contributor docs: Architectural overview for metadata

I found some old graphs I have drawn about the workings of the traditional metadata service. I don't know why I haven't contributed this earlier to Neutron docs. But anyway, better late than never. Change-Id: I7a412883c8c0d673d1617a3b212598b35e9e698f
2023-09-13 11:34:05 +02:00 · 2023-09-13 11:34:05 +02:00 · 2ec273cdc7
commit 2ec273cdc7
parent 2aae505f32
8 changed files with 595 additions and 0 deletions
--- a/doc/source/contributor/figures/neutron-metadata-dhcp-agent.dot
+++ b/doc/source/contributor/figures/neutron-metadata-dhcp-agent.dot
@ -0,0 +1,105 @@
+/*
+neutron-metadata-dhcp-agent
+
+Edit this file, instead of the corresponding png/svg.
+Those can be re-generated by:
+sudo apt install graphviz
+dot -T svg -o out.svg in.dot
+dot -T png -o out.png in.dot
+*/
+
+digraph {
+
+    compound = true
+    node [
+        shape = record
+        ]
+
+    subgraph cluster_openstack_controller {
+        label = "openstack controller node"
+        nova_metadata [
+            label = "nova metadata service"
+        ]
+        public_openstack_api [
+            label = "public openstack APIs\n(nova, neutron)"
+        ]
+    }
+
+    subgraph cluster_openstack_network {
+        label = "openstack network node"
+        neutron_dhcp_agent [
+            label = "neutron-dhcp-agent"
+        ]
+        neutron_metadata_agent [
+            label = "neutron-metadata-agent\n\nadds HTTP headers:\nX-Tenant-ID: project-UUID\nX-Instance-ID: instance-UUID\nX-Instance-ID-Signature: ...\n\nremoves HTTP header:\n X-Neutron-Network-ID"
+        ]
+        subgraph cluster_neutron_dhcp_namespace {
+            label = "neutron DHCP namespace\n(for isolated tenant net)"
+            neutron_dhcp_ns_metadata_proxy [
+                label = "neutron ns-metadata-proxy\n\nadds HTTP headers:\nX-Forwarded-For: instance-IP\nX-Neutron-Network-ID: network-UUID"
+            ]
+            metadata_lla [
+                label = "169.254.169.254/32\nconfigured in namespace"
+            ]
+            neutron_dhcp_server [
+                label = "neutron DHCP server"
+            ]
+        }
+    }
+
+    subgraph cluster_tenant_net_isolated {
+        label = "isolated tenant net\n(i.e. without gateway)"
+        instance [
+            label = "openstack instance\nno 169.254 IP configured locally"
+        ]
+    }
+
+    response_omitted [
+        label = "the response is omitted for brevity..."
+        shape = plaintext
+    ]
+
+    metadata_lla -> instance [
+        label = "HTTP GET\n169.254.169.254:80"
+        dir = back
+        align = left
+    ]
+
+    neutron_dhcp_ns_metadata_proxy -> metadata_lla [
+        label = "metadata\ntraffic"
+        dir = back
+        align = left
+    ]
+
+    neutron_metadata_agent -> neutron_dhcp_ns_metadata_proxy [
+        label = "unix socket"
+        dir = back
+    ]
+
+    neutron_dhcp_server -> instance [
+        label = "pushes static route:\n169.254.169.254 via dhcp-port-IP"
+    ]
+
+    neutron_dhcp_agent -> neutron_dhcp_server [
+        label = "configures\nstatic leases\nand dhcp options"
+    ]
+
+    neutron_dhcp_agent -> neutron_dhcp_ns_metadata_proxy [
+        label = "starts"
+    ]
+
+    nova_metadata -> neutron_metadata_agent [
+        dir = back
+    ]
+
+    public_openstack_api -> neutron_metadata_agent [
+        label = "looks up instance UUID"
+        dir = back
+    ]
+
+    nova_metadata -> response_omitted
+    response_omitted -> neutron_metadata_agent [
+        style = invis
+    ]
+
+}
--- a/doc/source/contributor/figures/neutron-metadata-dhcp-agent.png
+++ b/doc/source/contributor/figures/neutron-metadata-dhcp-agent.png
--- a/doc/source/contributor/figures/neutron-metadata-dhcp-agent.svg
