author Mark McLoughlin <markmc@redhat.com> 2011-09-05 07:10:52 +0100
committer Mark McLoughlin <markmc@redhat.com> 2011-10-13 08:46:23 +0100
commit d503dd6de4f45f149dfa295fd3137f4944ed7f66 (patch)
tree cd929ab692b44c1e30f436fe1f9af0a049749a0c /nova/flags.py
parent 8010ab4e31a1487375d4d01b18a0f56434fba15d (diff)
Add INPUT chain rule for EC2 metadata requests (lp:856385)
On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

    $> sudo iptables -t filter -A nova-network-INPUT \
         -s 0.0.0.0/0 -d $ec2_dmz_host \
         -m tcp -p tcp --dport $ec2_port -j ACCEPT

It makes no sense to have nova-network add an iptables rule for the EC2 metadata service, since they may not actually be on the same host. Instead, nova-api should add it directly.

In order to do that, we add a manager class for API services and allow the EC2 manager to use the network driver to add the rule.

Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
Diffstat (limited to 'nova/flags.py')
-rw-r--r-- nova/flags.py 3
1 files changed, 3 insertions, 0 deletions
diff --git a/nova/flags.py b/nova/flags.py
index 58e8570b1..5d066566e 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -415,6 +415,9 @@ DEFINE_bool('resume_guests_state_on_host_boot', False,
DEFINE_string('root_helper', 'sudo',
'Command prefix to use for running commands as root')
+DEFINE_string('network_driver', 'nova.network.linux_net',
+ 'Driver to use for network creation')
+
DEFINE_bool('use_ipv6', False, 'use ipv6')
DEFINE_integer('password_length', 12,
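Review bot: The help string on the new 'network_driver' flag, 'Driver to use for network creation', no longer matches how the flag is meant to be used. Per the commit message, the EC2 API manager uses this driver to add an iptables ACCEPT rule on the INPUT chain, so the flag now affects firewall state on API hosts as well as network hosts. Consider rewording the help text to cover both uses and to say that the value is expected to be a module path such as the default 'nova.network.linux_net'. Since the definition sits directly below 'root_helper', it is also worth noting for operators that whatever driver is named here ends up issuing commands through that root prefix, so the setting should be treated as security-sensitive configuration.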