From 8e23bafa4afab0090736e60183fe1861cece8f7e Mon Sep 17 00:00:00 2001
From: Mark McLoughlin <markmc@redhat.com>
Date: Thu, 8 Sep 2011 14:29:49 +0100
Subject: [PATCH] Have nova-api add the INPUT rule for EC2 metadata
(lp:856385)
It makes no sense to have nova-network add an iptables rule for the EC2
metadata service, since they may not actually be on the same host.
Instead, nova-api should add it directly. In order to do that, we add a
manager class for API services and allow the EC2 manager use the network
driver to add the rule.
Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
---
nova/api/manager.py | 42 ++++++++++++++++++++++++++++++++++++++++++
nova/flags.py | 3 +++
nova/network/linux_net.py | 11 +++++++++--
nova/network/manager.py | 2 --
nova/service.py | 28 ++++++++++++++++++++++++++++
5 files changed, 82 insertions(+), 4 deletions(-)
create mode 100644 nova/api/manager.py
diff --git a/nova/api/manager.py b/nova/api/manager.py
new file mode 100644
index 0000000..b3fcf93
--- /dev/null
+++ b/nova/api/manager.py
@@ -0,0 +1,42 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from nova import flags
+from nova import manager
+from nova import utils
+
+FLAGS = flags.FLAGS
+
+
+class EC2Manager(manager.Manager):
+ """EC2 API manager.
+
+ This class manages the EC2 API service initialization. Currently, it
+ just adds an iptables filter rule for the metadata service.
+ """
+ def __init__(self, *args, **kwargs):
+ super(EC2Manager, self).__init__(*args, **kwargs)
+ self.network_driver = utils.import_object(FLAGS.network_driver)
+
+ def init_host(self):
+ """Perform any initialization.
+
+ Currently, we only add an iptables filter rule for the metadta
+ service.
+ """
+ self.network_driver.metadata_accept()
diff --git a/nova/flags.py b/nova/flags.py
index 11ac9f6..792407b 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -413,6 +413,9 @@ DEFINE_bool('resume_guests_state_on_host_boot', False,
DEFINE_string('root_helper', 'sudo',
'Command prefix to use for running commands as root')
+DEFINE_string('network_driver', 'nova.network.linux_net',
+ 'Driver to use for network creation')
+
DEFINE_bool('use_ipv6', False, 'use ipv6')
DEFINE_bool('monkey_patch', False,
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index cb71f9b..0961c4a 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -378,10 +378,17 @@ def metadata_forward():
'-p tcp -m tcp --dport 80 -j DNAT '
'--to-destination %s:%s' % \
(FLAGS.ec2_dmz_host, FLAGS.ec2_port))
+ iptables_manager.apply()
+
+
+def metadata_accept():
+ """Create the filter accept rule for metadata."""
iptables_manager.ipv4['filter'].add_rule('INPUT',
'-s 0.0.0.0/0 -d %s '
- '-p tcp -m tcp --dport %s -j ACCEPT' % \
- (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
+ '-p tcp -m tcp --dport %s '
+ '-j ACCEPT' % \
+ (FLAGS.ec2_dmz_host,
+ FLAGS.ec2_port))
iptables_manager.apply()
diff --git a/nova/network/manager.py b/nova/network/manager.py
index 3e89fc4..c96e5b0 100644
--- a/nova/network/manager.py
+++ b/nova/network/manager.py
@@ -96,8 +96,6 @@ flags.DEFINE_string('fixed_range_v6', 'fd00::/48', 'Fixed IPv6 address block')
flags.DEFINE_string('gateway_v6', None, 'Default IPv6 gateway')
flags.DEFINE_integer('cnt_vpn_clients', 0,
'Number of addresses reserved for vpn clients')
-flags.DEFINE_string('network_driver', 'nova.network.linux_net',
- 'Driver to use for network creation')
flags.DEFINE_bool('update_dhcp_on_disassociate', False,
'Whether to update dhcp when fixed_ip is disassociated')
flags.DEFINE_integer('fixed_ip_disassociate_timeout', 600,
diff --git a/nova/service.py b/nova/service.py
index 247eb4f..b9ad579 100644
--- a/nova/service.py
+++ b/nova/service.py
@@ -45,9 +45,13 @@ flags.DEFINE_integer('report_interval', 10,
flags.DEFINE_integer('periodic_interval', 60,
'seconds between running periodic tasks',
lower_bound=1)
+flags.DEFINE_string('ec2_manager', 'nova.api.manager.EC2Manager',
+ 'EC2 API service manager')
flags.DEFINE_string('ec2_listen', "0.0.0.0",
'IP address for EC2 API to listen')
flags.DEFINE_integer('ec2_listen_port', 8773, 'port for ec2 api to listen')
+flags.DEFINE_string('osapi_manager', None,
+ 'OpenStack API service manager')
flags.DEFINE_string('osapi_listen', "0.0.0.0",
'IP address for OpenStack API to listen')
flags.DEFINE_integer('osapi_listen_port', 8774, 'port for os api to listen')
@@ -290,6 +294,7 @@ class WSGIService(object):
"""
self.name = name
+ self.manager = self._get_manager()
self.loader = loader or wsgi.Loader()
self.app = self.loader.load_app(name)
self.host = getattr(FLAGS, '%s_listen' % name, "0.0.0.0")
@@ -299,6 +304,27 @@ class WSGIService(object):
host=self.host,
port=self.port)
+ def _get_manager(self):
+ """Initialize a Manager object appropriate for this service.
+
+ Use the service name to look up a Manager subclass from the
+ configuration and initialize an instance. If no class name
+ is configured, just return None.
+
+ :returns: a Manager instance, or None.
+
+ """
+ fl = '%s_manager' % self.name
+ if not fl in FLAGS:
+ return None
+
+ manager_class_name = FLAGS.get(fl, None)
+ if not manager_class_name:
+ return None
+
+ manager_class = utils.import_class(manager_class_name)
+ return manager_class()
+
def start(self):
"""Start serving this service using loaded configuration.
@@ -308,6 +334,8 @@ class WSGIService(object):
:returns: None
"""
+ if self.manager:
+ self.manager.init_host()
self.server.start()
self.port = self.server.port