+++ b/doc/source/contributor/figures/neutron-metadata-dhcp-agent.svg
@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.43.0 (0)
+ -->
+<!-- Title: %3 Pages: 1 -->
+<svg width="670pt" height="833pt"
+ viewBox="0.00 0.00 670.00 833.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 829)">
+<title>%3</title>
+<polygon fill="white" stroke="transparent" points="-4,4 -4,-829 666,-829 666,4 -4,4"/>
+<g id="clust1" class="cluster">
+<title>cluster_openstack_controller</title>
+<polygon fill="none" stroke="black" points="53,-739 53,-817 439,-817 439,-739 53,-739"/>
+<text text-anchor="middle" x="246" y="-801.8" font-family="Times,serif" font-size="14.00">openstack controller node</text>
+</g>
+<g id="clust2" class="cluster">
+<title>cluster_openstack_network</title>
+<polygon fill="none" stroke="black" points="8,-147 8,-647 520,-647 520,-147 8,-147"/>
+<text text-anchor="middle" x="264" y="-631.8" font-family="Times,serif" font-size="14.00">openstack network node</text>
+</g>
+<g id="clust3" class="cluster">
+<title>cluster_neutron_dhcp_namespace</title>
+<polygon fill="none" stroke="black" points="16,-155 16,-399 512,-399 512,-155 16,-155"/>
+<text text-anchor="middle" x="264" y="-383.8" font-family="Times,serif" font-size="14.00">neutron DHCP namespace</text>
+<text text-anchor="middle" x="264" y="-368.8" font-family="Times,serif" font-size="14.00">(for isolated tenant net)</text>
+</g>
+<g id="clust4" class="cluster">
+<title>cluster_tenant_net_isolated</title>
+<polygon fill="none" stroke="black" points="189,-8 189,-101 453,-101 453,-8 189,-8"/>
+<text text-anchor="middle" x="321" y="-85.8" font-family="Times,serif" font-size="14.00">isolated tenant net</text>
+<text text-anchor="middle" x="321" y="-70.8" font-family="Times,serif" font-size="14.00">(i.e. without gateway)</text>
+</g>
+<!-- nova_metadata -->
+<g id="node1" class="node">
+<title>nova_metadata</title>
+<polygon fill="none" stroke="black" points="61,-748.5 61,-784.5 239,-784.5 239,-748.5 61,-748.5"/>
+<text text-anchor="middle" x="150" y="-762.8" font-family="Times,serif" font-size="14.00">nova metadata service</text>
+</g>
+<!-- neutron_metadata_agent -->
+<g id="node4" class="node">
+<title>neutron_metadata_agent</title>
+<polygon fill="none" stroke="black" points="55.5,-470.5 55.5,-615.5 282.5,-615.5 282.5,-470.5 55.5,-470.5"/>
+<text text-anchor="middle" x="169" y="-600.3" font-family="Times,serif" font-size="14.00">neutron&#45;metadata&#45;agent</text>
+<text text-anchor="middle" x="169" y="-569.3" font-family="Times,serif" font-size="14.00">adds HTTP headers:</text>
+<text text-anchor="middle" x="169" y="-554.3" font-family="Times,serif" font-size="14.00">X&#45;Tenant&#45;ID: project&#45;UUID</text>
+<text text-anchor="middle" x="169" y="-539.3" font-family="Times,serif" font-size="14.00">X&#45;Instance&#45;ID: instance&#45;UUID</text>
+<text text-anchor="middle" x="169" y="-524.3" font-family="Times,serif" font-size="14.00">X&#45;Instance&#45;ID&#45;Signature: ...</text>
+<text text-anchor="middle" x="169" y="-493.3" font-family="Times,serif" font-size="14.00">removes HTTP header:</text>
+<text text-anchor="middle" x="169" y="-478.3" font-family="Times,serif" font-size="14.00"> X&#45;Neutron&#45;Network&#45;ID</text>
+</g>
+<!-- nova_metadata&#45;&gt;neutron_metadata_agent -->
+<g id="edge7" class="edge">
+<title>nova_metadata&#45;&gt;neutron_metadata_agent</title>
+<path fill="none" stroke="black" d="M62.59,-744.3C46.16,-736.26 31.01,-725.21 21,-710 12.2,-696.64 14.4,-688.58 21,-674 30.87,-652.19 46.41,-632.59 63.78,-615.62"/>
+<polygon fill="black" stroke="black" points="61.27,-747.54 71.83,-748.46 64.15,-741.16 61.27,-747.54"/>
+</g>
+<!-- response_omitted -->
+<g id="node9" class="node">
+<title>response_omitted</title>
