neutron/doc/source/admin/config-metadata-rate-limiting.rst
Guillaume Espanel 5f4a41326d Add rate-limiting to metadata agents
Requests handled by the metadata-agents can now be rate-limited by
source-ip. This is done to protect the OpenStack control plane against
VMs querying the metadata endpoint in an overly enthusiastic way.

Co-authored-by: Miguel Lavalle <mlavalle@redhat.com>

Related-Bug: #1989199
Change-Id: I748ccfa8b50496dcbcbe41fd22f84249a4d46b11
2023-05-17 18:52:25 -05:00


Metadata service query rate limiting

The OpenStack Networking service proxies the requests that VMs send to the Compute service to obtain their metadata. The Networking service offers cloud administrators the ability to limit the rate at which VMs query the Compute service's metadata endpoint, in order to protect the OpenStack deployment from DoS or misbehaving instances.

Metadata request rate limiting is configured through the following parameters in the metadata_rate_limiting section of neutron.conf:

  • rate_limit_enabled: enables rate limiting of metadata requests. It is a boolean that is set to False by default.
  • ip_versions: list of comma-separated strings that specify the metadata address versions (4 and/or 6) for which rate limiting must be enabled. The default is to configure rate limiting only for the IPv4 address.
  • base_window_duration: the duration, in seconds, of the base sliding time window over which requests are rate limited. The default value is 10 seconds.
  • base_query_rate_limit: maximum number of requests allowed during the base time window. The default value is 10 requests.
  • burst_window_duration: this parameter can be used to define, in seconds, a shorter sliding time window during which a request rate higher than the base one is allowed. The default value is 10 seconds.
  • burst_query_rate_limit: maximum number of requests allowed during the burst time window. The default value is 10 requests.

Note

These parameters are used to configure HAProxy servers to perform the rate limiting. These servers run inside L3 routers and DHCP agents in the OVS backend and the metadata agent in the OVN backend.

Note

At the moment, rate limiting can only be configured either for IPv4 or IPv6 but not both at the same time, due to a limitation in the open source version of HAProxy.

Note

From the point of view of the Networking service, the base and burst windows are just two different sliding periods of time during which two different metadata request rate limits are enforced. The Networking service does not enforce that the burst window is shorter or that the burst rate is higher. It is recommended, though, that cloud administrators use the burst window to allow, for shorter periods of time, a higher request rate than the one allowed during the base window, if there is a need to do so.

In the following neutron.conf snippet, the Networking service is configured to allow VMs to query the IPv4 metadata service address 6 times over a 60-second period, while allowing a higher rate of 2 queries during shorter periods of 10 seconds each:

[metadata_rate_limiting]
rate_limit_enabled = True
ip_versions = 4
base_window_duration = 60
base_query_rate_limit = 6
burst_window_duration = 10
burst_query_rate_limit = 2
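The following is an added illustration, not code from Neutron or from the HAProxy configuration it generates, of how the parameters above combine: it parses the snippet with Python's configparser and applies both sliding windows independently per source IP, refusing a request that would exceed either limit. The per-IP limiter, the sample request stream and the IP addresses in it are constructed for the example; the real enforcement is done by HAProxy, as the notes above state.

```python
"""Two-window sliding rate limiter keyed by source IP (added example).

Each window from [metadata_rate_limiting] is enforced independently: a
request is allowed only if it fits under the base limit AND the burst
limit for its source IP. Mirrors the semantics described in the docs,
not HAProxy's stick-table implementation.
"""
import configparser
from collections import defaultdict, deque

# Constructed copy of the neutron.conf snippet from the page.
NEUTRON_CONF = """
[metadata_rate_limiting]
rate_limit_enabled = True
ip_versions = 4
base_window_duration = 60
base_query_rate_limit = 6
burst_window_duration = 10
burst_query_rate_limit = 2
"""

# Constructed request stream: (seconds since start, source IP).
# Instance A polls the metadata address aggressively; B sends one query.
SAMPLE_REQUESTS = [
    (0, "10.0.0.5"), (1, "10.0.0.5"), (2, "10.0.0.5"),
    (10, "10.0.0.5"), (11, "10.0.0.5"),
    (20, "10.0.0.5"), (21, "10.0.0.5"),
    (30, "10.0.0.5"), (30, "10.0.0.9"),
    (60, "10.0.0.5"),
]


def load_limits(conf_text):
    """Return (enabled, [(window_seconds, max_requests), ...]).

    Fallbacks are the documented defaults (10 s / 10 requests, disabled).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["metadata_rate_limiting"]
    enabled = sec.getboolean("rate_limit_enabled", fallback=False)
    windows = [
        (sec.getint("base_window_duration", fallback=10),
         sec.getint("base_query_rate_limit", fallback=10)),
        (sec.getint("burst_window_duration", fallback=10),
         sec.getint("burst_query_rate_limit", fallback=10)),
    ]
    return enabled, windows


class SlidingWindowLimiter:
    """Per-source-IP limiter holding one timestamp queue per (ip, window)."""

    def __init__(self, enabled, windows):
        self.enabled = enabled
        self.windows = windows
        self.history = defaultdict(deque)  # (ip, window_idx) -> timestamps

    def allow(self, src_ip, now):
        if not self.enabled:
            return True
        # Drop timestamps that have left each window, then check every
        # window BEFORE recording the request so a refused request does
        # not consume quota in the other window.
        for idx, (duration, limit) in enumerate(self.windows):
            q = self.history[(src_ip, idx)]
            while q and now - q[0] >= duration:
                q.popleft()
            if len(q) >= limit:
                return False
        for idx, _ in enumerate(self.windows):
            self.history[(src_ip, idx)].append(now)
        return True


def simulate(conf_text, requests):
    """Run a request stream through the limiter; returns one bool per request."""
    limiter = SlidingWindowLimiter(*load_limits(conf_text))
    return [limiter.allow(ip, t) for t, ip in requests]


if __name__ == "__main__":
    for (t, ip), ok in zip(SAMPLE_REQUESTS, simulate(NEUTRON_CONF, SAMPLE_REQUESTS)):
        print(f"t={t:>3}s {ip:<10} {'allowed' if ok else 'REFUSED'}")
```

With the page's settings, instance A's third query at t=2 is refused by the 2-per-10-s burst window, its query at t=30 is refused because six requests were already allowed within the 60-second base window, and the unrelated instance B is unaffected because limits are tracked per source IP. The same simulation with rate_limit_enabled = False allows everything, which is the default behaviour.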