Instance can't access metadata

Asked by Patrick Vinas

I am running a 4-node Grizzly setup with Quantum flat networking on Ubuntu 12.04 LTS (OpenStack installed from the Ubuntu Cloud Archive packages).

My instances cannot access the metadata service (running on the cloud controller) through the abstraction IP 169.254.169.254. DNAT is set up correctly in iptables on the compute node (if I tcpdump on the instance, compute node and cloud controller, I can see the requests going through and the responses coming back).

The only way I can retrieve metadata is if I curl directly to the cloud controller (IP 10.200.0.11) with the appropriate X-Instance-ID and X-Instance-ID-Signature headers. Is there any debugging I can do to figure out why, if the instances are ostensibly able to see the metadata service (see above: server responses getting all the way back to the instances), they wouldn't be able to actually retrieve metadata from the service? I've been beating my head against the wall on this issue for a couple of weeks now, and it hasn't been a huge problem because I have the credentials for all my instances. We're getting close to rolling out to production, though, and I need to get this last issue nailed down (for the instance boot-up time, if nothing else).
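The X-Instance-ID and X-Instance-ID-Signature headers mentioned above, as an added example that is not part of the original question or of nova's code: the signature is the hex HMAC-SHA256 of the instance ID keyed with the shared secret that nova.conf (quantum_metadata_proxy_shared_secret in Grizzly, neutron_... in later releases) and the metadata agent (metadata_proxy_shared_secret) both hold. The secret and instance UUID below are constructed; the host and port are the controller IP from the question and the 8775 metadata port. The server-side verifier is modelled on nova's check but adds two hardenings of its own, refusing an empty secret and comparing in constant time.

```python
import hashlib
import hmac
import shlex

# Constructed values for the example; the real secret is whatever nova.conf's
# quantum_metadata_proxy_shared_secret (neutron_... in later releases) and the
# metadata agent's metadata_proxy_shared_secret are set to.
SHARED_SECRET = "example-shared-secret"
INSTANCE_ID = "7f1d3a0e-0c2b-4a4f-9a2e-1b2c3d4e5f60"   # constructed instance UUID
NOVA_API = "10.200.0.11"                                # cloud controller IP from the question
METADATA_PORT = 8775                                    # nova-api metadata port


def sign_instance_id(instance_id: str, secret: str) -> str:
    """Hex HMAC-SHA256 of the instance ID keyed with the shared secret.

    This is the value the metadata proxy sends as X-Instance-ID-Signature and
    the value nova-api recomputes before it trusts X-Instance-ID.
    """
    return hmac.new(secret.encode(), instance_id.encode(), hashlib.sha256).hexdigest()


def proxied_headers(instance_id: str, secret: str) -> dict:
    """Headers a metadata proxy adds when forwarding an instance's request."""
    return {
        "X-Instance-ID": instance_id,
        "X-Instance-ID-Signature": sign_instance_id(instance_id, secret),
    }


def curl_command(instance_id: str, secret: str, host: str, port: int,
                 path: str = "/latest/meta-data/") -> str:
    """The direct-to-nova-api curl the question describes, with both headers set."""
    parts = ["curl", "-s"]
    for name, value in proxied_headers(instance_id, secret).items():
        parts += ["-H", f"{name}: {value}"]
    parts.append(f"http://{host}:{port}{path}")
    return " ".join(shlex.quote(p) for p in parts)


def verify_request(headers: dict, secret: str) -> bool:
    """Server-side check modelled on nova's: recompute the HMAC and compare.

    Two choices here are this example's own hardening, not nova's behaviour:
    an empty secret is refused outright (with an empty key, anyone who can
    reach port 8775 can forge a valid signature for any instance ID), and the
    comparison is constant-time.
    """
    instance_id = headers.get("X-Instance-ID")
    presented = headers.get("X-Instance-ID-Signature", "")
    if not instance_id or not secret:
        return False
    expected = sign_instance_id(instance_id, secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    print(curl_command(INSTANCE_ID, SHARED_SECRET, NOVA_API, METADATA_PORT))
    hdrs = proxied_headers(INSTANCE_ID, SHARED_SECRET)
    print("valid signature:", verify_request(hdrs, SHARED_SECRET))
    hdrs["X-Instance-ID"] = "some-other-instance"
    print("forged instance id:", verify_request(hdrs, SHARED_SECRET))
```

The printed curl line is the same request the question describes sending to 10.200.0.11 by hand; the last two prints show why the secret matters: a request that keeps a valid signature but swaps in another instance's ID is rejected, so without the secret port 8775 would hand out any instance's metadata to whoever can reach it.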

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Solved by: Patrick Vinas
Patrick Vinas (patrickvinas) said:
#1

OK. Got it working. Enabled namespaces in Quantum, disabled the Quantum metadata service, and set up an iptables rule on the compute node to DNAT to the correct server/port (it was trying to use a REDIRECT).

Peter Borghard (pborghard) said:
#2

Patrick,

I'm running into a similar issue, Grizzly + Quantum (multinode). Can you give some more detail as to what you did to get it working? I'm still researching elsewhere; if I find a solution I will post back as well for the public.

Thanks,
Peter Borghard

Patrick Vinas (patrickvinas) said:
#3

Peter,

On the quantum (neutron) server, in l3_agent.ini I set:

    nova_metadata_ip = <nova-api IP>
    nova_metadata_port = <nova-api port>

(or the nova-api-metadata IP, if you're running that service on your compute nodes)

and in dhcp_agent.ini I have:

    use_namespaces = true
    enable_isolated_metadata = true
    enable_metadata_network = true

(not sure if the last two are necessary, but they certainly aren't hurting anything)

On the nova server, in nova.conf:

    metadata_host = <nova-api IP>

(or the nova-api-metadata IP, as above)

and:

    iptables -t nat -A PREROUTING -i <br-ex or equivalent> -p tcp -m tcp --dport 80 -j DNAT --to-destination <nova-api IP>:8775
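As an added example (not from the thread and not a tool either poster used): a small Python audit of a compute node's nat table that tells the REDIRECT rule comment #1 says was in place apart from the DNAT rule in comment #3, by parsing "iptables-save -t nat" output. The rule lines, the br-ex interface name and the 10.200.0.11:8775 target are constructed from the values given in the thread. It also warns about the DNAT rule exactly as written above: with no "-d 169.254.169.254" match, every TCP port 80 connection entering that interface is rewritten to nova-api, not only metadata requests, so a narrower rule is included for comparison.

```python
# Constructed `iptables-save -t nat` lines (not captured from the poster's nodes):
# a REDIRECT like the one comment #1 says was in place, the DNAT rule from
# comment #3, and the same DNAT rule narrowed to the metadata address.
NOVA_API = "10.200.0.11"    # cloud controller IP from the question
METADATA_PORT = 8775        # nova-api metadata port from the iptables rule above

REDIRECT_RULE = ("-A PREROUTING -d 169.254.169.254/32 -i br-ex -p tcp -m tcp "
                 "--dport 80 -j REDIRECT --to-ports 8775")
DNAT_BROAD = ("-A PREROUTING -i br-ex -p tcp -m tcp --dport 80 "
              "-j DNAT --to-destination 10.200.0.11:8775")
DNAT_STRICT = ("-A PREROUTING -d 169.254.169.254/32 -i br-ex -p tcp -m tcp "
               "--dport 80 -j DNAT --to-destination 10.200.0.11:8775")
SAMPLE_DUMP = "\n".join(["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
                         REDIRECT_RULE, DNAT_BROAD, "COMMIT"])

# iptables options that take a value; anything else is kept as a bare flag.
VALUE_OPTS = {"-A", "-s", "-d", "-i", "-o", "-p", "-j", "-m",
              "--dport", "--sport", "--to-destination", "--to-ports"}
METADATA_DST = {"169.254.169.254", "169.254.169.254/32"}


def parse_rule(line: str) -> dict:
    """Turn one iptables-save rule line into {option: value}."""
    rule, toks, i = {}, line.split(), 0
    while i < len(toks):
        tok = toks[i]
        if tok in VALUE_OPTS and i + 1 < len(toks):
            rule[tok] = toks[i + 1]
            i += 2
        else:
            rule[tok] = True
            i += 1
    return rule


def check_metadata_rule(line: str, nova_api: str, port: int):
    """Classify one nat rule as ok / warn / broken / skip, with a reason."""
    r = parse_rule(line)
    if r.get("-A") != "PREROUTING" or r.get("-p") != "tcp" or r.get("--dport") != "80":
        return "skip", "not a PREROUTING tcp/80 rule"
    target = r.get("-j")
    if target == "REDIRECT":
        return "broken", ("REDIRECT rewrites the destination to the compute node itself, "
                          "so it only works if nova-api-metadata listens there")
    if target != "DNAT":
        return "skip", f"target {target} is neither REDIRECT nor DNAT"
    dest = r.get("--to-destination", "")
    if dest != f"{nova_api}:{port}":
        return "broken", f"DNAT goes to {dest or 'nothing'}, expected {nova_api}:{port}"
    if r.get("-d") not in METADATA_DST:
        return "warn", ("no '-d 169.254.169.254' match: every tcp/80 connection entering "
                        f"{r.get('-i', 'any interface')} is rewritten to nova-api")
    return "ok", f"DNAT to {dest} for {r['-d']}"


def audit_nat_table(dump: str, nova_api: str, port: int):
    """Run the check over an iptables-save nat dump; one (line, status, reason) per relevant rule."""
    results = []
    for line in dump.splitlines():
        if line.startswith("-A "):
            status, reason = check_metadata_rule(line, nova_api, port)
            if status != "skip":
                results.append((line, status, reason))
    return results


if __name__ == "__main__":
    for line, status, reason in audit_nat_table(SAMPLE_DUMP, NOVA_API, METADATA_PORT):
        print(f"[{status}] {line}\n         {reason}")
```

On a real compute node, feed it the output of "iptables-save -t nat" (as root) instead of SAMPLE_DUMP; a "broken" result on a REDIRECT rule is the situation comment #1 describes, and the "warn" on the broad DNAT is the hint to add a "-d 169.254.169.254/32" match so only metadata traffic is rewritten.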