+<text text-anchor="middle" x="169" y="-688.3" font-family="Times,serif" font-size="14.00">the response is omitted for brevity...</text>
+</g>
+<!-- nova_metadata&#45;&gt;response_omitted -->
+<g id="edge9" class="edge">
+<title>nova_metadata&#45;&gt;response_omitted</title>
+<path fill="none" stroke="black" d="M154.5,-748.32C156.73,-739.83 159.46,-729.39 161.96,-719.88"/>
+<polygon fill="black" stroke="black" points="165.38,-720.62 164.53,-710.06 158.61,-718.84 165.38,-720.62"/>
+</g>
+<!-- public_openstack_api -->
+<g id="node2" class="node">
+<title>public_openstack_api</title>
+<polygon fill="none" stroke="black" points="257.5,-747.5 257.5,-785.5 430.5,-785.5 430.5,-747.5 257.5,-747.5"/>
+<text text-anchor="middle" x="344" y="-770.3" font-family="Times,serif" font-size="14.00">public openstack APIs</text>
+<text text-anchor="middle" x="344" y="-755.3" font-family="Times,serif" font-size="14.00">(nova, neutron)</text>
+</g>
+<!-- public_openstack_api&#45;&gt;neutron_metadata_agent -->
+<g id="edge8" class="edge">
+<title>public_openstack_api&#45;&gt;neutron_metadata_agent</title>
+<path fill="none" stroke="black" d="M339.95,-737.53C336.23,-718.48 329.34,-693.31 317,-674 303.47,-652.82 285.51,-633.08 266.77,-615.71"/>
+<polygon fill="black" stroke="black" points="336.51,-738.18 341.71,-747.41 343.4,-736.95 336.51,-738.18"/>
+<text text-anchor="middle" x="416.5" y="-688.3" font-family="Times,serif" font-size="14.00">looks up instance UUID</text>
+</g>
+<!-- neutron_dhcp_agent -->
+<g id="node3" class="node">
+<title>neutron_dhcp_agent</title>
+<polygon fill="none" stroke="black" points="305.5,-525 305.5,-561 462.5,-561 462.5,-525 305.5,-525"/>
+<text text-anchor="middle" x="384" y="-539.3" font-family="Times,serif" font-size="14.00">neutron&#45;dhcp&#45;agent</text>
+</g>
+<!-- neutron_dhcp_ns_metadata_proxy -->
+<g id="node5" class="node">
+<title>neutron_dhcp_ns_metadata_proxy</title>
+<polygon fill="none" stroke="black" points="24,-268.5 24,-352.5 314,-352.5 314,-268.5 24,-268.5"/>
+<text text-anchor="middle" x="169" y="-337.3" font-family="Times,serif" font-size="14.00">neutron ns&#45;metadata&#45;proxy</text>
+<text text-anchor="middle" x="169" y="-306.3" font-family="Times,serif" font-size="14.00">adds HTTP headers:</text>
+<text text-anchor="middle" x="169" y="-291.3" font-family="Times,serif" font-size="14.00">X&#45;Forwarded&#45;For: instance&#45;IP</text>
+<text text-anchor="middle" x="169" y="-276.3" font-family="Times,serif" font-size="14.00">X&#45;Neutron&#45;Network&#45;ID: network&#45;UUID</text>
+</g>
+<!-- neutron_dhcp_agent&#45;&gt;neutron_dhcp_ns_metadata_proxy -->
+<g id="edge6" class="edge">
+<title>neutron_dhcp_agent&#45;&gt;neutron_dhcp_ns_metadata_proxy</title>
+<path fill="none" stroke="black" d="M367.84,-524.68C335.63,-490.15 262.42,-411.66 214.39,-360.16"/>
+<polygon fill="black" stroke="black" points="216.88,-357.7 207.5,-352.77 211.76,-362.47 216.88,-357.7"/>
+<text text-anchor="middle" x="316.5" y="-425.8" font-family="Times,serif" font-size="14.00">starts</text>
+</g>
+<!-- neutron_dhcp_server -->
+<g id="node7" class="node">
+<title>neutron_dhcp_server</title>
+<polygon fill="none" stroke="black" points="332.5,-292.5 332.5,-328.5 503.5,-328.5 503.5,-292.5 332.5,-292.5"/>
+<text text-anchor="middle" x="418" y="-306.8" font-family="Times,serif" font-size="14.00">neutron DHCP server</text>
+</g>
+<!-- neutron_dhcp_agent&#45;&gt;neutron_dhcp_server -->
+<g id="edge5" class="edge">
+<title>neutron_dhcp_agent&#45;&gt;neutron_dhcp_server</title>
+<path fill="none" stroke="black" d="M386.56,-524.68C392.43,-484.86 406.92,-386.61 413.99,-338.68"/>
+<polygon fill="black" stroke="black" points="417.46,-339.12 415.46,-328.71 410.54,-338.09 417.46,-339.12"/>
