Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal
Should this code cleanup be done separate from the update volume-Image-metadata update bp or should be a work item of it? -Original Message- From: Duncan Thomas [mailto:duncan.tho...@gmail.com] Sent: Thursday, June 26, 2014 7:29 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal On 25 June 2014 20:08, Tripp, Travis S travis.tr...@hp.com wrote: Once an instance is launched, the “image” properties are treated the same and lose distinction of whether they came from an image or a bootable volume in Nova. I agree with Facundo that maintaining a consistency between configuration files sounds like a configuration drift risk to me opening the opportunity to bypass protected properties. Also, commands in Cinder like upload-to-image may fail because a bootable volume is created with image properties that Glance doesn’t actually allow. Why not have a single source of truth for protected properties coming from Glance? A small possible downside I see is that the Glance API will get hit more often, but maybe we can optimize that? This does sound like a good topic for the Glance meeting, but since it is a Cinder topic as well, it would be good to get Cinder team feedback. I've just come from the glance meeting as a cinder representative, and the current plan is to require a copy the config file to both cinder and glance (deployer need to keep these in sync, and sync the protected properties code from glance into cinder (glance are happy to take code cleanups that make this easier; we can consider OSLO or whatever in future but that's a heavy height process for another day, copy and paste will do for now). There is a risk from config file drift, but there are already plenty of ways to mess up your config files so it isn't a particularly new one, any sensible deployer has tooling round this... ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal
I think make it a work item on the blueprint. I honestly haven't looked to see how much there'd be, just bought it up as a possible requirement so that it didn't later come as a surprise to glance folks On 27 June 2014 14:09, Maldonado, Facundo N facundo.n.maldon...@intel.com wrote: Should this code cleanup be done separate from the update volume-Image-metadata update bp or should be a work item of it? -Original Message- From: Duncan Thomas [mailto:duncan.tho...@gmail.com] Sent: Thursday, June 26, 2014 7:29 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal On 25 June 2014 20:08, Tripp, Travis S travis.tr...@hp.com wrote: Once an instance is launched, the “image” properties are treated the same and lose distinction of whether they came from an image or a bootable volume in Nova. I agree with Facundo that maintaining a consistency between configuration files sounds like a configuration drift risk to me opening the opportunity to bypass protected properties. Also, commands in Cinder like upload-to-image may fail because a bootable volume is created with image properties that Glance doesn’t actually allow. Why not have a single source of truth for protected properties coming from Glance? A small possible downside I see is that the Glance API will get hit more often, but maybe we can optimize that? This does sound like a good topic for the Glance meeting, but since it is a Cinder topic as well, it would be good to get Cinder team feedback. I've just come from the glance meeting as a cinder representative, and the current plan is to require a copy the config file to both cinder and glance (deployer need to keep these in sync, and sync the protected properties code from glance into cinder (glance are happy to take code cleanups that make this easier; we can consider OSLO or whatever in future but that's a heavy height process for another day, copy and paste will do for now). There is a risk from config file drift, but there are already plenty of ways to mess up your config files so it isn't a particularly new one, any sensible deployer has tooling round this... ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Duncan Thomas ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal
Thanks for the response, I'll be there this Thursday. Having the file in more than one place could me a nightmare if we have to maintain consistency between them. It could be good if we want to protect different properties than Glance. Thanks, Facundo From: Brian Rosmaita [mailto:brian.rosma...@rackspace.com] Sent: Tuesday, June 24, 2014 7:10 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi Facundo, Can you attend the Glance meeting this week at 20:00 UTC on Thursday in #openstack-meeting-alt ? I may be misunderstanding what's at stake, but it looks like: - Glance holds the image metadata (some user-modifiable, some not) - Cinder copies the image metadata to use as volume metadata (none is user-modifiable) - You want to implement user-modifiable metadata in Cinder, but you don't know which items should be mutable and which not. - You propose to add glance API calls to allow you to figure out property protections on a per-property basis. It looks like the only roles for Glance here are (1) as the original source of the image metadata, and then (2) as the source of truth for what image properties can be modified on the volume metadata. For (1), you've already got an API call. For (2), why not use the glance property protection configuration file directly? It's going to be deployed somehow to your glance nodes, you can deploy it to your cinder nodes at the same time. Or you can just use it as the basis of a Cinder property protection config file, because I wonder whether in the general case, you'll always want volume properties protected exactly the same as image properties. If not, the new API call strategy will force you to deal with differences in the code, whereas the config file strategy would move dealing with differences to setting up the config file. So I'm not convinced that a new API call is the way to go here. But there may be some nuances I'm missing, so it might be easier to discuss at the Glance meeting. The agenda looks pretty light for Thursday if you want to add this topic: https://etherpad.openstack.org/p/glance-team-meeting-agenda cheers, brian From: Maldonado, Facundo N [facundo.n.maldon...@intel.com] Sent: Tuesday, June 24, 2014 2:34 PM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi folks, I started working on this blueprint [1] but the work to be done is not limited to cinder python client. Volume-image-metadata is immutable in Cinder and Glance has RBAC image properties and it doesn't provide any way to find out which are those protected properties in advance [2]. I want to share this proposal and get feedback from you. https://docs.google.com/document/d/1XYEqGOa30viOyZf8AiwkrCiMWGTfBKjgmeYBptaCHlM/ Thanks, Facundo [1] https://blueprints.launchpad.net/python-cinderclient/+spec/support-volume-image-metadata [2] http://openstack.10931.n7.nabble.com/Cinder-Confusion-about-the-respective-use-cases-for-volume-s-admin-metadata-metadata-and-glance-imaga-td39849.html ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal
