It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.
Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager use the network
driver to add the rule.
Reviewed: https:/ /review. openstack. org/558 github. com/openstack/ nova/commit/ d503dd6de4f45f1 49dfa295fd3137f 4944ed7f66
Committed: http://
Submitter: Jenkins
Branch: master
status fixcommitted
done
commit d503dd6de4f45f1 49dfa295fd3137f 4944ed7f66
Author: Mark McLoughlin <email address hidden>
Date: Mon Sep 5 07:10:52 2011 +0100
Add INPUT chain rule for EC2 metadata requests (lp:856385)
On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.
Add this rule to let it through:
$> sudo iptables -t filter -A nova-network-INPUT \
-s 0.0.0.0/0 -d $ec2_dmz_host \
-m tcp -p tcp --dport $ec2_port -j ACCEPT
It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.
Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager use the network
driver to add the rule.
Change-Id: I7c1f973c662a6d 290e555b6a2ce8f c301f27b543