+<text text-anchor="middle" x="464.5" y="-440.8" font-family="Times,serif" font-size="14.00">configures</text>
+<text text-anchor="middle" x="464.5" y="-425.8" font-family="Times,serif" font-size="14.00">static leases</text>
+<text text-anchor="middle" x="464.5" y="-410.8" font-family="Times,serif" font-size="14.00">and dhcp options</text>
+</g>
+<!-- neutron_metadata_agent&#45;&gt;neutron_dhcp_ns_metadata_proxy -->
+<g id="edge3" class="edge">
+<title>neutron_metadata_agent&#45;&gt;neutron_dhcp_ns_metadata_proxy</title>
+<path fill="none" stroke="black" d="M169,-460.19C169,-423.73 169,-382.39 169,-352.57"/>
+<polygon fill="black" stroke="black" points="165.5,-460.33 169,-470.33 172.5,-460.33 165.5,-460.33"/>
+<text text-anchor="middle" x="210" y="-425.8" font-family="Times,serif" font-size="14.00">unix socket</text>
+</g>
+<!-- metadata_lla -->
+<g id="node6" class="node">
+<title>metadata_lla</title>
+<polygon fill="none" stroke="black" points="121.5,-163.5 121.5,-201.5 316.5,-201.5 316.5,-163.5 121.5,-163.5"/>
+<text text-anchor="middle" x="219" y="-186.3" font-family="Times,serif" font-size="14.00">169.254.169.254/32</text>
+<text text-anchor="middle" x="219" y="-171.3" font-family="Times,serif" font-size="14.00">configured in namespace</text>
+</g>
+<!-- neutron_dhcp_ns_metadata_proxy&#45;&gt;metadata_lla -->
+<g id="edge2" class="edge">
+<title>neutron_dhcp_ns_metadata_proxy&#45;&gt;metadata_lla</title>
+<path fill="none" stroke="black" d="M189.12,-258.8C197.15,-238.56 205.88,-216.57 211.81,-201.61"/>
+<polygon fill="black" stroke="black" points="185.81,-257.66 185.37,-268.24 192.31,-260.24 185.81,-257.66"/>
+<text text-anchor="middle" x="238" y="-238.8" font-family="Times,serif" font-size="14.00">metadata</text>
+<text text-anchor="middle" x="238" y="-223.8" font-family="Times,serif" font-size="14.00">traffic</text>
+</g>
+<!-- instance -->
+<g id="node8" class="node">
+<title>instance</title>
+<polygon fill="none" stroke="black" points="197,-16.5 197,-54.5 445,-54.5 445,-16.5 197,-16.5"/>
+<text text-anchor="middle" x="321" y="-39.3" font-family="Times,serif" font-size="14.00">openstack instance</text>
+<text text-anchor="middle" x="321" y="-24.3" font-family="Times,serif" font-size="14.00">no 169.254 IP configured locally</text>
+</g>
+<!-- metadata_lla&#45;&gt;instance -->
+<g id="edge1" class="edge">
+<title>metadata_lla&#45;&gt;instance</title>
+<path fill="none" stroke="black" d="M229.56,-153.79C235.49,-139.8 243.58,-122.89 253,-109 266.75,-88.72 286.17,-68.63 300.74,-54.76"/>
+<polygon fill="black" stroke="black" points="226.18,-152.8 225.64,-163.38 232.66,-155.45 226.18,-152.8"/>
+<text text-anchor="middle" x="325.5" y="-127.8" font-family="Times,serif" font-size="14.00">HTTP GET</text>
+<text text-anchor="middle" x="325.5" y="-112.8" font-family="Times,serif" font-size="14.00">169.254.169.254:80</text>
+</g>
+<!-- neutron_dhcp_server&#45;&gt;instance -->
+<g id="edge4" class="edge">
+<title>neutron_dhcp_server&#45;&gt;instance</title>
+<path fill="none" stroke="black" d="M420.15,-292.31C423.87,-256.23 428.44,-170.83 398,-109 388.61,-89.92 371.96,-73.27 356.53,-60.75"/>
+<polygon fill="black" stroke="black" points="358.66,-57.97 348.63,-54.59 354.36,-63.49 358.66,-57.97"/>
+<text text-anchor="middle" x="541.5" y="-186.3" font-family="Times,serif" font-size="14.00">pushes static route:</text>
+<text text-anchor="middle" x="541.5" y="-171.3" font-family="Times,serif" font-size="14.00">169.254.169.254 via dhcp&#45;port&#45;IP</text>
+</g>
+<!-- response_omitted&#45;&gt;neutron_metadata_agent -->
+</g>
+</svg>
--- a/doc/source/contributor/figures/neutron-metadata-l3-agent.dot
+++ b/doc/source/contributor/figures/neutron-metadata-l3-agent.dot
@ -0,0 +1,115 @@
+/*
+neutron-metadata-l3-agent
+
+Edit this file, instead of the corresponding png/svg.
