[openstack-dev] [tripleo] Requesting files from the overcloud from the undercloud

Emilien Macchi emilien at redhat.com
Mon Dec 12 13:34:02 UTC 2016

On Wed, Nov 30, 2016 at 3:54 PM, Alex Schultz <aschultz at redhat.com> wrote:
> Hey folks,
> So I'm in the process of evaluating options for implementing the
> capture-environment-status-and-logs[0] blueprint.  At the moment my
> current plan is to implement a mistral workflow to execute the
> sosreport to bundle the status and logs up on the requested nodes.
> I'm leveraging a similar concept to the the remote execution[1] method
> we current expose via 'openstack overcloud execute'.  The issue I'm
> currently running into is getting the files off the overcloud node(s)
> so that they can be returned to the tripleoclient.  The files can be
> large so I don't think they are something that can just be returned as
> output from Heat.  So I wanted to ask for some input on the best path
> forward.
> IDEA 1: Write something (script or utility) to be executed via Heat on
> the nodes to push the result files to a container on the undercloud.
> Pros:
> - The swift container can be used by the mistral workflow for other
> actions as part of this bundling
> - The tripleoclient will be able to just pull the result files
> straight from swift
> - No additional user access needs to be created to perform operations
> against the overcloud from the undercloud
> Cons:
> - Swift credentials (or token) need to be passed to the script being
> executed by Heat on the overcloud nodes which could lead to undercloud
> credentials being leaked to the overcloud
> - I'm not sure if all overcloud nodes would have access to the
> undercloud swift endpoint

I'm in favor of prototyping idea 1 and see how we can resolve the
issue with credentials. We could eventually create a special and
dedicated account for these containers?
I think this is the simplest solution for now, let's see how it could work.

> IDEA 2: Write additional features into undercloud deployment for ssh
> key generation and inclusion into the deployment specifically for this
> functionality to be able to reach into the nodes and pull files out
> (via ssh).
> Pros:
> - We would be able to leverage these 'support' credentials for future
> support features (day 2 operations?)
> - ansible (or similar tooling) could be used to perform operations
> against the overcloud from the undercloud nodes
> Cons:
> - Complexity and issues around additional user access
> - Depending on where the ssh file transfer occurs (client vs mistral),
> additional network access might be needed.
> IDEA 2a: Leverage the validations ssh key to pull files off of the
> overcloud nodes
> Pros:
> - ssh keys already exist when enable_validations = true so we can
> leverage existing
> Cons:
> - Validations can be disabled, possibly preventing 'support' features
> from working
> - Probably should not leverage the same key for multiple functions.
> I'm leaning towards idea 1, but wanted to see if there was some other
> form of existing functionality I'm not aware of.
> Thanks,
> -Alex
> [0] https://blueprints.launchpad.net/tripleo/+spec/capture-environment-status-and-logs
> [1] https://blueprints.launchpad.net/tripleo/+spec/remote-execution
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Emilien Macchi

More information about the OpenStack-dev mailing list