[node-devel] oVirt Node designs for stateless operation and 3rd party plugins
Mike Burns
mburns at redhat.com
Tue Dec 6 14:26:29 UTC 2011
On Tue, 2011-12-06 at 08:52 -0500, Mike Burns wrote:
> Comments Inline
>
> On Tue, 2011-12-06 at 21:18 +1100, Geoff O'Callaghan wrote:
> > On Thu, 2011-12-01 at 09:32 -0500, Perry Myers wrote:
> > > the Node development team has been trying to write up rough requirements
> > > around the stateless and plugins concepts. And also some working high
> > > level design.
> > >
> > > They can be reviewed on these two wiki pages:
> > >
> > > http://ovirt.org/wiki/Node_plugins
> > > http://ovirt.org/wiki/Node_Stateless
> > >
> > > Since the plugin model and the stateless model affect more than just the
> > > oVirt Node itself, we definitely would like to get input from other
> > > teams on the oVirt project.
> > >
> > > Please add comments here or directly to the wiki.
> > >
> >
> > Hi There
> >
> > I work for a *large* organisation, I have issues with the goal of a
> > stateless design.
>
> Thanks for the feedback overall. I'll try to address all your points
> below.
>
> >
> > * Being able to install without a local disk
> >
> > I don't see this as a compelling reason for doing anything. In fact,
> > in many cases for other nameless hypervisors we use local disk as a
> > source for logging / dumps etc.
>
> That may be the case in your environment, but when we presented this at
> the oVirt Workshop, the idea of a diskless deployment was very well
> received.
> I suppose that what we're calling stateless is really more of
> a diskless feature rather than truly stateless since we're keeping the
> stateful information in a configuration server.
This is actually not correct. My mind was just caught up in thinking of
a totally diskless system. What Perry said is correct. We're looking
to move all configuration to a central location (configuration
neutrality). Disk would then become optional for things like swap
and/or kdump, etc.
>
> >
> > I think the goal for stateless should be instead be configuration
> > neutral. ie. if the node is destroyed the configuration can be
> > re-deployed without issue.
>
> Redeployed on the same machine? Or redeployed on a different machine?
> We already provide autoinstallation options that will do redeployments
> easily and one of the goals or ideas along with the proposed stateless
> model is that the machine gets re-provisioned and downloads its config
> bundle. This would successfully recover the node if someone were to
> power it off or destroy it somehow. If you're looking to move the
> config to a new machine, then that's not quite as simple. The easiest
> would be to simply install it again from scratch.
>
> >
> > The other issue is that the node should continue to be re-bootable even
> > if the configuration server is unavailable, which is a reason for having
> > the configuration on a local disk or a san attached LUN. This should
> > apply to the entire operational environment - if the engine is
> > unavailable during a restart I should continue working the way I was
> > configured to do so - that implies state is retained. It needs to be
> > easily refreshable :-)
>
> I will admit that the thought of the config server being unavailable
> hadn't come up previously. If this is something that you're
> legitimately concerned about, then it sounds like you'd want to continue
> doing local installations and not stateless installs.
>
> Currently, node images will install to local disk and they will boot
> fine without a management server or config server. But they won't be
> truly functional unless there is a management server available to tell
> it what to do. This is the case for all hypervisors, whether they're
> ovirt-node images or Fedora 16 images with VDSM installed or any of the
> other distributions. It's a limitation the VDSM and Engine need to
> solve outside the scope of ovirt-node.
> >
> > The configuration bundle should be refreshable from a configuration
> > server (part of the engine) and that could either be just configuration
> > or agents or even s/w images - all would be preferred and it's pretty
> > simple conceptually to have an active/backup image on local disk concept
> > to allow easy rollbacks etc. Yes all this , except for the logging /
> > swap could be in a usb key.
>
> We do provide a RootBackup partition that we automatically activate if
> something goes wrong with an upgrade. It would make sense that we
> should keep a backup configuration bundle on the management server as
> well. The actual image itself is a livecd, so updating that would be a
> matter of changing the usb stick/cd-rom/pxe image to the old/new version
>
> >
> > The bundle should all be pushed via a SSL encrypted RESTful api using
> > known non-priv credentials, preferably with rotating passwords or some
> > cert based approach. The server should also know who previously
> > managed it to reduce hostile attempts to change ownership of the node.
>
> Yes, the security issues are something that we're definitely aware of
> and not taking lightly. The actual process for how we do this is
> something that still would need to be worked out. The initial design
> was something along the lines of a free posting to the config server
> that the admin has to approve. The thought was that we would have
> different levels of security that could be configured depending on your
> deployment and the strictness of the rules in your environment.
>
> >
> > * DHCP and PXE booting
> >
> > Many corporate security policies prohibit the use of DHCP or PXE booting
> > servers for production environments. I don't see it as a big issue to
> > boot an install image and be a good woodpecker and hit enter a few times
> > and configure a management IP address. It should be possible to script
> > the complete configuration / addition of the node after that step. I
> > see the initial install as a trivial part of the complete node
> > lifecycle.