+Those can be re-generated by:
+sudo apt install graphviz
+dot -T svg -o out.svg in.dot
+dot -T png -o out.png in.dot
+*/
+
+digraph {
+
+    compound = true
+    node [
+        shape = record
+        ]
+
+    subgraph cluster_openstack_controller {
+        label = "openstack controller node"
+        nova_metadata [
+            label = "nova metadata service"
+        ]
+        public_openstack_api [
+            label = "public openstack APIs\n(nova, neutron)"
+        ]
+    }
+
+    subgraph cluster_openstack_network {
+        label = "openstack network node"
+        neutron_l3_agent [
+            label = "neutron-l3-agent"
+        ]
+        neutron_metadata_agent [
+            label = "neutron-metadata-agent\n\nadds HTTP headers:\nX-Tenant-ID: project-UUID\nX-Instance-ID: instance-UUID\nX-Instance-ID-Signature: ...\n\nremoves HTTP header:\n X-Neutron-Router-ID"
+        ]
+        subgraph cluster_neutron_router_namespace {
+            label = "neutron router namespace\n(for tenant router)"
+            neutron_l3_ns_metadata_proxy [
+                label = "neutron ns-metadata-proxy\n\nadds HTTP headers:\nX-Forwarded-For: instance-IP\nX-Neutron-Router-ID: router-UUID"
+            ]
+            neutron_iptables [
+                label = "iptables\nnat table, PREROUTING chain\nrule dst=169.254.169.254:80\ntarget REDIRECT to=127.0.0.1:9697"
+            ]
+            neutron_router [
+                label = "neutron router"
+            ]
+        }
+    }
+
+    subgraph cluster_tenant_net_with_gateway {
+        label = "tenant net with gateway"
+        instance [
+            label = "openstack instance\nno 169.254 IP configured locally\nroute: 169.254.169.254 via subnet-gw-IP"
+        ]
+    }
+
+    response_omitted [
+        label = "the response is omitted for brevity..."
+        shape = plaintext
+    ]
+
+    traffic_omitted [
+        label = "omitted..."
+        shape = plaintext
+    ]
+
+    traffic_omitted -> neutron_router [
+        dir = back
+        label = "normal traffic"
+    ]
+
+    neutron_router -> instance [
+        dir = back
+        label = "normal\ntraffic"
+    ]
+
+    neutron_iptables -> instance [
+        label = "HTTP GET\n169.254.169.254:80"
+        dir = back
+        align = left
+    ]
+
+    neutron_l3_ns_metadata_proxy -> neutron_iptables [
+        dir = back
+        label = "metadata\ntraffic"
+    ]
+
+    neutron_metadata_agent -> neutron_l3_ns_metadata_proxy [
+        label = "unix socket"
+        dir = back
+    ]
+
+    neutron_l3_agent -> neutron_router [
+        label = "configures\nroutes"
+    ]
+
+    neutron_l3_agent -> neutron_l3_ns_metadata_proxy [
+        label = "starts"
+    ]
+
+    nova_metadata -> neutron_metadata_agent [
+        dir = back
+    ]
+
+    public_openstack_api -> neutron_metadata_agent [
+        label = "looks up instance UUID"
+        dir = back
+    ]
+
+    nova_metadata -> response_omitted
+    response_omitted -> neutron_metadata_agent [
+        style = invis
+    ]
+
+}
--- a/doc/source/contributor/figures/neutron-metadata-l3-agent.png
+++ b/doc/source/contributor/figures/neutron-metadata-l3-agent.png
--- a/doc/source/contributor/figures/neutron-metadata-l3-agent.svg
+++ b/doc/source/contributor/figures/neutron-metadata-l3-agent.svg
@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.43.0 (0)
+ -->
+<!-- Title: %3 Pages: 1 -->
+<svg width="569pt" height="848pt"
+ viewBox="0.00 0.00 569.00 848.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 844)">
+<title>%3</title>
+<polygon fill="white" stroke="transparent" points="-4,4 -4,-844 565,-844 565,4 -4,4"/>
+<g id="clust1" class="cluster">
+<title>cluster_openstack_controller</title>
+<polygon fill="none" stroke="black" points="40,-754 40,-832 426,-832 426,-754 40,-754"/>
+<text text-anchor="middle" x="233" y="-816.8" font-family="Times,serif" font-size="14.00">openstack controller node</text>
+</g>
+<g id="clust2" class="cluster">
+<title>cluster_openstack_network</title>
+<polygon fill="none" stroke="black" points="8,-147 8,-662 444,-662 444,-147 8,-147"/>
