For the VPC virtual router case this would this have to be done on all guest interfaces? Could we alias localhost on the VR to 169.254.169.254? For shared networks, basic zone and networks where the VR is not the default gateway, we would have to send another (169.254.0.0/16) route in the DHCP response to point to the VR.
Additionally in basic zone the anti-spoof filters in dom0 would have to be adjusted to let 169.254.169.254 addresses On 10/24/13 8:51 AM, "Darren Shepherd" <darren.s.sheph...@gmail.com> wrote: >So additionally you need to do > >ip addr add dev eth0 169.254.169.254/0 > >On Thu, Oct 24, 2013 at 8:29 AM, Kris G. Lindgren <klindg...@godaddy.com> >wrote: >> You would also need to supernet 169.254.169.254 on the virtual router >> (assigning it as 169.254.169.254 netmask 0.0.0.0 on eth0) that way it >>will >> still arp to servers that are calling it that have real ip addresses. >> >> Additionally we had some other iptables rules in there that would change >> the the ip address of the incoming request to metadata based upon the >>mac >> address that was hitting it. This was to prevent spoofing of another >>vm's >> IP and getting someone else's metadata (at least in our metadata >> implementation we keyed off of the VM IP calling into metadata). This >> also allowed a user to set whatever ipaddress they wanted, but as long >>as >> the mac address was the same and they still had a zeroconfig route on >>the >> VM, they still got only their metadata. >> ____________________________________________ >> >> Kris Lindgren >> Senior Linux Systems Engineer >> GoDaddy, LLC. >> >> >> This email message and any attachment(s) hereto are intended for use >>only >> by its intended recipient(s) and may contain confidential information. >>If >> you have received this email in error, please immediately notify the >> sender and permanently delete the original and any copy of this message >> and its attachments. >> >> >> >> >> >> >> >> On 10/24/13 9:12 AM, "Darren Shepherd" <darren.s.sheph...@gmail.com> >>wrote: >> >>>My guess, I don't really know, would be because its hard. The VR uses >>>link local for the control network so 169.254/16 is bound to the wrong >>>nic. To fix this you just need some ip routing magic in linux (credit >>>goes to Kris Lindgren who showed me how to do this). Add the below to >>>a file, substitute eth0 for the guest network nic, run "ip -b <FILE>" >>>The below effectively creates a routing table dedicated to the IP >>>169.254.169.254 that sets it default route to go out the guest network >>>nic. >>> >>>rule add from 169.254.169.254 table 70 >>>rule add to 169.254.169.254 dev eth0 table 70 >>>route flush table 70 >>>route add default dev eth0 src 169.254.169.254 table 70 >>>route flush cache >>> >>>Darren >>> >>>On Thu, Oct 24, 2013 at 6:10 AM, Shanker Balan >>><shanker.ba...@shapeblue.com> wrote: >>>> Hi Guys, >>>> >>>> CloudStack metadata services are on the default gateway while on EC2, >>>> its at 169.254.169.254. Am curious to know why CloudStack does not >>>> use a link local address for meta data services. >>>> >>>> A search of the Wiki >>>>(https://cwiki.apache.org/confluence/dosearchsite.action?where=CLOUDSTA >>>>CK >>>>&tooltip=Type+ALL%3A+in+your+query+to+search+all+of+Confluence&spaceSea >>>>rc >>>>h=true&queryString=metadata) didnĀ¹t seem to list any doc related to the >>>>design of this service. >>>> >>>> TIA. >>>> >>>> -- >>>> @shankerbalan >>>> >>>> M: +91 98860 60539 | O: +91 (80) 67935867 >>>> shanker.ba...@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue >>>> ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade >>>>Centre, Bangalore - 560 055 >>>> >>>> CloudStack Bootcamp Training on 27/28 November, Bangalore >>>> http://www.shapeblue.com/cloudstack-training/ >>>> >>>> >>>> >>>> >>>> This email and any attachments to it may be confidential and are >>>>intended solely for the use of the individual to whom it is addressed. >>>>Any views or opinions expressed are solely those of the author and do >>>>not necessarily represent those of Shape Blue Ltd or related companies. >>>>If you are not the intended recipient of this email, you must neither >>>>take any action based upon its contents, nor copy or show it to anyone. >>>>Please contact the sender if you believe you have received this email >>>>in >>>>error. Shape Blue Ltd is a company incorporated in England & Wales. >>>>ShapeBlue Services India LLP is a company incorporated in India and is >>>>operated under license from Shape Blue Ltd. Shape Blue Brasil >>>>Consultoria Ltda is a company incorporated in Brasil and is operated >>>>under license from Shape Blue Ltd. ShapeBlue is a registered trademark. >>
