[openstack-dev] [keystone] orchestration and db_sync

David Stanek dstanek at dstanek.com
Tue May 31 13:38:31 UTC 2016


On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey <rhallise at redhat.com> wrote:

Theses changes do not all happen at the same times for an OpenStack
installation.

>     - Create the service's users and add a password into the databse

Should only happen once during installation.

>     - Sync the service with the database

Should happen during installation and for every upgrade.

>     - Start the service
>
> I was wondering if for some services they could be aware of whether or not they need
> to sync with the database at startup.  Or maybe the service runs a db_sync every time
> is starts?  I figured I would start a thread about this because Keystone has some
> flexibility when running N+1 in a cluster of N. If Keystone could have that
> that ability maybe Keystone could db_sync each time it starts without harming the
> cluster?

This isn't something I would want to see for a few reasons. The most
important one is that I think the decision to run db_sync needs to be
explicit. An operator should run it when they are ready (maybe they
need to shut something down, ensure up-to-date backups, etc.).

Another issue is database modification permissions. The user running
the application, as well as the DB user the application uses,
shouldn't have access to DML for security reasons. Little Bobby
Tables' mom found this out the hard way[1].

1. https://xkcd.com/327/

-- 
David
blog: http://www.traceback.org
twitter: http://twitter.com/dstanek
www: http://dstanek.com



More information about the OpenStack-dev mailing list