conf: Deprecated 'defer_iptables_apply'

This is *mostly* used for nova-network and therefore can be deprecated.
There is one corner case where we could conceivably use this with
neutron and the libvirt driver, but it's only ever going to work with
Linux bridge, is probably broken and should just be removed in
favour of neutron variants of this functionality. A note is included
detailing this, just in case people do want to spend the time getting to
the bottom of this, but I wouldn't recommend that.

The help text for this option is improved based on information I found
while researching the option and mostly taken from the commit message
for commit 8f1c54ce.

Change-Id: I33607453b3174192a33d9d56e203227bc9237f31
Stephen Finucane 2017-03-13 16:33:25 +00:00
parent e37de17701
commit 5a00272043
3 changed files with 39 additions and 6 deletions


@ -497,12 +497,6 @@ Possible values:
* None (default)
* Any string representing network name.
"""),
cfg.BoolOpt('defer_iptables_apply',
default=False,
help="""
Whether to batch up the application of IPTables rules during a host restart
and apply all at the end of the init phase.
"""),
cfg.StrOpt('instances_path',
default=paths.state_path_def('instances'),
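Review bot: the option is deleted from this file rather than deprecated in place, so it has to be re-registered under the same group elsewhere in this change (the release note says it lives in ``DEFAULT``); if the group differs, existing nova.conf entries that set `defer_iptables_apply` would no longer be read and operators would lose the deferral behaviour without any deprecation warning. Worth a quick check that the option name and group in the re-added definition match these six removed lines exactly.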


@ -874,6 +874,12 @@ Related options:
* iptables_top_regex
"""),
# NOTE(sfinucan): While this is predominantly used by nova-network, there
# appears to be a very limited use case where iptables rules are also used
# with neutron. Namely, when neutron's port filtering is disabled, security
# groups are disabled, and the 'firewall_driver' has been set to the
# libvirt IPTables driver. We may wish to remove this functionality in
# favour of neutron in the future.
cfg.StrOpt("iptables_drop_action",
default="DROP",
deprecated_for_removal=True,
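Review bot: this six-line NOTE(sfinucan) block is pasted verbatim here above `iptables_drop_action` and again above `defer_iptables_apply` in the next hunk; keep a single copy at the head of the iptables option group (or as a module-level comment) and point each option at it, so the two copies cannot drift apart when the neutron corner case it describes is eventually resolved or removed.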
@ -890,6 +896,32 @@ going on, or LOGDROP in order to record the blocked traffic before DROPping.
Possible values:
* A string representing an iptables chain. The default is DROP.
"""),
# NOTE(sfinucan): While this is predominantly used by nova-network, there
# appears to be a very limited use case where iptables rules are also used
# with neutron. Namely, when neutron's port filtering is disabled, security
# groups are disabled, and the 'firewall_driver' has been set to the
# libvirt IPTables driver. We may wish to remove this functionality in
# favour of neutron in the future.
cfg.BoolOpt('defer_iptables_apply',
default=False,
deprecated_for_removal=True,
deprecated_since="19.0.0",
deprecated_reason="""
nova-network is deprecated, as are any related configuration options.
""",
help="""
Defer application of IPTables rules until after init phase.
When a compute service is restarted each instance running on the host has its
iptables rules built and applied sequentially during the host init stage. The
impact of this, especially on a host running many instances, can be observed as
a period where some instances are not accessible as the existing iptables rules
have been torn down and not yet re-applied.
This is a workaround that prevents the application of the iptables rules until
all instances on the host had been initialised then the rules for all instances
are applied all at once preventing a 'blackout' period.
"""),
cfg.IntOpt("ovs_vsctl_timeout",
default=120,
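Review bot: `deprecated_reason` states only that "nova-network is deprecated", yet the NOTE immediately above the option describes a neutron deployment (port filtering disabled, security groups disabled, `firewall_driver` set to the libvirt iptables driver) that also reads this option, so an operator in that configuration receives a deprecation message that does not explain why it applies to them. Suggest extending the reason to something like "nova-network is deprecated, as are any related configuration options. The neutron + libvirt iptables firewall driver case this option also covers is unsupported and will be removed with it." Separately, the last help paragraph is a run-on with a tense slip ("had been initialised"); "...until all instances on the host have been initialised; the rules for all instances are then applied at once, avoiding a 'blackout' period." reads cleaner.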


@ -0,0 +1,7 @@
---
deprecations:
- |
The following options, found in ``DEFAULT``, were only used for configuring
nova-network and are, like nova-network itself, now deprecated.
- ``defer_iptables_apply``
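Review bot: the note says "The following options ... were only used for configuring nova-network" but lists a single option, and "only used for nova-network" contradicts the NOTE added above the option in the same change, which describes a neutron + libvirt iptables firewall driver configuration that also consumes it. Suggest singular wording ("The following option, found in ``DEFAULT``, was only used ...") and one extra sentence telling operators who run neutron with the libvirt iptables `firewall_driver` that `defer_iptables_apply` is deprecated for them as well, so they are not surprised when it is removed.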