+<text text-anchor="middle" x="226" y="-646.8" font-family="Times,serif" font-size="14.00">openstack network node</text>
+</g>
+<g id="clust3" class="cluster">
+<title>cluster_neutron_router_namespace</title>
+<polygon fill="none" stroke="black" points="16,-155 16,-429 436,-429 436,-155 16,-155"/>
+<text text-anchor="middle" x="226" y="-413.8" font-family="Times,serif" font-size="14.00">neutron router namespace</text>
+<text text-anchor="middle" x="226" y="-398.8" font-family="Times,serif" font-size="14.00">(for tenant router)</text>
+</g>
+<g id="clust4" class="cluster">
+<title>cluster_tenant_net_with_gateway</title>
+<polygon fill="none" stroke="black" points="68,-8 68,-101 392,-101 392,-8 68,-8"/>
+<text text-anchor="middle" x="230" y="-85.8" font-family="Times,serif" font-size="14.00">tenant net with gateway</text>
+</g>
+<!-- nova_metadata -->
+<g id="node1" class="node">
+<title>nova_metadata</title>
+<polygon fill="none" stroke="black" points="48,-763.5 48,-799.5 226,-799.5 226,-763.5 48,-763.5"/>
+<text text-anchor="middle" x="137" y="-777.8" font-family="Times,serif" font-size="14.00">nova metadata service</text>
+</g>
+<!-- neutron_metadata_agent -->
+<g id="node4" class="node">
+<title>neutron_metadata_agent</title>
+<polygon fill="none" stroke="black" points="42.5,-485.5 42.5,-630.5 269.5,-630.5 269.5,-485.5 42.5,-485.5"/>
+<text text-anchor="middle" x="156" y="-615.3" font-family="Times,serif" font-size="14.00">neutron&#45;metadata&#45;agent</text>
+<text text-anchor="middle" x="156" y="-584.3" font-family="Times,serif" font-size="14.00">adds HTTP headers:</text>
+<text text-anchor="middle" x="156" y="-569.3" font-family="Times,serif" font-size="14.00">X&#45;Tenant&#45;ID: project&#45;UUID</text>
+<text text-anchor="middle" x="156" y="-554.3" font-family="Times,serif" font-size="14.00">X&#45;Instance&#45;ID: instance&#45;UUID</text>
+<text text-anchor="middle" x="156" y="-539.3" font-family="Times,serif" font-size="14.00">X&#45;Instance&#45;ID&#45;Signature: ...</text>
+<text text-anchor="middle" x="156" y="-508.3" font-family="Times,serif" font-size="14.00">removes HTTP header:</text>
+<text text-anchor="middle" x="156" y="-493.3" font-family="Times,serif" font-size="14.00"> X&#45;Neutron&#45;Router&#45;ID</text>
+</g>
+<!-- nova_metadata&#45;&gt;neutron_metadata_agent -->
+<g id="edge8" class="edge">
+<title>nova_metadata&#45;&gt;neutron_metadata_agent</title>
+<path fill="none" stroke="black" d="M49.59,-759.3C33.16,-751.26 18.01,-740.21 8,-725 -0.8,-711.64 1.4,-703.58 8,-689 17.87,-667.19 33.41,-647.59 50.78,-630.62"/>
+<polygon fill="black" stroke="black" points="48.27,-762.54 58.83,-763.46 51.15,-756.16 48.27,-762.54"/>
+</g>
+<!-- response_omitted -->
+<g id="node9" class="node">
+<title>response_omitted</title>
+<text text-anchor="middle" x="156" y="-703.3" font-family="Times,serif" font-size="14.00">the response is omitted for brevity...</text>
+</g>
+<!-- nova_metadata&#45;&gt;response_omitted -->
+<g id="edge10" class="edge">
+<title>nova_metadata&#45;&gt;response_omitted</title>
+<path fill="none" stroke="black" d="M141.5,-763.32C143.73,-754.83 146.46,-744.39 148.96,-734.88"/>
+<polygon fill="black" stroke="black" points="152.38,-735.62 151.53,-725.06 145.61,-733.84 152.38,-735.62"/>
+</g>
+<!-- public_openstack_api -->
+<g id="node2" class="node">
+<title>public_openstack_api</title>
+<polygon fill="none" stroke="black" points="244.5,-762.5 244.5,-800.5 417.5,-800.5 417.5,-762.5 244.5,-762.5"/>
+<text text-anchor="middle" x="331" y="-785.3" font-family="Times,serif" font-size="14.00">public openstack APIs</text>
+<text text-anchor="middle" x="331" y="-770.3" font-family="Times,serif" font-size="14.00">(nova, neutron)</text>
+</g>
+<!-- public_openstack_api&#45;&gt;neutron_metadata_agent -->
+<g id="edge9" class="edge">
+<title>public_openstack_api&#45;&gt;neutron_metadata_agent</title>
+<path fill="none" stroke="black" d="M326.95,-752.53C323.23,-733.48 316.34,-708.31 304,-689 298.98,-681.15 271.41,-656.41 241.39,-630.6"/>
+<polygon fill="black" stroke="black" points="323.51,-753.18 328.71,-762.41 330.4,-751.95 323.51,-753.18"/>
+<text text-anchor="middle" x="403.5" y="-703.3" font-family="Times,serif" font-size="14.00">looks up instance UUID</text>
