--- a/components/openstack/neutron/files/metadata_agent.ini	Fri Feb 05 11:09:10 2016 -0800
+++ b/components/openstack/neutron/files/metadata_agent.ini	Fri Feb 05 17:54:17 2016 -0500
@@ -39,12 +39,21 @@
 # When proxying metadata requests, Neutron signs the Instance-ID header with a
 # shared secret to prevent spoofing.  You may select any string for a secret,
 # but it must match here and in the configuration used by the Nova Metadata
-# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
+# Server. NOTE: Nova uses the same config key, but in [neutron] section.
 # metadata_proxy_shared_secret =
 
 # Location of Metadata Proxy UNIX domain socket
 # metadata_proxy_socket = $state_path/metadata_proxy
 
+# Metadata Proxy UNIX domain socket mode, 3 values allowed:
+# 'deduce': deduce mode from metadata_proxy_user/group values,
+# 'user': set metadata proxy socket mode to 0o644, to use when
+# metadata_proxy_user is agent effective user or root,
+# 'group': set metadata proxy socket mode to 0o664, to use when
+# metadata_proxy_group is agent effective group,
+# 'all': set metadata proxy socket mode to 0o666, to use otherwise.
+# metadata_proxy_socket_mode = deduce
+
 # Number of separate worker processes for metadata server. Defaults to
 # half the number of CPU cores
 metadata_workers = 1