Re: [openstack-dev] [keystone] orchestration and db_sync

2016-05-31 Thread Dolph Mathews
On Tue, May 31, 2016 at 8:41 AM David Stanek wrote:

> On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey wrote:
>
> These changes do not all happen at the same time for an OpenStack
> installation.
>
> > - Create the service's users and add a password into the database
>
> Should only happen once during installation.
>
> > - Sync the service with the database
>
> Should happen during installation and for every upgrade.
>
> > - Start the service
> >
> > I was wondering if for some services they could be aware of whether or
> > not they need to sync with the database at startup.  Or maybe the
> > service runs a db_sync every time it starts?  I figured I would start a
> > thread about this because Keystone has some flexibility when running
> > N+1 in a cluster of N. If Keystone could have that ability maybe
> > Keystone could db_sync each time it starts without harming the cluster?
>
> This isn't something I would want to see for a few reasons. The most
> important one is that I think the decision to run db_sync needs to be
> explicit. An operator should run it when they are ready (maybe they
> need to shut something down, ensure up-to-date backups, etc.).
>

+1


>
> Another issue is database modification permissions. The user running
> the application, as well as the DB user the application uses,
> shouldn't have access to DML for security reasons. Little Bobby
> Tables' mom found this out the hard way[1].
>

+2


>
> 1. https://xkcd.com/327/
>
> --
> David
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-- 
-Dolph


Re: [openstack-dev] [keystone] orchestration and db_sync

2016-05-31 Thread David Stanek
On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey wrote:

These changes do not all happen at the same time for an OpenStack
installation.

> - Create the service's users and add a password into the database

Should only happen once during installation.

> - Sync the service with the database

Should happen during installation and for every upgrade.

> - Start the service
>
> I was wondering if for some services they could be aware of whether or not
> they need to sync with the database at startup.  Or maybe the service runs
> a db_sync every time it starts?  I figured I would start a thread about
> this because Keystone has some flexibility when running N+1 in a cluster
> of N. If Keystone could have that ability maybe Keystone could db_sync
> each time it starts without harming the cluster?

This isn't something I would want to see for a few reasons. The most
important one is that I think the decision to run db_sync needs to be
explicit. An operator should run it when they are ready (maybe they
need to shut something down, ensure up-to-date backups, etc.).

Another issue is database modification permissions. The user running
the application, as well as the DB user the application uses,
shouldn't have access to DML for security reasons. Little Bobby
Tables' mom found this out the hard way[1].

1. https://xkcd.com/327/

-- 
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com
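
The split argued for in the message above (the service only checks its schema at startup, and an operator runs the sync as a separate, explicit step), as an added example that is not part of the original thread and is not Keystone's code. It assumes an in-memory SQLite database as a stand-in; the `schema_version` table, the migrations and all function names are hypothetical.

```python
import sqlite3

# Constructed migrations and table names, not Keystone's real schema.
MIGRATIONS = {
    1: "CREATE TABLE account (id TEXT PRIMARY KEY, name TEXT NOT NULL)",
    2: "ALTER TABLE account ADD COLUMN enabled INTEGER NOT NULL DEFAULT 1",
}
EXPECTED_VERSION = max(MIGRATIONS)


class SchemaOutOfDate(RuntimeError):
    """Raised at startup when the schema does not match the running code."""


def current_version(conn):
    """Read-only check: highest applied migration, 0 if never synced."""
    found = conn.execute(
        "SELECT 1 FROM sqlite_master "
        "WHERE type = 'table' AND name = 'schema_version'"
    ).fetchone()
    if found is None:
        return 0
    row = conn.execute("SELECT COALESCE(MAX(version), 0) FROM schema_version")
    return row.fetchone()[0]


def db_sync(conn):
    """Operator-invoked step: apply pending migrations in order."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS schema_version (version INTEGER NOT NULL)"
    )
    for target in range(current_version(conn) + 1, EXPECTED_VERSION + 1):
        conn.execute(MIGRATIONS[target])
        conn.execute("INSERT INTO schema_version VALUES (?)", (target,))
    conn.commit()
    return current_version(conn)


def start_service(conn):
    """Service startup: verify the schema, never modify it."""
    version = current_version(conn)
    if version != EXPECTED_VERSION:
        raise SchemaOutOfDate(
            f"schema at version {version}, code expects {EXPECTED_VERSION}; "
            "run db_sync explicitly before starting"
        )
    return "started"
```

Because `start_service` only issues SELECT statements, the process that runs it never needs credentials that can change the schema; those stay with whoever runs `db_sync`.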



Re: [openstack-dev] [keystone] orchestration and db_sync

2016-05-27 Thread Sheel Rana Insaan
Hi Ryan,

>- Create the service's users and add a password into the database
>- Sync the service with the database
>- Start the service
If I am right, these are one-time activities, during the installation stage.
One does not need to create "service users" again and again during service
start.


>Or maybe the service runs a db_sync every time it starts?
No, service start does not run db_sync.
I think only service status is updated in the db during service start (I am
not talking specifically about keystone, just general behavior).

What is the requirement for db_sync each time the service starts?

Best Regards,
Sheel Rana

On Fri, May 27, 2016 at 9:38 PM, Ryan Hallisey wrote:

> Hi all,
>
> When orchestrating an OpenStack service from nothing, there are a few
> steps that need to occur before you have a running service, assuming the
> database already exists.
>
> - Create the service's users and add a password into the database
> - Sync the service with the database
> - Start the service
>
> I was wondering if for some services they could be aware of whether or not
> they need to sync with the database at startup.  Or maybe the service runs
> a db_sync every time it starts?  I figured I would start a thread about
> this because Keystone has some flexibility when running N+1 in a cluster
> of N. If Keystone could have that ability maybe Keystone could db_sync
> each time it starts without harming the cluster?
>
> It may be wishful thinking, but I'm curious to hear more thought about the
> topic.
>
> Thanks,
> Ryan
>


[openstack-dev] [keystone] orchestration and db_sync

2016-05-27 Thread Ryan Hallisey
Hi all,

When orchestrating an OpenStack service from nothing, there are a few steps
that need to occur before you have a running service, assuming the database
already exists.

- Create the service's users and add a password into the database
- Sync the service with the database
- Start the service

I was wondering if for some services they could be aware of whether or not
they need to sync with the database at startup.  Or maybe the service runs a
db_sync every time it starts?  I figured I would start a thread about this
because Keystone has some flexibility when running N+1 in a cluster of N. If
Keystone could have that ability maybe Keystone could db_sync each time it
starts without harming the cluster?

It may be wishful thinking, but I'm curious to hear more thought about the
topic.

Thanks,
Ryan
