On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.
Add this rule to let it through:
$> sudo iptables -t filter -A nova-network-INPUT \
-s 0.0.0.0/0 -d $ec2_dmz_host \
-m tcp -p tcp --dport $ec2_port -j ACCEPT
It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.
Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager use the network
driver to add the rule.
Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
4225c1c097