[openstack-dev] [nova][ironic] making file injection optional / removing it

Endre Karlson endre.karlson at gmail.com
Wed May 8 06:42:47 UTC 2013


Question on the image transfer from the "Image" node like Glance to the
Host being provisioned.

Why not add support for distributed bit-torrent servers that can serve out
the images? They use this approach in the Rocks HPC cluster OS based off of
CentOS / RedHat.

Endre


2013/5/8 Day, Phil <philip.day at hp.com>

> Personally I'd like to see it made optional for Nova as well - it doesn't
> work universally with guest operating systems, and with metadata server and
> config drive support providing two reasonable alternatives I don't see any
> reason for Nova to need to inject files into the user's filesystem
>
> Phil
>
> -----Original Message-----
> From: Robert Collins [mailto:robertc at robertcollins.net]
> Sent: 07 May 2013 19:10
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] [nova][ironic] making file injection optional /
> removing it
>
> For baremetal, file injection is a scalability, security and performance
> headache.
>
> With virtual nodes, the overheads of injection are spread around many
> hypervisors; for baremetal each nova-compute can potentially run 1000's of
> instances, so you have far fewer compute processes, and the relative
> overhead is much higher.
>
> The image cache for nova compute doesn't help baremetal at all, as we have
> to copy the content to the node every time: we're planning on mitigating
> that with something to avoid bottlenecking on either glance or nova-compute
> - sharing the load between machines that are deploying the same image -
> e.g. bittorrent. File injection means we have a unique image, or we have to
> transfer the content to be injected to the node being deployed on...
>
> And from a security perspective, copying secrets - in particular the
> replacement root password - over the network in an insecure fashion is
> troubling. TFTP isn't encrypted, and that's the boot process for baremetal.
> A salted password is substantially safer, but that would mean a significant
> layering violation if we pass that separately from the image, and if we pass it
> by injecting on the nova-compute node, we now have a different image.
>
> We could in principle generate a binary patch file to the image to apply
> after the identical base image, but we'd still need substantial complexity
> to ensure that scaled well and avoid issues when partition sizes are
> different etc.
>
> So - we'd like to make file injection either optional, or ideally just
> make it not exist for bare metal.
>
> Are there reasons we shouldn't/can't do that (e.g. is file injection a
> mandatory feature for a nova hypervisor driver?).
>
> -Rob
>
> --
> Robert Collins <rbtcollins at hp.com>
> Distinguished Technologist
> HP Cloud Services
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
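As an added illustration of the trade-off Rob lays out above (example code written for this page, not Nova, Ironic or any poster's code), the following Python models the two approaches side by side: injecting per-node files into a private copy of the image, versus shipping one identical image to every node and delivering the per-node data, with a salted password hash in place of the password, separately the way a metadata server or config drive would. The image bytes, node names, password and the `$salted-sha512$` hash format are constructed for the example; the hash is plain salted SHA-512 as a stand-in for the sha512-crypt format a real /etc/shadow entry uses.

```python
import hashlib
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a base OS image. A real one is gigabytes; only its
# identity (content hash) and what it carries across the wire matter here.
BASE_IMAGE = (
    b"[bootloader]\n"
    b"/etc/shadow: root:*:16000:0:99999:7:::\n"
    b"/etc/hostname: localhost\n"
)


def digest(blob: bytes) -> str:
    """Content identity of an image: what an image cache or a torrent swarm keys on."""
    return hashlib.sha256(blob).hexdigest()


def inject(image: bytes, files: Dict[str, bytes]) -> bytes:
    """Model of file injection: write files into a private copy of the image.
    Every node gets its own copy, and any per-node byte changes the digest."""
    out = image
    for path, content in sorted(files.items()):
        out += b"%s: %s\n" % (path.encode(), content)
    return out


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512 of the password. Stand-in (an assumption of this example)
    for sha512-crypt; the property relied on is that the hash reveals nothing
    about the password and the random salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    h = hashlib.sha512(salt + password.encode()).hexdigest()
    return "$salted-sha512$%s$%s" % (salt.hex(), h)


def deploy_with_injection(nodes: List[str], root_password: str) -> Dict[str, Tuple[str, bytes]]:
    """One image per node with the replacement root password and hostname
    written in. Returns {node: (image digest, bytes that travel to that node)}."""
    plan = {}
    for node in nodes:
        img = inject(BASE_IMAGE, {
            "/etc/shadow": b"root:%s:16000:0:99999:7:::" % root_password.encode(),
            "/etc/hostname": node.encode(),
        })
        plan[node] = (digest(img), img)
    return plan


def deploy_with_metadata(nodes: List[str], root_password: str) -> Tuple[str, Dict[str, bytes]]:
    """Identical base image for every node; per-node data travels separately,
    as a metadata server or config drive would carry it.
    Returns (shared image digest, {node: metadata bytes})."""
    metadata = {
        node: json.dumps({
            "hostname": node,
            "root_password_hash": salted_hash(root_password),
        }).encode()
        for node in nodes
    }
    return digest(BASE_IMAGE), metadata


def secret_on_wire(blob: bytes, secret: str) -> bool:
    """What a passive listener on an unencrypted transfer would find."""
    return secret.encode() in blob


def compare(nodes: List[str], root_password: str) -> Dict[str, object]:
    """Summarise both strategies for a set of nodes: how many distinct images
    have to be moved, and whether the root password is exposed in transit."""
    injected = deploy_with_injection(nodes, root_password)
    shared_digest, metadata = deploy_with_metadata(nodes, root_password)
    return {
        "distinct_images_with_injection": len({d for d, _ in injected.values()}),
        "shared_image_digest_with_metadata": shared_digest,
        "password_visible_with_injection": any(
            secret_on_wire(blob, root_password) for _, blob in injected.values()
        ),
        "password_visible_with_metadata": any(
            secret_on_wire(blob, root_password) for blob in metadata.values()
        ),
    }


if __name__ == "__main__":
    # Constructed sample: three nodes deployed from the same base image.
    print(json.dumps(compare(["node-1", "node-2", "node-3"], "S3cretRoot!"), indent=2))
```

Running it for three nodes gives three distinct image digests under injection, so neither the nova-compute image cache nor a bittorrent swarm can share the payload, and the root password is recoverable from the bytes each node receives; under the metadata approach every node pulls the one shared digest and no per-node blob contains the password. The model ignores hash stretching, TFTP framing and the deploy ramdisk; it only shows why per-node bytes inside the image are what breaks both the sharing and the secrecy.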