Merge lp:~markmc/nova/metadata-accept-rule into lp:~hudson-openstack/nova/trunk

Proposed by Mark McLoughlin
Status: Work in progress
Proposed branch: lp:~markmc/nova/metadata-accept-rule
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 157 lines (+84/-2)
5 files modified
nova/api/manager.py (+42/-0)
nova/flags.py (+3/-0)
nova/network/linux_net.py (+11/-0)
nova/network/manager.py (+0/-2)
nova/service.py (+28/-0)
To merge this branch: bzr merge lp:~markmc/nova/metadata-accept-rule
Reviewer: Vish Ishaya (community), status: Needs Fixing
Review via email: mp+74051@code.launchpad.net

Commit message

Add INPUT chain rule for EC2 metadata requests (lp:856385)

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

We have nova-api add this rule to let it through:

$> sudo iptables -t filter -A nova-api-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT
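A check to go with that rule, added here as an example; it is not code from this branch or from nova. It parses the text format of `iptables-save -t filter` and reports whether the INPUT policy is DROP, whether INPUT jumps into the per-binary chain the rule is written to (`nova-api-INPUT`), and whether that chain holds the ACCEPT rule for `ec2_dmz_host`:`ec2_port`. The dump it runs on by default is constructed by hand to look like a Fedora host after nova-api has applied the rule; the host 10.0.0.1 and the port 8773 are assumed values. The same three checks apply to the original nova-network-INPUT variant from revision 1527, by passing that chain name instead.

```python
import re
import sys

# Constructed sample of `iptables-save -t filter` output; not captured from
# a real host. It mimics a Fedora host (INPUT policy DROP) after nova-api has
# applied the accept rule. iptables-save omits the redundant `-s 0.0.0.0/0`.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-api-INPUT - [0:0]
-A INPUT -j nova-api-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-api-INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 8773 -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Parse one iptables-save table.

    Returns (policies, rules): policies maps chain -> policy ('-' for
    user-defined chains), rules maps chain -> rule bodies in table order.
    """
    policies, rules = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith('-A '):
            chain, _, body = line[3:].partition(' ')
            rules.setdefault(chain, []).append(body)
    return policies, rules


def chain_jumps_to(rules, src, dst):
    """True if some rule in `src` is an unconditional jump into `dst`."""
    return any(body == '-j %s' % dst for body in rules.get(src, []))


def has_accept_rule(rules, chain, dst_host, dst_port):
    """True if `chain` holds a rule accepting TCP to dst_host:dst_port."""
    dst_re = re.compile(r'(^|\s)-d %s(/32)?(\s|$)' % re.escape(dst_host))
    port_re = re.compile(r'--dport %d(\s|$)' % dst_port)
    for body in rules.get(chain, []):
        if (dst_re.search(body) and '-p tcp' in body
                and port_re.search(body) and body.endswith('-j ACCEPT')):
            return True
    return False


def metadata_path_status(dump, dmz_host, ec2_port, chain='nova-api-INPUT'):
    """Report the three facts that decide whether guest metadata
    requests survive the INPUT chain on this host."""
    policies, rules = parse_filter_table(dump)
    return {
        'input_policy': policies.get('INPUT'),
        'input_jumps_to_chain': chain_jumps_to(rules, 'INPUT', chain),
        'accept_rule_present': has_accept_rule(rules, chain, dmz_host, ec2_port),
    }


def metadata_reachable(dump, dmz_host, ec2_port, chain='nova-api-INPUT'):
    """True if INPUT hands off to the nova chain and that chain accepts the
    metadata port. The INPUT policy is reported for information only: with
    both conditions met a DROP policy is harmless, and an ACCEPT policy on
    its own says nothing about what the rules before it do."""
    status = metadata_path_status(dump, dmz_host, ec2_port, chain)
    return status['input_jumps_to_chain'] and status['accept_rule_present']


if __name__ == '__main__':
    # Pipe a real dump in (`iptables-save -t filter | python this.py`) or
    # run without input to check the constructed sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(metadata_path_status(dump, '10.0.0.1', 8773))
    print('reachable:', metadata_reachable(dump, '10.0.0.1', 8773))
```

The jump check matters as much as the rule itself: a rule sitting in `nova-api-INPUT` does nothing until INPUT references that chain, which is why an `iptables -L nova-api-INPUT` showing the ACCEPT line is not by itself proof that guests get through.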

Revision history for this message
Vish Ishaya (vishvananda) wrote :

again, reasonable. Perhaps one bug for all of these.

review: Approve
Revision history for this message
Vish Ishaya (vishvananda) wrote :

actually, I'm not so sure about this. This rule really needs to go into nova-api to be useful.

review: Abstain
lp:~markmc/nova/metadata-accept-rule updated
1528. By Mark McLoughlin

Have nova-api add the INPUT rule for EC2 metadata

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.

Revision history for this message
Mark McLoughlin (markmc) wrote :

> actually, I'm not so sure about this. This rule really needs to go into nova-
> api to be useful.

Okay, I've attempted to have nova-api add it.

Revision history for this message
Vish Ishaya (vishvananda) wrote :

I'm a little worried about adding it into diablo, so we might just have to mention in the release notes that the rule will have to be added manually for fedora.

Also, the construction of the manager class isn't quite right. Host is supposed to be FLAGS.host not the ip string for listen.

review: Needs Fixing
lp:~markmc/nova/metadata-accept-rule updated
1529. By Mark McLoughlin

Allow the EC2 manager host param to be set to the default FLAGS.host

1530. By Mark McLoughlin

Fix pep8 issue

Revision history for this message
Mark McLoughlin (markmc) wrote :

> I'm a little worried about adding it in to diablo, so we might just have to
> mention in the release notes that the rule will have to be added manually for
> fedora.

Okay. I've included the original hacky patch in the Fedora Diablo packages.

> Also, the construction of the manager class isn't quite right. Host is
> supposed to be FLAGS.host not the ip string for listen.

Good catch, fixed now.

Revision history for this message
Thierry Carrez (ttx) wrote :

Could you split it into a separate bug? The other part of this bug is now fixed.

Revision history for this message
Mark McLoughlin (markmc) wrote :

> Could you split it into a separate bug? The other part of this bug is now fixed.

Done, sorry for the delay.

Unmerged revisions

1530. By Mark McLoughlin

Fix pep8 issue

1529. By Mark McLoughlin

Allow the EC2 manager host param to be set to the default FLAGS.host

1528. By Mark McLoughlin

Have nova-api add the INPUT rule for EC2 metadata

It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.

Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager to use the network
driver to add the rule.

1527. By Mark McLoughlin

Add INPUT chain rule for EC2 metadata requests

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

$> sudo iptables -t filter -A nova-network-INPUT \
                 -s 0.0.0.0/0 -d $ec2_dmz_host \
                 -m tcp -p tcp --dport $ec2_port -j ACCEPT

However, this only works if nova-network and nova-api are on the same
host.

Preview Diff

1=== added file 'nova/api/manager.py'
2--- nova/api/manager.py 1970-01-01 00:00:00 +0000
3+++ nova/api/manager.py 2011-09-17 07:06:27 +0000
4@@ -0,0 +1,42 @@
5+# vim: tabstop=4 shiftwidth=4 softtabstop=4
6+
7+# Copyright 2010 United States Government as represented by the
8+# Administrator of the National Aeronautics and Space Administration.
9+# All Rights Reserved.
10+#
11+# Licensed under the Apache License, Version 2.0 (the "License"); you may
12+# not use this file except in compliance with the License. You may obtain
13+# a copy of the License at
14+#
15+# http://www.apache.org/licenses/LICENSE-2.0
16+#
17+# Unless required by applicable law or agreed to in writing, software
18+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
19+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
20+# License for the specific language governing permissions and limitations
21+# under the License.
22+
23+from nova import flags
24+from nova import manager
25+from nova import utils
26+
27+FLAGS = flags.FLAGS
28+
29+
30+class EC2Manager(manager.Manager):
31+ """EC2 API manager.
32+
33+ This class manages the EC2 API service initialization. Currently, it
34+ just adds an iptables filter rule for the metadata service.
35+ """
36+ def __init__(self, *args, **kwargs):
37+ super(EC2Manager, self).__init__(*args, **kwargs)
38+ self.network_driver = utils.import_object(FLAGS.network_driver)
39+
40+ def init_host(self):
41+ """Perform any initialization.
42+
43+ Currently, we only add an iptables filter rule for the metadta
44+ service.
45+ """
46+ self.network_driver.metadata_accept()
47
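Review bot: `init_host` calls `self.network_driver.metadata_accept()` unconditionally, and that path runs iptables as root through the network driver's root helper (see `root_helper` in the flags.py hunk), so every nova-api process that serves the EC2 API now needs sudo rights for iptables, on distributions whose INPUT policy is already ACCEPT as well as on Fedora; either document that requirement in the commit message and flag help, or guard the call behind a flag so operators who manage their own firewall can turn it off. Two smaller points in the same hunk: the `init_host` docstring (hunk line 43) misspells "metadata" as "metadta", and this new 2011 file carries a "Copyright 2010 United States Government" header; the header should name the actual author and year.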
48=== modified file 'nova/flags.py'
49--- nova/flags.py 2011-09-06 11:31:39 +0000
50+++ nova/flags.py 2011-09-17 07:06:27 +0000
51@@ -419,6 +419,9 @@
52 DEFINE_string('root_helper', 'sudo',
53 'Command prefix to use for running commands as root')
54
55+DEFINE_string('network_driver', 'nova.network.linux_net',
56+ 'Driver to use for network creation')
57+
58 DEFINE_bool('use_ipv6', False, 'use ipv6')
59
60 DEFINE_integer('password_length', 12,
61
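Review bot: the moved `network_driver` flag keeps the help text "Driver to use for network creation", which no longer describes it now that nova-api also loads the driver to add a filter rule; something like "Driver used to manage host networking (iptables rules, etc.)" would fit both users. Since the same name is defined in nova/network/manager.py today, this hunk only works together with the removal there, which is worth noting in the commit message for anyone backporting one file at a time.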
62=== modified file 'nova/network/linux_net.py'
63--- nova/network/linux_net.py 2011-09-16 14:40:37 +0000
64+++ nova/network/linux_net.py 2011-09-17 07:06:27 +0000
65@@ -384,6 +384,17 @@
66 iptables_manager.apply()
67
68
69+def metadata_accept():
70+ """Create the filter accept rule for metadata."""
71+ iptables_manager.ipv4['filter'].add_rule('INPUT',
72+ '-s 0.0.0.0/0 -d %s '
73+ '-p tcp -m tcp --dport %s '
74+ '-j ACCEPT' % \
75+ (FLAGS.ec2_dmz_host,
76+ FLAGS.ec2_port))
77+ iptables_manager.apply()
78+
79+
80 def init_host():
81 """Basic networking setup goes here."""
82 # NOTE(devcamcar): Cloud public SNAT entries and the default
83
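Review bot: `-s 0.0.0.0/0` matches every source, so the rule accepts TCP to `ec2_dmz_host`:`ec2_port` from any host, not only from guests asking for metadata; if only guest traffic is meant to get through, restrict `-s` to the guest fixed ranges, and otherwise drop the `-s` (it is a no-op) and say in the docstring that this opens the EC2 API port on the DMZ address to everyone. The trailing `\` after `%` (hunk line 74) is unnecessary inside the open parenthesis, and "Create the filter accept rule for metadata." would read better as "Accept TCP to ec2_dmz_host:ec2_port in the INPUT chain so guests can reach the metadata service."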
84=== modified file 'nova/network/manager.py'
85--- nova/network/manager.py 2011-09-14 20:57:15 +0000
86+++ nova/network/manager.py 2011-09-17 07:06:27 +0000
87@@ -96,8 +96,6 @@
88 flags.DEFINE_string('gateway_v6', None, 'Default IPv6 gateway')
89 flags.DEFINE_integer('cnt_vpn_clients', 0,
90 'Number of addresses reserved for vpn clients')
91-flags.DEFINE_string('network_driver', 'nova.network.linux_net',
92- 'Driver to use for network creation')
93 flags.DEFINE_bool('update_dhcp_on_disassociate', False,
94 'Whether to update dhcp when fixed_ip is disassociated')
95 flags.DEFINE_integer('fixed_ip_disassociate_timeout', 600,
96
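Review bot: this removal is required rather than cosmetic: with the definition now in nova/flags.py, leaving this one in place would define `network_driver` from a second module and gflags rejects that with DuplicateFlagError at import time. Say so in the commit message, since a partial backport that takes the nova/flags.py hunk without this one fails before any service starts.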
97=== modified file 'nova/service.py'
98--- nova/service.py 2011-08-29 21:36:12 +0000
99+++ nova/service.py 2011-09-17 07:06:27 +0000
100@@ -45,9 +45,13 @@
101 flags.DEFINE_integer('periodic_interval', 60,
102 'seconds between running periodic tasks',
103 lower_bound=1)
104+flags.DEFINE_string('ec2_manager', 'nova.api.manager.EC2Manager',
105+ 'EC2 API service manager')
106 flags.DEFINE_string('ec2_listen', "0.0.0.0",
107 'IP address for EC2 API to listen')
108 flags.DEFINE_integer('ec2_listen_port', 8773, 'port for ec2 api to listen')
109+flags.DEFINE_string('osapi_manager', None,
110+ 'OpenStack API service manager')
111 flags.DEFINE_string('osapi_listen', "0.0.0.0",
112 'IP address for OpenStack API to listen')
113 flags.DEFINE_integer('osapi_listen_port', 8774, 'port for os api to listen')
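Review bot: `ec2_manager` defaults to the new `nova.api.manager.EC2Manager` while `osapi_manager` defaults to None, so the iptables change is on by default for every EC2 API deployment; given the reviewer's concern about shipping this in diablo, consider defaulting `ec2_manager` to None as well and letting the Fedora packaging set it, or at least state the opt-out in the help string. The help strings should also say what a manager does for a WSGI service here, e.g. "class whose init_host() runs before the service starts serving".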
114@@ -290,6 +294,7 @@
115
116 """
117 self.name = name
118+ self.manager = self._get_manager()
119 self.loader = loader or wsgi.Loader()
120 self.app = self.loader.load_app(name)
121 self.host = getattr(FLAGS, '%s_listen' % name, "0.0.0.0")
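Review bot: `self.manager = self._get_manager()` is placed before the app is loaded, and `_get_manager` reads `self.name`, so it must stay after `self.name = name`; a short comment would stop a later reorder from breaking it. A misconfigured `ec2_manager` value makes `utils.import_class` raise from inside this constructor with nothing in the message naming the flag; wrapping the import and re-raising with `%s_manager` in the text would make that failure diagnosable.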
122@@ -299,6 +304,27 @@
123 host=self.host,
124 port=self.port)
125
126+ def _get_manager(self):
127+ """Initialize a Manager object appropriate for this service.
128+
129+ Use the service name to look up a Manager subclass from the
130+ configuration and initialize an instance. If no class name
131+ is configured, just return None.
132+
133+ :returns: a Manager instance, or None.
134+
135+ """
136+ fl = '%s_manager' % self.name
137+ if not fl in FLAGS:
138+ return None
139+
140+ manager_class_name = FLAGS.get(fl, None)
141+ if not manager_class_name:
142+ return None
143+
144+ manager_class = utils.import_class(manager_class_name)
145+ return manager_class()
146+
147 def start(self):
148 """Start serving this service using loaded configuration.
149
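Review bot: `if not fl in FLAGS` should be `if fl not in FLAGS` (pep8 E713), and the lookup is done twice: once the flag is known to exist, `getattr(FLAGS, fl)` yields its value, so `FLAGS.get(fl, None)` can go (also confirm that nova's FlagValues actually exposes a `get` method; `getattr(FLAGS, fl, None)` does not depend on one). `manager_class()` is called with no host argument and, per revision 1529, relies on the manager defaulting to FLAGS.host; a one-line comment saying so would save the next reader from the listen-address mix-up already raised in this review.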
150@@ -308,6 +334,8 @@
151 :returns: None
152
153 """
154+ if self.manager:
155+ self.manager.init_host()
156 self.server.start()
157 self.port = self.server.port
158
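Review bot: `self.manager.init_host()` runs before `self.server.start()` with no error handling, so a failure to add the iptables rule (the nova-api user lacking sudo rights for iptables, iptables absent in a container, another process holding the table) stops the API from starting at all, whereas before this change the API came up and only the metadata request was dropped on DROP-policy hosts. Consider logging the exception and continuing, or failing with an explicit message naming the `root_helper` requirement, and mention the manager step in the docstring above, which still only says "Start serving this service using loaded configuration."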