authorMark McLoughlin <markmc@redhat.com>2011-09-05 07:10:52 +0100
committerMark McLoughlin <markmc@redhat.com>2011-10-13 08:46:23 +0100
commitd503dd6de4f45f149dfa295fd3137f4944ed7f66 (patch)
treecd929ab692b44c1e30f436fe1f9af0a049749a0c /nova/api
parent8010ab4e31a1487375d4d01b18a0f56434fba15d (diff)
Add INPUT chain rule for EC2 metadata requests (lp:856385)
On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that EC2 metadata requests from guests get dropped. Add this rule to let it through: $> sudo iptables -t filter -A nova-network-INPUT \ -s 0.0.0.0/0 -d $ec2_dmz_host \ -m tcp -p tcp --dport $ec2_port -j ACCEPT It makes no sense to have nova-network add an iptables rule for the EC2 metadata service, since they may not actually be on the same host. Instead, nova-api should add it directly. In order to do that, we add a manager class for API services and allow the EC2 manager to use the network driver to add the rule. Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
Diffstat (limited to 'nova/api')
-rw-r--r--nova/api/manager.py42
1 files changed, 42 insertions, 0 deletions
diff --git a/nova/api/manager.py b/nova/api/manager.py
new file mode 100644
index 000000000..b3fcf9352
--- /dev/null
+++ b/nova/api/manager.py
@@ -0,0 +1,42 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from nova import flags
+from nova import manager
+from nova import utils
+
+FLAGS = flags.FLAGS
+
+
+class EC2Manager(manager.Manager):
+ """EC2 API manager.
+
+ This class manages the EC2 API service initialization. Currently, it
+ just adds an iptables filter rule for the metadata service.
+ """
+ def __init__(self, *args, **kwargs):
+ super(EC2Manager, self).__init__(*args, **kwargs)
+ self.network_driver = utils.import_object(FLAGS.network_driver)
+
+ def init_host(self):
+ """Perform any initialization.
+
+ Currently, we only add an iptables filter rule for the metadta
+ service.
+ """
+ self.network_driver.metadata_accept()
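Review bot: `init_host` calls `self.network_driver.metadata_accept()` with no guard and no logging, so if the driver selected by `FLAGS.network_driver` lacks that method or the iptables call fails, the EC2 API either dies at startup with an error unrelated to the API itself or, depending on how the driver reports failure, comes up while guest metadata requests are still dropped by the INPUT policy; at minimum log the outcome so an operator can tell why metadata is unreachable, e.g. `LOG.debug(_("Adding iptables ACCEPT rule for the EC2 metadata service"))` before the call. The `init_host` docstring also misspells the service: `Currently, we only add an iptables filter rule for the metadata` (`metadta` → `metadata`). Per the commit message the rule accepts from `0.0.0.0/0` to `$ec2_dmz_host:$ec2_port`; whether the source is narrowed to the guest networks is decided in the driver rather than in this file, but it is worth confirming there, since the metadata endpoint hands out instance credentials and should not be reachable from arbitrary sources just because the filter policy is DROP elsewhere. `EC2Manager` is a new file and both methods are complete within the hunk.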