On Wed, Nov 30, 2016 at 3:54 PM, Alex Schultz <aschu...@redhat.com> wrote:
> Hey folks,
>
> So I'm in the process of evaluating options for implementing the
> capture-environment-status-and-logs[0] blueprint. At the moment my
> current plan is to implement a mistral workflow to execute the
> sosreport to bundle the status and logs up on the requested nodes.
> I'm leveraging a similar concept to the remote execution[1] method
> we currently expose via 'openstack overcloud execute'. The issue I'm
> currently running into is getting the files off the overcloud node(s)
> so that they can be returned to the tripleoclient. The files can be
> large so I don't think they are something that can just be returned as
> output from Heat. So I wanted to ask for some input on the best path
> forward.
>
> IDEA 1: Write something (script or utility) to be executed via Heat on
> the nodes to push the result files to a container on the undercloud.
> Pros:
> - The swift container can be used by the mistral workflow for other
>   actions as part of this bundling
> - The tripleoclient will be able to just pull the result files
>   straight from swift
> - No additional user access needs to be created to perform operations
>   against the overcloud from the undercloud
> Cons:
> - Swift credentials (or token) need to be passed to the script being
>   executed by Heat on the overcloud nodes which could lead to undercloud
>   credentials being leaked to the overcloud
> - I'm not sure if all overcloud nodes would have access to the
>   undercloud swift endpoint

I'm in favor of prototyping idea 1 and seeing how we can resolve the
issue with credentials. We could eventually create a special and
dedicated account for these containers? I think this is the simplest
solution for now, let's see how it could work.

> IDEA 2: Write additional features into undercloud deployment for ssh
> key generation and inclusion into the deployment specifically for this
> functionality to be able to reach into the nodes and pull files out
> (via ssh).
> Pros:
> - We would be able to leverage these 'support' credentials for future
>   support features (day 2 operations?)
> - ansible (or similar tooling) could be used to perform operations
>   against the overcloud from the undercloud nodes
> Cons:
> - Complexity and issues around additional user access
> - Depending on where the ssh file transfer occurs (client vs mistral),
>   additional network access might be needed.
>
> IDEA 2a: Leverage the validations ssh key to pull files off of the
> overcloud nodes
> Pros:
> - ssh keys already exist when enable_validations = true so we can
>   leverage existing
> Cons:
> - Validations can be disabled, possibly preventing 'support' features
>   from working
> - Probably should not leverage the same key for multiple functions.
>
> I'm leaning towards idea 1, but wanted to see if there was some other
> form of existing functionality I'm not aware of.
>
> Thanks,
> -Alex
>
> [0] https://blueprints.launchpad.net/tripleo/+spec/capture-environment-status-and-logs
> [1] https://blueprints.launchpad.net/tripleo/+spec/remote-execution
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Emilien Macchi
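
One way to narrow the credential-leak con listed under IDEA 1, as an added example that is not from the thread or from TripleO's code: instead of a Swift token, the undercloud hands each node a Swift TempURL that only allows a PUT to one object for a short time. Using TempURL here is an assumption, not something either poster proposes, and the key, account, container and object names are constructed.

```python
import hmac
from hashlib import sha256
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (hypothetical names, not from the thread).
KEY = b"constructed-temp-url-key"   # container Temp-URL key, stays on the undercloud
PATH = "/v1/AUTH_support/sosreports/overcloud-controller-0.tar.xz"
NOW = 1480550000                    # fixed clock so the example is reproducible


def sign(key, method, expires, path):
    # Swift's tempurl middleware signs "METHOD\nEXPIRES\nPATH" with the key.
    # sha256 must be listed in the middleware's allowed_digests.
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, sha256).hexdigest()


def upload_url(key, path, now, ttl=900):
    """Undercloud side: PUT-only URL for exactly one object, valid for ttl seconds."""
    expires = now + ttl
    sig = sign(key, "PUT", expires, path)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def accepts(key, method, url, now):
    """Simplified model of the server-side check (real Swift also lets HEAD
    through on a valid GET/PUT/POST signature)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires = int(query["temp_url_expires"][0])
    if now > expires:
        return False
    expected = sign(key, method, expires, parts.path)
    return hmac.compare_digest(query["temp_url_sig"][0], expected)


def demo():
    url = upload_url(KEY, PATH, NOW)          # the only secret the node receives
    other = url.replace("controller-0", "controller-1")
    return {
        "put_now": accepts(KEY, "PUT", url, NOW + 60),
        "get_now": accepts(KEY, "GET", url, NOW + 60),      # cannot read back
        "other_object": accepts(KEY, "PUT", other, NOW + 60),
        "after_expiry": accepts(KEY, "PUT", url, NOW + 901),
    }


if __name__ == "__main__":
    print(demo())
```

A node holding this URL can write its own bundle and nothing else; the second con of IDEA 1 (whether every overcloud node can reach the undercloud Swift endpoint) is unaffected.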