[openstack-dev] [Openstack-operators] nova resize on shared storage

Marcus Furlong furlongm at gmail.com
Thu Aug 4 04:12:59 UTC 2016


On 1 August 2016 at 14:02, Blair Bethwaite <blair.bethwaite at gmail.com> wrote:
> On 1 August 2016 at 13:30, Marcus Furlong <furlongm at gmail.com> wrote:
>> Looks like there is a bug open which suggests that it should be using
>> RPC calls, rather than commands executed over ssh:
>>
>> https://bugs.launchpad.net/nova/+bug/1459782
>
> I agree, no operator in their right mind wants to turn this on for a
> production cloud, but it's a capability that a lot of useful higher
> level tooling wants to exploit (e.g. right-sizing solutions). IIRC
> this was discussed some time ago and I thought there was something in
> the dev pipeline to address it. Looking at the bug it does mention the
> related live-migration cleanup work that happened ~Havana or so, I
> guess the cold-migrate/resize pathway was missed or did it get stuck
> in review?

Good question. CC:ing openstack-dev in the hope someone might know.

> On this point in the bug report:
> ==
> There's a complication though. In virt.libvirt.utils.copy_image() we
> also rely on passwordless authentication to do either "rsync" or "scp"
> to copy the image file over when doing cold migration with local
> storage. So for the case of local storage we'd still need to set up
> passwordless ssh between compute nodes to handle cold migration.
> ==
>
> Passwordless ssh for services need not be so scary, it just needs to
> be managed right... Fortunately OpenSSH has a rather cool feature
> (that lots of people seem not to know about) - it supports auth by
> certificate, by which I mean an appropriately configured sshd can
> authenticate a client's cert based on the fact that it was signed by a
> trusted SSH CA without any need to have a record of the client's
> public key. Signed certs are valid for a limited time, so you can
> imagine building some automation that created a short-lived cert on
> demand that was valid just long enough to establish the scp connection
> needed to complete a cold-migration or resize. See "man ssh-keygen" ->
> CERTIFICATES.

Would it also be possible to use glance to store the image for the
local storage scenario? That would remove the ssh access requirement
from the equation completely.  Upload from source, download to
destination, then delete?
-- 
Marcus Furlong
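Blair's certificate-based approach above, worked through as an added shell example (not code from this thread or from nova): a host running the migration tooling holds an SSH CA, each compute node's sshd trusts only that CA's public key via TrustedUserCAKeys, and a certificate valid for five minutes with principal "nova" is issued for each cold-migration or resize. The principal name, validity window and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from nova: issue a short-lived
# OpenSSH user certificate for the nova service account so scp/rsync between
# compute nodes never depends on a standing authorized_keys entry.
# Assumptions: login user and principal "nova", 5-minute validity, scratch dir.
set -eu

# Nothing to demonstrate without the OpenSSH client tools.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. One-time: the CA key pair. Only the public half goes to the compute
#    nodes; the private half stays on the host that runs the migration tooling.
ssh-keygen -q -t ed25519 -N '' -C 'nova-migration-ca' -f "$WORK/migration_ca"

# sshd_config fragment for every compute node (constructed). Without an
# AuthorizedPrincipalsFile, a certificate principal must equal the login user,
# so a cert carrying principal "nova" can only log in as nova.
cat > "$WORK/sshd_config_fragment" <<EOF
TrustedUserCAKeys /etc/ssh/nova_migration_ca.pub
EOF

# 2. Per-migration: sign a fresh key for the source node. -V +5m bounds the
#    window; -O clear strips pty and forwarding permissions, which scp does not
#    need, so a leaked certificate is of little use and only briefly.
issue_cert() {
  local keyfile="$1" identity="$2"
  ssh-keygen -q -t ed25519 -N '' -f "$keyfile"
  ssh-keygen -q -s "$WORK/migration_ca" -I "$identity" -n nova -V +5m -O clear \
    "$keyfile.pub"
  printf '%s-cert.pub\n' "$keyfile"
}

# 3. Inspect what the receiving sshd will enforce: principals and validity.
cert_principals()   { ssh-keygen -L -f "$1" | awk '/Principals:/ {getline; print $1}'; }
cert_has_validity() { ssh-keygen -L -f "$1" | grep -q 'Valid: from'; }

CERT="$(issue_cert "$WORK/nova_src" "resize-$(date +%s)")"
echo "issued $CERT for principal: $(cert_principals "$CERT")"
ssh-keygen -L -f "$CERT"
```

The destination node needs nothing per migration beyond the CA public key; once the five minutes pass, sshd rejects the certificate even though no authorized_keys entry was ever removed.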