Openstack modules #19529
Openstack modules #19529
Conversation
|
Cool :) I've used this work for https://github.com/domenkozar/snabb-openstack-testing and never got to finishing the cleanup phase, which needs quite some work as you said :) |
domenkozar
added
6.topic: nixos
Sometimes, neutron tries to create its service but keystone admin user has not been created yet.
We added an interface that is used by the public network. This allows us to ping a VM from the hypervisor.
@domenkozar, do you know someone who could be interested to comment or review this PR ? |
|
@nlewo Thank you for this. I saw your post on the mailing list and was eager to try it. does not exist in 59daf08 I had to instead set I'm also deploying on to virtualbox rather than libvirtd. Below is the full {
openstack =
{config, pkgs, nixpkgs, ...}:
let
credentials = {
keystoneAdminUsername = "admin";
keystoneAdminTenant = "admin";
keystoneAdminPassword = "admin";
};
osConfig = {
endpointPublic = config.networking.privateIPv4;
} // credentials;
keystoneConfig = {
enable = true;
} // osConfig;
otherConfig = {
enableSingleNode = true;
} // osConfig;
in
{
deployment.targetEnv = "virtualbox";
deployment.virtualbox.memorySize = 4096;
deployment.virtualbox.headless = true;
nixpkgs.config.allowBroken = true;
networking.firewall.enable = false;
environment.systemPackages = with pkgs.pythonPackages;
[ neutronclient
keystoneclient
glanceclient
novaclient
];
virtualisation.keystone = keystoneConfig;
virtualisation.glance = otherConfig;
virtualisation.neutron = otherConfig;
virtualisation.nova = otherConfig;
};
} |
There was a problem hiding this comment.
Hey, I did small review. Biggest thing I noticed is that there is a lot of passwords in the configs and scripts which probably could be extracted to files (so for example files with secrets can be deployed by "nixops" or other secret managment, instead of putting them in nix store.
I'm new to open stack but I'm interested in that work and will be happy to review test and support with commit power if needed. Please ping me about that whenever you want.
| @@ -42,6 +42,8 @@ pkgs.vmTools.runInLinuxVM ( | |||
| mv closure xchg/ | |||
| ''; | |||
| buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ]; | |||
| allowSubstitutes = false; | |||
There was a problem hiding this comment.
Are you sure you want to change system level parameters in package pull request?
If you need those in package tests maybe worth to override those variables in package specific tests rather than globally?
There was a problem hiding this comment.
I don't know why this was set... so I remove it and tests are still ok.
| cfg = config.virtualisation.glance; | ||
| commonConf = '' | ||
| [database] | ||
| connection = mysql://glance:${cfg.dbPassword}@${cfg.dbHost}/glance |
There was a problem hiding this comment.
passwords in nix store? I would prefer not.
There was a problem hiding this comment.
@spinus Could you provide a pointer related to secret managment? I don't know what is secret managment good pratice.
There was a problem hiding this comment.
@nlewo I don't think we have something like that. But there is known thing that all derivations end up in /nix/store so all the passwords go there.
What I do to avoid it is:
- I follow nixops pattern to put ALL credentials in the key store (https://nixos.org/nixops/manual/#opt-deployment.keys) - those keys are not going to be written in /nix/store, they will end up in /run/keys/.
- in the scripts I use:
run-something --secret "$(</run/keys/<my-secret>)"
Config files are little harder. If it's possible to use that by the process, use mix of config files and environment variables. If it's not possible, I keep template of config file in nix store, and than, on preStart script I copy this file to /var/lib// and fill the template (for example with sed) with keys from /run/keys.
There was a problem hiding this comment.
I would prefer to not do this now since this PR is already really big. This will add more complexity. Moreover, current modules target a dev environment, where password are not really important.
What do you think to address this problem in another PR (once/if this one is merged)?
There was a problem hiding this comment.
Oh, I have no merge power here, I'm only talking :-) You don't even have to listen to me :-) probably better to ask people who have merge power.
Personally I woudn't merge thing in that state. I agree it's really big. If I would be doing that, I would create separate PR for each service and than another PR for "top-level" service which configures smaller services.
There was a problem hiding this comment.
yep, I also think I have to create a PR per components.
There was a problem hiding this comment.
It's the best when mysql client uses mysql client config files only. They allow !include, and thus you could have non-sensitive parameters in a "public" file and secret file included in it.
There was a problem hiding this comment.
@ip1981 Sorry, I don't understand your point. Could you point me a doc or an example related to the pattern you are suggesting?
There was a problem hiding this comment.
| project_domain_id = default | ||
| user_domain_id = default | ||
| username = ${cfg.serviceUsername} | ||
| password = ${cfg.servicePassword} |
| example = "localhost"; | ||
| }; | ||
|
|
||
| dbPassword = mkOption { |
| ''; | ||
| }; | ||
|
|
||
| keystoneAdminPassword = mkOption { |
|
|
||
| systemd.services.keystone-all = { | ||
| description = "OpenStack Keystone Daemon"; | ||
| after = [ "mysql.service" "network.target"]; |
There was a problem hiding this comment.
if you have after, maybe you want "requires" or "wants" as well?
