[openstack-nova/f16] Add iptables rule to allow EC2 metadata requests (#734347)

Mark McLoughlin markmc at fedoraproject.org
Mon Sep 5 06:23:35 UTC 2011


commit a2f20e0148be278f19cef70cc4306ee58dbf5fae
Author: Mark McLoughlin <markmc at redhat.com>
Date:   Mon Sep 5 07:00:01 2011 +0100

    Add iptables rule to allow EC2 metadata requests (#734347)

 ...nput-chain-rule-for-ec2-metadata-requests.patch |   38 ++++++++++++++++++++
 openstack-nova.spec                                |    7 +++-
 2 files changed, 44 insertions(+), 1 deletions(-)
---
diff --git a/nova-add-input-chain-rule-for-ec2-metadata-requests.patch b/nova-add-input-chain-rule-for-ec2-metadata-requests.patch
new file mode 100644
index 0000000..242cd48
--- /dev/null
+++ b/nova-add-input-chain-rule-for-ec2-metadata-requests.patch
@@ -0,0 +1,38 @@
+From 5b4ee4f6adca466d4c15d4661db10c8e7b2e6ae4 Mon Sep 17 00:00:00 2001
+From: Mark McLoughlin <markmc at redhat.com>
+Date: Mon, 5 Sep 2011 06:59:45 +0100
+Subject: [PATCH] Add INPUT chain rule for EC2 metadata requests
+
+On Fedora, the default policy for the INPUT chain in the filter table
+is DROP. This means that EC2 metadata requests from guests get dropped.
+
+Add this rule to let it through:
+
+ $> sudo iptables -t filter -A nova-network-INPUT \
+                  -s 0.0.0.0/0 -d $ec2_dmz_host \
+                  -m tcp -p tcp --dport $ec2_port -j ACCEPT
+
+However, this only works if nova-network and nova-api are on the same
+host.
+---
+ nova/network/linux_net.py |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
+index dc0d2ca..2a37780 100644
+--- a/nova/network/linux_net.py
++++ b/nova/network/linux_net.py
+@@ -376,6 +376,10 @@ def metadata_forward():
+                                           '-p tcp -m tcp --dport 80 -j DNAT '
+                                           '--to-destination %s:%s' % \
+                                           (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
++    iptables_manager.ipv4['filter'].add_rule('INPUT',
++                                             '-s 0.0.0.0/0 -d %s '
++                                             '-p tcp -m tcp --dport %s -j ACCEPT' % \
++                                             (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
+     iptables_manager.apply()
+ 
+ 
+-- 
+1.7.4.4
+
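Review bot: The ACCEPT rule added by the new `add_rule('INPUT', ...)` call matches any source (`-s 0.0.0.0/0` is a no-op in iptables terms) to the metadata port on the DMZ host, which is wider than the guest-originated traffic the commit message describes. Scoping the source to the guest network range (`FLAGS.fixed_range` in nova of this vintage, I believe) would keep the INPUT opening limited to instances, e.g. `'-s %s -d %s -p tcp -m tcp --dport %s -j ACCEPT' % (FLAGS.fixed_range, FLAGS.ec2_dmz_host, FLAGS.ec2_port)`. The trailing `\` inside the parenthesised argument list is unnecessary, since the expression continues implicitly across lines. `metadata_forward` begins outside the hunk; the caveat from the commit message that the rule only helps when nova-network and nova-api share a host belongs in a comment above the rule, e.g. `# Accept metadata requests on the filter INPUT chain; only useful when nova-api runs on this host`.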
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 1583e76..fa6b08c 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -4,7 +4,7 @@
 
 Name:             openstack-nova
 Version:          2011.3
-Release:          0.7.%{milestone}%{?dist}
+Release:          0.8.%{milestone}%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -32,6 +32,7 @@ Patch1:           nova-fix-flavorid-migration-failure.patch
 Patch2:           nova-fix-quotas-migration-failure.patch
 Patch3:           nova-do-not-require-bridge_interface-for-flatdhcpmanager.patch
 Patch4:           nova-add-filter-rules-for-dnsmasq-dhcp.patch
+Patch5:           nova-add-input-chain-rule-for-ec2-metadata-requests.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -163,6 +164,7 @@ This package contains documentation files for nova.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -350,6 +352,9 @@ fi
 %endif
 
 %changelog
+* Mon Sep  5 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-0.8.d4
+- Add iptables rule to allow EC2 metadata requests (#734347)
+
 * Sat Sep  3 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-0.7.d4
 - Add iptables rules to allow requests to dnsmasq (#734347)
 

