0

Does external network need neutron-ns-metadata-proxy?

asked 2015-11-03 17:01:01 -0500

Nodir

updated 2015-11-03 17:01:20 -0500

In my multi-node Kilo with DVR setup I have neutron-ns-metadata-proxy running for internal networks and the external network. I do not understand why a metadata proxy is needed for the external network.

I read about the services provided by metadata [1] and how it is accessed via qrouter [2] and dhcp [3]. Since we don't attach VMs directly to the external network, why do we need it? Is there any option to disable neutron-ns-metadata-proxy for the external network?

Thanks,

Nodir

[1] http://docs.openstack.org/admin-guide...

[2] http://techbackground.blogspot.ie/201...

[3] http://techbackground.blogspot.ie/201...


2 answers

0

answered 2015-11-06 05:25:10 -0500

rossella-o

@Nodir the metadata-proxy is not needed for the external network. I imagine something is misconfigured. Can you give more details regarding the conf file of the dhcp agent and how you created the external network?

0

answered 2015-11-04 00:54:47 -0500

dbaxps

updated 2015-11-04 11:44:34 -0500

UPDATE 1
Per http://docs.openstack.org/networking-...

   OpenStack uses DNAT to route packets from instances to the OpenStack metadata service. Applications running inside of instances access the OpenStack metadata service by making HTTP GET requests to a web server with IP address 169.254.169.254. In an OpenStack deployment, there is no host with this IP address. Instead, OpenStack uses DNAT to change the destination IP of these packets so they reach the network interface that a metadata service is listening on.

END UPDATE
Next

    [root@ip-192-169-142-147 ~(keystone_admin)]# openstack-status | grep neutron
    == neutron services ==
    neutron-server:                         inactive  (disabled on boot)
    neutron-dhcp-agent:                     inactive  (disabled on boot)
    neutron-l3-agent:                       active
    neutron-metadata-agent:                 active <=== Running on DVR Compute Node
    neutron-openvswitch-agent:              active

    [root@ip-192-169-142-147 ~(keystone_admin)]# ip netns
    fip-d8803504-93dd-4604-b3ed-d6bce93a29b7
    qrouter-12faa2c9-5091-4eee-adc6-80c88417d0a1

    [root@ip-192-169-142-147 ~(keystone_admin)]# ip netns exec qrouter-12faa2c9-5091-4eee-adc6-80c88417d0a1 netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:9697            0.0.0.0:*               LISTEN      4051/python2

    [root@ip-192-169-142-147 ~(keystone_admin)]# ps -f --pid 4051 | fold -w 80 -s
    UID        PID  PPID  C STIME TTY          TIME CMD
    neutron   4051     1  0 09:10 ?        00:00:00 /usr/bin/python2
    /bin/neutron-ns-metadata-proxy
    --pid_file=/var/lib/neutron/external/pids/12faa2c9-5091-4eee-adc6-80c88417d0a1.p
    id --metadata_proxy_socket=/var/lib/neutron/metadata_proxy
    --router_id=12faa2c9-5091-4eee-adc6-80c88417d0a1 --state_path=/var/lib/neutron
    --metadata_port=9697 --metadata_proxy_user=992 --metadata_proxy_group=990
    --verbose
    --log-file=neutron-ns-metadata-proxy-12faa2c9-5091-4eee-adc6-80c88417d0a1.log
    --log-dir=/var/log/neutron

Next

    [root@ip-192-169-142-147 ~(keystone_admin)]#  lsof /var/lib/neutron/metadata_proxy
    lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
          Output information may be incomplete.
    COMMAND    PID    USER   FD   TYPE             DEVICE SIZE/OFF  NODE NAME
    neutron-m 1237 neutron    5u  unix 0xffff8800a6810000      0t0 27952 /var/lib/neutron/metadata_proxy
    neutron-m 2541 neutron    5u  unix 0xffff8800a6810000      0t0 27952 /var/lib/neutron/metadata_proxy
    neutron-m 2542 neutron    5u  unix 0xffff8800a6810000      0t0 27952 /var/lib/neutron/metadata_proxy
    neutron-m 2543 neutron    5u  unix 0xffff8800a6810000      0t0 27952 /var/lib/neutron/metadata_proxy
    neutron-m 2544 neutron    5u  unix 0xffff8800a6810000      0t0 27952 /var/lib/neutron/metadata_proxy


    [root@ip-192-169-142-147 ~(keystone_admin)]# netstat -lxp | grep metadata
    unix  2      [ ACC ]     STREAM     LISTENING     27952    1237/python2  /var/lib/neutron/metadata_proxy

    [root@ip-192-169-142-147 ~(keystone_admin)]# ps -f --pid 1237 | fold -w 80 -s
    UID        PID  PPID  C STIME TTY          TIME CMD
    neutron   1237     1  0 09:07 ?        00:00:01 /usr/bin/python2
    /usr/bin/neutron-metadata-agent --config-file
    /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf
    --config-file /etc/neutron/metadata_agent.ini --config-dir
    /etc/neutron/conf.d/common --config-dir
    /etc/neutron/conf.d/neutron-metadata-agent --log-file
    /var/log/neutron/metadata-agent.log
    # <== It's listening on socket /var/lib/neutron/metadata_proxy.
    # Thus neutron-ns-metadata-proxy is needed
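
An added example, not part of the thread or of Neutron itself: a shell inventory of `neutron-ns-metadata-proxy` processes like the one in the `ps` output above, mapping each to its namespace and flagging any proxy bound to a network marked external. The `ps` sample, UUIDs and `EXTERNAL_NETS` list are constructed; the `--network_id` flag and the `qdhcp-` namespace prefix do not appear in the thread and are assumed here for proxies started by the DHCP agent.

```shell
#!/bin/sh
# Added example: inventory neutron-ns-metadata-proxy processes by scope.

# Constructed `ps -eo pid,args` output; PIDs and UUIDs are made up.
sample_ps() {
cat <<'EOF'
 4051 /usr/bin/python2 /bin/neutron-ns-metadata-proxy --router_id=11111111-aaaa --metadata_port=9697
 4102 /usr/bin/python2 /bin/neutron-ns-metadata-proxy --network_id=22222222-bbbb --metadata_port=80
 4177 /usr/bin/python2 /bin/neutron-ns-metadata-proxy --network_id=33333333-cccc --metadata_port=80
 1237 /usr/bin/python2 /usr/bin/neutron-metadata-agent --config-file /etc/neutron/metadata_agent.ini
EOF
}

# Constructed: space-separated IDs of networks marked external.
EXTERNAL_NETS="33333333-cccc"

# stdin: ps output. stdout: "pid scope namespace port verdict" per proxy.
classify_proxies() {
  awk -v ext="$EXTERNAL_NETS" '
    BEGIN { n = split(ext, e, " "); for (i = 1; i <= n; i++) is_ext[e[i]] = 1 }
    /neutron-ns-metadata-proxy/ {
      scope = ""; id = ""; port = "unknown"
      for (i = 2; i <= NF; i++) {
        v = $i; sub(/^[^=]*=/, "", v)          # value part of --flag=value
        if ($i ~ /^--router_id=/)     { scope = "router";  id = v }
        if ($i ~ /^--network_id=/)    { scope = "network"; id = v }
        if ($i ~ /^--metadata_port=/) { port = v }
      }
      if (scope == "") next                    # not a proxy command line
      # Router-scoped proxies live in qrouter-<id>, network-scoped in qdhcp-<id>.
      ns = (scope == "router" ? "qrouter-" : "qdhcp-") id
      verdict = (scope == "network" && (id in is_ext)) ? "review-external" : "expected"
      print $1, scope, ns, port, verdict
    }'
}

# PIDs of proxies bound to a network that is marked external.
external_proxy_pids() {
  classify_proxies | awk '$5 == "review-external" { print $1 }'
}

sample_ps | classify_proxies
```

On a live node, pipe `ps -eo pid,args` into `classify_proxies` and fill `EXTERNAL_NETS` from your own list of external network IDs.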

Comments

@dbaxps, thanks for the answer! However, you explained why neutron-ns-metadata-proxy is needed in general (basically to have a working metadata service). You did not explain why it is needed for the external network. Am I missing something?

Nodir ( 2015-11-04 02:28:11 -0500 )

@Nodir, I believe you mix up concepts. It's about the ability of cloud-init to obtain metadata (via Nova Metadata Server running on Controller/Network Node). A VM starting on a Compute Node needs neutron-ns-metadata-proxy to get neutron-metadata-agent (local copy) able to proceed with its request.

dbaxps ( 2015-11-04 02:36:42 -0500 )

See post http://blog.gampel.net/2014/12/openst...
neutron-ns-metadata-proxy is supposed to get the job done before the procedure described in this post starts.

dbaxps ( 2015-11-04 02:52:01 -0500 )

@dbaxps: let me paraphrase the question. In my two-node setup (1 controller, 1 compute) I have 3 neutron-ns-metadata-proxy http://txt.do/5rk9u. One is for the router in the compute node, one is for the isolated tenant network (I have enable_isolated_metadata = true) and one is for the external network.

Nodir ( 2015-11-04 15:40:22 -0500 )

I am asking why neutron-ns-metadata-proxy is needed on the external network. If the proxy is needed to "proxy" VM metadata requests residing on a particular isolated network (to the nova metadata service) and we never directly attach a VM to the external network, can we get rid of metadata for the external network?

Nodir ( 2015-11-04 15:45:30 -0500 )


Stats

Asked: 2015-11-03 17:01:01 -0500

Seen: 507 times

Last updated: Nov 06 '15