On Tue, May 24, 2016 at 10:21 PM, Michael Still <mi...@stillhq.com> wrote:

> On Wed, May 25, 2016 at 3:28 AM, Dan Smith <d...@danplanet.com> wrote:
>
>> > It was my impression we were trying to prevent bitrot, not defend
>> > against an attacker that has gained control over the compute node.
>>
>> I think we've established that addressing bitrot at the nova layer is
>> (far) out of scope and not something we want or need to do in nova.
>>
>
> Hi, guy from awkward timezone here.
>
> I wrote this code, in approximately the diablo timeline. So, it's been
> around for a long time (before pluggable instance storage backends for
> example).
>
> Originally I wanted to just write the cache cleaner, because that was the
> bit I really needed in my deployment. The image verification thing was
> added at the request of the PTL at the time, presumably for good reasons I
> can't recall any more.
>
> That said, I think its time has passed. It causes a lot of disk IO,
> especially if you imagine that we're trying to do a checksum on a file that
> might be 100gb. If people really care about this sort of thing, I think an
> optional boot time verification per instance would be a reasonable path to
> explore.
>
> So, I vote for removing image verification (but not image cache cleaning).
>

Thanks, Michael. Patch posted here:

 https://review.openstack.org/#/c/320910/

Take a moment to revel in the diffstat:

 nova/tests/unit/virt/libvirt/test_imagecache.py | 265 ++----------------------
 nova/virt/libvirt/imagecache.py                 | 211 +------------------
 2 files changed, 23 insertions(+), 453 deletions(-)

Happy Wednesday :)

Matt
-- 
Matthew Booth
Red Hat Engineering, Virtualisation Team

Phone: +442070094448 (UK)