From: Brian Rosmaita [mailto:brian.rosma...@rackspace.com] Or you can just use it as the basis of a Cinder property protection config file, because I wonder whether in the general case, you'll always want volume properties protected exactly the same as image properties. If not, the new API call strategy will force you to deal with differences in the code, whereas the config file strategy would move dealing with differences to setting up the config file. Once an instance is launched, the image properties are treated the same and lose distinction of whether they came from an image or a bootable volume in Nova. I agree with Facundo that maintaining a consistency between configuration files sounds like a configuration drift risk to me opening the opportunity to bypass protected properties. Also, commands in Cinder like upload-to-image may fail because a bootable volume is created with image properties that Glance doesn't actually allow. Why not have a single source of truth for protected properties coming from Glance? A small possible downside I see is that the Glance API will get hit more often, but maybe we can optimize that? This does sound like a good topic for the Glance meeting, but since it is a Cinder topic as well, it would be good to get Cinder team feedback. -Travis From: Maldonado, Facundo N [mailto:facundo.n.maldon...@intel.com] Sent: Wednesday, June 25, 2014 7:34 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Thanks for the response, I'll be there this Thursday. Having the file in more than one place could me a nightmare if we have to maintain consistency between them. It could be good if we want to protect different properties than Glance. Thanks, Facundo From: Brian Rosmaita [mailto:brian.rosma...@rackspace.com] Sent: Tuesday, June 24, 2014 7:10 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi Facundo, Can you attend the Glance meeting this week at 20:00 UTC on Thursday in #openstack-meeting-alt ? I may be misunderstanding what's at stake, but it looks like: - Glance holds the image metadata (some user-modifiable, some not) - Cinder copies the image metadata to use as volume metadata (none is user-modifiable) - You want to implement user-modifiable metadata in Cinder, but you don't know which items should be mutable and which not. - You propose to add glance API calls to allow you to figure out property protections on a per-property basis. It looks like the only roles for Glance here are (1) as the original source of the image metadata, and then (2) as the source of truth for what image properties can be modified on the volume metadata. For (1), you've already got an API call. For (2), why not use the glance property protection configuration file directly? It's going to be deployed somehow to your glance nodes, you can deploy it to your cinder nodes at the same time. Or you can just use it as the basis of a Cinder property protection config file, because I wonder whether in the general case, you'll always want volume properties protected exactly the same as image properties. If not, the new API call strategy will force you to deal with differences in the code, whereas the config file strategy would move dealing with differences to setting up the config file. So I'm not convinced that a new API call is the way to go here. But there may be some nuances I'm missing, so it might be easier to discuss at the Glance meeting. The agenda looks pretty light for Thursday if you want to add this topic: https://etherpad.openstack.org/p/glance-team-meeting-agenda cheers, brian From: Maldonado, Facundo N [facundo.n.maldon...@intel.com] Sent: Tuesday, June 24, 2014 2:34 PM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi folks, I started working on this blueprint [1] but the work to be done is not limited to cinder python client. Volume-image-metadata is immutable in Cinder and Glance has RBAC image properties and it doesn't provide any way to find out which are those protected properties in advance [2]. I want to share this proposal and get feedback from you. https://docs.google.com/document/d/1XYEqGOa30viOyZf8AiwkrCiMWGTfBKjgmeYBptaCHlM/ Thanks, Facundo [1] https://blueprints.launchpad.net/python-cinderclient/+spec/support-volume-image-metadata [2] http://openstack.10931.n7.nabble.com/Cinder-Confusion-about-the-respective-use-cases-for-volume-s-admin-metadata-metadata-and-glance-imaga-td39849.html ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin
Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal
Hi Facundo, Can you attend the Glance meeting this week at 20:00 UTC on Thursday in #openstack-meeting-alt ? I may be misunderstanding what's at stake, but it looks like: - Glance holds the image metadata (some user-modifiable, some not) - Cinder copies the image metadata to use as volume metadata (none is user-modifiable) - You want to implement user-modifiable metadata in Cinder, but you don't know which items should be mutable and which not. - You propose to add glance API calls to allow you to figure out property protections on a per-property basis. It looks like the only roles for Glance here are (1) as the original source of the image metadata, and then (2) as the source of truth for what image properties can be modified on the volume metadata. For (1), you've already got an API call. For (2), why not use the glance property protection configuration file directly? It's going to be deployed somehow to your glance nodes, you can deploy it to your cinder nodes at the same time. Or you can just use it as the basis of a Cinder property protection config file, because I wonder whether in the general case, you'll always want volume properties protected exactly the same as image properties. If not, the new API call strategy will force you to deal with differences in the code, whereas the config file strategy would move dealing with differences to setting up the config file. So I'm not convinced that a new API call is the way to go here. But there may be some nuances I'm missing, so it might be easier to discuss at the Glance meeting. The agenda looks pretty light for Thursday if you want to add this topic: https://etherpad.openstack.org/p/glance-team-meeting-agenda cheers, brian From: Maldonado, Facundo N [facundo.n.maldon...@intel.com] Sent: Tuesday, June 24, 2014 2:34 PM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi folks, I started working on this blueprint [1] but the work to be done is not limited to cinder python client. Volume-image-metadata is immutable in Cinder and Glance has RBAC image properties and it doesn’t provide any way to find out which are those protected properties in advance [2]. I want to share this proposal and get feedback from you. https://docs.google.com/document/d/1XYEqGOa30viOyZf8AiwkrCiMWGTfBKjgmeYBptaCHlM/ Thanks, Facundo [1] https://blueprints.launchpad.net/python-cinderclient/+spec/support-volume-image-metadata [2] http://openstack.10931.n7.nabble.com/Cinder-Confusion-about-the-respective-use-cases-for-volume-s-admin-metadata-metadata-and-glance-imaga-td39849.html ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
