Configuring the Neutron metadata agent

OpenStack Compute provides a metadata service that enables users to retrieve information about their instances that can be used to configure or manage the running instance. Metadata includes information such as the hostname, fixed and floating IPs, public keys, and more. In addition to metadata, users can access userdata such as scripts and other bootstrapping configurations that can be executed during the boot process or once the instance is active. OpenStack Networking implements a proxy that forwards metadata requests from instances to the metadata service provided by OpenStack Compute.

Instances typically access the metadata service over HTTP at http://169.254.169.254 during the boot process. This mechanism is provided by cloud-init, a utility found on most cloud-ready images and available at the following URL: https://launchpad.net/cloud-init.

The following diagram provides a high-level overview of the retrieval of metadata from an instance when the controller node hosts networking services:

In the preceding diagram, the following actions take place when an instance makes a request to the metadata service:

  • An instance sends a request for metadata to 169.254.169.254 via HTTP
  • The metadata request hits either the router or DHCP namespace depending on the route in the instance
  • The metadata proxy service in the namespace sends the request to the Neutron metadata agent service via a Unix socket
  • The Neutron metadata agent service forwards the request to the Nova metadata API service
  • The Nova metadata API service responds to the request and forwards the response to the Neutron metadata agent service
  • The Neutron metadata agent service sends the response back to the metadata proxy service in the namespace
  • The metadata proxy service forwards the HTTP response to the instance
  • The instance receives the metadata and/or the user data and continues the boot process

For proper operation of metadata services, both Neutron and Nova must be configured with the same shared secret. Neutron uses this secret to sign the Instance-ID header of the metadata request to prevent spoofing. On the controller node, update the following metadata options in the [neutron] section of the Nova configuration file located at /etc/nova/nova.conf:

[neutron] 
...
service_metadata_proxy = true
metadata_proxy_shared_secret = MetadataSecret123

Next, update the [DEFAULT] section of the metadata agent configuration file located at /etc/neutron/metadata_agent.ini with the Neutron authentication details and the metadata proxy shared secret:

[DEFAULT] 
...
nova_metadata_host = controller01
metadata_proxy_shared_secret = MetadataSecret123

Configuration options not mentioned here have sufficient default values and should not be changed unless your environment requires it.
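
The signing step described above can be sketched as follows. This is an added example, not code from the book or from Neutron or Nova: it assumes HMAC-SHA256 over the instance ID, carried in X-Instance-ID and X-Instance-ID-Signature headers, and the instance UUID, project name and IP address are constructed sample values.

```python
import hashlib
import hmac

SHARED_SECRET = "MetadataSecret123"  # sample value from the configs above
INSTANCE_ID = "3f0c2a1e-7d4b-4c8e-9a55-0b6e2d1f4a77"  # constructed UUID


def sign_instance_id(shared_secret: str, instance_id: str) -> str:
    """Agent side: HMAC-SHA256 over the instance ID, keyed with the secret."""
    return hmac.new(shared_secret.encode(), instance_id.encode(),
                    hashlib.sha256).hexdigest()


def build_proxy_headers(shared_secret: str, instance_id: str,
                        project_id: str, instance_ip: str) -> dict:
    """Headers the metadata agent adds before forwarding to the Nova API."""
    return {
        "X-Forwarded-For": instance_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": project_id,
        "X-Instance-ID-Signature": sign_instance_id(shared_secret, instance_id),
    }


def verify_request(shared_secret: str, headers: dict) -> bool:
    """Nova side: recompute the signature and compare in constant time."""
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get("X-Instance-ID-Signature")
    if not instance_id or not signature:
        return False  # unsigned requests are rejected outright
    expected = sign_instance_id(shared_secret, instance_id)
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    good = build_proxy_headers(SHARED_SECRET, INSTANCE_ID, "demo-project", "10.0.0.5")
    # Another instance ID presented with a signature captured for INSTANCE_ID.
    swapped = dict(good, **{"X-Instance-ID": "00000000-0000-4000-8000-000000000001"})
    return {
        "valid": verify_request(SHARED_SECRET, good),
        "swapped_instance_id": verify_request(SHARED_SECRET, swapped),
        "secret_mismatch": verify_request("DifferentSecret", good),
    }


if __name__ == "__main__":
    print(demo())
```

The secret_mismatch case is what a deployment sees when the metadata_proxy_shared_secret values in nova.conf and metadata_agent.ini differ: every proxied metadata request fails verification.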
