[node-devel] Support for stateless nodes
Doron Fediuck
dfediuck at redhat.com
Wed Feb 22 17:10:37 UTC 2012
On 22/02/12 18:06, Perry Myers wrote:
>> * Just stating the obvious, which is users need
>> to remove-add the host on every reboot. This will
>> not make this feature a lovable one from user's point of view.
>
> I think the point mburns is trying to make in his initial email is that
> we're going to need to do some joint work between node and vdsm teams to
> change the registration process so that this is no longer necessary.
>
> It will require some redesigning of the registration process
>
I'm aware of it, and that's why I'm raising my concerns, so we'll
have a (partial) task list ;)
>> * During initial boot, vdsm-reg configures the networking
>> and creates a management network bridge. This is a very
>> delicate process which may fail due to networking issues
>> such as resolution, routing, etc. So re-doing this on
>> every boot increases the chances of loosing a node due
>> to network problems.
>
> Well, if the network is busted which leads to the bridge rename failing,
> wouldn't the fact that the network is broken cause other problems anyhow?
>
Perry, my point is that we're increasing the chances to get
into these holes. Network is not busted most of the time, but occasionally
there's a glitch and we'd like to stay away from it. I'm sure
you know what I'm talking about.
> So I don't see this as a problem. If your network doesn't work
> properly, don't expect hosts in the network to subsequently work properly.
See previous answer.
> As an aside, why is reverse DNS lookup a requirement? If we remove that
> it makes things a lot easier, no?
>
Not sure I'm the right guy to defend it, but in order to drop reverse-dns,
you need to consider dropping SSL, LDAP and some other important shortcuts...
>> * CA pollution; generating a certificate on each reboot
>> for each node will create a huge number of certificates
>> in the engine side, which eventually may damage the CA.
>> (Unsure if there's a limitation to certificates number,
>> but having hundreds of junk cert's can't be good).
>
> I don't think we should regenerate a new certificate on each boot. I
> think we need a way for 'an already registered host to retrieve it's
> certificate from the oVirt Engine server'
>
> Using an embedded encryption key (if you trust your mgmt network or are
> booting from embedded flash), or for the paranoid a key stored in TPM
> can be used to have vdsm safely retrieve this from the oVirt Engine
> server on each boot so that it's not required to regenerate/reregister
> on each boot
>
Thoughtful redesign needed here...
>> * Today there's a supported flow that for nodes with
>> password, the user is allowed to use the "add host"
>> scenario. For stateless, it means re-configuring a password
>> on every boot...
>
> This flow would still be applicable. We are going to allow setting of
> the admin password embedded in the core ISO via an offline process.
> Once vdsm is fixed to use a non-root account for installation flow, this
> is no longer a problem
This is not exactly vdsm. More like vdsm-bootstrap.
>
> Also, if we (as described above) make registrations persistent across
> reboots by changing the registration flow a bit, then the install user
> password only need be set for the initial boot anyhow.
>
> Therefore I think as a requirement for stateless oVirt Node, we must
> have as a prerequsite removing root account usage for
> registration/installation
>
This is both for vdsm and engine, and I'm not sure it's that trivial.
>> - Other issues
>>
>> * Local storage; so far we were able to define a local
>> storage in ovirt node. Stateless will block this ability.
>
> It shouldn't. The Node should be able to automatically scan locally
> attached disks to look for a well defined VG or partition label and
> based on that automatically activate/mount
>
> Stateless doesn't imply diskless. It is a requirement even for
> stateless node usage to be able to leverage locally attached disks both
> for VM storage and also for Swap.
>
Still, in a pure disk-less setup you will not have local storage.
See also Mike's answer.
>> * Node upgrade; currently it's possible to upgrade a node
>> from the engine. In stateless it will error, since no where
>> to d/l the iso file to.
>
> Upgrades are no longer needed with stateless. To upgrade a stateless
> node all you need to do is 'reboot from a newer image'. i.e. all
> upgrades would be done via PXE server image replacement. So the flow of
> 'upload ISO to running oVirt Node' is no longer even necessary
>
This is assuming PXE only use-case. I'm not sure it's the only one.
>> * Collecting information; core dumps and logging may not
>> be available due to lack of space? Or will it cause kernel
>> panic if all space is consumed?
>
> We already provide ability to send kdumps to remote ssh/NFS location and
> already provide the ability to use both collectd and rsyslogs to pipe
> logs/stats to remote server(s). Local logs can be set to logrotate to a
> reasonable size so that local RAM FS always contains recent log
> information for quick triage, but long term historical logging would be
> maintained on the rsyslog server
>
This needs to be co-ordinated with log-collection, as well as the bootstrapping
code.
> Perry
--
/d
"Willyoupleasehelpmefixmykeyboard?Thespacebarisbroken!"
More information about the node-devel
mailing list