HackStack Posts

Who Are We? Really? Really!

Fri, 14 Apr 2017 04:14:00 CDT

[Most of this originally appeared in a thread on the openstack-dev mailing list but seemed interesting enough to repost here.]

It is TC election season again in OpenStack-land and this time around a few days gap has been included between the self-nomination period and the actual election for those standing for election to be quizzed on various topics. One of these questions[0] was the usual "what is OpenStack?" between One Big Thing and Loosely Familiar Many Things.

I started with a smart-alec response to ttx's comparison of OpenStack to Lego (which I still own more of than I care to admit to my wife): "something something step on them in the dark barefoot". OpenStack really can be a lot like that, you think you are cruising along fine getting it running and BAM, there's that equivalent to a 2x2 brick in the carpet locating your heel in the dark. Why are those the sharpest ones???

Back to the topic at hand: This question comes up over and over, almost like clockwork at election time. This is a signal to me that we (the community overall) still do not have a shared understanding of the answer, or some just don't like the stated answer and their process to change that answer is to repeat the question hoping for a different answer.

In my case, the answer may be changing a bit. We've used the term 'cloud operating system' in various places, but not in our defining documents:

The OpenStack Foundation Bylaws use the phrase "the open source cloud computing project which is known as the OpenStack Project"
The Technical Committee Charter uses the phrase "one community with one common mission, producing one framework of collaborating components"
The User Committee Charter does not include a statement on "what is OpenStack"

I've never liked the "cloud operating system" term because I felt it mis-represented how we defined ourself and is too generic and used in other places for other things. But I've come to realize it is an easy-to-understand metaphor for what OpenStack does and where we are today. Going forward it is increasingly apparent that hybrid stacks (constellations, etc) will be common that include significant components that are not OpenStack at layers other than "layer 0" (ie, below all OpenStack components: database, message queue, etc). The example commonly given is of course Kubernetes, but there are others.

UNIX caught on as well as it did partly because of its well-defined interfaces between components at user-visible levels, specifically in userspace. The 'everything is a file' metaphor, for all its faults, was simple to understand and use, until it wasn't, but it still serves us well. There was a LOT of 'differentiation' between the eventual commercial implementations of UNIX which caused a lot of pain for many (including me) but the masses have settled on the highly-interoperable GNU/Linux combination. (I am conveniently ignoring the still-present 'differentiation' that Linux distros insist on because that will never go away).

This is where I see OpenStack today. We are in the role of being the cloud for the masses, used by both large (hi CERN!) and small (hi mtreinish's closet!) clouds and largely interoperable. Just as an OS (operating system) is the enabling glue for applications to function and communicate, our OS (OpenStack) is in position to do that for cloud apps. What we are lacking for guidance is a direct lineage to 20 years of history. We have to have our own discipline to keep our interfaces clean and easy to consume and understand, and present a common foundation for applications to build on, including applications that are themselves higher layers of an OS stack.

Phew! Thank you again for reading this far, I know this is not news to a lot of our community, but the assumption that "everyone knows this" is not true, we need to occasionally repeat ourselves to remind ourselves and inform our newer members what we are, where we are headed and why we are all here in the first place: to enable awesome work to build on our foundation, and if we sell a few boxes or service contracts or chips along the way, our sponsors are happy too.

Client Cloud Configuration

Thu, 30 Apr 2015 15:04:30 CDT

How I Learned to Love the Lack of Environment Variables

Previously I posted a preview of my favorite new feature of OpenStackClient, support for cloud configuration files and the new --os-cloud global option. Who knew it would take six months to get it done and released? There is some merely adequate documentation of the Client Cloud Configuration (or CCC) operation in the OSC Configuration docs, but this is too good to leave to official docs alone.

CCC was actually introduced in OSC release 1.1.0, which is the basis for compatibility with Liberty dependency requirements. But like the rest of OSC, it works just fine with all of the supported OpenStack releases.

