Merge "conf: Deprecated 'defer_iptables_apply'"
commit
29e5b0ad7b
|
@ -550,12 +550,6 @@ Possible values:
|
||||||
|
|
||||||
* None (default)
|
* None (default)
|
||||||
* Any string representing network name.
|
* Any string representing network name.
|
||||||
"""),
|
|
||||||
cfg.BoolOpt('defer_iptables_apply',
|
|
||||||
default=False,
|
|
||||||
help="""
|
|
||||||
Whether to batch up the application of IPTables rules during a host restart
|
|
||||||
and apply all at the end of the init phase.
|
|
||||||
"""),
|
"""),
|
||||||
cfg.StrOpt('instances_path',
|
cfg.StrOpt('instances_path',
|
||||||
default=paths.state_path_def('instances'),
|
default=paths.state_path_def('instances'),
|
||||||
|
|
|
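Review bot: the removed `cfg.BoolOpt('defer_iptables_apply', ...)` sits in a different option list (next to `instances_path`) from the one it is re-added to later in this change (next to `iptables_drop_action`), so the move only stays transparent to operators if both lists are registered under the same group. The release note says the option is found in ``DEFAULT``. Please confirm the receiving list is registered there too, otherwise an existing `defer_iptables_apply = True` in nova.conf would silently stop taking effect after upgrade. Name and `default=False` match on both sides, which is good.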
@ -874,6 +874,12 @@ Related options:
|
||||||
|
|
||||||
* iptables_top_regex
|
* iptables_top_regex
|
||||||
"""),
|
"""),
|
||||||
|
# NOTE(sfinucan): While this is predominantly used by nova-network, there
|
||||||
|
# appears to be a very limited use case where iptables rules are also used
|
||||||
|
# with neutron. Namely, when neutron's port filtering is disabled, security
|
||||||
|
# groups are disabled, and the 'firewall_driver' has been set to the
|
||||||
|
# libvirt IPTables driver. We may wish to remove this functionality in
|
||||||
|
# favour of neutron in the future.
|
||||||
cfg.StrOpt("iptables_drop_action",
|
cfg.StrOpt("iptables_drop_action",
|
||||||
default="DROP",
|
default="DROP",
|
||||||
deprecated_for_removal=True,
|
deprecated_for_removal=True,
|
||||||
|
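Review bot: the `NOTE(sfinucan)` comment added above `iptables_drop_action` is repeated word for word above `defer_iptables_apply` in the next hunk, and in both places "this" has no clear referent. Suggest keeping a single copy at the top of the run of iptables options it applies to and naming those options in it, so the two copies cannot drift apart. It would also help to reconcile "We may wish to remove this functionality" with the `deprecated_for_removal=True` already set on the option directly below, which says removal has been decided.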
@ -890,6 +896,32 @@ going on, or LOGDROP in order to record the blocked traffic before DROPping.
|
||||||
Possible values:
|
Possible values:
|
||||||
|
|
||||||
* A string representing an iptables chain. The default is DROP.
|
* A string representing an iptables chain. The default is DROP.
|
||||||
|
"""),
|
||||||
|
# NOTE(sfinucan): While this is predominantly used by nova-network, there
|
||||||
|
# appears to be a very limited use case where iptables rules are also used
|
||||||
|
# with neutron. Namely, when neutron's port filtering is disabled, security
|
||||||
|
# groups are disabled, and the 'firewall_driver' has been set to the
|
||||||
|
# libvirt IPTables driver. We may wish to remove this functionality in
|
||||||
|
# favour of neutron in the future.
|
||||||
|
cfg.BoolOpt('defer_iptables_apply',
|
||||||
|
default=False,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_since="19.0.0",
|
||||||
|
deprecated_reason="""
|
||||||
|
nova-network is deprecated, as are any related configuration options.
|
||||||
|
""",
|
||||||
|
help="""
|
||||||
|
Defer application of IPTables rules until after init phase.
|
||||||
|
|
||||||
|
When a compute service is restarted each instance running on the host has its
|
||||||
|
iptables rules built and applied sequentially during the host init stage. The
|
||||||
|
impact of this, especially on a host running many instances, can be observed as
|
||||||
|
a period where some instances are not accessible as the existing iptables rules
|
||||||
|
have been torn down and not yet re-applied.
|
||||||
|
|
||||||
|
This is a workaround that prevents the application of the iptables rules until
|
||||||
|
all instances on the host had been initialised then the rules for all instances
|
||||||
|
are applied all at once preventing a 'blackout' period.
|
||||||
"""),
|
"""),
|
||||||
cfg.IntOpt("ovs_vsctl_timeout",
|
cfg.IntOpt("ovs_vsctl_timeout",
|
||||||
default=120,
|
default=120,
|
||||||
|
|
|
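Review bot: the `deprecated_reason` ("nova-network is deprecated, as are any related configuration options.") contradicts the NOTE directly above the option, which says iptables rules are also used with neutron when port filtering and security groups are disabled and `firewall_driver` is the libvirt IPTables driver. An operator in that configuration is told the option is irrelevant to them while it still controls when their filtering rules are applied on restart. Either state the neutron case in the reason or drop the claim from the NOTE. Smaller points in the help text: "had been initialised then the rules" should read "have been initialised, after which the rules", and the neighbouring options carry "Possible values:" and "Related options:" sections that this one lacks.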
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The following options, found in ``DEFAULT``, were only used for configuring
|
||||||
|
nova-network and are, like nova-network itself, now deprecated.
|
||||||
|
|
||||||
|
- ``defer_iptables_apply``
|
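Review bot: "were only used for configuring nova-network" in the release note is stronger than what the code comment in this same change says, which describes a limited neutron use case involving the libvirt IPTables `firewall_driver`. Operators read the release note, not the source comment, so the note should mention that case or the wording should be softened to "predominantly used". Also, the text says "The following options" but lists a single entry, ``defer_iptables_apply``. Use the singular or list the other options being deprecated alongside it.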