[Bug 580184] [NEW] Instance without public ip fails reading metadata with separate CC & CLC

Mike Cook mikewillcook at gmail.com
Thu May 13 21:21:21 BST 2010


Public bug reported:

With separate CC and CLC, when an instance without a public address (in
MANAGED[_NOVLAN] mode) attempts to contact the metadata service to get
its ssh key, the CC reroutes the request to the CLC and masquerades the
requestor's address.  So the CLC appears to get the metadata request
from the CC address and doesn't properly respond (how can it identify
which instance is asking?), whereas a request from an instance with a
public ip shows up as coming from that public ip (since the CC NATs the
public/private address and doesn't masquerade it).

For example:
CC+SC: 10.0.0.1
CLC+WALRUS: 10.0.0.2
VNET_MODE=MANAGED_NOVLAN
VNET_SUBNET=172.16.0.0
VNET_CLOUDIP=10.0.0.2

A private instance (no public ip) is created as 172.16.1.1.  On boot it
queries (in /etc/rc.local) http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
for its ssh key.  The 169.254.169.254
address is bound on the CC (10.0.0.1), which has a DNAT rule redirecting
HTTP to the CLC (10.0.0.2:8773).  The CC masquerades the instance's
private IP as itself (as it must, since the CLC isn't on the private
network) and forwards the request.  The CLC then gets the request, but
the source IP address is 10.0.0.1 (the CC's address) and it doesn't
reply with the key.  Without the ssh key you then can't ssh to the
private instance (either from the CC or another public/private host in
the subnet).

In contrast, a public instance is created as 172.16.1.2 with public ip
10.0.0.3.  It makes the same HTTP request which gets redirected through
the CC to the CLC.  The CC, however, applies SNAT and DNAT rules which
make the request appear as coming from 10.0.0.3 (the instance public IP)
and the CLC properly responds to the request since it can identify the
source instance.  And there was much rejoicing...

** Affects: eucalyptus (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Instance without public ip fails reading metadata with separate CC & CLC
https://bugs.launchpad.net/bugs/580184
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
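A small model of the request path described in the report, added here as an illustration; it is not Eucalyptus code and not part of the bug report. The addresses (CC 10.0.0.1, CLC 10.0.0.2:8773, metadata address 169.254.169.254, instances 172.16.1.1 and 172.16.1.2 with public IP 10.0.0.3) are taken from the report; the instance table, the key strings, the extra private instance 172.16.1.3 and the simplified NAT logic are constructed assumptions standing in for the CC's real iptables rules and the CLC's real lookup. It shows concretely why a metadata service that identifies the caller by source address alone cannot serve a masqueraded request: every private instance arrives as the CC's own address, so the lookup finds nothing (or, with several private instances, could not tell them apart).

```python
"""Model of the metadata-request path from the bug report (constructed
example, not Eucalyptus code).  Addresses follow the report; the instance
table, keys and NAT rules are simplified stand-ins."""
from dataclasses import dataclass
from typing import Optional, List

METADATA_IP = "169.254.169.254"   # link-local metadata address, bound on the CC
CC_IP = "10.0.0.1"                # CC+SC
CLC_IP = "10.0.0.2"               # CLC+Walrus (VNET_CLOUDIP)
CLC_PORT = 8773

# Constructed instance table as the CLC would know it: private IP ->
# optional public IP and the ssh public key the metadata service hands out.
INSTANCES = {
    "172.16.1.1": {"id": "i-private-a", "public_ip": None,       "key": "ssh-rsa AAAA...PRIVATE-A"},
    "172.16.1.2": {"id": "i-public",    "public_ip": "10.0.0.3", "key": "ssh-rsa AAAA...PUBLIC"},
    "172.16.1.3": {"id": "i-private-b", "public_ip": None,       "key": "ssh-rsa AAAA...PRIVATE-B"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def cc_translate(pkt: Packet) -> Packet:
    """Stand-in for the CC's NAT (assumed rules, not the real ones):
    DNAT the metadata address to the CLC, then rewrite the source to the
    instance's public IP if it has one, otherwise masquerade as the CC
    itself because the CLC is not reachable on the private network."""
    if pkt.dst == METADATA_IP and pkt.dport == 80:
        pkt = Packet(pkt.src, CLC_IP, CLC_PORT)          # DNAT to CLC:8773
    inst = INSTANCES.get(pkt.src)
    if inst is not None and inst["public_ip"] is not None:
        return Packet(inst["public_ip"], pkt.dst, pkt.dport)   # SNAT to public IP
    return Packet(CC_IP, pkt.dst, pkt.dport)                   # MASQUERADE as CC


def clc_identify(src_ip: str) -> Optional[dict]:
    """Stand-in for the CLC's lookup: the only identity signal is the
    source address, matched against every known instance address."""
    for inst in INSTANCES.values():
        if src_ip == inst["public_ip"]:
            return inst
    return INSTANCES.get(src_ip)


def source_seen_by_clc(instance_private_ip: str) -> str:
    """Source address the CLC observes for an instance's metadata request."""
    return cc_translate(Packet(instance_private_ip, METADATA_IP, 80)).src


def fetch_ssh_key(instance_private_ip: str) -> Optional[str]:
    """Simulate the boot-time rc.local request and return the key the CLC
    would send back, or None when the CLC cannot tell who is asking."""
    inst = clc_identify(source_seen_by_clc(instance_private_ip))
    return None if inst is None else inst["key"]


def masqueraded_instances() -> List[str]:
    """Instances whose requests reach the CLC carrying the CC's own address:
    the set the CLC cannot distinguish from one another."""
    return [ip for ip in INSTANCES if source_seen_by_clc(ip) == CC_IP]


if __name__ == "__main__":
    for ip in INSTANCES:
        print(f"{ip} -> seen as {source_seen_by_clc(ip)} -> key: {fetch_ssh_key(ip)}")
    print("indistinguishable at the CLC:", masqueraded_instances())
```

The useful check this gives an operator is the second function: if the address the metadata endpoint sees is not one of the instance addresses the CLC knows, the key will never be delivered, whatever the instance does on boot. Any identity derived from the source IP is only as trustworthy as the address preservation along the NAT path, which is the general lesson behind this report.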