From d503dd6de4f45f149dfa295fd3137f4944ed7f66 Mon Sep 17 00:00:00 2001 From: Mark McLoughlin Date: Mon, 5 Sep 2011 07:10:52 +0100 Subject: Add INPUT chain rule for EC2 metadata requests (lp:856385) On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that EC2 metadata requests from guests get dropped. Add this rule to let it through: $> sudo iptables -t filter -A nova-network-INPUT \ -s 0.0.0.0/0 -d $ec2_dmz_host \ -m tcp -p tcp --dport $ec2_port -j ACCEPT It makes no sense to have nova-network add an iptables rule for the EC2 metadata service, since they may not actually be on the same host. Instead, nova-api should add it directly. In order to do that, we add a manager class for API services and allow the EC2 manager use the network driver to add the rule. Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
---
 nova/api/manager.py | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 nova/api/manager.py
(limited to 'nova/api')
diff --git a/nova/api/manager.py b/nova/api/manager.py
new file mode 100644
index 000000000..b3fcf9352
--- /dev/null
+++ b/nova/api/manager.py
@@ -0,0 +1,42 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from nova import flags
+from nova import manager
+from nova import utils
+
+FLAGS = flags.FLAGS
+
+
+class EC2Manager(manager.Manager):
+ """EC2 API manager.
+
+ This class manages the EC2 API service initialization. Currently, it
+ just adds an iptables filter rule for the metadata service.
+ """
+ def __init__(self, *args, **kwargs):
+ super(EC2Manager, self).__init__(*args, **kwargs)
+ self.network_driver = utils.import_object(FLAGS.network_driver)
+
+ def init_host(self):
+ """Perform any initialization.
+
+ Currently, we only add an iptables filter rule for the metadta
+ service.
+ """
+ self.network_driver.metadata_accept()
-- cgit
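Review bot: `init_host` calls `self.network_driver.metadata_accept()` with no guard, and the driver is whatever `FLAGS.network_driver` names, so a driver that lacks that method would make the EC2 API service fail at startup with an AttributeError rather than a clear message; if the method is meant to be part of the driver contract, say so in the class docstring, otherwise check for it first (`if hasattr(self.network_driver, 'metadata_accept'):`). The `init_host` docstring also misspells the service; the line should read `Currently, we only add an iptables filter rule for the metadata`. Per the commit message, the rule the driver installs accepts traffic from any source address to the metadata host and port, which is worth stating in the `init_host` docstring so an operator reading this file knows the service opens that port on the host's INPUT chain without having to find the driver code.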