Add Quantum metadata proxy documentation
Document metadata_agent.ini - includes auth_* and admin_* flags needed
for the Quantum client as the metadata agent does not seem to be able
to read these from quantum.conf even though it is on the command line.
Removed section in advanced config options about the need for
additional routing as this no longer applies.

Fixes bug 1099573

Cherry-picked from https://review.openstack.org/34576

Change-Id: I2f5b73d5a6bd2add27f9dd46ad2ca1d6db832b1c
djoreilly authored and Lorin Hochstein committed Jul 5, 2013
1 parent fbe43ec commit bf70087
Showing 4 changed files with 56 additions and 71 deletions.
64 changes: 56 additions & 8 deletions doc/src/docbkx/openstack-network-connectivity-admin/app_core.xml
@@ -1065,14 +1065,8 @@
state poll requests. </td>
</tr>
<tr>
<td>metadata_ip= </td>
<td>(StrOpt) IP address used by OpenStack
Compute metadata server. </td>
</tr>
<tr>
<td>metadata_port=8775 </td>
<td>(IntOpt) TCP Port used by OpenStack
Compute metadata server. </td>
<td>metadata_port=9697 </td>
<td>(IntOpt) TCP Port used by metadata namespace proxy.</td>
</tr>
<tr>
<td>router_id= </td>
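Review bot: the new row "metadata_port=9697 ... TCP Port used by metadata namespace proxy" is easy to confuse with the "nova_metadata_port=8775" row added to the metadata_agent.ini table in the same commit; the description should say explicitly that 9697 is the port the L3 agent's namespace proxy listens on inside the router namespace, and that the Nova metadata service port is configured separately in metadata_agent.ini. Consider also saying in this row that metadata_ip is no longer used by the L3 agent, since the row removing it gives the reader no hint why it disappeared.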
@@ -1096,6 +1090,60 @@
</table></para>
</section>
</section>
<section xml:id="metadata_agent_options">
<title>metadata_agent.ini</title>
<para>Use the following options in the <filename>metadata_agent.ini</filename> file for the
Metadata agent.<table rules="all">
<caption>Metadata Agent Options</caption>
<thead>
<tr>
<th>Configuration option=Default value</th>
<th>(Type) Description </th>
</tr>
</thead>
<tbody>
<tr>
<td>nova_metadata_ip=127.0.0.1 </td>
<td>(StrOpt) The IP address of the Nova metadata service. </td>
</tr>
<tr>
<td>nova_metadata_port=8775 </td>
<td>(IntOpt) The TCP port of the Nova metadata service. </td>
</tr>
<tr>
<td>metadata_proxy_shared_secret= </td>
<td>(StrOpt) When proxying metadata requests, Quantum signs the Instance-ID
header with a shared secret to prevent spoofing. You may select any
string for a secret, but it must match here and in the configuration
used by the Nova Metadata Server. NOTE: Nova uses a different key:
quantum_metadata_proxy_shared_secret </td>
</tr>
<tr>
<td>admin_user= </td>
<td>(StrOpt) The administrative user name for OpenStack Networking, which is
defined in <link xlink:href="keystone.html">OpenStack Identity</link>
(keystone). </td>
</tr>
<tr>
<td>admin_password= </td>
<td>(StrOpt) The password for the administrative user.</td>
</tr>
<tr>
<td>admin_tenant_name= </td>
<td>(StrOpt) The administrative user's tenant name.</td>
</tr>
<tr>
<td>auth_url= </td>
<td>(StrOpt) The URL used to validate tokens. For example,
<code>`auth_protocol`://`auth_host`:`auth_port`/v2.0</code>. </td>
</tr>
<tr>
<td>auth_region= </td>
<td>(StrOpt) The authentication region.</td>
</tr>
</tbody>
</table></para>
</section>
<section xml:id="device_manager_options">
<title>Common Device Manager Options</title>
<para>Use the following device manager options in the
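Review bot: the "metadata_proxy_shared_secret=" row ships with an empty default and tells the reader "You may select any string for a secret"; since the same row states that this value is what lets Quantum sign the Instance-ID header to prevent spoofing, the text should say the option is required, that a long randomly generated value should be used rather than a short or guessable string, and that it must be identical to quantum_metadata_proxy_shared_secret on the Nova side. Two smaller points in the same hunk: the "auth_url=" example wraps placeholders in backticks inside `<code>`, which DocBook renders literally; use `<replaceable>auth_protocol</replaceable>` and friends instead. The "<link xlink:href="keystone.html">" element needs the xlink namespace declared on the document root, which is worth checking in app_core.xml before this merges.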
@@ -289,48 +289,5 @@ external_network_bridge = br-ex</computeroutput></screen>
gateway_external_network_id = e828e54c-850a-4e74-80a8-8b79c6a285d8
external_network_bridge = br-ex-2</computeroutput></screen>
</section>
<section xml:id="adv_cfg_l3_agent_metadata">
<title>OpenStack Compute Metadata Server Support</title>
<para> To use OpenStack Compute metadata service, metadata_ip and metadata_port in the L3 agent
configuration file need to be configured. Accessing from VMs to OpenStack Compute metadata
service is forwarded to an external network through OpenStack Networking L3 router. OpenStack Compute metadata
service must be reachable from the external network. As the <link
linkend="ch_limitations">Limitations section </link> says, note that OpenStack Networking
overlapping IPs support and OpenStack Compute metadata service cannot be used together. </para>
<para>Allowing VMs to reach the metadata service is a big point of confusion with
OpenStack Networking. We need to make sure instructions for how to set this up are displayed more
prominently than they already are, and that there are instructions for how to
validate and troubleshoot in this scenario.</para>
<para>Example validation includes:</para>
<para><emphasis role="bold">VALIDATION STEP #1</emphasis></para>
<para>- on network node(l3_agent running) ping to <literal>nova_metadata_ip</literal>
specified in <literal>metadata_agent.ini</literal></para>
<para> if you are not using namespace, just run:</para>

<screen> ping &lt;metadata_ip></screen>
<para>for example, if the metadata server IP is 172.16.10.5, run:</para>
<screen><prompt>$</prompt><userinput>ping 172.16.10.5 </userinput></screen>

<para>if you are using namespaces, identify the UUID of the router and run:</para>

<screen>ip netns exec qrouter-&lt;router uuid> ping &lt;metadata_ip></screen>
<para>for example, if the router uuid is d7e9ec57-77c2-4046-aebf-d978ed4a4f83 and
the metadata server IP is 172.16.10.5, run:</para>
<screen><prompt>$</prompt> <userinput>ip netns exec qrouter-d7e9ec57-77c2-4046-aebf-d978ed4a4f83 ping 172.16.10.5</userinput></screen>

<para><emphasis role="bold">VALIDATION STEP #2</emphasis></para>
<para>- on metadata server(nova_api server) check connection to vm's subnets using an un-NATed IP address of the VM, such as 10.0.0.2:</para>
<para><screen><prompt>$</prompt><userinput>ping 10.0.0.2</userinput></screen></para>
<para><emphasis role="bold">NOTE</emphasis></para>
<para>OpenStack does not manage this routing for you, so you need to make sure that your
host running the metadata service always has a route to reach each private network's
subnet via the external network IP of that subnet's OpenStack Networking router. To do this, you
can either run OpenStack Networking without namespaces, and run the quantum-l3-agent on the same
host as nova-api. Otherwise, you can identify an IP prefix that includes all private
network subnet's (e.g., 10.0.0.0/8) and then make sure that your metadata server has
a route for that prefix with the OpenStack Networking router's external IP address as the
next hop. </para>

</section>
</section>
</chapter>
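Review bot: the commit message says only the routing guidance in the advanced configuration section was removed, but this hunk deletes the whole "adv_cfg_l3_agent_metadata" section, including VALIDATION STEP #1 and #2 and the surrounding text that admits metadata access "is a big point of confusion". The obsolete parts (pinging nova_metadata_ip from inside the qrouter namespace, the un-NATed route back from nova-api, the overlapping-IP limitation) are right to go, but the chapter now has no troubleshooting guidance at all for the proxy setup; suggest keeping a short replacement paragraph that tells the reader to verify that the host running quantum-metadata-agent can reach nova_metadata_ip:nova_metadata_port from metadata_agent.ini, or at least updating the commit message to state that the validation steps were dropped too.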
17 changes: 0 additions & 17 deletions doc/src/docbkx/openstack-network-connectivity-admin/ch_install.xml
@@ -420,23 +420,6 @@ interface_driver = quantum.agent.linux.interface.OVSInterfaceDriver
this node running quantum-l3-agent to the external
network, then attach the NIC attached to the external
network to this bridge.</para>
<warning>
<para>OpenStack does not manage this routing for you,
so you need to make sure that your host running
the metadata service always has a route to reach
each private network's subnet via the external
network IP of that subnet's OpenStack Networking router. To do
this, you can run OpenStack Networking without namespaces, and
run the quantum-l3-agent on the same host as
nova-api. Alternatively, you can identify an IP
prefix that includes all private network subnet's
(e.g., 10.0.0.0/8) and then make sure that your
metadata server has a route for that prefix with
the OpenStack Networking router's external IP address as the
next hop. For more validation information, refer
to <link linkend="adv_cfg_l3_agent_metadata"
>Advanced configuration</link></para>
</warning>
<para>For example, with Open vSwitch and NIC eth1 connect
to the external network, run:</para>
<screen><computeroutput>ovs-vsctl add-br br-ex
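Review bot: dropping this warning is consistent with the removal of its link target "adv_cfg_l3_agent_metadata" in app_core.xml, but it was the only text in the L3 agent installation step that pointed readers at metadata configuration, and nothing replaces it. Suggest a one-sentence note after the bridge instructions with `<link linkend="metadata_agent_options">` to the new metadata_agent.ini section, so an installer following this chapter learns that the metadata agent and its shared secret must also be configured.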
@@ -445,9 +445,6 @@
range of IP addresses in an IP block. </para>
</listitem>
</itemizedlist>
<note><para>If the OpenStack Compute metadata service is being used, any address space used on tenant networks
must be route-able on both the API network and on the External network, since the host running nova-api
must be able to reply to HTTP requests with the un-SNATed IP address of a VM. </para></note>
</section>
</section>
<section xml:id="use_cases">