+</g>
+<!-- neutron_l3_agent -->
+<g id="node3" class="node">
+<title>neutron_l3_agent</title>
+<polygon fill="none" stroke="black" points="289,-540 289,-576 425,-576 425,-540 289,-540"/>
+<text text-anchor="middle" x="357" y="-554.3" font-family="Times,serif" font-size="14.00">neutron&#45;l3&#45;agent</text>
+</g>
+<!-- neutron_l3_ns_metadata_proxy -->
+<g id="node5" class="node">
+<title>neutron_l3_ns_metadata_proxy</title>
+<polygon fill="none" stroke="black" points="24.5,-298.5 24.5,-382.5 287.5,-382.5 287.5,-298.5 24.5,-298.5"/>
+<text text-anchor="middle" x="156" y="-367.3" font-family="Times,serif" font-size="14.00">neutron ns&#45;metadata&#45;proxy</text>
+<text text-anchor="middle" x="156" y="-336.3" font-family="Times,serif" font-size="14.00">adds HTTP headers:</text>
+<text text-anchor="middle" x="156" y="-321.3" font-family="Times,serif" font-size="14.00">X&#45;Forwarded&#45;For: instance&#45;IP</text>
+<text text-anchor="middle" x="156" y="-306.3" font-family="Times,serif" font-size="14.00">X&#45;Neutron&#45;Router&#45;ID: router&#45;UUID</text>
+</g>
+<!-- neutron_l3_agent&#45;&gt;neutron_l3_ns_metadata_proxy -->
+<g id="edge7" class="edge">
+<title>neutron_l3_agent&#45;&gt;neutron_l3_ns_metadata_proxy</title>
+<path fill="none" stroke="black" d="M340.89,-539.73C310.91,-507.59 245.59,-437.55 201.18,-389.94"/>
+<polygon fill="black" stroke="black" points="203.63,-387.43 194.25,-382.5 198.51,-392.2 203.63,-387.43"/>
+<text text-anchor="middle" x="289.5" y="-448.3" font-family="Times,serif" font-size="14.00">starts</text>
+</g>
+<!-- neutron_router -->
+<g id="node7" class="node">
+<title>neutron_router</title>
+<polygon fill="none" stroke="black" points="306,-322.5 306,-358.5 428,-358.5 428,-322.5 306,-322.5"/>
+<text text-anchor="middle" x="367" y="-336.8" font-family="Times,serif" font-size="14.00">neutron router</text>
+</g>
+<!-- neutron_l3_agent&#45;&gt;neutron_router -->
+<g id="edge6" class="edge">
+<title>neutron_l3_agent&#45;&gt;neutron_router</title>
+<path fill="none" stroke="black" d="M357.8,-539.73C359.54,-502.36 363.65,-413.75 365.74,-368.74"/>
+<polygon fill="black" stroke="black" points="369.24,-368.71 366.21,-358.55 362.25,-368.38 369.24,-368.71"/>
+<text text-anchor="middle" x="400" y="-455.8" font-family="Times,serif" font-size="14.00">configures</text>
+<text text-anchor="middle" x="400" y="-440.8" font-family="Times,serif" font-size="14.00">routes</text>
+</g>
+<!-- neutron_metadata_agent&#45;&gt;neutron_l3_ns_metadata_proxy -->
+<g id="edge5" class="edge">
+<title>neutron_metadata_agent&#45;&gt;neutron_l3_ns_metadata_proxy</title>
+<path fill="none" stroke="black" d="M156,-475.13C156,-443.6 156,-408.92 156,-382.8"/>
+<polygon fill="black" stroke="black" points="152.5,-475.24 156,-485.24 159.5,-475.24 152.5,-475.24"/>
+<text text-anchor="middle" x="197" y="-448.3" font-family="Times,serif" font-size="14.00">unix socket</text>
+</g>
+<!-- neutron_iptables -->
+<g id="node6" class="node">
+<title>neutron_iptables</title>
+<polygon fill="none" stroke="black" points="36,-163.5 36,-231.5 318,-231.5 318,-163.5 36,-163.5"/>
+<text text-anchor="middle" x="177" y="-216.3" font-family="Times,serif" font-size="14.00">iptables</text>
+<text text-anchor="middle" x="177" y="-201.3" font-family="Times,serif" font-size="14.00">nat table, PREROUTING chain</text>
+<text text-anchor="middle" x="177" y="-186.3" font-family="Times,serif" font-size="14.00">rule dst=169.254.169.254:80</text>
+<text text-anchor="middle" x="177" y="-171.3" font-family="Times,serif" font-size="14.00">target REDIRECT to=127.0.0.1:9697</text>
+</g>
+<!-- neutron_l3_ns_metadata_proxy&#45;&gt;neutron_iptables -->
+<g id="edge4" class="edge">
+<title>neutron_l3_ns_metadata_proxy&#45;&gt;neutron_iptables</title>
+<path fill="none" stroke="black" d="M163.61,-288.42C166.41,-269.59 169.51,-248.76 172.03,-231.89"/>
+<polygon fill="black" stroke="black" points="160.14,-287.93 162.13,-298.34 167.07,-288.96 160.14,-287.93"/>
+<text text-anchor="middle" x="202" y="-268.8" font-family="Times,serif" font-size="14.00">metadata</text>
+<text text-anchor="middle" x="202" y="-253.8" font-family="Times,serif" font-size="14.00">traffic</text>