Overview

The TL;DR for Client Cloud Configuration is take a global public cloud configuration file, add to it local clouds and/or public cloud authentication and region details and use them with a single command line option or environment variable and forget sourcing many openrc-like files.

clouds.yaml

It all starts with the clouds.yaml file that contains your cloud configuration details. This is really the only file required to use --os-cloud and defines its available arguments. OSC searches the following directories for clouds.yaml and uses only the first one it finds:

* the current directory
* ``~/.config/openstack``, aka ``$XDG_CONFIG_HOME/openstack``
* ``/etc/openstack``

~/.config is a well-known directory defined by the freedesktop.org XDG Base Directory Specification. If XDG_CONFIG_HOME is defined, it will be used in place of ~/.config.

clouds.yaml defines a list of clouds, the key for each cloud definition is shockingly the argument used with the --os-cloud option. Each cloud definition is made up of a list of keys that correspond to OSC's global options. One special item in this list is auth, which contains all of the authentication-related options. A bare-minimum clouds.yaml that works with a default DevStack installation (using Identity v2) looks like this:

clouds:
  devstack:
    auth:
      auth_url: http://127.0.0.1:35357/
      project_name: demo
      username: demo
      password: 0penstack
    region_name: RegionOne

With that configuration, you can skip sourcing openrc and do this:

openstack --os-cloud devstack token issue

to get a token from the running cloud.

clouds-public.yaml

Duplicating the configuration for public clouds (or private clouds within an organization) gets tedious, thus the motivation for clouds-public.yaml. The search path is the same as for clouds.yaml, in fact it is basically the same file except that the top-level key is public-clouds.

I should also note that a small set of public OpenStack clouds is also built-in to OSC so they can be referenced automatically. Here is an sample of the current built-in configuration:

public-clouds:
    hp:
        auth:
            auth_url: https://region-b.geo-1.identity.hpcloudsvc.com:35357/v2.0
        region_name: region-b.geo-1
        dns_service_type: 'hpext:dns'
        image_api_version: 1
        image_format: qcow2
    rackspace:
        auth:
            auth_url: https://identity.api.rackspacecloud.com/v2.0/
        database_service_type: 'rax:database'
        compute_service_name: cloudServersOpenStack
        image_api_version: 2
        image_api_use_tasks: True
        image_format: vhd
    dreamhost:
        auth:
            auth_url: https://keystone.dream.io/v2.0
        region_name: RegionOne
        image_api_version: 2
        image_format: raw

Note that not all of those configuration options are recognized by OSC yet.

With the above file, a clouds.yaml file that utilized it might look like this:

clouds:
    rax:
        cloud: rackspace
        auth:
            project_id: 123456
            username: joe-stacker
            password: 0penstack
        region_name: DFW

The cloud key selects the rackspace definition from the clouds-public.yaml file. The auth_url is automatically inherited from the rackspace definition. With those definitions, all that is required is the following:

openstack --os-cloud rax server list

or for those who still want to hang on to the old way, with an environment variable:

OS_CLOUD=rax openstack server list

Followup

Oh, just one more thing... I promised a followup to this post once things settled down. I am settling into my new role with Intel doing pretty much the same set of upstream things I was doing before. As hoped, OpenStackClient is a primary focus, along with some of the other client-side and app developer things I have been peripherally involved in lately like the Python SDK and the API Working Group. And DevStack. Always DevStack.

Actually, two more things... I was also elected to the OpenStack Technical Committee in the recent election.

How about one more one more thing? I shamelessly grabbed control of this dormant repo and intend to keep slowly plugging away at recreating a Keystone Session-style client in my favorite strongly-typed language. Come join!

OpenStackClient Is Three and Official

Sat, 18 Apr 2015 15:03:18 CDT

I was looking forward to writing a bit about OpenStackClient becoming the first project added to OpenStack under the 'big yurt' [1] governance model. It was even mostly written and set to publish right after the QA Code sprint article when Nebula did what so many startups do, which is to abruptly cease to exist. On April 1 no less. So instead I'll rehash this as a note on OSC's third birthday, based on the first repo commit.

Looking Backward

I don't want to spend too much energy looking at where we have been, except to note that a lot has happened since I shared a cab to SFO with Dolph Matthews and I floated the idea of scrapping all of the OpenStack project CLIs and starting over. He was just receptive enough that I spent most of the flight home teasing out the basic set of command actions and objects. And he backed that up by later choosing to not implement a CLI for the Identity v3 API but instead use OSC.

The rigorous command structure is what I consider the big win for OSC, having a small set of common actions and a set of known objects that are manipulated with those actions. Define a common operation and then do that operation on EVERY object the same way, even if that means a bunch of work under the hood because the REST API doesn't work that way.

