iptables NAT rules set by openstack-l3-agent are incomplete for AiO setups
Bug #1079926 reported by Martin Gerhard Loschwitz
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | Expired | Undecided | Unassigned | | |
Bug Description
In order to allow access to the metadata service (169.254.169.254), quantum-l3-agent sets NAT rules for the affected router namespace:
-t nat -A quantum-
For setups where all services are running on the same host, this is insufficient. The rule above is simply skipped for packages that were generated by local processes. To make it work, the following rule is required:
-t nat -A quantum-
With that rule in place, VMs can reach the metadata service nicely.
That would redirect all port 80 traffic to port 8775, which seems improbably broad.