Hi Sean,

Thanks for your post.

On 11/23/20 2:32 PM, Sean Mooney wrote:
nova needs to enforce it as we use the absence or presence of the db creds to know if common code is running in the compute agent or in controller services
I'm a bit shocked to read what I've read in this thread, about the double-guess that Nova is doing. The way the Nova team has been describing, this really looks like hacks to hide the internals of Nova, and what the team is asking, is more band-aid for it. Probably things have been done this way to make it easier for the users, but at this point, it feels like we shouldn't attempt to hide facts anymore, and try to have everything explicit, which is going the opposite way of what you describe. Why don't we go the other way around, and get things like a superconductor=true configuration directive, for example?

On 11/23/20 2:32 PM, Sean Mooney wrote:
it is a bug to have the db cred in the set of configs passed to nova-compute and it has been for years.
In such a case, detect that it's the nova-compute agent that's running, detect that it has access to db creds, and either:
- display a big warning (I would prefer that)
- display an error and quit (maybe bad in the case of an all-in-one setup)

This is orthogonal to the fact that Nova code is doing a hack (which should be fixed) to check which daemon is currently running in what mode.

On 11/23/20 2:32 PM, Sean Mooney wrote:
we could make this just an ERROR log without the hard fail but that would still not change the fact there is a bug in packages or deployment tools that should be fixed.
Probably. But that shouldn't be upstream author's business on how things are deployed. IMO, in the case of an all-in-one, nova-compute should continue to work and just ignore the db params, and at worst display a huge warning in the logs.

With the light of this thread, my opinion now has shifted to *not* have special files for the db credential, to give Nova a chance to tell the users what to do if nova-compute detects a mistake. If we push the creds in /etc/nova/nova-db.conf, it won't be loaded by nova-compute, and it won't be able to warn the user that the file shouldn't be there on a compute node. Checking for the file existence only would be wrong (because it could have empty values and just be there ... just because it's there! :) ).

Hoping sharing my view is constructive and adding value to the thread,

Cheers,

Thomas Goirand (zigo)
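
The check discussed in this message, as an added example that is not part of the original email and is not Nova's own code: it inspects effective option values rather than file existence, warns by default and fails only on request. The `[database]/connection` and `[api_database]/connection` option names are Nova's; the function names, message text and sample files are hypothetical and constructed for illustration.

```python
import configparser
import os
import tempfile

# [database]/connection and [api_database]/connection are Nova's real DB
# options; function names, messages and sample files are hypothetical.
DB_OPTIONS = (("database", "connection"), ("api_database", "connection"))


def find_db_creds(config_files):
    """Return (section, option, path) for every DB option whose effective
    value is non-empty. Later files override earlier ones."""
    effective = {}
    for path in config_files:
        parser = configparser.ConfigParser(
            interpolation=None, strict=False, default_section="__unused__")
        parser.read(path)  # silently skips files that do not exist
        for section, option in DB_OPTIONS:
            if parser.has_option(section, option):
                value = parser.get(section, option).strip()
                effective[(section, option)] = (value, path)
    return [(s, o, p) for (s, o), (v, p) in effective.items() if v]


def check_compute_config(config_files, fatal=False):
    """Warn by default (all-in-one keeps working); fail only if fatal=True."""
    hits = find_db_creds(config_files)
    messages = [f"WARNING: nova-compute can read [{s}]/{o} from {p}"
                for s, o, p in hits]
    return (not (fatal and hits)), messages


def run_constructed_cases():
    """Exercise the check on constructed config files in a temp directory."""
    samples = {
        "nova.conf": "[DEFAULT]\ndebug = false\n",
        "empty-db.conf": "[database]\nconnection =\n",
        "nova-db.conf": "[database]\nconnection = mysql+pymysql://nova:EXAMPLE@db.example/nova\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, body in samples.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "w") as fh:
                fh.write(body)
        clean = [paths["nova.conf"], paths["empty-db.conf"]]
        leaky = [paths["nova.conf"], paths["nova-db.conf"]]
        return {
            "file_present_but_empty": check_compute_config(clean),
            "creds_warn": check_compute_config(leaky),
            "creds_fatal": check_compute_config(leaky, fatal=True)[0],
        }
```
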