There was a problem hiding this comment.
I added requires statement.
There was a problem hiding this comment.
Remember that if you use requires and mysql fail or restart this component will be failed as well, make sure that's what you expect :-)
There was a problem hiding this comment.
This suggests that you use local mysql only. If so, you don't need any passwords: use UNIX-socket authentication. But I think local mysql is not a strategy, and then the service better not to depends on mysql, or poll it.
|
|
||
| publicInterface = mkOption { | ||
| default = "eth0"; | ||
| description = "The pysical interface name used by the linuxbridge agent"; |
There was a problem hiding this comment.
I don't know openstack very well so probably I'm missing a bit. Usually I think the setup is that public interface is the separate one that bridge interface for vms, no? what's the story here?
There was a problem hiding this comment.
This interface is added to the bridge created for an network which is 'bound' to an external one. I update the documentation to provide some help about this.
|
|
||
| systemd.services.neutron-server = { | ||
| description = "OpenStack Neutron Daemon"; | ||
| after = [ "rabbitmq.service" "mysql.service" "network.target"]; |
There was a problem hiding this comment.
maybe "requires" or "wants" needed as well?
| chown neutron:neutron /var/lock/neutron/ /var/lib/neutron | ||
|
|
||
| # TODO: move out of here | ||
| mysql -u root -N -e "create database neutron;" || true |
There was a problem hiding this comment.
probably some dbHost value not propagated here
|
|
||
| # Wait until the keystone is available for use | ||
| count=0 | ||
| while ! keystone user-get ${cfg.keystoneAdminUsername} > /dev/null |
There was a problem hiding this comment.
Here you could do a nice trick. Becasue keystone can hang for whatever reason, you could prefix it with timeout i.e: "timeout 30 keystone...."
Next thing (just to consider) is to use $SECONDS variable instead of count, so you know for how long you will be trying. ($SECONDS gives you seconds since bash started, so you could check condition like :
max=$(($SECONDS+30))
if [ $SECONDS < $max ];then
break
fi
)
There was a problem hiding this comment.
I prefer to let it as it is since this is not really a timeout. We try 30 times but each try can be longer than 1 seconds.
|
@badi thx for your feedback. I upgraded the blog post according to your remarks. There is now a nixos test that builds a VM ready to use. I think this is the most convenient way to do some tries. |
|
@spinus thanks for all of your comments. |
|
@nlewo no worries. I'm interested in helping with this, I was just too lazy to start it myself but if you need a tester, code reviews or some other help let me know. |
|
I start to split this PR into several sub PR. The first one is keystone #20905. |
|
Sorry as I don't have time to review this, but others have jumped on the ship. Thanks for getting this upstream! Just a reference, here is WIP backend for nixops: NixOS/nixops#408 |
|
@domenkozar, this PR is too big and really not attractive for reviewers... It's why I submitted a PR that only addresses Keystone #20905. For sake of clarity, I squashed our commits into one and I mentioned your works in the commit message (I hope you're ok with that). |
|
@domenkozar what do you think about passwords and secrets, should this be passed as file (or env variable, or other) or still worth to merge this with passwords in nix store as a first draft? |
why rush? |
|
@ip1981 no rush, I'm just exposing some comments |
|
@spinus I don't know how to handle that best. It's the reason I haven't submitted this upstream. They shouldn't be in store, but we do have some services that do it today, but eventually someone will be screwed. |
|
@domenkozar that is my impression too hence I suggested to refactor this to keep secrets out of nix store but wanted some confirmation from the core team. Cheers. |
|
Hi @nlewo, I am thrilled that you're putting this effort in. I hope the (long) delay to getting this merged hasn't discouraged you too much. One thing I've noticed is basically all our current openstack modules need upgrades. Is that a project you could undertake as well? |
|
Hi @grahamc, I understand it takes time to upstream all these modules and since this is the first time I'm doing this... it takes even more times! I already planned to upgrade our openstack version, but I would prefer to first have modules for basic openstack modules in order to be able to easily do functional tests. Do you have an idea (order of magnitude) on how many time we could continue to have the liberty release? (I know several production lines where Juno is still in use...) Are there known security issues on liberty components? Thanks for your interest. |
|
Glance and Keystone are now already part of nixos. |
|
I will create new PRs regarding neutron and nova (as I did for keystone and glance). So I close this one mainly to clean the backlog;) |
I continued the works started by @domenkozar on Openstack NixOS modules.
I'm now able to deploy an Openstack compute node, create a network, a floating IP, boot a VM and ssh to it. So all basic components seem to work well;)
Note the Neutron driver is currently linuxbridge but I plan to add OVS.
There is still some (a lot of?) work to have clean modules.
I would like to know if some people are interested in these modules and if we could define what is required to go to a merge in master.
For those who are not familiar with Openstack but want to try it, I wrote a short guide to easily play with these modules, thanks to nixops.