lp:~markmc/nova/metadata-accept-rule

Branch merges

Propose for merging

No branches dependent on this one.

On hold for merging into lp:~hudson-openstack/nova/trunk

Vish Ishaya (community): Needs Fixing on 2011-09-11

Diff: 157 lines (+84/-2)

5 files modified

nova/api/manager.py (+42/-0)
nova/flags.py (+3/-0)
nova/network/linux_net.py (+11/-0)
nova/network/manager.py (+0/-2)
nova/service.py (+28/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #844935: Nova should not assume the default iptables INPUT filter policy is accept	Medium	Fix Released
Bug #856385: nova-api should add iptables rules to accept metadata API requests	Medium	Fix Released

Link a bug report

Related blueprints

1530. By Mark McLoughlin on 2011-09-17

Fix pep8 issue

1529. By Mark McLoughlin on 2011-09-17

Allow EC2 manager host param be set to default FLAGS.host

1528. By Mark McLoughlin on 2011-09-08

Have nova-api add the INPUT rule for EC2 metadata

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager use the network
driver to add the rule.

1527. By Mark McLoughlin on 2011-09-05

Add INPUT chain rule for EC2 metadata requests

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

$> sudo iptables -t filter -A nova-network-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT

However, this only works if nova-network and nova-api are on the same
host.

1526. By Tushar Patil on 2011-09-03

Instance record is not inserted in db if the security group passed to the RunInstances API doesn't exists.

1525. By Tushar Patil on 2011-09-02

Added list of security groups to the newly added extension (Createserverext) for the Create Server and Get Server detail responses.

1524. By Kevin L. Mitchell on 2011-09-02

Fixes a small bug which causes filters to not work at all. Also reworks a bit of exception handling to allow the exception related to the bug to propagate up.

1523. By Kevin L. Mitchell on 2011-09-01

Glance can now perform its own authentication/authorization checks when we're using keystone.

1522. By Vish Ishaya on 2011-09-01

Fix a few references to state_description that slipped through.

1521. By Brian Waldon on 2011-09-01

- implements changes-since for servers resource
- default sort is now created_at desc for instances