[openstack-dev] [Vitrage] New proposal for analysis.
MinWookKim
delightwook at ssu.ac.kr
Mon Apr 2 01:51:48 UTC 2018
Hello Ifat,
Thank you for the reply. :)
It is my opinion only, so if I'm wrong, we can change the implementation
part at any time. (Even if it differs from my initial intention)
The same security issues arise as you say. But now Vitrage does not call
external APIs.
The Vitrage-dashboard uses Vitrageclient libraries for Topology, Alarms,
and RCA requests to Vitrage.
So if we add an API, it will have the following flow.
Vitrage-dashboard requests checks using the Vitrageclient library. ->
Vitrage receives the API.
-> api / controllers / v1 / checks.py is called. -> checks service is
called.
In accordance with the above flow, passing through the Vitrage API is the
purpose of data passing and function calls.
I think Vitrage does not need to call external APIs.
If you do not want to go through the Vitrage API, we need to create a
function for the check action in the Vitrage-dashboard, and write code to
call the function.
If I think wrong, please tell me anytime. :)
Thank you.
Best regards,
Minwook.
From: Afek, Ifat (Nokia - IL/Kfar Sava) [mailto:ifat.afek at nokia.com]
Sent: Sunday, April 1, 2018 3:40 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hi Minwook,
I understand your concern about the security issue.
But how would that be different if the API call is passed through Vitrage
API? The authentication from vitrage-dashboard to vitrage API will work, but
then Vitrage will call an external API and you’ll have the same security
issue, right? I don’t understand what is the difference between calling the
external component from vitrage-dashboard and calling it from vitrage.
Best regards,
Ifat.
From: MinWookKim <delightwook at ssu.ac.kr <mailto:delightwook at ssu.ac.kr> >
Reply-To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org
<mailto:openstack-dev at lists.openstack.org> >
Date: Thursday, 29 March 2018 at 14:51
To: "'OpenStack Development Mailing List (not for usage questions)'"
<openstack-dev at lists.openstack.org
<mailto:openstack-dev at lists.openstack.org> >
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hello Ifat,
Thanks for your reply. : )
I wrote my opinion on your comment.
Why do you think the request should pass through the Vitrage API? Why can’t
vitrage-dashboard call the check component directly?
Authentication issues:
I think the check component is a separate component based on the API.
In my opinion, if the check component has a separate api address from the
vitrage to receive requests from the Vitrage-dashboard,
the Vitrage-dashboard needs to know the api address for the check
component.
This can result in a request / response situation open to anyone,
regardless of the authentication supported
by openstack between the Vitrage-dashboard and the request / response
procedure of check component.
This is possible not only through the Vitrage-dashboard, but also with
simple commands such as curl.
(I think it is unnecessary to implement a separate authentication system
for the check component.)
This problem may occur if someone knows the api address for the check
component,
which can cause the host and VM to execute system commands.
what should happen if the user closes the check window before the checks
are over? I assume that the checks will finish, but the user won’t be able
to see the results?
If the window is closed before the check is finished, the user can not
check the result.
To solve this problem, I think that temporarily saving a list of recent
results is also a solution.
By storing temporary lists (for example, up to 10), the user can see the
previous results and think that it is also possible to empty the list by the
user.
how is it?
Thank you.
Best Regrads,
Minwook.
From: Afek, Ifat (Nokia - IL/Kfar Sava) [mailto:ifat.afek at nokia.com]
Sent: Thursday, March 29, 2018 8:07 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hi Minwook,
Why do you think the request should pass through the Vitrage API? Why can’t
vitrage-dashboard call the check component directly?
And another question: what should happen if the user closes the check
window before the checks are over? I assume that the checks will finish, but
the user won’t be able to see the results?
Thanks,
Ifat.
From: MinWookKim < <mailto:delightwook at ssu.ac.kr> delightwook at ssu.ac.kr>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
<mailto:openstack-dev at lists.openstack.org>
openstack-dev at lists.openstack.org>
Date: Thursday, 29 March 2018 at 10:25
To: "'OpenStack Development Mailing List (not for usage questions)'" <
<mailto:openstack-dev at lists.openstack.org>
openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hello Ifat and Vitrage team.
I would like to explain more about the implementation part of the mail I
sent last time.
The flow is as follows.
Vitrage-dashboard (action-list-panel) -> Vitrage-api -> check component
The last time I mentioned it as api-handler, it would be better to call the
check component directly from Vitarge-api without having to use it.
I hope this helps you understand.
Thank you
Best Regards,
Minwook.
From: MinWookKim [ <mailto:delightwook at ssu.ac.kr>
mailto:delightwook at ssu.ac.kr]
Sent: Wednesday, March 28, 2018 11:21 AM
To: 'OpenStack Development Mailing List (not for usage questions)'
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hello Ifat,
Thanks for your reply. : )
This proposal is a proposal that we expect to be useful from a user
perspective.
>From a manager's point of view, we need an implementation that minimizes
the overhead incurred by the proposal.
