nova-api should add iptables rules to accept metadata API requests
Bug #856385 reported by
Mark McLoughlin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Mark McLoughlin |
Bug Description
On systems where the default policy for the iptables INPUT filter is DROP, I'm seeing metadata requests being dropped.
Something similar to:
$> sudo iptables -t filter -A nova-network-INPUT \
fixes it for me
To explain fully, this is on Fedora, where the default policy is actually ACCEPT but the last rule in the INPUT chain is:
-A INPUT -j REJECT --reject-with icmp-host-
See also:
Related branches
lp:~markmc/nova/metadata-accept-rule
On hold for merging into lp:~hudson-openstack/nova/trunk
- Vish Ishaya (community): Needs Fixing
Diff: 157 lines (+84/-2), 5 files modified:
- nova/api/manager.py (+42/-0)
- nova/flags.py (+3/-0)
- nova/network/linux_net.py (+11/-0)
- nova/network/manager.py (+0/-2)
- nova/service.py (+28/-0)
Changed in nova: assignee: nobody → Mark McLoughlin (markmc); status: New → In Progress
Changed in nova: importance: Undecided → Medium
Changed in nova: status: In Progress → Fix Committed
Changed in nova: milestone: none → essex-1
Changed in nova: status: Fix Committed → Fix Released
Changed in nova: milestone: essex-1 → 2012.1
Reviewed: https://review.openstack.org/558
Committed: http://github.com/openstack/nova/commit/d503dd6de4f45f149dfa295fd3137f4944ed7f66
Submitter: Jenkins
Branch: master
status fixcommitted
done
commit d503dd6de4f45f149dfa295fd3137f4944ed7f66
Author: Mark McLoughlin <email address hidden>
Date: Mon Sep 5 07:10:52 2011 +0100
Add INPUT chain rule for EC2 metadata requests (lp:856385)
On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.
Add this rule to let it through:
$> sudo iptables -t filter -A nova-network-INPUT \
-s 0.0.0.0/0 -d $ec2_dmz_host \
-m tcp -p tcp --dport $ec2_port -j ACCEPT
It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.
Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.
Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
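As an added example (not code from this bug report or from the nova project), the following POSIX shell script shows the defender-side check that goes with the fix above: it builds the nova-network-INPUT accept rule from the ec2_dmz_host and ec2_port values, then audits an iptables-save dump for two things the bug turns on, whether the accept rule is present and whether the INPUT chain actually reaches nova-network-INPUT before its REJECT/DROP rule. The dumps, the host 10.0.0.1 and the port 8773 are constructed values (8773 is assumed to be nova's EC2 API default); on a real host you would feed the output of `iptables-save -t filter` to `audit_metadata_rule` instead.

```shell
#!/bin/sh
# Added example, not part of the bug page or of nova. Checks an iptables-save
# style dump for the EC2 metadata accept rule described in the commit message.

# Constructed placeholders; real deployments take these from nova's
# ec2_dmz_host / ec2_port flags (8773 assumed to be the default port).
EC2_DMZ_HOST="10.0.0.1"
EC2_PORT="8773"

# Print the rule specification (everything after the chain name) that the
# fix adds to nova-network-INPUT.
metadata_rule_spec() {
    printf '%s -d %s -m tcp -p tcp --dport %s -j ACCEPT\n' '-s 0.0.0.0/0' "$1" "$2"
}

# Exit 0 if the dump on stdin contains the accept rule in nova-network-INPUT.
# iptables-save normalises the rule ("-s 0.0.0.0/0" is dropped, "-d HOST"
# becomes "-d HOST/32", options are reordered), so match the significant
# parts rather than the literal command line.
has_metadata_accept() {
    host_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^-A nova-network-INPUT .*-d ${host_re}(/32)? .*-p tcp .*--dport $2 -j ACCEPT$"
}

# Exit 0 if, in the INPUT chain of the dump on stdin, the jump to
# nova-network-INPUT comes before any REJECT/DROP rule. If it does not, the
# accept rule exists but is never reached, which is the failure mode on a
# host whose INPUT chain ends in a REJECT.
jump_precedes_reject() {
    awk '
        /^-A INPUT / && /-j nova-network-INPUT/      { if (!seen_reject) ok = 1 }
        /^-A INPUT / && (/-j REJECT/ || /-j DROP/)   { seen_reject = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Audit a dump (passed as a string): exit 0 only when the accept rule is both
# present and reachable; otherwise report what is wrong and exit 1.
audit_metadata_rule() {
    dump="$1"; host="$2"; port="$3"; status=0
    if printf '%s\n' "$dump" | has_metadata_accept "$host" "$port"; then
        echo "ok: accept rule present in nova-network-INPUT"
    else
        echo "MISSING: iptables -t filter -A nova-network-INPUT $(metadata_rule_spec "$host" "$port")"
        status=1
    fi
    if printf '%s\n' "$dump" | jump_precedes_reject; then
        echo "ok: INPUT jumps to nova-network-INPUT before rejecting"
    else
        echo "UNREACHABLE: nova-network-INPUT is not reached before INPUT rejects"
        status=1
    fi
    return $status
}

# Constructed iptables-save excerpt for a host where the fix is applied.
FIXED_DUMP='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A nova-network-INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 8773 -j ACCEPT
COMMIT'

# Constructed excerpt for the situation in the bug: chain exists, no accept rule.
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed excerpt where the rule exists but INPUT rejects before the jump.
UNREACHABLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j nova-network-INPUT
-A nova-network-INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 8773 -j ACCEPT
COMMIT'

# Stand-alone run over the constructed dumps. On a real host use:
#   audit_metadata_rule "$(sudo iptables-save -t filter)" "$EC2_DMZ_HOST" "$EC2_PORT"
echo "== fixed host";       audit_metadata_rule "$FIXED_DUMP" "$EC2_DMZ_HOST" "$EC2_PORT"
echo "== broken host";      audit_metadata_rule "$BROKEN_DUMP" "$EC2_DMZ_HOST" "$EC2_PORT" || echo "(audit failed as expected)"
echo "== unreachable rule"; audit_metadata_rule "$UNREACHABLE_DUMP" "$EC2_DMZ_HOST" "$EC2_PORT" || echo "(audit failed as expected)"
```

The second check is the one worth keeping around after the fix lands: on the Fedora layout described in the report, adding the rule to nova-network-INPUT only helps if the distribution's INPUT chain jumps to that chain before its trailing REJECT, so an audit that only greps for the ACCEPT line would report a healthy host that still drops metadata requests.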