[openstack-dev] [keystone] orchestration and db_sync
dstanek at dstanek.com
Tue May 31 13:38:31 UTC 2016
On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey <rhallise at redhat.com> wrote:
These changes do not all happen at the same time for an OpenStack
> - Create the service's users and add a password into the database
Should only happen once during installation.
> - Sync the service with the database
Should happen during installation and for every upgrade.
> - Start the service
> I was wondering if for some services they could be aware of whether or not they need
> to sync with the database at startup. Or maybe the service runs a db_sync every time
> it starts? I figured I would start a thread about this because Keystone has some
> flexibility when running N+1 in a cluster of N. If Keystone could have that
> ability maybe Keystone could db_sync each time it starts without harming the
This isn't something I would want to see for a few reasons. The most
important one is that I think the decision to run db_sync needs to be
explicit. An operator should run it when they are ready (maybe they
need to shut something down, ensure up-to-date backups, etc.).
Another issue is database modification permissions. The user running
the application, as well as the DB user the application uses,
shouldn't have access to DML for security reasons. Little Bobby
Tables' mom found this out the hard way.