Configure metadata

The Compute service allows VMs to query metadata associated with a VM by making a web request to a special 169.254.169.254 address. Networking supports proxying those requests to nova-api, even when the requests are made from isolated networks, or from multiple networks that use overlapping IP addresses.

To enable proxying the requests, you must update the following fields in nova.conf.

Table 7.9. nova.conf metadata settings
Item	Configuration
`service_neutron_metadata_proxy`	Update to `true`, otherwise `nova-api` will not properly respond to requests from the `neutron-metadata-agent`.
`neutron_metadata_proxy_shared_secret`	Update to a string "password" value. You must also configure the same value in the `metadata_agent.ini` file, to authenticate requests made for metadata. The default value of an empty string in both files will allow metadata to function, but will not be secure if any non-trusted entities have access to the metadata APIs exposed by `nova-api`.

Note

	Note
As a precaution, even when using `neutron_metadata_proxy_shared_secret`, it is recommended that you do not expose metadata using the same `nova-api` instances that are used for tenants. Instead, you should run a dedicated set of `nova-api` instances for metadata that are available only on your management network. Whether a given `nova-api` instance exposes metadata APIs is determined by the value of `enabled_apis` in its `nova.conf`.

As a precaution, even when using neutron_metadata_proxy_shared_secret, it is recommended that you do not expose metadata using the same nova-api instances that are used for tenants. Instead, you should run a dedicated set of nova-api instances for metadata that are available only on your management network. Whether a given nova-api instance exposes metadata APIs is determined by the value of enabled_apis in its nova.conf.

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

Legal notices