Comment 1 for bug 856385

Openstack Gerrit (openstack-gerrit) wrote : A change has been merged to openstack/nova

Reviewed: https://review.openstack.org/558
Committed: http://github.com/openstack/nova/commit/d503dd6de4f45f149dfa295fd3137f4944ed7f66
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit d503dd6de4f45f149dfa295fd3137f4944ed7f66
Author: Mark McLoughlin <email address hidden>
Date: Mon Sep 5 07:10:52 2011 +0100

    Add INPUT chain rule for EC2 metadata requests (lp:856385)

    On Fedora, the default policy for the INPUT chain in the filter table
    is DROP. This means that EC2 metadata requests from guests get dropped.

    Add this rule to let it through:

    $> sudo iptables -t filter -A nova-network-INPUT \
                     -s 0.0.0.0/0 -d $ec2_dmz_host \
                     -m tcp -p tcp --dport $ec2_port -j ACCEPT

    It makes no sense to have nova-network add an iptables rule for the EC2
    metadata service, since they may not actually be on the same host.

    Instead, nova-api should add it directly. In order to do that, we add a
    manager class for API services and allow the EC2 manager to use the
    network driver to add the rule.

    Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
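As an added example (not part of the bug comment or of nova's code), the following audit helper checks whether a host's `iptables-save` output would actually let EC2 metadata traffic through: it parses the filter table, confirms INPUT jumps to nova-network-INPUT, and looks for the ACCEPT rule for `ec2_dmz_host`:`ec2_port` described above; otherwise the chain's policy decides. The sample ruleset, the address 10.0.0.1 and the port 8773 are constructed for illustration.

```python
# Constructed iptables-save excerpt (not from the page): Fedora-style filter
# table with INPUT policy DROP, plus the rule added by the commit.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A nova-network-INPUT -s 0.0.0.0/0 -d 10.0.0.1/32 -p tcp -m tcp --dport 8773 -j ACCEPT
COMMIT
"""


def parse_filter_table(text):
    """Return (policies, chains) for the *filter table of iptables-save output."""
    policies, chains, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):                 # chain declaration: ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):               # appended rule: "-A CHAIN <match args>"
            parts = line.split()
            chains.setdefault(parts[1], []).append(parts[2:])
    return policies, chains


def _opt(rule, flag):
    """Value following a flag in a tokenized rule, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None


def metadata_accepted(text, ec2_dmz_host, ec2_port, chain="nova-network-INPUT"):
    """True if TCP traffic to ec2_dmz_host:ec2_port reaches the metadata service."""
    policies, chains = parse_filter_table(text)
    # Without a jump from INPUT into the nova chain, only the INPUT policy matters.
    if not any(_opt(r, "-j") == chain for r in chains.get("INPUT", [])):
        return policies.get("INPUT") == "ACCEPT"
    for rule in chains.get(chain, []):
        dst = _opt(rule, "-d")                      # None means "any destination"
        host_ok = dst is None or dst.split("/")[0] in (ec2_dmz_host, "0.0.0.0")
        if (host_ok and _opt(rule, "-p") == "tcp"
                and _opt(rule, "--dport") == str(ec2_port) and _opt(rule, "-j") == "ACCEPT"):
            return True
    return policies.get("INPUT") == "ACCEPT"        # fall through to the default policy (DROP on Fedora)
```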