[ovs-discuss] How instance get metadata with OVN

Vikrant Aggarwal ervikrant06 at gmail.com
Sat Sep 23 06:22:53 UTC 2017

Hi Folks,

I am trying to understand how an instance gets metadata when OVN is used as
the mechanism driver. I read the theory in [1] but am not able to understand
the practical implementation of the same.

I created two private networks (internal1 and internal2); one private network
(internal1) is connected to a router and the other one (internal2) is isolated.

I tried to spin up cirros instances using both networks. Both instances
are able to get the metadata from the networks.

List of metadata related processes running on devstack node.

stack@testuser-KVM:~/devstack$ ps -ef | grep -i metadata
stack     1067     1  0 Sep22 ?        00:00:39 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file
stack     1414  1067  0 Sep22 ?        00:00:17 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file
stack     1415  1067  0 Sep22 ?        00:00:17 /usr/bin/python /usr/local/bin/networking-ovn-metadata-agent --config-file
stack    25192     1  0 10:43 ?        00:00:00 haproxy -f
stack    27424     1  0 11:24 ?        00:00:00 haproxy -f

Default content of neutron ovn metadata file.

stack@testuser-KVM:~/devstack$ egrep -v "^(#|$)"
state_path = /opt/stack/data/neutron
metadata_workers = 2
nova_metadata_ip =
debug = True
ovsdb_connection = unix:/usr/local/var/run/openvswitch/db.sock
root_helper_daemon = sudo /usr/local/bin/neutron-rootwrap-daemon
ovn_sb_connection = tcp:

I don't see any NAT rule inside the network namespace which can route the
request coming for "" to nova metadata IP which is mentioned
in ovn metadata configuration file.

stack@testuser-KVM:~/devstack$ sudo ip netns list
ovnmeta-86eefb22-1417-407a-b56f-a1f3f147ee4e (id: 1)
ovnmeta-54f264d5-c2f5-409c-9bd2-dbcec52edffd (id: 0)
stack@testuser-KVM:~/devstack$ sudo ip netns exec ovnmeta-86eefb22-1417-407a-b56f-a1f3f147ee4e iptables -t nat -L
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

target     prot opt source               destination

Content of the haproxy configuration file.

root@testuser-KVM:~/devstack# cat

    log         /dev/log local0 debug
    user        stack
    group       stack
    maxconn     1024

    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor
    retries                 3
    timeout http-request    30s
    timeout connect         30s
    timeout client          32s
    timeout server          32s
    timeout http-keep-alive 30s

listen listener
    server metadata /opt/stack/data/neutron/metadata_proxy
    http-request add-header X-OVN-Network-ID

It seems that the isolate metadata option is enabled by default in my
setup, but I don't see such a setting in the neutron ovn configuration
files. I suspect it's enabled because, even when the network is not
connected to a router, an instance spawned using the isolated network is
able to get the

How is the instance able to get metadata in both cases: the isolated network
and the network connected to a router?


Thanks & Regards,
Vikrant Aggarwal
