Add INPUT chain rule for EC2 metadata requests (lp:856385)

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

$> sudo iptables -t filter -A nova-network-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.

Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
Mark McLoughlin
2011-09-05 07:10:52 +01:00
parent 5bc69350ae
commit 4225c1c097


@@ -415,6 +415,9 @@ DEFINE_bool('resume_guests_state_on_host_boot', False,
DEFINE_string('root_helper', 'sudo',
'Command prefix to use for running commands as root')
DEFINE_string('network_driver', 'nova.network.linux_net',
'Driver to use for network creation')
DEFINE_bool('use_ipv6', False, 'use ipv6')
DEFINE_integer('password_length', 12,
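Review bot: the hunk header `@@ -415,6 +415,9 @@` announces three added lines, but only the six unchanged context lines (`DEFINE_string('root_helper', ...)` through `DEFINE_integer('password_length', ...)`) are shown, with no `+` lines between them, so the new flag definitions this commit introduces cannot be reviewed from this view. When the full hunk is visible, check that each added `DEFINE_*` call carries a help string like its neighbours (`'Driver to use for network creation'`) and that the flags the commit message relies on for the rule (the EC2 DMZ host and port used as `-d $ec2_dmz_host` and `--dport $ec2_port`) are the ones being defined or referenced here rather than new, undocumented options.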