nova-api should add iptables rules to accept metadata API requests

Bug #856385 reported by Mark McLoughlin
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Mark McLoughlin

Bug Description

On systems where the default policy for the iptables INPUT filter is DROP, I'm seeing metadata requests being dropped.

Something similar to:

  $> sudo iptables -t filter -A nova-network-INPUT \
                   -s 0.0.0.0/0 -d $ec2_dmz_host \
                   -m tcp -p tcp --dport $ec2_port -j ACCEPT

fixes it for me.

To explain fully, this is on Fedora, where the default policy is actually ACCEPT but the last rule in the INPUT chain is:

  -A INPUT -j REJECT --reject-with icmp-host-prohibited

See also:

  https://bugs.launchpad.net/nova/+bug/844935

Mark McLoughlin (markmc)
Changed in nova:
assignee: nobody → Mark McLoughlin (markmc)
status: New → In Progress
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
Openstack Gerrit (openstack-gerrit) wrote : A change has been merged to openstack/nova

Reviewed: https://review.openstack.org/558
Committed: http://github.com/openstack/nova/commit/d503dd6de4f45f149dfa295fd3137f4944ed7f66
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit d503dd6de4f45f149dfa295fd3137f4944ed7f66
Author: Mark McLoughlin <email address hidden>
Date: Mon Sep 5 07:10:52 2011 +0100

    Add INPUT chain rule for EC2 metadata requests (lp:856385)

    On Fedora, the default policy for the INPUT chain in the filter table
    is DROP. This means that EC2 metadata requests from guests get dropped.

    Add this rule to let it through:

    $> sudo iptables -t filter -A nova-network-INPUT \
                     -s 0.0.0.0/0 -d $ec2_dmz_host \
                     -m tcp -p tcp --dport $ec2_port -j ACCEPT

    It makes no sense to have nova-network add an iptables rule for the EC2
    metadata service, since they may not actually be on the same host.

    Instead, nova-api should add it directly. In order to do that, we add a
    manager class for API services and allow the EC2 manager use the network
    driver to add the rule.

    Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
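
The chain walk that the rule in the report and in the commit message relies on, as an added example that is not part of the bug report or of nova's code: a small Python simulation of INPUT chain traversal over constructed iptables-save fragments, with assumed values for ec2_dmz_host (10.0.0.1) and ec2_port (8773) and an assumed guest source address. It returns the verdict a guest's metadata request gets, so the Fedora REJECT case, the DROP-policy case from the commit message, and the fixed ruleset can all be checked offline.

```python
import ipaddress
import shlex
# Constructed iptables-save fragments (assumed ec2_dmz_host 10.0.0.1, ec2_port 8773):
# a Fedora-style INPUT chain ending in REJECT, with and without the fix's ACCEPT rule.
BEFORE = """\
-A INPUT -j nova-network-INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
AFTER = BEFORE + ("-A nova-network-INPUT -s 0.0.0.0/0 -d 10.0.0.1/32"
                  " -m tcp -p tcp --dport 8773 -j ACCEPT\n")

MATCHERS = {  # option -> predicate on the packet; -m only loads a match module
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v),
    "-d": lambda v, p: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v),
    "-p": lambda v, p: v == p["proto"],
    "--dport": lambda v, p: int(v) == p["dport"],
    "-m": lambda v, p: True,
}

def parse_rules(text):
    """Group '-A CHAIN ...' lines into {chain: [rule tokens]}, preserving order."""
    chains = {}
    for toks in (shlex.split(l) for l in text.splitlines() if l.startswith("-A ")):
        chains.setdefault(toks[1], []).append(toks[2:])
    return chains

def rule_matches(toks, pkt):
    """True if every match option before -j applies to pkt."""
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt == "-j":
            return True
        if not MATCHERS[opt](val, pkt):  # KeyError flags an option this toy does not model
            return False
    return True

def verdict(pkt, chains, chain, policy=None):
    """Walk a chain as netfilter does: first terminating target wins, else the policy."""
    for toks in chains.get(chain, []):
        if rule_matches(toks, pkt):
            target = toks[toks.index("-j") + 1]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            sub = verdict(pkt, chains, target)  # user-defined chain: no policy, falls through
            if sub is not None:
                return sub
    return policy

def metadata_verdict(ruleset, input_policy="ACCEPT", dmz_host="10.0.0.1", port=8773):
    pkt = {"src": "10.0.0.5", "dst": dmz_host, "proto": "tcp", "dport": port}  # guest SYN
    return verdict(pkt, parse_rules(ruleset), "INPUT", input_policy)
```

The walk also makes the ordering visible: the ACCEPT only helps if the jump to nova-network-INPUT is evaluated before the REJECT rule, which is the position nova's iptables handling gives it.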

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → essex-1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-1 → 2012.1