openstack/neutron
Code Issues Proposed changes

Merge "Allow to request metadata proxy only with redirection"

Browse Source
This commit is contained in:
Jenkins 2015-02-05 12:06:37 +00:00 committed by Gerrit Code Review
commit 38f2704a85
4 changed files with 45 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/l3_agent.ini
View File

@ -71,6 +71,9 @@
# if the Nova metadata server is not available # if the Nova metadata server is not available
# enable_metadata_proxy = True # enable_metadata_proxy = True
# Iptables mangle mark used to mark metadata valid requests
# metadata_access_mark = 0x1
# Location of Metadata Proxy UNIX domain socket # Location of Metadata Proxy UNIX domain socket
# metadata_proxy_socket = $state_path/metadata_proxy # metadata_proxy_socket = $state_path/metadata_proxy

6
neutron/agent/l3/config.py
View File

@ -55,5 +55,9 @@ OPTS = [
cfg.BoolOpt('enable_metadata_proxy', default=True, cfg.BoolOpt('enable_metadata_proxy', default=True,
help=_("Allow running metadata proxy.")), help=_("Allow running metadata proxy.")),
cfg.BoolOpt('router_delete_namespaces', default=False, cfg.BoolOpt('router_delete_namespaces', default=False,
help=_("Delete namespace after removing a router.")) help=_("Delete namespace after removing a router.")),
cfg.StrOpt('metadata_access_mark',
default='0x1',
help=_('Iptables mangle mark used to mark metadata valid '
'requests'))
] ]

29
neutron/agent/metadata/driver.py
View File

@ -24,6 +24,9 @@ from neutron.services import advanced_service
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
# Access with redirection to metadata proxy iptables mark mask
METADATA_ACCESS_MARK_MASK = '0xffffffff'
class MetadataDriver(advanced_service.AdvancedService): class MetadataDriver(advanced_service.AdvancedService):
@ -47,10 +50,14 @@ class MetadataDriver(advanced_service.AdvancedService):
def __init__(self, l3_agent): def __init__(self, l3_agent):
super(MetadataDriver, self).__init__(l3_agent) super(MetadataDriver, self).__init__(l3_agent)
self.metadata_port = l3_agent.conf.metadata_port self.metadata_port = l3_agent.conf.metadata_port
self.metadata_access_mark = l3_agent.conf.metadata_access_mark
def after_router_added(self, router): def after_router_added(self, router):
for c, r in self.metadata_filter_rules(self.metadata_port): for c, r in self.metadata_filter_rules(self.metadata_port,
self.metadata_access_mark):
router.iptables_manager.ipv4['filter'].add_rule(c, r) router.iptables_manager.ipv4['filter'].add_rule(c, r)
for c, r in self.metadata_mangle_rules(self.metadata_access_mark):
router.iptables_manager.ipv4['mangle'].add_rule(c, r)
for c, r in self.metadata_nat_rules(self.metadata_port): for c, r in self.metadata_nat_rules(self.metadata_port):
router.iptables_manager.ipv4['nat'].add_rule(c, r) router.iptables_manager.ipv4['nat'].add_rule(c, r)
router.iptables_manager.apply() router.iptables_manager.apply()
@ -60,8 +67,11 @@ class MetadataDriver(advanced_service.AdvancedService):
router.ns_name) router.ns_name)
def before_router_removed(self, router): def before_router_removed(self, router):
for c, r in self.metadata_filter_rules(self.metadata_port): for c, r in self.metadata_filter_rules(self.metadata_port,
self.metadata_access_mark):
router.iptables_manager.ipv4['filter'].remove_rule(c, r) router.iptables_manager.ipv4['filter'].remove_rule(c, r)
for c, r in self.metadata_mangle_rules(self.metadata_access_mark):
router.iptables_manager.ipv4['mangle'].remove_rule(c, r)
for c, r in self.metadata_nat_rules(self.metadata_port): for c, r in self.metadata_nat_rules(self.metadata_port):
router.iptables_manager.ipv4['nat'].remove_rule(c, r) router.iptables_manager.ipv4['nat'].remove_rule(c, r)
router.iptables_manager.apply() router.iptables_manager.apply()
@ -70,9 +80,18 @@ class MetadataDriver(advanced_service.AdvancedService):
router.ns_name) router.ns_name)
@classmethod @classmethod
def metadata_filter_rules(cls, port): def metadata_filter_rules(cls, port, mark):
return [('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s ' return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark),
'-j ACCEPT' % port)] ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
'-j DROP' % port)]
@classmethod
def metadata_mangle_rules(cls, mark):
return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
'-p tcp -m tcp --dport 80 '
'-j MARK --set-xmark %(value)s/%(mask)s' %
{'value': mark,
'mask': METADATA_ACCESS_MARK_MASK})]
@classmethod @classmethod
def metadata_nat_rules(cls, port): def metadata_nat_rules(cls, port):

16
neutron/tests/unit/agent/metadata/test_driver.py
View File

@ -48,10 +48,20 @@ class TestMetadataDriver(base.BaseTestCase):
metadata_driver.MetadataDriver.metadata_nat_rules(8775)) metadata_driver.MetadataDriver.metadata_nat_rules(8775))
def test_metadata_filter_rules(self): def test_metadata_filter_rules(self):
rules = ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j ACCEPT') rules = [('INPUT', '-m mark --mark 0x1 -j ACCEPT'),
('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j DROP')]
self.assertEqual( self.assertEqual(
[rules], rules,
metadata_driver.MetadataDriver.metadata_filter_rules(8775)) metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
def test_metadata_mangle_rules(self):
rule = ('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
'-p tcp -m tcp --dport 80 '
'-j MARK --set-xmark 0x1/%s' %
metadata_driver.METADATA_ACCESS_MARK_MASK)
self.assertEqual(
[rule],
metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
def _test_spawn_metadata_proxy(self, expected_user, expected_group, def _test_spawn_metadata_proxy(self, expected_user, expected_group,
user='', group=''): user='', group=''):