The answers to some of your questions are:
• I assume that these checks will not be implemented in Vitrage, and
the results will not be stored in Vitrage, right? Vitrage role is to be a
place where it is easy and intuitive for the user to execute external
actions/checks.
Yes, that's right. We do not need to save it to Vitrage because we just
need to check the results.
However, it is possible to implement the function directly in
Vitrage-dashboard separately from Vitrage like add-action-list panel,
but it seems that it is not enough to implement all the functions.
If you do not mind, we will have the following flow.
1. The user requests the check action from the vitrage-dashboard
(add-action-list-panel).
2. Call the check component through the vitrage's API handler.
3. The check component executes the command and returns the result.
Because it is my opinion only, please tell us if there is an unnecessary
part. :)
• Do you expect the user to click an entity, select an action to run
(e.g. ‘P2P check’), and wait by the open panel for the results? What if the
user switches to another menu before the check is done? What if the user
asks to run an additional check in parallel? What if the user wants to see
again a previous result?
My idea was to select the task, wait for the results in an open panel, and
then instantly see it in the panel.
If we switch to another menu before the scan is complete, we will not be
able to see the results.
Parallel checking is a matter of fact. (This can cause excessive overhead.)
For earlier results, it may be okay to temporarily save the open panel
until we exit the panel. We can see the previous results through the
temporary saved results.
• Any thoughts of what component will implement those checks? Or
maybe these will be just scripts?
I think I implement a separate component to request it.
• It could be nice if, as a result of an action check, a new alarm
will be raised in Vitrage. A specific alarm with the additional details that
were found. However, it might not be trivial to implement it. We could think
about it as phase #2.
It is expected to be really good. It would be very useful if an
Entity-Graph generates an alarm based on the check result.
I think that part will be able to talk in detail later.
My answer is my opinions and assumptions.
If you think my implementation is wrong, or an inefficient implementation,
please do not hesitate to tell me.
Thanks.
Best Regards,
Minwook.
From: Afek, Ifat (Nokia - IL/Kfar Sava) [ <mailto:ifat.afek at nokia.com>
mailto:ifat.afek at nokia.com]
Sent: Wednesday, March 28, 2018 2:23 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Vitrage] New proposal for analysis.
Hi Minwook,
I think that from a user’s perspective, these are very good ideas.
I have some questions regarding the UX and the implementation, since I’m
trying to think what could be the best way to execute such actions from
Vitrage.
* I assume that these checks will not be implemented in Vitrage,
and the results will not be stored in Vitrage, right? Vitrage role is to be
a place where it is easy and intuitive for the user to execute external
actions/checks.
* Do you expect the user to click an entity, select an action to
run (e.g. ‘P2P check’), and wait by the open panel for the results? What if
the user switches to another menu before the check is done? What if the user
asks to run an additional check in parallel? What if the user wants to see
again a previous result?
* Any thoughts of what component will implement those checks? Or
maybe these will be just scripts?
* It could be nice if, as a result of an action check, a new alarm
will be raised in Vitrage. A specific alarm with the additional details that
were found. However, it might not be trivial to implement it. We could think
about it as phase #2.
Best Regards,
Ifat
From: MinWookKim < <mailto:delightwook at ssu.ac.kr> delightwook at ssu.ac.kr>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
<mailto:openstack-dev at lists.openstack.org>
openstack-dev at lists.openstack.org>
Date: Tuesday, 27 March 2018 at 14:45
To: " <mailto:openstack-dev at lists.openstack.org>
openstack-dev at lists.openstack.org" <
<mailto:openstack-dev at lists.openstack.org>
openstack-dev at lists.openstack.org>
Subject: [openstack-dev] [Vitrage] New proposal for analysis.
Hello Vitrage team.
I am currently working on the Vitrage-Dashboard proposal for the ‘Add
action list panel for entity click action’.
( <https://review.openstack.org/#/c/531141/>
https://review.openstack.org/#/c/531141/)
I would like to make a new proposal based on the action list panel
mentioned above.
The new proposal is to provide multidimensional analysis capabilities in
several entities that make up the infrastructure in the entity graph.
Vitrage's entity-graph allows us to efficiently monitor alarms from various
monitoring tools.
In the current state, when there is a problem with the VM and Host, or when
we want to check the status, we need to access the console individually for
each VM and Host.
This situation causes unnecessary behavior when the number of VMs and hosts
increases.
My new suggestion is that if we have a large number of vm and host, we do
not need to directly connect to each VM, host console to enter the system
command.
Instead, we can send a system command to VM and hosts in the cloud through
this proposal. It is only checking results.
I have written some use-cases for an efficient explanation of the function.
>From an implementation perspective, the goals of the proposal are:
1. To execute commands without installing any Agent / Client that can
cause load on VM, Host.
2. I want to provide a simple UI so that users or administrators can get
the desired information to multiple VMs and hosts.
3. I want to be able to grasp the results at a glance.
4. I want to implement a component that can support many additional
scenarios in plug-in format.
I would be happy if you could comment on the proposal or ask questions.
Thanks.
Best Regards,
Minwook.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 33310 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180402/2a0bf34d/attachment.bin>
More information about the OpenStack-dev
mailing list