conf: Deprecated 'defer_iptables_apply'

This is *mostly* used for nova-network and therefore can be deprecated.
There is one corner case where we could conceivably use this with
neutron and the libvirt driver, but it's only ever going to work with
with Linux bridge, is probably broken and should just be removed in
favour of neutron variants of this functionality. A note is included
detailing this, just in case people do want to spend the time getting to
the bottom of this, but I wouldn't recommend that.

The help text for this option is improved based on information I found
while researching the option and mostly taken from the commit message
for commit 8f1c54ce.

Change-Id: I33607453b3174192a33d9d56e203227bc9237f31

nova/conf/compute.py

@@ -497,12 +497,6 @@ Possible values:
 
 * None (default)
 * Any string representing network name.
-"""),
-    cfg.BoolOpt('defer_iptables_apply',
-        default=False,
-        help="""
-Whether to batch up the application of IPTables rules during a host restart
-and apply all at the end of the init phase.
 """),
     cfg.StrOpt('instances_path',
         default=paths.state_path_def('instances'),

nova/conf/network.py

@@ -874,6 +874,12 @@ Related options:
 
 * iptables_top_regex
 """),
+    # NOTE(sfinucan): While this is predominantly used by nova-network, there
+    # appears to be a very limited use case where iptables rules are also used
+    # with neutron. Namely, when neutron's port filtering is disabled, security
+    # groups are disabled, and the 'firewall_driver' has been set to the
+    # libvirt IPTables driver. We may wish to remove this functionality in
+    # favour of neutron in the future.
     cfg.StrOpt("iptables_drop_action",
         default="DROP",
         deprecated_for_removal=True,
@@ -890,6 +896,32 @@ going on, or LOGDROP in order to record the blocked traffic before DROPping.
 Possible values:
 
 * A string representing an iptables chain. The default is DROP.
+"""),
+    # NOTE(sfinucan): While this is predominantly used by nova-network, there
+    # appears to be a very limited use case where iptables rules are also used
+    # with neutron. Namely, when neutron's port filtering is disabled, security
+    # groups are disabled, and the 'firewall_driver' has been set to the
+    # libvirt IPTables driver. We may wish to remove this functionality in
+    # favour of neutron in the future.
+    cfg.BoolOpt('defer_iptables_apply',
+        default=False,
+        deprecated_for_removal=True,
+        deprecated_since="19.0.0",
+        deprecated_reason="""
+nova-network is deprecated, as are any related configuration options.
+""",
+        help="""
+Defer application of IPTables rules until after init phase.
+
+When a compute service is restarted each instance running on the host has its
+iptables rules built and applied sequentially during the host init stage. The
+impact of this, especially on a host running many instances, can be observed as
+a period where some instances are not accessible as the existing iptables rules
+have been torn down and not yet re-applied.
+
+This is a workaround that prevents the application of the iptables rules until
+all instances on the host had been initialised then the rules for all instances
+are applied all at once preventing a 'blackout' period.
 """),
     cfg.IntOpt("ovs_vsctl_timeout",
         default=120,

releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml

@@ -0,0 +1,7 @@
+---
+deprecations:
+  - |
+    The following options, found in ``DEFAULT``, were only used for configuring
+    nova-network and are, like nova-network itself, now deprecated.
+
+    - ``defer_iptables_apply``