OpenStack Compute (Nova)

instances in multi node mode can't reach metadata_host

Reported by Peng Yong on 2012-03-29
Affects: OpenStack Compute (nova)
Importance: Low
Assigned to: Peng Yong

Bug Description

I installed multi-node OpenStack on CentOS. The instances on the compute nodes connect to metadata_host for metadata.

ec2_host=192.168.28.6 # public interface of controller
metadata_host=10.9.0.100 #internal interface of controller
my_ip=192.168.28.7 # compute node

The instance can't connect to metadata_host; here is iptables:
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.0.100:8775
-A nova-network-snat -s 10.9.0.0/16 -j SNAT --to-source 192.168.28.7

I modified the ipfilter, and it works:
-A nova-network-snat -s 10.9.0.0/16 -o eth0 -j SNAT --to-source 192.168.28.7

Peng Yong (ppyy) on 2012-03-29
Changed in nova:
assignee: nobody → Peng Yong (ppyy)
status: New → In Progress
Vish Ishaya (vishvananda) wrote :

This can be done with dmz_cidr. Since dmz_cidr is not obvious, perhaps a change like the following is actually better:

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 7258e62..908c96b 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -442,6 +442,10 @@ def init_host(ip_range=None):
     add_snat_rule(ip_range)

     iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
+ '-s %s -d %s/32 -j ACCEPT' %
+ (ip_range, FLAGS.metadata_host))
+
+ iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
                                           '-s %s -d %s -j ACCEPT' %
                                           (ip_range, FLAGS.dmz_cidr))
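
Review bot: the added rule at the top of the hunk builds its destination as '%s/32' from FLAGS.metadata_host with no validation, so it is only well-formed when that flag holds a single IPv4 address; a hostname, or a value that already carries a prefix length, may not produce the intended rule. Consider validating or normalising the flag before interpolating it. The match is also wider than the metadata service needs: it exempts every protocol and port from ip_range to that host from SNAT, so a short comment saying this is intentional, as with the dmz_cidr rule that follows it, would help the next reader.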

Peng Yong (ppyy) wrote :

Thanks Vish, upload another patch

Vish Ishaya (vishvananda) wrote :

Marking this release potential because it is a very small change that has some user facing benefit. I have had multiple times where I've had to explain to people to set dmz_cidr because metadata is on another host. This makes it automatic and means people don't have to manually change a config option.

Changed in nova:
importance: Undecided → Low
tags: added: essex-rc-potential
Changed in nova:
assignee: Peng Yong (ppyy) → Vish Ishaya (vishvananda)
Changed in nova:
assignee: Vish Ishaya (vishvananda) → Peng Yong (ppyy)
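
The three rule sets discussed in this report (the original SNAT rule, the reporter's `-o eth0` variant, and the ACCEPT rule from the patch), modelled as first-match evaluation; this is an added example, not code from nova or from the commenters. The instance address, the internal interface name `eth1`, the external destination, and the assumption that the ACCEPT rule is evaluated before the SNAT rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the bug report.
IP_RANGE, METADATA_HOST, MY_IP = "10.9.0.0/16", "10.9.0.100", "192.168.28.7"
INSTANCE_IP = "10.9.0.5"         # constructed instance address inside IP_RANGE
INTERNAL_IF = "eth1"             # assumed name of the compute node's internal interface
EXTERNAL_DST = "198.51.100.10"   # constructed destination outside the cloud


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "SNAT"
    src: str = "0.0.0.0/0"           # -s
    dst: str = "0.0.0.0/0"           # -d
    out_iface: Optional[str] = None  # -o (None matches any interface)
    to_source: Optional[str] = None  # --to-source, for SNAT only

    def matches(self, src, dst, out_iface):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.out_iface in (None, out_iface))


def source_after_postrouting(rules, src, dst, out_iface):
    """Return the packet's source address after the first matching nat rule.

    ACCEPT and SNAT are both terminating: later rules are not consulted.
    """
    for rule in rules:
        if rule.matches(src, dst, out_iface):
            return rule.to_source if rule.target == "SNAT" else src
    return src


ORIGINAL = [Rule("SNAT", src=IP_RANGE, to_source=MY_IP)]
WORKAROUND = [Rule("SNAT", src=IP_RANGE, out_iface="eth0", to_source=MY_IP)]
# Assumption: the ACCEPT rule from the patch is reached before the SNAT rule.
PATCHED = [Rule("ACCEPT", src=IP_RANGE, dst=METADATA_HOST + "/32")] + ORIGINAL


def metadata_source(rules):
    """Source address the metadata host sees, after DNAT to METADATA_HOST."""
    return source_after_postrouting(rules, INSTANCE_IP, METADATA_HOST, INTERNAL_IF)


def external_source(rules):
    """Source address seen by a host reached through eth0."""
    return source_after_postrouting(rules, INSTANCE_IP, EXTERNAL_DST, "eth0")
```

With the original rule the metadata request leaves with the compute node's address; with either change it keeps the instance address, while outbound traffic through eth0 is still rewritten in all three cases.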

Reviewed: https://review.openstack.org/5961
Committed: http://github.com/openstack/nova/commit/b302e41785920a910013b07b40c0384b2294172c
Submitter: Jenkins
Branch: master

commit b302e41785920a910013b07b40c0384b2294172c
Author: Peng Yong <email address hidden>
Date: Fri Mar 30 23:25:32 2012 +0800

    Accept metadata ip so packets aren't snatted

     * fixes bug 968453

    Change-Id: I12a7967bb711fe5fd9a7ebc2473209833d33f546

Changed in nova:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/6028
Committed: http://github.com/openstack/nova/commit/6ecb3c2d2df7f58cb33d7d274200b9768d7dce81
Submitter: Jenkins
Branch: milestone-proposed

commit 6ecb3c2d2df7f58cb33d7d274200b9768d7dce81
Author: Peng Yong <email address hidden>
Date: Fri Mar 30 23:25:32 2012 +0800

    Accept metadata ip so packets aren't snatted

     * fixes bug 968453

    Change-Id: I12a7967bb711fe5fd9a7ebc2473209833d33f546

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: none → 2012.1