diff --git a/nova/conf/compute.py b/nova/conf/compute.py index 016d77802ad9..e75d60dcf7f9 100644 --- a/nova/conf/compute.py +++ b/nova/conf/compute.py @@ -497,12 +497,6 @@ Possible values: * None (default) * Any string representing network name. -"""), - cfg.BoolOpt('defer_iptables_apply', - default=False, - help=""" -Whether to batch up the application of IPTables rules during a host restart -and apply all at the end of the init phase. """), cfg.StrOpt('instances_path', default=paths.state_path_def('instances'), diff --git a/nova/conf/network.py b/nova/conf/network.py index d6d04ca5a24f..4ab64c1c7baf 100644 --- a/nova/conf/network.py +++ b/nova/conf/network.py @@ -874,6 +874,12 @@ Related options: * iptables_top_regex """), + # NOTE(sfinucan): While this is predominantly used by nova-network, there + # appears to be a very limited use case where iptables rules are also used + # with neutron. Namely, when neutron's port filtering is disabled, security + # groups are disabled, and the 'firewall_driver' has been set to the + # libvirt IPTables driver. We may wish to remove this functionality in + # favour of neutron in the future. cfg.StrOpt("iptables_drop_action", default="DROP", deprecated_for_removal=True, @@ -890,6 +896,32 @@ going on, or LOGDROP in order to record the blocked traffic before DROPping. Possible values: * A string representing an iptables chain. The default is DROP. +"""), + # NOTE(sfinucan): While this is predominantly used by nova-network, there + # appears to be a very limited use case where iptables rules are also used + # with neutron. Namely, when neutron's port filtering is disabled, security + # groups are disabled, and the 'firewall_driver' has been set to the + # libvirt IPTables driver. We may wish to remove this functionality in + # favour of neutron in the future. + cfg.BoolOpt('defer_iptables_apply', + default=False, + deprecated_for_removal=True, + deprecated_since="19.0.0", + deprecated_reason=""" +nova-network is deprecated, as are any related configuration options. +""", + help=""" +Defer application of IPTables rules until after init phase. + +When a compute service is restarted each instance running on the host has its +iptables rules built and applied sequentially during the host init stage. The +impact of this, especially on a host running many instances, can be observed as +a period where some instances are not accessible as the existing iptables rules +have been torn down and not yet re-applied. + +This is a workaround that prevents the application of the iptables rules until +all instances on the host had been initialised then the rules for all instances +are applied all at once preventing a 'blackout' period. """), cfg.IntOpt("ovs_vsctl_timeout", default=120, diff --git a/releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml b/releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml new file mode 100644 index 000000000000..910b6a423878 --- /dev/null +++ b/releasenotes/notes/deprecate-yet-another-nova-network-opt-b23b7bd9c31383eb.yaml @@ -0,0 +1,7 @@ +--- +deprecations: + - | + The following options, found in ``DEFAULT``, were only used for configuring + nova-network and are, like nova-network itself, now deprecated. + + - ``defer_iptables_apply``