Re: [openstack-dev] [keystone] orchestration and db_sync
On Tue, May 31, 2016 at 8:41 AM David Stanekwrote: > On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey > wrote: > > Theses changes do not all happen at the same times for an OpenStack > installation. > > > - Create the service's users and add a password into the databse > > Should only happen once during installation. > > > - Sync the service with the database > > Should happen during installation and for every upgrade. > > > - Start the service > > > > I was wondering if for some services they could be aware of whether or > not they need > > to sync with the database at startup. Or maybe the service runs a > db_sync every time > > is starts? I figured I would start a thread about this because Keystone > has some > > flexibility when running N+1 in a cluster of N. If Keystone could have > that > > that ability maybe Keystone could db_sync each time it starts without > harming the > > cluster? > > This isn't something I would want to see for a few reasons. The most > important one is that I think the decision to run db_sync needs to be > explicit. An operator should run it when they are ready (maybe they > need to shut something down, ensure up-to-date backups, etc.). > +1 > > Another issue is database modification permissions. The user running > the application, as well as the DB user the application uses, > shouldn't have access to DML for security reasons. Little Bobby > Tables' mom found this out the hard way[1]. > +2 > > 1. https://xkcd.com/327/ > > -- > David > blog: http://www.traceback.org > twitter: http://twitter.com/dstanek > www: http://dstanek.com > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- -Dolph __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] orchestration and db_sync
On Fri, May 27, 2016 at 12:08 PM, Ryan Halliseywrote: Theses changes do not all happen at the same times for an OpenStack installation. > - Create the service's users and add a password into the databse Should only happen once during installation. > - Sync the service with the database Should happen during installation and for every upgrade. > - Start the service > > I was wondering if for some services they could be aware of whether or not > they need > to sync with the database at startup. Or maybe the service runs a db_sync > every time > is starts? I figured I would start a thread about this because Keystone has > some > flexibility when running N+1 in a cluster of N. If Keystone could have that > that ability maybe Keystone could db_sync each time it starts without harming > the > cluster? This isn't something I would want to see for a few reasons. The most important one is that I think the decision to run db_sync needs to be explicit. An operator should run it when they are ready (maybe they need to shut something down, ensure up-to-date backups, etc.). Another issue is database modification permissions. The user running the application, as well as the DB user the application uses, shouldn't have access to DML for security reasons. Little Bobby Tables' mom found this out the hard way[1]. 1. https://xkcd.com/327/ -- David blog: http://www.traceback.org twitter: http://twitter.com/dstanek www: http://dstanek.com __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] orchestration and db_sync
Hi Ryan, >- Create the service's users and add a password into the databse >- Sync the service with the database >- Start the service If I am right, these are one time activity...during installation stage.. one does not need to create "service users" again and again during service start. >Or maybe the service runs a db_sync every time is starts? No, service start does not run db_sync. I think only service status is updated in db during service start(i am not talking specific to keystone...just general behavior). What is requirement for db_sync each time service starts? Best Regards, Sheel Rana On Fri, May 27, 2016 at 9:38 PM, Ryan Halliseywrote: > Hi all, > > When orchestrating an openstack service from nothing, there are a few > steps that > need to occur before you have a running service assuming the database > already exists. > > - Create the service's users and add a password into the databse > - Sync the service with the database > - Start the service > > I was wondering if for some services they could be aware of whether or not > they need > to sync with the database at startup. Or maybe the service runs a db_sync > every time > is starts? I figured I would start a thread about this because Keystone > has some > flexibility when running N+1 in a cluster of N. If Keystone could have that > that ability maybe Keystone could db_sync each time it starts without > harming the > cluster? > > It may be wishful thinking, but I'm curious to hear more thought about the > topic. > > Thanks, > Ryan > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [keystone] orchestration and db_sync
Hi all, When orchestrating an openstack service from nothing, there are a few steps that need to occur before you have a running service assuming the database already exists. - Create the service's users and add a password into the databse - Sync the service with the database - Start the service I was wondering if for some services they could be aware of whether or not they need to sync with the database at startup. Or maybe the service runs a db_sync every time is starts? I figured I would start a thread about this because Keystone has some flexibility when running N+1 in a cluster of N. If Keystone could have that that ability maybe Keystone could db_sync each time it starts without harming the cluster? It may be wishful thinking, but I'm curious to hear more thought about the topic. Thanks, Ryan __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev