Merge lp://qastaging/~markmc/nova/metadata-accept-rule into lp://qastaging/~hudson-openstack/nova/trunk

Proposed by Mark McLoughlin
Status: Work in progress
Proposed branch: lp://qastaging/~markmc/nova/metadata-accept-rule
Merge into: lp://qastaging/~hudson-openstack/nova/trunk
Diff against target: 157 lines (+84/-2)
5 files modified
nova/api/manager.py (+42/-0)
nova/flags.py (+3/-0)
nova/network/linux_net.py (+11/-0)
nova/network/manager.py (+0/-2)
nova/service.py (+28/-0)
To merge this branch: bzr merge lp://qastaging/~markmc/nova/metadata-accept-rule
Reviewer: Vish Ishaya (community), Status: Needs Fixing
Review via email: mp+74051@code.qastaging.launchpad.net

Commit message

Add INPUT chain rule for EC2 metadata requests (lp:856385)

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

We have nova-api add this rule to let it through:

$> sudo iptables -t filter -A nova-api-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT
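
As an added example (not part of this merge proposal or of nova itself), a POSIX shell check that reads an iptables-save dump and reports whether TCP traffic to ec2_dmz_host:ec2_port would survive a DROP policy on the filter INPUT chain. It accepts the rule in INPUT itself or in any chain INPUT jumps to, so it covers both the nova-network-INPUT and nova-api-INPUT variants discussed here; the dumps, the host 192.168.1.10 and the port 8773 are constructed sample values.

```shell
#!/bin/sh
# Constructed iptables-save excerpt: Fedora-style INPUT policy DROP, with the
# rule from the commit message installed in the nova-api-INPUT chain.
DUMP_WITH_RULE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-api-INPUT - [0:0]
-A INPUT -j nova-api-INPUT
-A nova-api-INPUT -d 192.168.1.10/32 -p tcp -m tcp --dport 8773 -j ACCEPT
COMMIT'

# Constructed dump of the same host before the fix: DROP policy, no metadata rule.
DUMP_WITHOUT_RULE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# metadata_reachable DUMP HOST PORT
# Returns 0 if TCP traffic to HOST:PORT passes the filter INPUT path,
# 1 if the INPUT policy would drop it.  Only INPUT and the chains it jumps
# to unconditionally are searched, so a rule parked in a chain that is
# never reached from INPUT is (correctly) not counted.
metadata_reachable() {
    dump=$1 host=$2 port=$3
    # An ACCEPT policy on INPUT needs no dedicated rule.
    if printf '%s\n' "$dump" | grep -q '^:INPUT ACCEPT'; then
        return 0
    fi
    hostre=$(printf '%s' "$host" | sed 's/\./\\./g')
    # INPUT itself plus every chain referenced by "-A INPUT -j <chain>".
    chains="INPUT $(printf '%s\n' "$dump" | sed -n 's/^-A INPUT -j \([^ ]*\)$/\1/p')"
    for chain in $chains; do
        if printf '%s\n' "$dump" | grep -Eq \
            "^-A $chain( .*)? -d $hostre(/32)? .*-p tcp .*--dport $port .*-j ACCEPT$"; then
            return 0
        fi
    done
    return 1
}

if metadata_reachable "$DUMP_WITH_RULE" 192.168.1.10 8773; then
    echo "fixed host: metadata requests accepted"
fi
if ! metadata_reachable "$DUMP_WITHOUT_RULE" 192.168.1.10 8773; then
    echo "unfixed host: metadata requests dropped by INPUT policy"
fi
```

On a live host the dump comes from `iptables-save -t filter`; a failing check means guests' metadata requests are being swallowed by the INPUT policy and the rule from the commit message is missing.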

Vish Ishaya (vishvananda) wrote :

Again, reasonable. Perhaps one bug for all of these.

review: Approve
Vish Ishaya (vishvananda) wrote :

Actually, I'm not so sure about this. This rule really needs to go into nova-api to be useful.

review: Abstain
1528. By Mark McLoughlin

Have nova-api add the INPUT rule for EC2 metadata

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.

Mark McLoughlin (markmc) wrote :

> Actually, I'm not so sure about this. This rule really needs to go into nova-api to be useful.

Okay, I've attempted to have nova-api add it.

Vish Ishaya (vishvananda) wrote :

I'm a little worried about adding it into Diablo, so we might just have to mention in the release notes that the rule will have to be added manually for Fedora.

Also, the construction of the manager class isn't quite right. Host is supposed to be FLAGS.host not the ip string for listen.

review: Needs Fixing
1529. By Mark McLoughlin

Allow EC2 manager host param to be set to default FLAGS.host

1530. By Mark McLoughlin

Fix pep8 issue

Mark McLoughlin (markmc) wrote :

> I'm a little worried about adding it into Diablo, so we might just have to
> mention in the release notes that the rule will have to be added manually for
> Fedora.

Okay. I've included the original hacky patch in the Fedora Diablo packages.

> Also, the construction of the manager class isn't quite right. Host is
> supposed to be FLAGS.host not the ip string for listen.

Good catch, fixed now.

Thierry Carrez (ttx) wrote :

Could you split it into a separate bug? The other part of this bug is now fixed.

Mark McLoughlin (markmc) wrote :

> Could you split it into a separate bug? The other part of this bug is now fixed.

Done, sorry for the delay.

Unmerged revisions

1530. By Mark McLoughlin

Fix pep8 issue

1529. By Mark McLoughlin

Allow EC2 manager host param to be set to default FLAGS.host

1528. By Mark McLoughlin

Have nova-api add the INPUT rule for EC2 metadata

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.

1527. By Mark McLoughlin

Add INPUT chain rule for EC2 metadata requests

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

$> sudo iptables -t filter -A nova-network-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT

However, this only works if nova-network and nova-api are on the same
host.
