[Engine-devel] Requirements for Aeolus instance data injection.
David Lutterkort
lutter at redhat.com
Wed Jan 11 20:48:44 UTC 2012
On Wed, 2012-01-11 at 22:21 +0200, Itamar Heim wrote:
> On 01/11/2012 10:10 PM, David Lutterkort wrote:
> > On Wed, 2012-01-11 at 08:14 -0500, Ayal Baron wrote:
> >>
> >> ----- Original Message -----
> >>> Itamar,
> >>>
> >>> The below, provided by David Lutterkort, is a good description
> >>> of the requirements for Aeolus instance data injection.
> >>>
> >>> Joe VLcek
> >>>
> >>> RHEV-M shall accept a small blob of data as part of the 'start VM'
> >>> action. That data has to be placed somewhere where the VM can easily
> >>> and securely access it. The data must only be visible to the VM it
> >>> is intended for.
> >>>
> >>> Possibilities for where to put the data include placing it into a
> >>> file on a virtual floppy or CD-ROM that the instance can mount, or
> >>> posting it on a webserver that only the instance has access to
> >>> (cf. EC2's handling of userData for the RunInstances call).
> >>>
> >>> The size limitation for the amount of data shouldn't be kept
> >>> artificially low, but if there are important reasons to make it
> >>> this small, 1k would certainly suffice.
> >>
> >> For the above we want to create an ISO containing the data (floppy
> >> seems too limiting) and pass it as a CD to the guest
> >
> > Just to provide some more background info: for DMTF CIMI, I will be
> > pushing to standardize the EC2 approach, since it is the only one that
> > properly decouples the VM from the infrastructure; IOW, the standard
> > will hopefully mandate that each instance can access a web server at
> > http://169.254.169.254/ from which it can get the user data.
>
> so you would provide the real IP of that web server, and oVirt would set
> up a re-route/nat/whatever from 169.254.169.254 to the requested IP?
> any details on how this is done at the technical level wrt iptables, etc.?
> what parameter are you passing for this?
No, the web server is provided by the cloud/virt infrastructure; the
user_data that comes in from the 'start VM' request is put onto that web
server by the infrastructure, and the infrastructure sets up a route for
the VM so that 169.254.169.254[1] goes to the infrastructure's web
server.
As an example of how this can be done (quoting apevec):
...
remote IP is used to figure out which instance requested its metadata:
https://github.com/openstack/nova/blob/master/nova/api/metadata/handler.py#L243
...
openstack sets iptables rules to forward metadata requests from compute node to the node running openstack-api service:
https://github.com/openstack/nova/blob/master/nova/network/linux_net.py#L384
David
[1] link local address, see http://www.rfc-editor.org/rfc/rfc5735.txt
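The scheme David describes, as an added example that is not code from this thread, from oVirt or from Nova: a minimal metadata service in the 169.254.169.254 style. The compute node redirects the guest's requests to this server, and the server uses the requesting address as the instance's identity, so a VM can only ever fetch its own blob. The instance table, the forwarder address 192.168.100.10 and the listen port 8775 are constructed for the example; the /latest/user-data path is the one EC2 uses for userData.

```python
"""Minimal 169.254.169.254-style metadata service (added example).

The requester's IP address decides which instance's user_data is returned.
X-Forwarded-For is honoured only from a trusted forwarding node, so a guest
talking to the server cannot claim another instance's address."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample state: the infrastructure records which fixed IP it
# assigned to each instance at 'start VM' time.  (Assumption: one fixed IP
# per instance, not reassigned while the instance is alive.)
INSTANCES = {
    "10.0.0.5": {"id": "i-0001", "user_data": b"#!/bin/sh\necho hello from i-0001\n"},
    "10.0.0.6": {"id": "i-0002", "user_data": b"#cloud-config\nhostname: web2\n"},
}

# Hypothetical address of the compute node that redirects guest traffic to us.
# Only a peer in this set may assert the guest's address via X-Forwarded-For.
TRUSTED_FORWARDERS = {ipaddress.ip_address("192.168.100.10")}

USER_DATA_PATH = "/latest/user-data"   # EC2's path for the userData blob
LISTEN = ("127.0.0.1", 8775)           # assumed bind address/port for the example


def client_ip(remote_addr, forwarded_for=None):
    """Return the address that identifies the requesting instance.

    If the direct peer is a trusted forwarder, the first hop in
    X-Forwarded-For is the originating guest; otherwise the peer address
    itself is the identity.  Raises ValueError on a malformed address."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and peer in TRUSTED_FORWARDERS:
        return ipaddress.ip_address(forwarded_for.split(",")[0].strip())
    return peer


def lookup_user_data(remote_addr, forwarded_for=None):
    """user_data bytes for the instance behind remote_addr, or None when the
    address maps to no instance (an unknown host, or the forwarder itself)."""
    inst = INSTANCES.get(str(client_ip(remote_addr, forwarded_for)))
    return None if inst is None else inst["user_data"]


class MetadataHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != USER_DATA_PATH:
            self._reply(404, b"not found\n")
            return
        try:
            data = lookup_user_data(self.client_address[0],
                                    self.headers.get("X-Forwarded-For"))
        except ValueError:
            self._reply(400, b"bad address\n")
            return
        if data is None:
            # Unknown requester: return nothing rather than any other VM's blob.
            self._reply(404, b"no instance for this address\n")
            return
        self._reply(200, data)

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind on the infrastructure network only; guests reach it solely through
    # the compute node's redirect of 169.254.169.254.
    HTTPServer(LISTEN, MetadataHandler).serve_forever()
```

On the compute node the redirect is a DNAT rule of the shape `iptables -t nat -A PREROUTING -d 169.254.169.254/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:8775` (addresses and port as assumed above). Because the source IP is the only credential in this design, it is only as strong as the infrastructure's guarantee that a guest cannot spoof its address (per-VM anti-spoofing rules on the bridge) and that an IP is not handed to a new instance while an old one could still ask for the previous tenant's data.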