[Openstack-operators] [openstack-dev] [nova] Is verification of images in the image cache necessary?

Matthew Booth mbooth at redhat.com
Wed May 25 11:28:15 UTC 2016


On Tue, May 24, 2016 at 10:21 PM, Michael Still <mikal at stillhq.com> wrote:

> On Wed, May 25, 2016 at 3:28 AM, Dan Smith <dms at danplanet.com> wrote:
>
>> > It was my impression we were trying to prevent bitrot, not defend
>> > against an attacker that has gained control over the compute node.
>>
>> I think we've established that addressing bitrot at the nova layer is
>> (far) out of scope and not something we want or need to do in nova.
>>
>
> Hi, guy from awkward timezone here.
>
> I wrote this code, in approximately the diablo timeline. So, it's been
> around for a long time (before pluggable instance storage backends for
> example).
>
> Originally I wanted to just write the cache cleaner, because that was the
> bit I really needed in my deployment. The image verification thing was
> added at the request of the PTL at the time, presumably for good reasons I
> can't recall any more.
>
> That said, I think its time has passed. It causes a lot of disk IO,
> especially if you imagine that we're trying to do a checksum on a file that
> might be 100gb. If people really care about this sort of thing, I think an
> optional boot time verification per instance would be a reasonable path to
> explore.
>
> So, I vote for removing image verification (but not image cache cleaning).
>

Thanks, Michael. Patch posted here:

 https://review.openstack.org/#/c/320910/

Take a moment to revel in the diffstat:

 nova/tests/unit/virt/libvirt/test_imagecache.py | 265 ++----------------------
 nova/virt/libvirt/imagecache.py                 | 211 +------------------
 2 files changed, 23 insertions(+), 453 deletions(-)

Happy Wednesday :)

Matt
-- 
Matthew Booth
Red Hat Engineering, Virtualisation Team

Phone: +442070094448 (UK)