[Interop-wg] Question regarding DefCore 2016.08
Matt Riedemann
mriedemos at gmail.com
Fri Apr 28 15:03:34 UTC 2017
> On Apr 2, 2017, at 18:18 PM, Chris Hoge <chris at openstack.org> wrote:
> My apologies for the late reply about the outcomes of this meeting. As
> discussed, the Cinder API as described in the active guidelines is
> required for the OpenStack Powered Compute and OpenStack Powered
> Platform trademarks. The Nova/Cinder proxy API is not sufficient, and
> the direct Cinder API is required for the following reasons:
>
> 1) It is not the future direction of the Cinder API. [1]
> 2) The Nova volume extension API is deprecated. [2]
> 3) Projects other than Nova, such as Kubernetes, may want to consume
> the Cinder API as a provider plugin. [3]
> 4) There was no demonstration of any inherent vulnerabilities from
> direct use of the Cinder API.
>
> Thanks,
>
> Chris Hoge
> Interop Enginner
> OpenStack Foundation
There is a misunderstanding of what this is testing:
https://github.com/openstack/interop/blob/master/2017.01.json#L2656
That's testing the os-attach and os-detach APIs in Cinder. Nova uses
those to change the status on a volume at the end of a volume attach or
detach operation that is initiated via the compute API, not the volume
API. All they do is update the status and set some other metadata in the
Cinder volume DB table. They don't actually do anything with respect to
attaching a volume to a guest on the compute host or the storage
backend. They are a result of the nova-volume split out which became
Cinder and in no way should a user need to be using those APIs (the
os-attach and os-detach APIs).
The compute API for attaching, detaching, and listing volume attachments
to a server is here:
https://developer.openstack.org/api-ref/compute/#servers-with-volume-attachments-servers-os-volume-attachments
That is tested under the compute-volume-attach guideline:
https://github.com/openstack/interop/blob/master/2017.01.json#L1258
Which indirectly tests the os-attach/os-detach APIs in Cinder since Nova
relies on them to finish the attach / detach operations.
There is no proxying involved. The proxy APIs in Nova you're talking
about are these:
https://developer.openstack.org/api-ref/compute/#volume-extension-os-volumes-os-snapshots-deprecated
Which were deprecated in the compute 2.36 microversion in the Newton
release, and they have absolutely nothing to do with attaching volumes
to a server.
My understanding is that Huawei public cloud disables the
os-attach/os-detach APIs in the volume API endpoint via policy so that
end users basically don't harm themselves by messing up the actual
volume attach operation which is initiated via and orchestrated by the
compute API.
The volumes-v2-attach-detach guideline should be deprecated/removed from
the interop guidelines as it really doesn't make any sense that we test
against this. I'd push a patch to remove those tests from Tempest today
if it weren't for the fact that defcore relies on them.
I'm new to the interop process, so at this point what needs to happen to
fix this?
--
Thanks,
Matt
More information about the Interop-wg
mailing list