OpenStack Compute (nova)

DNAT rule for accessing metadata server does not work if metadata_host is 127.0.0.1

Bug #1015853 reported by Lars Kellogg-Stedman
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Undecided
Jiajun Liu
OpenStack Compute (nova) 2012.2 "folsom"

Bug Description

If metadata_host is 127.0.0.1, linux_net.py creates the following iptables rule:

  -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8775

This does not work as intended because the Linux kernel will reject packets to a 127.0.0.0/8 address that do not come from an address in that range. The correct solution in this case is to create a REDIRECT rule instead:

  -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775

Jiajun Liu (ljjjustin)
Changed in nova:
assignee: nobody → ljjjustin (ljjjustin)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10210

Changed in nova:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/10210
Committed: http://github.com/openstack/nova/commit/34cec1c5c82d56c96f0d624fd691f7e259cbc5d8
Submitter: Jenkins
Branch: master

commit 34cec1c5c82d56c96f0d624fd691f7e259cbc5d8
Author: justin ljj <email address hidden>
Date: Tue Jul 24 17:47:11 2012 +0800

    use REDIRECT to forward local metadata request

    VMs can not get metadata when metadata_host is set to 127.0.0.1 because
    packet's destination address will be changed into 127.0.0.1 by iptables.
    However, linux kernel will reject packets to 127.0.0.0/8 if packets do not
    come from that range. We can use REDIRECT to resolve this problem because
    REDIRECT will rewrite the destination address to our own host.

    Fixes bug 1015853.

    Change-Id: I162fc57510ef9c8e84130b2d11eb53e10dcc5cb0

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.