instances in multi node mode can't reach metadata_host

Bug #968453 reported by Peng Yong
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Peng Yong

Bug Description

I installed multi-node OpenStack on CentOS. The instances on the compute nodes would connect to metadata_host for metadata.

ec2_host=192.168.28.6 # public interface of controller
metadata_host=10.9.0.100 #internal interface of controller
my_ip=192.168.28.7 # compute node

The instance can't connect to metadata_host. Here is the iptables configuration:
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.0.100:8775
-A nova-network-snat -s 10.9.0.0/16 -j SNAT --to-source 192.168.28.7

I modified the ipfilter, and it works:
-A nova-network-snat -s 10.9.0.0/16 -o eth0 -j SNAT --to-source 192.168.28.7

Peng Yong (ppyy)
Changed in nova:
assignee: nobody → Peng Yong (ppyy)
status: New → In Progress
Vish Ishaya (vishvananda) wrote :

This can be done with dmz_cidr. Since dmz_cidr is not obvious, perhaps a change like the following is actually better:

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 7258e62..908c96b 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -442,6 +442,10 @@ def init_host(ip_range=None):
     add_snat_rule(ip_range)

     iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
+ '-s %s -d %s/32 -j ACCEPT' %
+ (ip_range, FLAGS.metadata_host))
+
+ iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
                                           '-s %s -d %s -j ACCEPT' %
                                           (ip_range, FLAGS.dmz_cidr))

Peng Yong (ppyy) wrote :

Thanks Vish, uploaded another patch.

Vish Ishaya (vishvananda) wrote :

Marking this release potential because it is a very small change that has some user facing benefit. I have had multiple times where I've had to explain to people to set dmz_cidr because metadata is on another host. This makes it automatic and means people don't have to manually change a config option.

Changed in nova:
importance: Undecided → Low
tags: added: essex-rc-potential
Changed in nova:
assignee: Peng Yong (ppyy) → Vish Ishaya (vishvananda)
Changed in nova:
assignee: Vish Ishaya (vishvananda) → Peng Yong (ppyy)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/5961
Committed: http://github.com/openstack/nova/commit/b302e41785920a910013b07b40c0384b2294172c
Submitter: Jenkins
Branch: master

commit b302e41785920a910013b07b40c0384b2294172c
Author: Peng Yong <email address hidden>
Date: Fri Mar 30 23:25:32 2012 +0800

    Accept metadata ip so packets aren't snatted

     * fixes bug 968453

    Change-Id: I12a7967bb711fe5fd9a7ebc2473209833d33f546

Changed in nova:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/6028

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (milestone-proposed)

Reviewed: https://review.openstack.org/6028
Committed: http://github.com/openstack/nova/commit/6ecb3c2d2df7f58cb33d7d274200b9768d7dce81
Submitter: Jenkins
Branch: milestone-proposed

commit 6ecb3c2d2df7f58cb33d7d274200b9768d7dce81
Author: Peng Yong <email address hidden>
Date: Fri Mar 30 23:25:32 2012 +0800

    Accept metadata ip so packets aren't snatted

     * fixes bug 968453

    Change-Id: I12a7967bb711fe5fd9a7ebc2473209833d33f546

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: none → 2012.1
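
An added example (not code from this bug report or from nova) that models how the nat rules quoted in the report treat an instance's metadata request, so the reported ruleset, the "-o eth0" workaround and the merged ACCEPT exemption can be compared side by side. The jump rules and chain placement, the instance address 10.9.0.5 and the internal interface name eth1 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the SNAT rule quoted in the report plus assumed jump
# rules (a simplified chain layout, not a dump from a real host).
REPORTED = """\
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-network-snat
-A nova-network-snat -s 10.9.0.0/16 -j SNAT --to-source 192.168.28.7
"""
WITH_OUT_IF = REPORTED.replace("/16 -j SNAT", "/16 -o eth0 -j SNAT")
WITH_ACCEPT = REPORTED + (
    "-A nova-network-POSTROUTING -s 10.9.0.0/16 -d 10.9.0.100/32 -j ACCEPT\n")


def parse(ruleset):
    """Group iptables-save style '-A' lines into {chain: [options, ...]}."""
    chains = {}
    for line in ruleset.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "-A":
            # Every option used here takes one argument, so pair them up.
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains


def matches(opts, src, dst, out_if):
    if "-s" in opts and src not in ipaddress.ip_network(opts["-s"]):
        return False
    if "-d" in opts and dst not in ipaddress.ip_network(opts["-d"]):
        return False
    return opts.get("-o", out_if) == out_if


def source_after_nat(ruleset, src, dst, out_if, chain="POSTROUTING"):
    """Source address the destination sees; None means 'return to caller'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for opts in parse(ruleset).get(chain, []):
        if not matches(opts, src_ip, dst_ip, out_if):
            continue
        if opts["-j"] == "SNAT":
            return opts["--to-source"]
        if opts["-j"] == "ACCEPT":
            return src  # terminal verdict: no later rule rewrites the source
        verdict = source_after_nat(ruleset, src, dst, out_if, opts["-j"])
        if verdict is not None:
            return verdict
    # Built-in chain falls through to its policy (assumed ACCEPT).
    return src if chain == "POSTROUTING" else None
```

Calling source_after_nat(REPORTED, "10.9.0.5", "10.9.0.100", "eth1") returns 192.168.28.7, the compute node's address rather than the instance's, while the same call against WITH_OUT_IF or WITH_ACCEPT returns 10.9.0.5. Traffic to other destinations leaving through eth0 is still rewritten under both fixes.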