[openstack-dev] [TripleO] os-refresh-config run frequency

Macdonald-Wallace, Matthew matthew.macdonald-wallace at hp.com
Thu Jun 26 11:13:31 UTC 2014


Hi all,

I've been working more and more with TripleO recently and whilst it does seem to solve a number of problems well, I have found a couple of idiosyncrasies that I feel would be easy to address.

My primary concern lies in the fact that os-refresh-config does not run on every boot/reboot of a system.  Surely a reboot *is* a configuration change and therefore we should ensure that the box has come up in the expected state with the correct config?

This is easily fixed through the addition of an "@reboot" entry in /etc/crontab to run o-r-c or (less easily) by re-designing o-r-c to run as a service.

My secondary concern is that through not running os-refresh-config on a regular basis by default (i.e. every 15 minutes or something in the same style as chef/cfengine/puppet), we leave ourselves exposed to someone trying to make a "quick fix" to a production node and taking that node offline the next time it reboots because the config was still left as broken owing to a lack of updates to HEAT (I'm thinking a "quick change" to allow root access via SSH during a major incident that is then left unchanged for months because no-one updated HEAT).

There are a number of options to fix this, including modifying os-collect-config to auto-run os-refresh-config on a regular basis or setting os-refresh-config to be its own service running via upstart or similar that triggers every 15 minutes.

I'm sure there are other solutions to these problems; however, I know from experience that claiming this is solved through "education of users" or (more severely!) via HR is not a sensible approach to take, as by the time you realise that your configuration has been changed for the last 24 hours it's often too late!

I'd welcome thoughts on the above,

Kind regards,

Matt


