ungleich-staticcms/content/u/blog/how-to-build-an-openstack-alternative-step-5-metadata-service/contents.lr

131 lines
4.2 KiB
Text
Raw Permalink Normal View History

2020-01-15 10:52:19 +00:00
title: How to build an OpenStack alternative: Step 5, adding metadata
---
pub_date: 2020-01-15
---
author: ungleich virtualisation team
---
twitter_handle: ungleich
---
_hidden: no
---
_discoverable: yes
---
abstract:
Let the VMs get information about themselves
---
body:
This time we describe how virtual machines can get information about
themselves like which ssh keys should have access to it.
The previous time we
2020-01-15 12:30:36 +00:00
[added a database to
2020-01-15 10:52:19 +00:00
uncloud](../how-to-build-an-openstack-alternative-step-4-adding-a-database/).
## Motivation
If we were to start VMs without a metadata service, all of the VMs
would be looking identical and would not be able to know, whom to
allow access to it.
To customise a VM or to make it usable, we need to tell it who has
access to it and potentially inject even more information.
## Metadata service: how others do it
Enters the metadata service. OpenNebula solves this problem quite
nicely by attaching a virtual cdrom to the VMs. That cdrom contains
only one file, `context.sh`. This file contains information about
* networking
* ssh keys
OpenStack with cloud-init on the other side uses an HTTP based
service that is found on the address `http://169.254.169.254/`.
Both schemes come with disadvantages that we don't want to replicate
in uncloud:
In the opennebula case changing metadata information while the VM is
running requires to create a new CDROM and if that one is still
mounted, the VM might not get the up-to-date information. This is a
bit of a theorethical case, as the metadata is rarely re-used after
booting.
However changing the information provided in the context.sh inside the
ISO always requires to generate a new ISO. While technical possible,
not very elegant.
The OpenStack based approach has (from our point of view) a much
bigger problem: it relies on IPv4. VMs running on uncloud primarily
run IPv6 and should function without any IPv4 stack.
The motivation for using the 169.254.0.0/16 network is clear: it works
without having an IP address management system in place.
## Solving it the smart way
So it seems like the general approach of OpenStack/cloud-init is
actually quite elegant, if it wasn't forcing IPv4.
In the IPv6 world, we always have link local addresses in the
**fe80::/10** network. Should we just replace the OpenStack approach
with IPv6?
We don't think so, it has the same argument in favor for IPv4 networks
that we have in favor for IPv6 networks.
Instead, we suggest to add a simple change to the OpenStack approach:
Use http://metadata instead of using an IP address.
## http://metadata
So how should this work and why is this better than using
http://169.254.169.254/?
Using a name, it doesn't matter whether the VM is on an IPv4 ore
IPv6 network.
Using just the hostname, not an FQDN (i.e. metadata.example.com) makes
it portable.
The name can be resolved via various methods:
* uncloud: it will be delivered by DNS
* openstack: either via DNS (like uncloud) or if there is no IPAM, it
can be statically set in /etc/hosts
In the DNS resolving case, this actually gets even more interesting,
because we can use the **DNS search path**. So while the client tries
to resolve the hostname **metadata**, the underlying resolver library
will also look for **metadata.example.com**, if example.com is in the
search path.
## uncloud implementation
In uncloud we have implemented a sample [metadata
service](https://code.ungleich.ch/uncloud/uncloud/tree/master/uncloud/metadata).
However IPAM (i.e. router advertisements) and DNS servers are not part
of uncloud and can be used from the regular system infrastructure.
In one of the next versions we plan to include helpers that allow you
to bootstrap IPAM and DNS easily.
## Status
At this point uncloud can create VMs and the VMs can get the ssh keys
that should have access from the metadata service.
With this latest add-on uncloud gets near the range of a usable
prototype. A lot of things will probably need to be refactored in the
future, but at the moment uncloud supports already:
* creating VMs (using qemu)
* securing the VM network (using nftables)
* generating unique mac addresses (uncloud python code)
* storing information in a distributed database (using pytho-etcd3 and
etcd)
* providing basic metadata inforamtion (uncloud python code)