[Openstack] Built in security group?

David Medberry openstack at medberry.net
Tue Jul 12 16:50:02 UTC 2016


No, I don't think there is a way to "add" a rule that isn't already in your
default settings to an instance so that it can reach the metadata server.

If users bypass the "default" (presuming you allow default to access the
metadata server), they simply won't have that access.



On Tue, Jul 12, 2016 at 10:13 AM, Turbo Fredriksson <turbo at bayour.com>
wrote:

> I noticed today when I created an instance which
> only allowed incoming/outgoing SSH connections
>
>         • ALLOW IPv4 22/udp to 0.0.0.0/0
>         • ALLOW IPv4 22/tcp from 0.0.0.0/0
>
> that it failed on the setup of the cloud info.
>
> As in, the "http://169.254.169.254/2009-04-04/instance-id"
> request failed (because it couldn't reach 169.254.169.254).
>
> However, if I added a
>
>         • ALLOW IPv4 80/tcp to 169.254.169.254/32
>
> then it worked..
>
> Which is/was kind'a obvious in retrospect :).
>
>
> Is there a way to specify that a (that) rule should
> ALWAYS be added to an instance, no matter what is
> (or isn't!) selected in the GUI?
>
> As in, in my use-case(s), _ALL_ instances must
> _ALWAYS_ have that latter rule, but I'd rather not
> have to remember to add it to every security group
> I create (and I already have).
> --
> There are no dumb questions,
> unless a customer is asking them.
> - Unknown
>
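
An offline audit for the situation discussed in this thread, added here as an example and not part of either poster's message: it reports which security groups, used on their own, leave 169.254.169.254 unreachable on 80/tcp. It assumes rules are dicts using the Neutron security group rule field names; the group names, sample rules and function names are constructed for illustration.

```python
import ipaddress

METADATA_IP = ipaddress.ip_address("169.254.169.254")
METADATA_PORT = 80  # the rule from the thread: 80/tcp to 169.254.169.254/32

def rule_allows_metadata(rule):
    """True if one rule permits egress TCP/80 to the metadata address."""
    if rule.get("direction") != "egress" or rule.get("ethertype") != "IPv4":
        return False
    if rule.get("protocol") not in (None, "tcp", "6", 6):  # None = any protocol
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not lo <= METADATA_PORT <= (lo if hi is None else hi):
        return False
    if rule.get("remote_group_id"):  # peer is a group of ports, not an address
        return False
    prefix = rule.get("remote_ip_prefix") or "0.0.0.0/0"  # unset = any IPv4
    return METADATA_IP in ipaddress.ip_network(prefix, strict=False)

def groups_blocking_metadata(groups):
    """Names of groups that, used alone, leave the metadata service unreachable."""
    return [g["name"] for g in groups
            if not any(rule_allows_metadata(r) for r in g["security_group_rules"])]

def instance_can_reach_metadata(groups):
    """Security groups are additive: one permitting rule in any group is enough."""
    return any(rule_allows_metadata(r)
               for g in groups for r in g["security_group_rules"])

def _rule(direction, proto, port, prefix):
    return {"direction": direction, "ethertype": "IPv4", "protocol": proto,
            "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": prefix, "remote_group_id": None}

# Constructed sample data (not from a real cloud).
SSH_ONLY = {"name": "ssh-only", "security_group_rules": [
    _rule("egress", "udp", 22, "0.0.0.0/0"),
    _rule("ingress", "tcp", 22, "0.0.0.0/0")]}
SSH_PLUS_METADATA = {"name": "ssh-plus-metadata", "security_group_rules":
    SSH_ONLY["security_group_rules"] + [_rule("egress", "tcp", 80, "169.254.169.254/32")]}
ALLOW_ALL_EGRESS = {"name": "allow-all-egress", "security_group_rules": [
    _rule("egress", None, None, None)]}
SAMPLE_GROUPS = [SSH_ONLY, SSH_PLUS_METADATA, ALLOW_ALL_EGRESS]

if __name__ == "__main__":
    print("groups blocking metadata:", groups_blocking_metadata(SAMPLE_GROUPS))
    print("ssh-only alone reaches metadata:", instance_can_reach_metadata([SSH_ONLY]))
```

Run against a real export of a project's security groups, the per-group list shows which groups need the metadata rule added before they are used without the default group.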