>
> So a couple thoughts here:
>
> 1. If only pxe is restricted, then you could have a usb stick or cd-rom
> with the image in each machine and still do stateless as defined
> otherwise.
> 2. If just DHCP, then you could have a pxe profile per machine that
> sets up the static networking options needed
> 3. If both are restricted, then you would have to go with a stateful
> installation. It's not going away, just another mode that we will
> provide.
>
> Actual installation and configuration can be completed automatically
> using kernel command line options. That is independent of whether
> you're using a stateful or stateless installation.
>
> >
> > * DNS SRV records
> >
> > Sorry, I hate the idea. Large corporates have so many different teams
> > doing little things that adding this in as a requirement simply adds
> > delays to the deployments and opportunities for misconfiguration.
>
> Sure, that's a valid possibility. Perhaps another commandline option
> that allows someone to specify the config server manually.
>
> >
> > Having the node image and config on local disk (or usb) avoids this
> > requirement as the node knows who manages it. A complete rebuild could
> > occur and the configuration reloaded once added back into the engine.
>
> Yes, this is a valid use case. And if that's the way you want to deploy
> your environment, then use the install to disk option and not stateless.
> We will provide both
>
> >
> > * Previously configured state
> >
> > Yes, the node should remember the previous operational state if it
> > can't talk to the engine. This is not a bad thing.
> >
> > * Configuration server
> >
> > This should be part of the engine. It should know the complete
> > configuration of a node, right down to hypervisor 'firmware' image. The
> > process should be 2-way. An admin should be able to 'pull' the
> > image/config from an operational and accessible node and new
> > configurations/images should be pushable to it.
> >
> > I really don't think this needs to be a separate server to the engine.
>
> I agree, it should be part of the engine, probably will be. Depending
> on time frames and availability, it might be developed separate
> initially, but long term we probably want to integrate with the
> management server.
> >
> > * New bundle deployments / Upgrades
> >
> > The engine should keep track of what images are on a node. If a new
> > config / image is to be deployed then for example, the node would be
> > tagged with the new image. If the node was online, an alternate image
> > would be pushed, vm's migrated to an alternate node and the node
> > restarted implementing the new image when requested.
>
> This is mostly already done, I think. I know the functionality is there
> in RHEV-M, but not sure if it's all in the webadmin UI yet. I know the
> backend pieces are all there though.
>
> A running node has it's version info that vdsm reads initially and
> reports back to the engine. An admin logs into the engine, and can see
> the details of the node including the version that it's currently
> running. There is an option to push out a new image to the node and
> have it upgrade itself. The node does have to be in maintenance mode to
> start the process which causes all VMs to be migrated away.
>
> >
> > If the node was offline at the time the new image was configured in the
> > engine or if the node was built say with an old image then when it
> > connects to the engine the image would be refreshed and the node
> > recycled.
>
> Automatic upgrades like this aren't done at the moment. There probably
> needs to be some policy engine that can control it so all machines don't
> suddenly try to upgrade themselves.
>
> This whole section really applies to stateful installations though. In
> Stateless, you just need to refresh the image in the PXE
> server/cd-rom/usb stick and reboot the machine (after putting it in
> maintenance mode)
>
> >
> > * Swap
> >
> > Local disk swap is likely to be required. Overcommit is common and SSD
> > local disk is something that is quite useful :-)
>
> I agree, in general. I did talk to one person at the workshop that had
> a machine with 300+GB RAM and had 0 interest in doing overcommit. So
> there is certainly a use case for being able to support both.
>
> >
> > So in summary, I prefer to think that the target should be
> > configuration neutrality or even just plain old distributed
> > configuration from a central source rather than completely stateless.
> > The goal should be toleration of complete destruction of a node image
> > and configuration and a simple process to re-add it and automatically
> > re-apply the configuration/sw image.
>
> I like the thought of storing the configuration to a central location
> even when having the image installed locally. I definitely think there
> will be people that can't or won't go with stateless for various reasons
> many of which you state above. But I also think there are some that
> will want it as well.
>
> The simplest use case for wanting a stateless model like we designed is
> someone that has a rack of blades without local disks. The setup pxe
> and dhcp, and just turn on the blades.
>
> Mike
> >
> > Just some thoughts for discussion / abuse ;-)
> >
> > Tks
> > Geoff
> >
> > > Cheers,
> > >
> > > Perry
> > > _______________________________________________
> > > Arch mailing list
> > > Arch at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/arch
> >
> >
> > _______________________________________________
> > Arch mailing list
> > Arch at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/arch
>
>
> _______________________________________________
> node-devel mailing list
> node-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/node-devel
More information about the Arch
mailing list