On 06/25/2018 05:28 PM, Mohammed Naser wrote:
> Hi everyone:
>
> While working with the OpenStack infrastructure team, we noticed that
> we were having some intermittent issues where we wanted to identify a
> theory if all VMs with this issue were landing on the same hypervisor.
>
> However, there seems to be no way of directly accessing `hostId` from
> inside the virtual machine (such as using the metadata API).

Yes, that is correct. VMs should not know (or need to know) where they are hosted.

> This is a very useful thing to expose over the metadata API as not
> only would it help for troubleshooting these types of scenarios
> however it would also help software that can manage anti-affinity
> simply by checking the API and taking scheduling decisions.

We try very hard to not expose administrative operational details about the underlying hardware via the metadata API.

Virtual machines and the software running in them should not need to know what particular piece of hardware they are running on. VMs having knowledge of the underlying hardware and host violates the principle of least privilege and introduces attack vectors that I'm pretty sure you (as an operator) don't want to open up.

There is a bright red line between the administrative domain and the virtual/guest domain, and presenting host identifiers over the metadata API would definitely cross that bright red line.

> I've proposed the following patch to add this[1], however, this is
> technically an API change, and the blueprints document specifies that
> "API changes always require a design discussion."
>
> Also, I believe that we're in a state where getting a spec would
> require an exception.  However, this is a very trivial change.  Also,
> according to the notes in the metadata file, it looks like there is
> one "bump" per OpenStack release[3] which means that this change can
> just be part of that release-wide version bump of the OpenStack API.
>
> Can we include this trivial patch in the upcoming Rocky release?

I've -2'd the patch in question because of these concerns about crossing the line between administrative and guest/virtual domains. It may seem like a very trivial patch, but from what I can tell, it would be a very big departure from the types of information we have traditionally allowed in the metadata API.

Best,
-jay

> Thanks,
> Mohammed
>
> [1]: https://review.openstack.org/577933
> [2]: https://docs.openstack.org/nova/latest/contributor/blueprints.html
> [3]: http://git.openstack.org/cgit/openstack/nova/tree/nova/api/metadata/base.py#n60
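The "same hypervisor" theory and the anti-affinity check discussed above can both be answered from the administrative side, where `hostId` is already visible, without exposing anything to the guest. The following is an added example, not code from the thread or from Nova; it assumes an operator has fetched the `servers` list from Nova's `GET /servers/detail` (only `id`, `tenant_id` and `hostId` are used) and that `hostId` is Nova's per-project hash of the compute host, so it is only comparable between instances of the same project.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Nova's GET /servers/detail response,
# trimmed to the fields used here. Not real data.
SAMPLE_SERVERS_JSON = """
{"servers": [
  {"id": "a1", "name": "web-1", "tenant_id": "p1", "hostId": "0f3b"},
  {"id": "a2", "name": "web-2", "tenant_id": "p1", "hostId": "0f3b"},
  {"id": "a3", "name": "web-3", "tenant_id": "p1", "hostId": "77c1"},
  {"id": "a4", "name": "db-1",  "tenant_id": "p2", "hostId": "0f3b"}
]}
"""


def load_servers(raw):
    """Parse the JSON body of GET /servers/detail into a list of dicts."""
    return json.loads(raw)["servers"]


def group_by_host(servers):
    """Map (tenant_id, hostId) -> instance ids placed on that host.

    hostId is hashed together with the project, so the key includes
    tenant_id: equal hostId strings from different projects must not be
    treated as the same physical host.
    """
    groups = defaultdict(list)
    for s in servers:
        groups[(s["tenant_id"], s["hostId"])].append(s["id"])
    return dict(groups)


def colocated(servers, instance_ids):
    """Among `instance_ids`, return the groups that share a host.

    Empty result: the affected instances are spread across hosts (the
    theory fails, or anti-affinity holds). Non-empty: each value lists
    instances landed on the same hypervisor.
    """
    wanted = set(instance_ids)
    subset = [s for s in servers if s["id"] in wanted]
    return {k: v for k, v in group_by_host(subset).items() if len(v) > 1}


if __name__ == "__main__":
    servers = load_servers(SAMPLE_SERVERS_JSON)
    # a1 and a2 share host 0f3b within project p1; a3 is elsewhere.
    print(colocated(servers, ["a1", "a2", "a3"]))
```

Run against real data, the input would come from an admin-scoped server listing; the guest itself never needs to see `hostId`.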

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

