[openstack-dev] [nova] Adding hostId to metadata
Jay Pipes
jaypipes at gmail.com
Wed Jun 27 15:13:04 UTC 2018
On 06/25/2018 05:28 PM, Mohammed Naser wrote:
> Hi everyone:
>
> While working with the OpenStack infrastructure team, we noticed that
> we were having some intermittent issues where we wanted to identify a
> theory if all VMs with this issue were landing on the same hypervisor.
>
> However, there seems to be no way of directly accessing `hostId` from
> inside the virtual machine (such as using the metadata API).
Yes, that is correct. VMs should not know (or need to know) where they
are hosted.
> This is a very useful thing to expose over the metadata API as not
> only would it help for troubleshooting these types of scenarios
> however it would also help software that can manage anti-affinity
> simply by checking the API and taking scheduling decisions.
We try very hard to not expose administrative operational details about
the underlying hardware via the metadata API.
Virtual machines and the software running in them should not need to
know what particular piece of hardware they are running on. VMs having
knowledge of the underlying hardware and host violates the principle of
least privilege and introduces attack vectors that I'm pretty sure you
(as an operator) don't want to open up.
There is a bright red line between the administrative domain and the
virtual/guest domain, and presenting host identifiers over the metadata
API would definitely cross that bright red line.
> I've proposed the following patch to add this[1], however, this is
> technically an API change, and the blueprints document specifies that
> "API changes always require a design discussion."
>
> Also, I believe that we're in a state where getting a spec would
> require an exception. However, this is a very trivial change. Also,
> according to the notes in the metadata file, it looks like there is
> one "bump" per OpenStack release[3] which means that this change can
> just be part of that release-wide version bump of the OpenStack API.
>
> Can we include this trivial patch in the upcoming Rocky release?
I -2'd the patch in question because of these concerns about crossing
the line between administrative and guest/virtual domains. It may seem
like a very trivial patch, but from what I can tell, it would be a very
big departure from the types of information we have traditionally
allowed in the metadata API.
Best,
-jay
> Thanks,
> Mohammed
>
> [1]: https://review.openstack.org/577933
> [2]: https://docs.openstack.org/nova/latest/contributor/blueprints.html
> [3]: http://git.openstack.org/cgit/openstack/nova/tree/nova/api/metadata/base.py#n60
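The operator-side check Mohammed describes (does every affected VM sit on one hypervisor?) can be answered from the administrative domain without the guest ever learning its host: the compute API's server listing (`GET /servers/detail`) already carries `hostId`, and an admin-scoped listing also carries the hypervisor name in `OS-EXT-SRV-ATTR:host`. The following is an added example, my code rather than code from this thread or from Nova; it assumes that response shape and runs on a constructed sample instead of a live cloud.

```python
"""Group instances by hypervisor from the operator side.

Added example, not code from the thread or from Nova. It parses the shape of a
GET /servers/detail response (the `hostId` field, plus the admin-only
`OS-EXT-SRV-ATTR:host` attribute) and runs on a constructed sample.
"""
import json
from collections import defaultdict

# Constructed sample of an admin-scoped /servers/detail response; the ids,
# hostIds and hypervisor names are made up.
SAMPLE_SERVERS_DETAIL = json.dumps({
    "servers": [
        {"id": "0001", "name": "web-1", "hostId": "h-aaaa", "OS-EXT-SRV-ATTR:host": "compute-07"},
        {"id": "0002", "name": "web-2", "hostId": "h-aaaa", "OS-EXT-SRV-ATTR:host": "compute-07"},
        {"id": "0003", "name": "web-3", "hostId": "h-bbbb", "OS-EXT-SRV-ATTR:host": "compute-12"},
        {"id": "0004", "name": "db-1",  "hostId": "h-aaaa", "OS-EXT-SRV-ATTR:host": "compute-07"},
    ]
})


def group_by_host(servers_detail_json):
    """Return {hostId: sorted list of instance ids} from a /servers/detail body."""
    body = json.loads(servers_detail_json)
    groups = defaultdict(list)
    for server in body["servers"]:
        host_id = server.get("hostId")
        if host_id is None:  # e.g. an instance that has not been scheduled yet
            continue
        groups[host_id].append(server["id"])
    return {host: sorted(ids) for host, ids in groups.items()}


def shared_host(servers_detail_json, affected_ids):
    """Test the theory that every affected instance sits on one hypervisor.

    Returns the common hostId if all affected instances share exactly one,
    otherwise None (including when an affected id is unknown or unscheduled).
    """
    body = json.loads(servers_detail_json)
    by_id = {s["id"]: s for s in body["servers"]}
    missing = set(affected_ids) - set(by_id)
    hosts = {by_id[i].get("hostId") for i in affected_ids if i in by_id}
    if missing or len(hosts) != 1 or None in hosts:
        return None
    return hosts.pop()


def host_name(servers_detail_json, host_id):
    """Resolve an opaque hostId to the hypervisor name.

    Only an admin-scoped listing carries OS-EXT-SRV-ATTR:host, which is the
    point of the thread: the mapping stays on the operator's side of the line.
    """
    body = json.loads(servers_detail_json)
    for server in body["servers"]:
        if server.get("hostId") == host_id:
            return server.get("OS-EXT-SRV-ATTR:host")
    return None


if __name__ == "__main__":
    print(group_by_host(SAMPLE_SERVERS_DETAIL))
    common = shared_host(SAMPLE_SERVERS_DETAIL, {"0001", "0002", "0004"})
    print(common, host_name(SAMPLE_SERVERS_DETAIL, common))
```

Run against a real cloud by replacing `SAMPLE_SERVERS_DETAIL` with the body of an admin-scoped `GET /servers/detail` call; the affected-instance ids come from whatever the guests report, and the host correlation stays with the operator.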