+</g>
+<!-- instance -->
+<g id="node8" class="node">
+<title>instance</title>
+<polygon fill="none" stroke="black" points="75.5,-16.5 75.5,-69.5 384.5,-69.5 384.5,-16.5 75.5,-16.5"/>
+<text text-anchor="middle" x="230" y="-54.3" font-family="Times,serif" font-size="14.00">openstack instance</text>
+<text text-anchor="middle" x="230" y="-39.3" font-family="Times,serif" font-size="14.00">no 169.254 IP configured locally</text>
+<text text-anchor="middle" x="230" y="-24.3" font-family="Times,serif" font-size="14.00">route: 169.254.169.254 via subnet&#45;gw&#45;IP</text>
+</g>
+<!-- neutron_iptables&#45;&gt;instance -->
+<g id="edge3" class="edge">
+<title>neutron_iptables&#45;&gt;instance</title>
+<path fill="none" stroke="black" d="M187.46,-153.26C191.28,-139.02 195.92,-123.2 201,-109 205.75,-95.74 212.02,-81.4 217.51,-69.57"/>
+<polygon fill="black" stroke="black" points="183.98,-152.75 184.84,-163.31 190.75,-154.52 183.98,-152.75"/>
+<text text-anchor="middle" x="273.5" y="-127.8" font-family="Times,serif" font-size="14.00">HTTP GET</text>
+<text text-anchor="middle" x="273.5" y="-112.8" font-family="Times,serif" font-size="14.00">169.254.169.254:80</text>
+</g>
+<!-- neutron_router&#45;&gt;instance -->
+<g id="edge2" class="edge">
+<title>neutron_router&#45;&gt;instance</title>
+<path fill="none" stroke="black" d="M372.1,-312.38C379.21,-266.45 387,-172.2 346,-109 335.07,-92.15 318.17,-79.25 300.62,-69.55"/>
+<polygon fill="black" stroke="black" points="368.62,-312.01 370.43,-322.45 375.52,-313.16 368.62,-312.01"/>
+<text text-anchor="middle" x="402.5" y="-201.3" font-family="Times,serif" font-size="14.00">normal</text>
+<text text-anchor="middle" x="402.5" y="-186.3" font-family="Times,serif" font-size="14.00">traffic</text>
+</g>
+<!-- response_omitted&#45;&gt;neutron_metadata_agent -->
+<!-- traffic_omitted -->
+<g id="node10" class="node">
+<title>traffic_omitted</title>
+<text text-anchor="middle" x="495" y="-554.3" font-family="Times,serif" font-size="14.00">omitted...</text>
+</g>
+<!-- traffic_omitted&#45;&gt;neutron_router -->
+<g id="edge1" class="edge">
+<title>traffic_omitted&#45;&gt;neutron_router</title>
+<path fill="none" stroke="black" d="M487.35,-530.31C479.51,-505.19 465.95,-467.05 448,-437 430.05,-406.95 402.64,-376.92 384.77,-358.78"/>
+<polygon fill="black" stroke="black" points="484,-531.34 490.26,-539.89 490.7,-529.31 484,-531.34"/>
+<text text-anchor="middle" x="511.5" y="-448.3" font-family="Times,serif" font-size="14.00">normal traffic</text>
+</g>
+</g>
+</svg>
--- a/doc/source/contributor/internals/index.rst
+++ b/doc/source/contributor/internals/index.rst
@ -48,6 +48,7 @@ Neutron Internals
   linuxbridge_agent
   live_migration
   local_ips
+   metadata
   ml2_ext_manager
   network_ip_availability
   objects_usage
--- a/doc/source/contributor/internals/metadata.rst
+++ b/doc/source/contributor/internals/metadata.rst
@ -0,0 +1,27 @@
+..
+
+=======================================
+Metadata Service Architectural Overview
+=======================================
+
+The following figures give an overview of the traditional implementation of the
+metadata service primarily focusing on the component view and the flow of
+information. There are two distinct figures depicting the metadata service as
+implemented in isolated networks or in networks with a router.
+
+Please be aware that these figures are not complete. They do not apply to
+:ref:`ml2/ovn implementation<metadata_api>` or to
+`distributed metadata <https://specs.openstack.org/openstack/neutron-specs/specs/yoga/distributed-metadata-data-path.html>`_.
+They also omit details like IPv6 metadata or redundancy in the deployment.
+
+Metadata on isolated networks - DHCP Agent
+------------------------------------------
+
+.. image:: ../figures/neutron-metadata-dhcp-agent.png
+   :alt: Overview of traditional metadata architecture with DHCP agent
+
+Metadata on networks with a router - L3 Agent
+---------------------------------------------
+
+.. image:: ../figures/neutron-metadata-l3-agent.png
+   :alt: Overview of traditional metadata architecture with L3 agent