Steve, thank you for very valuable suggestions. Your block post is really
great - I've read about environments in Heat documentation but didn't
really understood them until now.

Usage of nested stacks may or may not solve my problem depending on what is
possible to do within those stacks.
Let me explain with simple example.

As you probably know Murano uses Heat for all infrastructure-related
operations. This means if some application from Catalog needs VM instance
or any other type of OpenStack resource it creates it by inserting a
snippet into user's Heat stack template and executes UPDATE STACK command.

Now suppose there is WordPress application published in App Catalog.
WordPress app manifest says that it requires installation of MySql. There
is also another application in AppCatalog called GaleraMySql that is known
to be compatible with MySql. In Murano Dashboard user creates new
environment (this corresponds to Heat stack and is not related to what is
called environment in Heat)
and puts WordPress and GaleraMySql on it. Then he connects them so that
GaleraMySql instance would be used in WordPress for MySql requirement.

WordPress and GaleraMySql were developed by different vendors that are not
aware of each others presence. But because of unfortunate combination of
circumstances both vendors chose to merge exactly the same snippet into
user's stack:

    "Resources": {
        "myHost": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "large",
                "ImageId": "someImage"
            }
        }
    }

Then instead of 2 different VMs there would be only one. Things would be
even worse if there was already resource "myHost" in user's stack.
It is more than a name-collision problem as incorrectly written application
manifest can cause any imaginable harm to the stack.

The obvious solution would be to give each app dedicated nested stack and
restrict it to that nested stack only. This would be a best solution. All I
need is to have the same level of control on nested stack I have on outer
stack - get stack template, modify and update them, access output
attributes. Is it possible to retrieve nested stack template, modify it and
populate it back to Heat?

Another option would be create separate top-level stacks for each app. But
in Murano applications themselves composed of smaller parts and in practice
this would lead to creation of dozen stacks with most of them containing
single resource. And then we would have to implement transaction update
between several stacks, coordinated deletion etc. This would also be bad
from a user's point of view at he doesn't expect to find long list of
stacks he has no idea where they came from.

My other options were on how nested stacks can be emulated on top of single
stack by controlling which app created which resource and dynamically
adjust resource names back and forth ("myHost" in example above) to some
unique values in a way that is opaque to application


On Fri, Feb 21, 2014 at 8:20 PM, Steven Hardy <sha...@redhat.com> wrote:

> On Fri, Feb 21, 2014 at 06:37:27PM +0400, Stan Lagun wrote:
> > Hi Everyone,
> >
> > While looking through Heat templates generation code in Murano I've
> > realized it has a major design flaw: there is no isolation between Heat
> > resources generated by different apps.
>
> Can you define the requirement for "isolation" in more detail?  Are you
> referring simply to namespace isolation, or do you need auth level
> isolation, e.g something enforced via keystone?
>
> > Every app manifest can access and modify its environment stack in any
> way.
> > For example it can delete instances and other resources belonging to
> other
> > applications. This may be not so bad for Murano 0.4 but it becomes
> critical
> > for AppCatalog (0.5) as there is no trust relations between applications
> > and it may be unacceptable that untrusted application can gain complete
> > write access over the whole stack.
>
> All requests to Heat are scoped by tenant/project, so unless you enforce
> resource-level access policy (which we sort-of started looking at with
> OS::Heat::AccessPolicy), this is expected behavior.
>
> > There is also a problem of name collisions - resources generated by
> > different applications may have the same names. This is especially
> probable
> > between resources generated by different instances of the same app. This
> > also affects Parameters/Output of Heat templates as each application
> > instance must generate unique names for them (and do not forget them
> later
> > as they are needed to read output results).
>
> A heirarchy of nested stacks, with each application defined as a separate
> stack seems the obvious solution here.
>
> > I think we need at least to know how we going to solve it before 0.5
> >
> > Here is possible directions i can think of:
> >
> > 1. Use nested Heat stacks. I'm not sure it solves naming collisions and
> > that nested stacks can have their own Output
>
> I think it does, and yes all stacks can have their own outputs, including
> nested stacks.
>
> Of particular interest to you may be the provider resource interface to
> nested stacks, which will allow you to define (via a series of nested stack
> templates) custom resource types defining each of your applications.
>
> See this old blog post, which will give you the providers/environments 101,
> and contains links to most of the related heat docs:
>
>
> http://hardysteven.blogspot.co.uk/2013/10/heat-providersenvironments-101-ive.html
>
> > 2. Control all stack template modifications and track which resource was
> > created by which app. Give applications read-only access to resources
> they
> > don't own
>
> I think we need more info on the use-case here, but perhaps you can either
> use the AccessPolicy resource, or we can work on defining an enhanced
> version which meets your requirements.
>
> > 3. Auto-generate resource names. Auto-add prefixes/suffixes to
> > resource/output etc names indicating owning app instance ID and remove
> them
> > upon read access from workflow so that generated names would be invisible
> > to workflow. That would also mean all VMs  would have generated names
>
> Heat already does this internally, we create unique names for all your
> instances, unless you explicitly provide a name via the OS::Nova::Server
> "name" property.
>
> It might help if you could provide a really simplified example of the
> problem you are facing, or links to the real templates which we could
> review and make suggestions?
>
> Steve
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Sincerely yours
Stanislav (Stan) Lagun
Senior Developer
Mirantis
35b/3, Vorontsovskaya St.
Moscow, Russia
Skype: stanlagun
www.mirantis.com
sla...@mirantis.com
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to