<div dir="ltr"><div><div><div><div>Hi Folks,<br><br></div>I am trying to understand how an instance gets metadata when OVN is used as the mechanism driver. I read the theory in [1] but am not able to understand the practical implementation of it. <br><br></div>I created two private networks (internal1 and internal2); one private network (internal1) is connected to a router and the other one (internal2) is isolated. <br><br></div>I tried to spin up CirrOS instances using both networks. Both instances are able to get the metadata from their networks. <br><br></div>List of metadata-related processes running on the devstack node: <br><div><br>~~~<br>stack@testuser-KVM:~/devstack$ ps -ef | grep -i metadata<br>stack 1067 1 0 Sep22 ? 00:00:39 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file /etc/neutron/networking_ovn_metadata_agent.ini<br>stack 1414 1067 0 Sep22 ? 00:00:17 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file /etc/neutron/networking_ovn_metadata_agent.ini<br>stack 1415 1067 0 Sep22 ? 00:00:17 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file /etc/neutron/networking_ovn_metadata_agent.ini<br>stack 25192 1 0 10:43 ? 00:00:00 haproxy -f /opt/stack/data/neutron/ovn-metadata-proxy/54f264d5-c2f5-409c-9bd2-dbcec52edffd.conf<br>stack 27424 1 0 11:24 ? 00:00:00 haproxy -f /opt/stack/data/neutron/ovn-metadata-proxy/86eefb22-1417-407a-b56f-a1f3f147ee4e.conf<br>~~~</div><div><br></div><div>Default content of the neutron OVN metadata agent file: 
<br></div><div><br></div><div>~~~</div><div>stack@testuser-KVM:~/devstack$ egrep -v "^(#|$)" /etc/neutron/networking_ovn_metadata_agent.ini<br>[DEFAULT]<br>state_path = /opt/stack/data/neutron<br>metadata_workers = 2<br>nova_metadata_ip = 192.168.122.98<br>debug = True<br>[ovs]<br>ovsdb_connection = unix:/usr/local/var/run/openvswitch/db.sock<br>[agent]<br>root_helper_daemon = sudo /usr/local/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf<br>[ovn]<br>ovn_sb_connection = tcp:<a href="http://192.168.122.98:6642">192.168.122.98:6642</a></div><div>~~~<br></div><div><br><div><div>I don't see any NAT rule inside the network namespace that would route requests for "169.254.169.254" to the nova metadata IP mentioned in the OVN metadata configuration file.</div><div><br></div><div>~~~<br></div><div>stack@testuser-KVM:~/devstack$ sudo ip netns list<br>ovnmeta-86eefb22-1417-407a-b56f-a1f3f147ee4e (id: 1)<br>ovnmeta-54f264d5-c2f5-409c-9bd2-dbcec52edffd (id: 0)<br>stack@testuser-KVM:~/devstack$ sudo ip netns exec ovnmeta-86eefb22-1417-407a-b56f-a1f3f147ee4e iptables -t nat -L<br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination<br><br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination<br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br><br>Chain POSTROUTING (policy ACCEPT)<br>target prot opt source destination</div><div>~~~</div><div><br></div><div>Content of the haproxy configuration file: 
<br></div><div><br></div><div>~~~</div><div>root@testuser-KVM:~/devstack# cat /opt/stack/data/neutron/ovn-metadata-proxy/86eefb22-1417-407a-b56f-a1f3f147ee4e.conf<br><br>global<br> log /dev/log local0 debug<br> user stack<br> group stack<br> maxconn 1024<br> pidfile /opt/stack/data/neutron/external/pids/86eefb22-1417-407a-b56f-a1f3f147ee4e.pid<br> daemon<br><br>defaults<br> log global<br> mode http<br> option httplog<br> option dontlognull<br> option http-server-close<br> option forwardfor<br> retries 3<br> timeout http-request 30s<br> timeout connect 30s<br> timeout client 32s<br> timeout server 32s<br> timeout http-keep-alive 30s<br><br>listen listener<br> bind <a href="http://0.0.0.0:80">0.0.0.0:80</a><br> server metadata /opt/stack/data/neutron/metadata_proxy<br> http-request add-header X-OVN-Network-ID 86eefb22-1417-407a-b56f-a1f3f147ee4e</div><div>~~~</div><div><br></div><div>It seems that the isolated metadata option is enabled by default in my setup, but in the neutron OVN configuration files I don't see such a setting. I suspect it is enabled because even when the network is not connected to a router, the instance spawned on the isolated network is able to get the metadata. <br></div><div><br></div><div>How is the instance able to get metadata in both cases, the isolated network and the network connected to a router? <br></div><div><br>[1] <a href="https://docs.openstack.org/networking-ovn/latest/contributor/design/metadata_api.html">https://docs.openstack.org/networking-ovn/latest/contributor/design/metadata_api.html</a><br><div><div><br><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>Thanks & Regards,</div>
<div>Vikrant Aggarwal</div><br><span></span><span></span></div></div></div>
</div></div></div></div></div></div>
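The haproxy file quoted in the mail is the piece that ties a metadata request to a network: haproxy binds port 80 inside the per-network `ovnmeta-<network-id>` namespace, forwards the request over the agent's unix socket, and stamps it with `X-OVN-Network-ID` (plus the client address via `option forwardfor`), which is what lets the agent work out which instance on which network is asking. No NAT rule is involved, so the header has to be right. The script below is an added example (not from the mail and not networking-ovn's own code) that checks a proxy config for exactly those properties; it assumes the layout seen in the `ps` output, where the file is named `<network-id>.conf`, and the function names `check_ovn_metadata_proxy_conf` and `write_sample_conf` are hypothetical helpers. The sample configs it writes are constructed, modelled on the one quoted above.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not networking-ovn code): sanity
# check of an OVN metadata haproxy config. The file is expected to be named
# <network-id>.conf, and the X-OVN-Network-ID header it adds must name the
# same network; a mismatch would label requests from one network as another.

# check_ovn_metadata_proxy_conf <conf-path>
# Prints findings; returns 0 if the file is consistent, 1 otherwise.
check_ovn_metadata_proxy_conf() {
    conf="$1"
    net_id=$(basename "$conf" .conf)
    rc=0

    # Header value must match the network id taken from the filename.
    hdr_id=$(awk '$1=="http-request" && $2=="add-header" && $3=="X-OVN-Network-ID" {print $4}' "$conf")
    if [ "$hdr_id" != "$net_id" ]; then
        echo "FAIL: X-OVN-Network-ID '$hdr_id' does not match file network id '$net_id'"
        rc=1
    fi

    # Listener must be on port 80, the port 169.254.169.254 clients use.
    bind_addr=$(awk '$1=="bind" {print $2}' "$conf")
    case "$bind_addr" in
        *:80) ;;
        *) echo "FAIL: listener bound to '$bind_addr', expected port 80"; rc=1 ;;
    esac

    # Backend must be a unix socket path (the agent), not a TCP address.
    backend=$(awk '$1=="server" && $2=="metadata" {print $3}' "$conf")
    case "$backend" in
        /*) ;;
        *) echo "FAIL: backend '$backend' is not a unix socket path"; rc=1 ;;
    esac

    # Without forwardfor the agent cannot see the instance IP in X-Forwarded-For.
    if ! grep -q '^[[:space:]]*option forwardfor' "$conf"; then
        echo "FAIL: option forwardfor missing; agent needs X-Forwarded-For to identify the instance"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# write_sample_conf <network-id-for-filename> <network-id-for-header> <dir>
# Writes a constructed config modelled on the one in the mail; prints its path.
write_sample_conf() {
    path="$3/$1.conf"
    cat > "$path" <<EOF
global
 log /dev/log local0 debug
 user stack
 group stack
 maxconn 1024
 daemon

defaults
 log global
 mode http
 option httplog
 option http-server-close
 option forwardfor
 timeout connect 30s

listen listener
 bind 0.0.0.0:80
 server metadata /opt/stack/data/neutron/metadata_proxy
 http-request add-header X-OVN-Network-ID $2
EOF
    echo "$path"
}

# Demo on two constructed files: a consistent one and one whose header names
# the other network (the ids are the two from the ps output above).
tmp=$(mktemp -d)
good=$(write_sample_conf 86eefb22-1417-407a-b56f-a1f3f147ee4e 86eefb22-1417-407a-b56f-a1f3f147ee4e "$tmp")
bad=$(write_sample_conf 54f264d5-c2f5-409c-9bd2-dbcec52edffd 86eefb22-1417-407a-b56f-a1f3f147ee4e "$tmp")
check_ovn_metadata_proxy_conf "$good"
check_ovn_metadata_proxy_conf "$bad" || true
```

On a real node the loop would be `for f in /opt/stack/data/neutron/ovn-metadata-proxy/*.conf; do check_ovn_metadata_proxy_conf "$f"; done`, ideally alongside a check that an `ovnmeta-<network-id>` namespace exists for each file.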