated, as are any related configuration options.
+""",
+        help="""
+Defer application of IPTables rules until after init phase.
+
+When a compute service is restarted each instance running on the host has its
+iptables rules built and applied sequentially during the host init stage. The
+impact of this, especially on a host running many instances, can be observed as
+a period where some instances are not accessible as the existing iptables rules
+have been torn down and not yet re-applied.
+
+This is a workaround that prevents the application of the iptables rules until
+all instances on the host had been initialised then the rules for all instances
+are applied all at once preventing a 'blackout' period.
 """),
    cfg.IntOpt("ovs_vsctl_timeout",
        default=120,
--- a/releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml
+++ b/releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml
@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    The following options, found in ``DEFAULT``, were only used for configuring
+    nova-network and are, like nova-network itself, now deprecated.
+
+    - ``defer_iptables_apply``