From 8e23bafa4afab0090736e60183fe1861cece8f7e Mon Sep 17 00:00:00 2001 From: Mark McLoughlin <markmc@redhat.com> Date: Thu, 8 Sep 2011 14:29:49 +0100 Subject: [PATCH] Have nova-api add the INPUT rule for EC2 metadata (lp:856385) It makes no sense to have nova-network add an iptables rule for the EC2 metadata service, since they may not actually be on the same host. Instead, nova-api should add it directly. In order to do that, we add a manager class for API services and allow the EC2 manager use the network driver to add the rule. Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543 --- nova/api/manager.py | 42 ++++++++++++++++++++++++++++++++++++++++++ nova/flags.py | 3 +++ nova/network/linux_net.py | 11 +++++++++-- nova/network/manager.py | 2 -- nova/service.py | 28 ++++++++++++++++++++++++++++ 5 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 nova/api/manager.py diff --git a/nova/api/manager.py b/nova/api/manager.py new file mode 100644 index 0000000..b3fcf93 --- /dev/null +++ b/nova/api/manager.py @@ -0,0 +1,42 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from nova import flags +from nova import manager +from nova import utils + +FLAGS = flags.FLAGS + + +class EC2Manager(manager.Manager): + """EC2 API manager. + + This class manages the EC2 API service initialization. Currently, it + just adds an iptables filter rule for the metadata service. + """ + def __init__(self, *args, **kwargs): + super(EC2Manager, self).__init__(*args, **kwargs) + self.network_driver = utils.import_object(FLAGS.network_driver) + + def init_host(self): + """Perform any initialization. + + Currently, we only add an iptables filter rule for the metadta + service. + """ + self.network_driver.metadata_accept() diff --git a/nova/flags.py b/nova/flags.py index 11ac9f6..792407b 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -413,6 +413,9 @@ DEFINE_bool('resume_guests_state_on_host_boot', False, DEFINE_string('root_helper', 'sudo', 'Command prefix to use for running commands as root') +DEFINE_string('network_driver', 'nova.network.linux_net', + 'Driver to use for network creation') + DEFINE_bool('use_ipv6', False, 'use ipv6') DEFINE_bool('monkey_patch', False, diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py index cb71f9b..0961c4a 100755 --- a/nova/network/linux_net.py +++ b/nova/network/linux_net.py @@ -378,10 +378,17 @@ def metadata_forward(): '-p tcp -m tcp --dport 80 -j DNAT ' '--to-destination %s:%s' % \ (FLAGS.ec2_dmz_host, FLAGS.ec2_port)) + iptables_manager.apply() + + +def metadata_accept(): + """Create the filter accept rule for metadata.""" iptables_manager.ipv4['filter'].add_rule('INPUT', '-s 0.0.0.0/0 -d %s ' - '-p tcp -m tcp --dport %s -j ACCEPT' % \ - (FLAGS.ec2_dmz_host, FLAGS.ec2_port)) + '-p tcp -m tcp --dport %s ' + '-j ACCEPT' % \ + (FLAGS.ec2_dmz_host, + FLAGS.ec2_port)) iptables_manager.apply() diff --git a/nova/network/manager.py b/nova/network/manager.py index 3e89fc4..c96e5b0 100644 --- a/nova/network/manager.py +++ b/nova/network/manager.py @@ -96,8 +96,6 @@ flags.DEFINE_string('fixed_range_v6', 'fd00::/48', 'Fixed IPv6 address block') flags.DEFINE_string('gateway_v6', None, 'Default IPv6 gateway') flags.DEFINE_integer('cnt_vpn_clients', 0, 'Number of addresses reserved for vpn clients') -flags.DEFINE_string('network_driver', 'nova.network.linux_net', - 'Driver to use for network creation') flags.DEFINE_bool('update_dhcp_on_disassociate', False, 'Whether to update dhcp when fixed_ip is disassociated') flags.DEFINE_integer('fixed_ip_disassociate_timeout', 600, diff --git a/nova/service.py b/nova/service.py index 247eb4f..b9ad579 100644 --- a/nova/service.py +++ b/nova/service.py @@ -45,9 +45,13 @@ flags.DEFINE_integer('report_interval', 10, flags.DEFINE_integer('periodic_interval', 60, 'seconds between running periodic tasks', lower_bound=1) +flags.DEFINE_string('ec2_manager', 'nova.api.manager.EC2Manager', + 'EC2 API service manager') flags.DEFINE_string('ec2_listen', "0.0.0.0", 'IP address for EC2 API to listen') flags.DEFINE_integer('ec2_listen_port', 8773, 'port for ec2 api to listen') +flags.DEFINE_string('osapi_manager', None, + 'OpenStack API service manager') flags.DEFINE_string('osapi_listen', "0.0.0.0", 'IP address for OpenStack API to listen') flags.DEFINE_integer('osapi_listen_port', 8774, 'port for os api to listen') @@ -290,6 +294,7 @@ class WSGIService(object): """ self.name = name + self.manager = self._get_manager() self.loader = loader or wsgi.Loader() self.app = self.loader.load_app(name) self.host = getattr(FLAGS, '%s_listen' % name, "0.0.0.0") @@ -299,6 +304,27 @@ class WSGIService(object): host=self.host, port=self.port) + def _get_manager(self): + """Initialize a Manager object appropriate for this service. + + Use the service name to look up a Manager subclass from the + configuration and initialize an instance. If no class name + is configured, just return None. + + :returns: a Manager instance, or None. + + """ + fl = '%s_manager' % self.name + if not fl in FLAGS: + return None + + manager_class_name = FLAGS.get(fl, None) + if not manager_class_name: + return None + + manager_class = utils.import_class(manager_class_name) + return manager_class() + def start(self): """Start serving this service using loaded configuration. @@ -308,6 +334,8 @@ class WSGIService(object): :returns: None """ + if self.manager: + self.manager.init_host() self.server.start() self.port = self.server.port