Open Stack

On 9/18/15, 08:03, "Major Hayden" <major at mhtx.net> wrote:

>Hey there,
>
>I start working on a bug[1] last night about adding a managed NTP
>configuration to openstack-ansible hosts.  My patch[2] gets chrony up and
>running with configurable NTP servers, but I'm still struggling to meet
>the "Proposal" section of the bug where the author has asked for
>non-infra physical nodes to get their time from the infra nodes.  I can't
>figure out how to make it work for AIO builds when one physical host is
>part of all of the groups. ;)
>
>I'd argue that time synchronization is critical for a few areas:
>
>  1) Security/auditing when comparing logs
>  2) Troubleshooting when comparing logs
>  3) I've been told swift is time-sensitive
>  4) MySQL/Galera don't like time drift
>
>However, there's a strong argument that this should be done by deployers,
>and not via openstack-ansible.  I'm still *very* new to the project and
>I'd like to hear some feedback from other folks.

Personally, I fall into the camp of "this is a deployer concern".
Specifically, there is already an ansible-galaxy role to enable NTP on
your deployment hosts (https://galaxy.ansible.com/list#/roles/464) which
*could* be expanded to do this very work that you're talking about. Using
specialized roles to achieve this (and contributing back to the larger
ansible community) seems like a bigger win than trying to reimplement some
of this in OSA instead of reusing other roles that already exist.

Compare it to a hypothetical situation where Keystone wrote its own
backing libraries to implement Fernet instead of using the cryptography
library. In that case there would be absolutely no argument that Keystone
should use cryptography (even if it uses cffi and has bindings to OpenSSL
which our infra team doesn't like and some deployers find difficult to
manage when using pure-python deployment tooling). Why should OSA be any
different from another OpenStack project?

Cheers,
Ian