Merge lp:~markmc/nova/dnsmasq-accept-rules into lp:~hudson-openstack/nova/trunk

Proposed by Mark McLoughlin
Status: Merged
Approved by: Vish Ishaya
Approved revision: 1529
Merged at revision: 1603
Proposed branch: lp:~markmc/nova/dnsmasq-accept-rules
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 31 lines (+14/-0)
1 file modified
nova/network/linux_net.py (+14/-0)
To merge this branch: bzr merge lp:~markmc/nova/dnsmasq-accept-rules
Reviewer Review Type Date Requested Status
Josh Kearney (community) Approve
Vish Ishaya (community) Approve
Review via email: mp+74050@code.launchpad.net

Commit message

Add iptables filter rules for dnsmasq (lp:844935)

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that DHCP and DNS request packets from the guest
get dropped.

Add these rules to allow the traffic through:

 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
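A host-side check for the symptom the commit message describes, added here as an example and not part of the proposal or of nova: it parses a constructed `iptables -t filter -S` dump (the sample text, chain name and bridge name are assumptions) and reports which of the four dnsmasq ACCEPT rules a bridge still lacks, alongside the INPUT policy that makes them necessary.

```python
import re

# Constructed sample of `iptables -t filter -S` output (not from the page):
# INPUT policy DROP, and only two of the four dnsmasq rules present.
SAMPLE_IPTABLES_S = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-network-INPUT
-A INPUT -j nova-network-INPUT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
"""

# The (proto, port) pairs the patch opens, in the patch's own loop order.
REQUIRED = [(proto, port) for port in (67, 53) for proto in ("udp", "tcp")]

# One ACCEPT rule in `iptables -S` form, as the patch emits it.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -i (?P<dev>\S+) -p (?P<proto>udp|tcp) -m (?P=proto) "
    r"--dport (?P<port>\d+) -j ACCEPT$"
)


def parse_rules(dump):
    """Return ({chain: policy}, {(chain, dev, proto, port)}) from an -S dump."""
    policies, accepts = {}, set()
    for line in dump.splitlines():
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        else:
            m = RULE_RE.match(line)
            if m:
                accepts.add((m["chain"], m["dev"], m["proto"], int(m["port"])))
    return policies, accepts


def check_dnsmasq_rules(dump, dev, chain="nova-network-INPUT"):
    """Report the INPUT policy and the dnsmasq rules still missing for `dev`."""
    policies, accepts = parse_rules(dump)
    missing = [(p, port) for p, port in REQUIRED if (chain, dev, p, port) not in accepts]
    return {"input_policy": policies.get("INPUT"), "missing": missing}


if __name__ == "__main__":
    print(check_dnsmasq_rules(SAMPLE_IPTABLES_S, "br0"))
```

On a live host, feed it the real output of `sudo iptables -t filter -S`; a non-empty `missing` list together with `input_policy == "DROP"` is the exact condition under which guests lose DHCP and DNS.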

Revision history for this message
Vish Ishaya (vishvananda) wrote :

seems totally reasonable. A linked bug would be nice.

review: Approve
Dan Prince (dan-prince) wrote :

Hi Mark,

Looks good. I get conflicts when merging with lp:nova.

Text conflict in nova/network/linux_net.py

Mark McLoughlin (markmc) wrote :

> Hi Mark,
>
> Looks good. I get conflicts when merging with lp:nova.
>
> Text conflict in nova/network/linux_net.py

Thanks Dan, fixed now.

Josh Kearney (jk0) wrote :

LGTM.

review: Approve
OpenStack Infra (hudson-openstack) wrote :

The attempt to merge lp:~markmc/nova/dnsmasq-accept-rules into lp:nova failed. Below is the output from the failed tests.

Mark McLoughlin (markmc) wrote :

Weird, no info on which results failed?

I've just run the tests locally after merging trunk again and they pass. Just a random passing failure?

Vish Ishaya (vishvananda) wrote :

trying again

OpenStack Infra (hudson-openstack) wrote :

The attempt to merge lp:~markmc/nova/dnsmasq-accept-rules into lp:nova failed. Below is the output from the failed tests.


Vish Ishaya (vishvananda) wrote :

weird issue here. Manually checking with trunk merge

Vish Ishaya (vishvananda) wrote :

tests pass for me. Trying this again. That might be a heisenbug.

Preview Diff

1=== modified file 'nova/network/linux_net.py'
2--- nova/network/linux_net.py 2011-09-16 14:40:37 +0000
3+++ nova/network/linux_net.py 2011-09-17 07:31:24 +0000
4@@ -524,6 +524,18 @@
5 return '\n'.join(hosts)
6
7
8+def _add_dnsmasq_accept_rules(dev):
9+ """Allow DHCP and DNS traffic through to dnsmasq."""
10+ table = iptables_manager.ipv4['filter']
11+ for port in [67, 53]:
12+ for proto in ['udp', 'tcp']:
13+ args = {'dev': dev, 'port': port, 'proto': proto}
14+ table.add_rule('INPUT',
15+ '-i %(dev)s -p %(proto)s -m %(proto)s '
16+ '--dport %(port)s -j ACCEPT' % args)
17+ iptables_manager.apply()
18+
19+
20 def get_dhcp_opts(context, network_ref):
21 """Get network's hosts config in dhcp-opts format."""
22 hosts = []
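Review bot: nothing removes these rules and the function runs on every dnsmasq start for a bridge, so unless iptables_manager.add_rule de-duplicates (not visible in this hunk) a restarted dnsmasq accumulates duplicate ACCEPT entries, and a network whose dnsmasq has been killed keeps its INPUT holes open; a matching `_remove_dnsmasq_accept_rules(dev)` called from the teardown path would keep the filter table in step with the process. Minor: DHCP is UDP only, so the `tcp`/67 rule produced by the `[67, 53]` x `['udp', 'tcp']` loop opens a port nothing listens on; iterating over `[('udp', 67), ('udp', 53), ('tcp', 53)]` limits the opening to what dnsmasq serves. The docstring could also note that these rules matter only where the INPUT policy is DROP (Fedora's default), which is the whole reason for the change.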
23@@ -613,6 +625,8 @@
24
25 _execute(*cmd, run_as_root=True)
26
27+ _add_dnsmasq_accept_rules(dev)
28+
29
30 @utils.synchronized('radvd_start')
31 def update_ra(context, dev, network_ref):
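Review bot: `_add_dnsmasq_accept_rules(dev)` is called after the `_execute(*cmd, run_as_root=True)` line, so if that `_execute` is the one that launches dnsmasq, a guest's first DHCP DISCOVER can arrive while the INPUT policy is still DROP and the ACCEPT rules are not yet applied; since the rules do not depend on the process being up, moving the call before `_execute` closes that window. A one-line comment at the call site saying why the rules exist (default DROP policy on Fedora) would also help, as the function name alone does not explain it.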