Metadata service

haripk edited this page Dec 5, 2013 · 28 revisions

OpenStack allows VMs to access metadata by sending an HTTP request to the link-local address 169.254.169.254. The metadata request from the VM is proxied to Nova, with additional HTTP header fields added. Nova uses these to identify the source instance and responds with the appropriate metadata.

The Contrail vRouter acts as the proxy: it traps the metadata requests, adds the necessary header fields and sends the requests to the Nova API server.

Configuration

The metadata service is configured by setting the "linklocal-services" property on the "global-vrouter-config" object. The linklocal-services element should have an entry of the form:

  • linklocal-service-name = metadata
  • linklocal-service-ip = 169.254.169.254
  • linklocal-service-port = 80
  • ip-fabric-service-ip = [server-ip-address]
  • ip-fabric-service-port = [server-port]

This configuration can be done either through the UI or by using the following command (bracketed values are placeholders to fill in):

python /opt/contrail/utils/provision_linklocal.py --admin_user [admin-user] --admin_password [admin-password] --linklocal_service_name metadata --linklocal_service_ip 169.254.169.254 --linklocal_service_port 80 --ipfabric_service_ip [server-ip-address] --ipfabric_service_port 8775

Nova Configuration

The following has to be added to the DEFAULT section of the nova.conf file to enable the metadata proxy service. Restart the openstack-nova-api service after editing nova.conf.

service_quantum_metadata_proxy = True

The Nova configuration also has a shared secret (configured as quantum_metadata_proxy_shared_secret = secret in nova.conf). The proxy uses this shared secret to add an instance-signature (HMAC SHA256 digest) to the HTTP header when sending the request to the Nova API server. If this shared secret is configured, the same value has to be set in the agent configuration file on each compute node (shared-secret tag in agent.conf). The shared secret can also be left empty (which is the default configuration).
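
The signing and checking described above, as an added example (not Contrail or Nova source code). It assumes the header names of the Nova metadata-proxy convention (X-Instance-ID, X-Tenant-ID, X-Instance-ID-Signature, X-Forwarded-For), which this page does not list, and that the signature is computed over the instance ID; the IDs and addresses are constructed sample values.

```python
import hashlib
import hmac


def sign_instance_id(shared_secret: str, instance_id: str) -> str:
    """HMAC-SHA256 hex digest of the instance ID, keyed with the shared secret."""
    return hmac.new(shared_secret.encode(), instance_id.encode(),
                    hashlib.sha256).hexdigest()


def proxy_headers(shared_secret: str, instance_id: str,
                  tenant_id: str, vm_ip: str) -> dict:
    """Headers the proxy adds before forwarding to the Nova API server.

    Header names are an assumption (Nova metadata-proxy convention).
    """
    return {
        "X-Forwarded-For": vm_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Instance-ID-Signature": sign_instance_id(shared_secret, instance_id),
    }


def nova_accepts(nova_secret: str, headers: dict) -> bool:
    """Server-side check: recompute the digest and compare in constant time."""
    expected = sign_instance_id(nova_secret, headers.get("X-Instance-ID", ""))
    return hmac.compare_digest(expected,
                               headers.get("X-Instance-ID-Signature", ""))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    instance = "5c1f3e0a-0000-4000-8000-000000000001"
    tenant = "tenant-example"
    hdrs = proxy_headers("secret", instance, tenant, "10.0.0.5")

    print("matching secrets:   ", nova_accepts("secret", hdrs))
    # agent.conf and nova.conf disagree: every metadata request is rejected.
    print("mismatched secrets: ", nova_accepts("other", hdrs))
    # A header changed after signing no longer matches the signature.
    tampered = dict(hdrs, **{"X-Instance-ID": "5c1f3e0a-0000-4000-8000-000000000002"})
    print("tampered instance id:", nova_accepts("secret", tampered))
    # Empty secret (the default): the digest is keyed with an empty key,
    # so it only checks consistency and does not authenticate the proxy.
    empty = proxy_headers("", instance, tenant, "10.0.0.5")
    print("empty on both sides:", nova_accepts("", empty))
```

A mismatch between nova.conf and agent.conf shows up as rejected metadata requests on every VM of the affected compute node, which is the first thing to check after changing the secret.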