[fabric-utils] Metadata service: metadata_proxy_secret is not provisioned in /etc/contrail/contrail-vrouter-agent.conf on compute (vrouter) nodes from the Openstack node

Hi,

On a setup with 3 nodes (running Centos 7.3):
-Openstack node (Mitaka)
-Contrail config, controller, analytics node (Contrail 3.2)
-compute node
The Openstack was installed first, then Contrail was installed and provisioned using the fab tool.

Problem:
1)Boot up a VM from openstack (I used a Cirros VM)
2)Go to the VM console and try to access the metadata service using the link local address:

curl http://169.254.169.254/openstack

It will return an error message (403 Forbidden):
<html>
 <head>
  <title>403 Forbidden</title>
 </head>
 <body>
  <h1>403 Forbidden</h1>
  Invalid proxy request signature.<br /><br />
 </body>
</html>

The problem is that the metadata_proxy_shared_secret field from /etc/nova/nova.conf )on the openstack node is not configured also in the metadata_proxy_secret field from /etc/contrail/contrail-vrouter-agent.conf on the compute node.

After manually configured it and restart the vrouter service on the compute node (service supervisor-vrouter restart) it worked. See Contrail feature guide 3.2 chapter 24 Common Support Answers, Troubleshooting Procedure for Link-Local Metadata Service page 650.

The contrail-fabric-utils and contrail-provisioning scripts seems to have the code to configure metadata_proxy_secret field from /etc/contrail/contrail-vrouter-agent.conf.

The value to be put in metadata_proxy_secret field is taken from /etc/nova/nova.conf by the get_metadata_secret() from /opt/contrail/utils/fabfile/utils/cluster.py (contrail-fabric-utils project) and then passed to setup-vnc-compute command (contrail-provisioning project) which should write it into /etc/contrail/contrail-vrouter-agent.conf.

Looking into the code from get_metadata_secret(), it first try to determine the version of openstack since the field from /etc/nova/nova.conf was called 'neutron_metadata_proxy_shared_secret' in the older versions and 'metadata_proxy_shared_secret' in the newer version.

Looking into the log generated when running the fab tool:
opt/contrail/utils/setup_without_openstack_2017_05_17_20_56_14_623756.log:1665:2017-05-17 20:58:45:709851: WARNING: Exception (No option 'neutron_metadata_proxy_shared_secret' in section: 'DEFAULT') during retrieving (neutron_metadata_proxy_shared_secret) from section (DEFAULT

So it seems that it wrongly looked for the field neutron_metadata_proxy_shared_secret in /etc/nova/nova.conf instead of the correct name metadata_proxy_shared_secret for Mitaka.

The code that implemented the logic for deciding the name on the field was the following (in get_metadata_secret()):

                    api_version = sudo("rpm -q --queryformat='%{VERSION}' openstack-nova-api")
                    is_juno_or_higher = LooseVersion(api_version) >= LooseVersion('2014.2.2')

When I executed manually the command "rpm -q --queryformat='%{VERSION}' openstack-nova-api" on the openstack node from my setup, I obtained the version 13.0.0.

Looking into the OpenStack Nova release versioning scheme (https://releases.openstack.org/teams/nova.html)
it seems that before Liberty, the versions started with the year (like 2014.2.x for Juno, 2015.1.x for Kilo), then the versioning was changed from Liberty (12.0.x for Liberty, 13.1.x for Mitaka, 14.0.x for Newton etc)

Thank you,
Mihai