Vendordata
Note
This section provides deployment information about the vendordata
feature. For end-user information about the vendordata feature and
instance metadata in general, refer to the user guide </user/metadata>.
The vendordata feature provides a way to pass vendor or
deployment-specific information to instances. This can be accessed by
users using the metadata or with
service </admin/metadata-service>config drives.
</admin/config-drive>
There are two vendordata modules provided with nova:
StaticJSON and DynamicJSON.
StaticJSON
The StaticJSON module includes the contents of a static
JSON file loaded from disk. This can be used for things which don’t
change between instances, such as the location of the corporate puppet
server. It is the default provider.
Configuration
The service you must configure to enable the StaticJSON
vendordata module depends on how guests are accessing vendordata. If
using the metadata service, configuration applies to either nova-api or nova-api-metadata,
depending on the deployment, while if using config drives, configuration
applies to nova-compute. However, configuration is otherwise
the same and the following options apply:
api.vendordata_providersapi.vendordata_jsonfile_path
Refer to the metadata service </admin/metadata-service> and
config documentation for more
drive </admin/config-drive>
information on how to configure the required services.
DynamicJSON
The DynamicJSON module can make a request to an external
REST service to determine what metadata to add to an instance. This is
how we recommend you generate things like Active Directory tokens which
change per instance.
When used, the DynamicJSON module will make a request to
any REST services listed in the api.vendordata_dynamic_targets
configuration option. There can be more than one of these but note that
they will be queried once per metadata request from the instance which
can mean a lot of traffic depending on your configuration and the
configuration of the instance.
The following data is passed to your REST service as a JSON encoded
POST:
| Key | Description |
|---|---|
project-id |
The ID of the project that owns this instance. |
instance-id |
The UUID of this instance. |
image-id |
The ID of the image used to boot this instance. |
user-data |
As specified by the user at boot time. |
hostname |
The hostname of the instance. |
metadata |
As specified by the user at boot time. |
Metadata fetched from the REST service will appear in the metadata
service at a new file called vendordata2.json, with a path
(either in the metadata service URL or in the config drive) like
this:
openstack/latest/vendor_data2.jsonFor each dynamic target, there will be an entry in the JSON file
named after that target. For example:
{
"testing": {
"value1": 1,
"value2": 2,
"value3": "three"
}
}The novajoin project
provides a dynamic vendordata service to manage host instantiation in an
IPA server.
Deployment considerations
Nova provides authentication to external metadata services in order
to provide some level of certainty that the request came from nova. This
is done by providing a service token with the request — you can then
just deploy your metadata service with the keystone authentication WSGI
middleware. This is configured using the keystone authentication
parameters in the vendordata_dynamic_auth configuration
group.
Configuration
As with StaticJSON, the service you must configure to
enable the DynamicJSON vendordata module depends on how
guests are accessing vendordata. If using the metadata service,
configuration applies to either nova-api or nova-api-metadata, depending on the deployment,
while if using config drives, configuration applies to nova-compute. However,
configuration is otherwise the same and the following options apply:
api.vendordata_providersapi.vendordata_dynamic_ssl_certfileapi.vendordata_dynamic_connect_timeoutapi.vendordata_dynamic_read_timeoutapi.vendordata_dynamic_failure_fatalapi.vendordata_dynamic_targets
Refer to the metadata service </admin/metadata-service> and
config documentation for more
drive </admin/config-drive>
information on how to configure the required services.
In addition, there are also many options related to authentication.
These are provided by keystone <> but are listed below for
completeness:
vendordata_dynamic_auth.cafilevendordata_dynamic_auth.certfilevendordata_dynamic_auth.keyfilevendordata_dynamic_auth.insecurevendordata_dynamic_auth.timeoutvendordata_dynamic_auth.collect_timingvendordata_dynamic_auth.split_loggersvendordata_dynamic_auth.auth_typevendordata_dynamic_auth.auth_sectionvendordata_dynamic_auth.auth_urlvendordata_dynamic_auth.system_scopevendordata_dynamic_auth.domain_idvendordata_dynamic_auth.domain_namevendordata_dynamic_auth.project_idvendordata_dynamic_auth.project_namevendordata_dynamic_auth.project_domain_idvendordata_dynamic_auth.project_domain_namevendordata_dynamic_auth.trust_idvendordata_dynamic_auth.default_domain_idvendordata_dynamic_auth.default_domain_namevendordata_dynamic_auth.user_idvendordata_dynamic_auth.usernamevendordata_dynamic_auth.user_domain_idvendordata_dynamic_auth.user_domain_namevendordata_dynamic_auth.passwordvendordata_dynamic_auth.tenant_idvendordata_dynamic_auth.tenant_name
Refer to the keystone documentation </configuration/index.html>
for information on configuring these.
References
- Michael Still’s talk from the Queens summit in Sydney, Metadata,
User Data, Vendor Data, oh my! - Michael’s blog post on deploying
a simple vendordata service which provides more details and sample
code to supplement the documentation above.