31 Mar 2013 mikal   » (Journeyer)

Merged in Havana: configurable iptables drop actions in nova

LaunchPad bug 1013893 asked nicely if the drop action for iptables rules created by nova-network could be configured. The idea here is that you might want to do something other than a plain old drop -- for example logging before dropping. This has now been implemented in Havana.

To configure the drop action, set the iptables_drop_action flag to the name of an already existing iptables target. Creating this target is not managed by nova, and you'll need to do it on every compute node. When nova creates or deletes rules on compute nodes it will now use this new target. There's a bit of an upgrade problem here in that this will stop nova from deleting rules which use the old hard-coded drop target. However, if an instance is torn down then all of its tables are torn down as well and rules will be deleted correctly, so this is only a problem if a security group is changed while the instance is running.

It occurs to me that we can do better here, so I've sent off this review to handle the case where a rule is being removed and uses the default drop action.

For safety, I would recommend only using this flag on new compute nodes that have no instances running in order to make this simple.
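As an added example (not part of the original post or of nova itself), here is the per-compute-node setup described above: a custom iptables target that logs before dropping, plus the nova.conf fragment that points iptables_drop_action at it. The chain name, log prefix and rate limit are my own choices; the script prints the iptables commands rather than running them so they can be reviewed first and then piped into sh on each node.

```shell
#!/bin/sh
# Added example: build a "log then drop" iptables target for nova-network's
# iptables_drop_action flag. Chain name and log prefix are assumptions.
CHAIN="${CHAIN:-nova-log-drop}"

# Emit the commands that create the target chain on a compute node.
# The LOG rule is rate limited so a flood of dropped packets cannot fill
# the kernel log; the final DROP preserves the original drop behaviour.
log_drop_rules() {
  chain="$1"
  cat <<EOF
iptables -N $chain
iptables -A $chain -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "nova-drop: " --log-level 4
iptables -A $chain -j DROP
EOF
}

# Emit the nova.conf setting that makes nova use the chain as its drop action.
nova_conf_fragment() {
  printf '[DEFAULT]\niptables_drop_action = %s\n' "$1"
}

# Print both pieces; on a real node: ./this.sh | sed -n '/^iptables/p' | sh
log_drop_rules "$CHAIN"
nova_conf_fragment "$CHAIN"
```

Create the chain before starting nova-network on the node: nova applies its rules through iptables-restore, and a restore that references a target which does not exist yet fails as a whole.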

Tags for this post: openstack havana nova iptables


Syndicated 2013-03-30 21:13:00 from stillhq.com : Mikal, a geek from Canberra living in Silicon Valley (no blather posts)
