Bug 734347

Summary: Fix nova's iptables rules
Product: [Fedora] Fedora Reporter: Mark McLoughlin <markmc>
Component: openstack-novaAssignee: Mark McLoughlin <markmc>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: asalkeld, markmc, matt_domsch
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-nova-2011.3-0.8.d4.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-30 19:43:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark McLoughlin 2011-08-30 07:05:42 UTC 
Currently you need to disable iptables in order to get nova networking

The basic problem is that Nova's rules were written to work on Ubuntu where there are no iptables rules by default and all packets are accepted. The rules need to be adapted to work with Fedora's reject rules
Comment 1 Mark McLoughlin 2011-09-01 19:09:00 UTC 
Some progress here. This is enough to get things working for me:

iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
Comment 2 Mark McLoughlin 2011-09-03 13:52:21 UTC 
Okay, I've built this:

* Sat Sep  3 2011 Mark McLoughlin <markmc> - 2011.3-0.7.d4
- Add iptables rules to allow requests to dnsmasq (#734347)

It looks like we also need ACCEPT rules for the 169.254.169.254 meta-data service too, though
Comment 3 Mark McLoughlin 2011-09-05 07:08:05 UTC 
Okay, added a rule for that too:

* Mon Sep  5 2011 Mark McLoughlin <markmc> - 2011.3-0.8.d4
- Add iptables rule to allow EC2 metadata requests (#734347)
Comment 4 Fedora Update System 2011-09-05 07:14:51 UTC 
openstack-nova-2011.3-0.8.d4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openstack-nova-2011.3-0.8.d4.fc16
Comment 5 Fedora Update System 2011-09-06 18:08:45 UTC 
Package openstack-nova-2011.3-0.8.d4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openstack-nova-2011.3-0.8.d4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/openstack-nova-2011.3-0.8.d4.fc16
then log in and leave karma (feedback).
Comment 6 Mark McLoughlin 2011-09-09 09:46:48 UTC 
For reference, here's the upstream bug with two associated merge proposals for the patches I included in our package:

  https://bugs.launchpad.net/nova/+bug/844935
Comment 7 Fedora Update System 2011-09-30 19:43:13 UTC 
openstack-nova-2011.3-0.8.d4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.