[openstack-dev] [oslo][kolla][openstack-helm][tripleo][all] Storing configuration options in etcd(?)

Emilien Macchi emilien at redhat.com
Tue Mar 14 23:09:35 UTC 2017

On Tue, Mar 14, 2017 at 6:17 PM, Clint Byrum <clint at fewbar.com> wrote:
> Excerpts from Davanum Srinivas's message of 2017-03-14 13:04:37 -0400:
>> Team,
>> So one more thing popped up again on IRC:
>> https://etherpad.openstack.org/p/oslo.config_etcd_backend
>> What do you think? interested in this work?
>> Thanks,
>> Dims
>> PS: Between this thread and the other one about Tooz/DLM and
>> os-lively, we can probably make a good case to add etcd as a base
>> always-on service.
> This is a cool idea, and I think we should do it.
> A few loose ends I'd like to see in a spec:
> * Security Security Security. (Hoping if I say it 3 times a real
>   security person will appear and ask the hard questions).

I don't consider myself as a Security expert but in little knowledge:

- etcd v2 API allows authentification:
- etcd supports SSL/TLS as well as authentication through client
certificates, both for clients to server as well as peer (server to
server / cluster) communication

Which sounds pretty secure at this stage, comparing to what we have
now: config files with passwords and secrets everywhere.

> * Explain clearly how operators would inspect, edit, and diff their
>   configs.

That's a good question and we clearly need a tool to query etcd and
grab all parameters + values from a project in particular.
One other aspect that we could see is, thanks to
https://review.openstack.org/#/c/440835/ - we would have a single
interface that expose all parameters in a human readable format
and let operators manage these parameters (through an UI or just by
reading in the file).

Emilien Macchi

More information about the OpenStack-dev mailing list