| 2018-03-05 16:57:18 |
James Troup |
bug |
|
|
added bug |
| 2018-03-05 16:57:29 |
James Troup |
bug |
|
|
added subscriber The Canonical Sysadmins |
| 2018-03-06 06:57:55 |
Junien F |
description |
A Juju deployed OpenStack will not show the real hypervisor name to
tenants who are not admins, instead they are presented with a
per-tenant hash of the hypervisor name.
The hashed hostnames causes numerous problems, e.g.
1) if administrators are performing maintenance on a hypervisor,
they can't just communicate the hostname of the machine
maintenance is being performed on and let the tenants figure out
if they have instances on there.
2) if the administrators of the cloud make their
monitoring/observability data available to their users, the users
won't be able to make use of this because they don't know which
host their instance is running on
While the hypervisor name hashing (arguably) makes sense for an
OpenStack with untrusted users (e.g. which is providing a public cloud
service), I don't think it makes sense for the majority of OpenStack
deployments which are likely to be private clouds where the users are
trusted enough that there's no harm in them knowing hostnames of
machines.
Can we please consider:
a) switching the default to not hash hypervisor names?
b) providing a way to control the hashing via Juju config?
Thanks
FWIW, we've fixed this in some of our clouds by removing
'rule:admin_api' from 'os_compute_api:os-extended-server-attributes'
in /etc/nova/poly.json but I understand that this variable has changed
names between different releases of OpenStack. |
A Juju deployed OpenStack will not show the real hypervisor name to
tenants who are not admins, instead they are presented with a
per-tenant hash of the hypervisor name.
The hashed hostnames causes numerous problems, e.g.
1) if administrators are performing maintenance on a hypervisor,
they can't just communicate the hostname of the machine
maintenance is being performed on and let the tenants figure out
if they have instances on there.
2) if the administrators of the cloud make their
monitoring/observability data available to their users, the users
won't be able to make use of this because they don't know which
host their instance is running on
While the hypervisor name hashing (arguably) makes sense for an
OpenStack with untrusted users (e.g. which is providing a public cloud
service), I don't think it makes sense for the majority of OpenStack
deployments which are likely to be private clouds where the users are
trusted enough that there's no harm in them knowing hostnames of
machines.
Can we please consider:
a) switching the default to not hash hypervisor names?
b) providing a way to control the hashing via Juju config?
Thanks
FWIW, we've fixed this in some of our clouds by removing
'rule:admin_api' from 'os_compute_api:os-extended-server-attributes'
in /etc/nova/policy.json but I understand that this variable has changed
names between different releases of OpenStack. |
|
| 2018-07-02 10:40:11 |
James Page |
charm-nova-cloud-controller: status |
New |
Triaged |
|
| 2018-07-02 10:40:13 |
James Page |
charm-nova-cloud-controller: importance |
Undecided |
Wishlist |
|
| 2018-09-28 08:25:47 |
Peter Sabaini |
tags |
|
canonical-bootstack |
|
| 2018-09-28 08:26:17 |
Peter Sabaini |
bug |
|
|
added subscriber Canonical IS BootStack |
| 2018-10-22 22:27:27 |
Ryan Beisner |
charm-nova-cloud-controller: milestone |
|
18.11 |
|
| 2018-10-22 22:27:36 |
Ryan Beisner |
charm-nova-cloud-controller: importance |
Wishlist |
Medium |
|
| 2018-11-20 00:25:41 |
David Ames |
charm-nova-cloud-controller: milestone |
18.11 |
19.04 |
|
| 2019-04-17 22:08:26 |
David Ames |
charm-nova-cloud-controller: milestone |
19.04 |
19.07 |
|
| 2019-08-12 21:30:51 |
David Ames |
charm-nova-cloud-controller: milestone |
19.07 |
19.10 |
|
| 2019-10-24 23:29:00 |
David Ames |
charm-nova-cloud-controller: milestone |
19.10 |
20.01 |
|
| 2019-12-10 20:33:58 |
Ryan Beisner |
tags |
canonical-bootstack |
canonical-bootstack custom-policy |
|
| 2019-12-17 22:35:02 |
Peter Matulis |
bug |
|
|
added subscriber Peter Matulis |
| 2020-03-02 15:40:14 |
James Page |
charm-nova-cloud-controller: milestone |
20.01 |
20.05 |
|
| 2020-05-21 20:40:44 |
David Ames |
charm-nova-cloud-controller: milestone |
20.05 |
20.08 |
|
| 2020-08-03 14:02:08 |
James Page |
charm-nova-cloud-controller: milestone |
20.08 |
|
|
