From: Brian Rosmaita [mailto:brian.rosma...@rackspace.com] >Or you can just use it as the basis of a Cinder property protection config >file, >because I wonder whether in the general case, you'll always want volume >properties protected exactly the same as image properties. If not, the new >API call strategy will force you to deal with differences in the code, whereas >the config file strategy would move dealing with differences to setting up the >config file.
Once an instance is launched, the "image" properties are treated the same and lose distinction of whether they came from an image or a bootable volume in Nova. I agree with Facundo that maintaining a consistency between configuration files sounds like a configuration drift risk to me opening the opportunity to bypass protected properties. Also, commands in Cinder like upload-to-image may fail because a bootable volume is created with image properties that Glance doesn't actually allow. Why not have a single source of truth for protected properties coming from Glance? A small possible downside I see is that the Glance API will get hit more often, but maybe we can optimize that? This does sound like a good topic for the Glance meeting, but since it is a Cinder topic as well, it would be good to get Cinder team feedback. -Travis From: Maldonado, Facundo N [mailto:facundo.n.maldon...@intel.com] Sent: Wednesday, June 25, 2014 7:34 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Thanks for the response, I'll be there this Thursday. Having the file in more than one place could me a nightmare if we have to maintain consistency between them. It could be good if we want to protect different properties than Glance. Thanks, Facundo From: Brian Rosmaita [mailto:brian.rosma...@rackspace.com] Sent: Tuesday, June 24, 2014 7:10 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi Facundo, Can you attend the Glance meeting this week at 20:00 UTC on Thursday in #openstack-meeting-alt ? I may be misunderstanding what's at stake, but it looks like: - Glance holds the image metadata (some user-modifiable, some not) - Cinder copies the image metadata to use as volume metadata (none is user-modifiable) - You want to implement user-modifiable metadata in Cinder, but you don't know which items should be mutable and which not. - You propose to add glance API calls to allow you to figure out property protections on a per-property basis. It looks like the only roles for Glance here are (1) as the original source of the image metadata, and then (2) as the source of truth for what image properties can be modified on the volume metadata. For (1), you've already got an API call. For (2), why not use the glance property protection configuration file directly? It's going to be deployed somehow to your glance nodes, you can deploy it to your cinder nodes at the same time. Or you can just use it as the basis of a Cinder property protection config file, because I wonder whether in the general case, you'll always want volume properties protected exactly the same as image properties. If not, the new API call strategy will force you to deal with differences in the code, whereas the config file strategy would move dealing with differences to setting up the config file. So I'm not convinced that a new API call is the way to go here. But there may be some nuances I'm missing, so it might be easier to discuss at the Glance meeting. The agenda looks pretty light for Thursday if you want to add this topic: https://etherpad.openstack.org/p/glance-team-meeting-agenda cheers, brian ________________________________ From: Maldonado, Facundo N [facundo.n.maldon...@intel.com] Sent: Tuesday, June 24, 2014 2:34 PM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [cinder][glance] Update volume-image-metadata proposal Hi folks, I started working on this blueprint [1] but the work to be done is not limited to cinder python client. Volume-image-metadata is immutable in Cinder and Glance has RBAC image properties and it doesn't provide any way to find out which are those protected properties in advance [2]. I want to share this proposal and get feedback from you. https://docs.google.com/document/d/1XYEqGOa30viOyZf8AiwkrCiMWGTfBKjgmeYBptaCHlM/ Thanks, Facundo [1] https://blueprints.launchpad.net/python-cinderclient/+spec/support-volume-image-metadata [2] http://openstack.10931.n7.nabble.com/Cinder-Confusion-about-the-respective-use-cases-for-volume-s-admin-metadata-metadata-and-glance-imaga-td39849.html
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
