386453 (10)
#1
Hi there,

I have the metadata service enabled in the router namespace. However,
“curl http://169.254.169.254/latest/meta-data” failed while the VM was coming up.

I ran tcpdump ( ip netns exec qrouter-XXX tcpdump -i qg-4aa69c80-13) on the router interface and I do not see the incoming HTTP packets.

I checked iptables and there is no hit on the redirect rule:
0 0 REDIRECT tcp -- any any anywhere 169.254.169.254 tcp dpt:http redir ports 9697

However, when we change the IP address in iptables from 169.254.169.253, we can reach the meta service. I'm puzzled, please help....


These are the iptables entries:

# Generated by iptables-save v1.4.21 on Fri Apr 1 16:34:22 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Fri Apr 1 16:34:22 2016
# Generated by iptables-save v1.4.21 on Fri Apr 1 16:34:22 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 10.162.221.101/32 -j DNAT --to-destination 172.16.0.25
-A neutron-l3-agent-POSTROUTING ! -i qg-4aa69c80-13 ! -o qg-4aa69c80-13 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.162.221.101/32 -j DNAT --to-destination 172.16.0.25
-A neutron-l3-agent-float-snat -s 172.16.0.25/32 -j SNAT --to-source 10.162.221.101
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 172.16.0.0/24 -j SNAT --to-source 10.162.221.100
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT