
yahoo-eng-team team mailing list archive

[Bug 1202356] Re: Setting metadata_host to 127.0.0.1 results in incorrect iptables filter rules


** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova
    Milestone: None => havana-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1202356

Title:
  Setting metadata_host to 127.0.0.1 results in incorrect iptables
  filter rules

Status in OpenStack Compute (Nova):
  Fix Released

Bug description:
  The metadata_host option is used by nova-network to set up iptables
  rules for handling requests from VMs to the metadata service hosted by
  nova-api.

  In normal operation metadata_host defaults to the local IP of the node
  running nova-network. In this case (or any case where the IP is not
  127.0.0.1) nova-network creates an iptables entry in the NAT table to
  DNAT requests for the metadata server (169.254.169.254) to the IP
  specified in metadata_host. Additionally, when nova-api starts up it
  creates an iptables entry in the filter table to allow requests from
  VMs to the metadata server.

  nova-network nat entry:
  -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:8775

  nova-api filter entry:
  -A nova-api-INPUT -d 10.1.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT

  The problem is that if metadata_host is set to 127.0.0.1 nova-network
  will use the REDIRECT target instead of the DNAT target in its
  iptables rule. The resulting iptables rule looks like the following.

  -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775

  The issue is that REDIRECT results in an implicit DNAT to the primary
  address of the incoming interface. As a result, requests coming in
  from VMs will have a destination address of the gateway brought up by
  nova-network. The nova-api rules are not modified in this case and are
  only allowing requests destined to 127.0.0.1 and not the gateway IP
  addresses managed by nova-network.

  We need to update the logic used to generate the rules for nova-api to
  account for the REDIRECT use case.

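As an added example (not code from the bug report or from nova itself), a small Python model of the two rule generators described above: it applies the nat rule a VM request would hit, then checks whether nova-api's filter chain accepts the resulting destination. The gateway address 10.0.0.1 is constructed, and the `redirect_aware` branch is an assumed shape of the fix (accept traffic to each nova-network gateway address when REDIRECT is in play), not nova's actual change.

```python
import re

METADATA_ADDR = "169.254.169.254"
METADATA_PORT = 8775


def nova_network_nat_rule(metadata_host):
    """Rule nova-network adds to the nat table, as quoted in the report."""
    match = f"-A nova-network-PREROUTING -d {METADATA_ADDR}/32 -p tcp -m tcp --dport 80"
    if metadata_host == "127.0.0.1":
        return f"{match} -j REDIRECT --to-ports {METADATA_PORT}"
    return f"{match} -j DNAT --to-destination {metadata_host}:{METADATA_PORT}"


def destination_after_nat(metadata_host, gateway_ip):
    """Destination IP a VM request carries once the nat rule has fired.
    REDIRECT is an implicit DNAT to the primary address of the incoming
    interface, which for VM traffic is the gateway nova-network brought up."""
    return gateway_ip if metadata_host == "127.0.0.1" else metadata_host


def nova_api_filter_rules(metadata_host, gateway_ips=(), redirect_aware=False):
    """ACCEPT rules nova-api adds to the filter table.
    redirect_aware=False is the behaviour described in the bug: one rule for
    metadata_host only. redirect_aware=True is an ASSUMED fix: when REDIRECT
    is in play, accept traffic to each nova-network gateway address instead."""
    if redirect_aware and metadata_host == "127.0.0.1":
        targets = list(gateway_ips)
    else:
        targets = [metadata_host]
    return [f"-A nova-api-INPUT -d {ip}/32 -p tcp -m tcp --dport {METADATA_PORT} -j ACCEPT"
            for ip in targets]


_DST = re.compile(r"-d (\S+)/32 .*--dport (\d+) -j ACCEPT")


def filter_accepts(rules, dst_ip, dst_port=METADATA_PORT):
    """True if any ACCEPT rule in the chain matches the post-NAT destination."""
    for rule in rules:
        m = _DST.search(rule)
        if m and m.group(1) == dst_ip and int(m.group(2)) == dst_port:
            return True
    return False


def metadata_reachable(metadata_host, gateway_ip, redirect_aware=False):
    """Simulate one VM request: apply the nat rule, then check the filter chain."""
    dst = destination_after_nat(metadata_host, gateway_ip)
    rules = nova_api_filter_rules(metadata_host, [gateway_ip], redirect_aware)
    return filter_accepts(rules, dst)


if __name__ == "__main__":
    for host in ("10.1.1.1", "127.0.0.1"):  # 10.0.0.1 below is a constructed gateway IP
        print(nova_network_nat_rule(host))
        print("reachable:", metadata_reachable(host, "10.0.0.1"),
              "| with assumed fix:", metadata_reachable(host, "10.0.0.1", redirect_aware=True))
```

Running it shows the DNAT case passing the filter chain and the 127.0.0.1 case being dropped unless the filter rules are generated with the gateway addresses.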