One now-forgotten tidbit here is that I designed the commands to look similar to VMS's DCL command line set, in that the action preceeds the object. One complaint was that the objects needed to be pluralized on some actios, like list, because that's the proper English thing to do. I ignored plurals completely, although it does seem like we could have done it only with the list command.

It was at the Portland summit that I was persuaded to make the change when someone who understands bash command completion better than I do (which is to say 'I never looked at it') mentioned that it would be much simpler if the object came first. OK, finally, a good technical reason to change so we did. I think dhellmann said something like "I expected that to be much harder" afterward. I do change my mind, sometimes.

Looking Around Today

In the three years we have had just over 1000 commits from around 70 contributors. I want to grow the team; we have a small band of regulars now with a core review team of 4, having recently added Terry Howe, who has also spent a significant amount of time working on the Python SDK.

We have a couple of interesting features brewing for the next significant release, support for the os-client-config cloud configuration files and a client-side caching that will significantly improve responsiveness in many instances. [2]

Another historical bit is that for most of its life, OSC was mostly a side project for me. I was able to eventually give it some real time along side DevStack and the other things but it seems to be the kind of project that doesn't seem so important until you really really need it now.

As I was talking to a lot of people over the last couple of weeks trying to find my next professional home, it became clear to me how some people and organizations feel about projects like OSC. They're not sexy, not the sort of thing that 'sells' customers on your cloud or your service or whatever. There were a couple of companies that totally did not view this as worth spending time on. Fortunately for us all, there are more companies that do think it is worth the time and I expect to be able to give OSC and other client/app developer projects a significant part of my time going forward.

When OSC was added as an official project, we also brought the os-client-config (from Stackforge) and cliff (from Oslo) repos with it. Cliff was written by Doug Hellmann specifically for OSC to manage the numerous command implementations and give a solid basis for each of the actions. I think it has worked out great and been a great help in maintaining the consistency in OSC so far. It has also been adopted by other projects, some outside of the OpenStack ecosystem.

os-client-config (aka o-c-c) was originated by Monty Taylor to add client-side cloud configuration along with his shade library. BTW, if you ever want to see what the challenges of using multiple clouds in the same project, have a look at shade. In an ideal world it should not need to exist, especially since it only talks to OpenStack clouds.

OSC will be using o-c-c to implement the same cloud configuration that will make it simple to switch between cloud authentication configurations with a single command line option. And also to share public cloud configuration templates without sharing authentication details for them. I plan to follow up with details on how to use this soon, watch this space.

Looking Ahead

Technically we still have a lot of work to do. There are significant APIs that are still not implemented (Network, Volume v2) and incomplete (Image v1 and v2). We need to speed up the load time, eliminate unnecessary dependencies, and fix bugs. Always fix bugs.

On a slightly longer scope, we will switch to use the OpenStack SDK when it is ready, continue to better enable plugins to support upper layer services, and most importantly, we MUST drive down the number of dependencies required to install OSC and make it easy to use for non-Python developers. There needs to be a single file install that 'just works'.

I do still want to duplicate it all in Go. My Go prototype is older than OSC, actually...and is a single file install...

[1]	Yeah, I know the usual term is big tent. Every time I hear that I think of a big top and I really don't want to be thought of as 'one of the clowns in the big top'... even if it might be accurate...

[2]	Update: Caching didn't make it.

QA Code Sprint

Mon, 30 Mar 2015 15:03:30 CDT

Last week (Mar 25-27) a handful of OpenStack QA Team members gathered at HP's Chelsea office to Get Some Code Written and Merged. We had a small list of priorities and some amazement at the amount of stuff the morning caterer could fit into a single box. [Note to self: get a magic catering box to store oversized project todo list]

I was focused primarily on DevStack although some discussion took place around some future direction on Grenade plugins (see below). Much actual work was accomplished by others present in spite of Matt's attempts to feed us into submission. Dang, those short ribs were good...

DevStack

There are two major priorities for DevStack: run services in virtual environments and use Neutron as the default network stack.

Neutron

Sean Collins (sc68cal) was present [1] and is taking on most of the work to get Neutron supported as the default. We had given him some constraints to be the default, being use of a single interface and using linuxbridge rather than Open vSwitch. Other Sean had the single interface work mostly complete and after one false start it was merged.

The selection of linuxbridge seems to be a bit controversial but the thinking goes like this: DevStack's default should be simple and not require a huge learning curve. The linuxbridge configuration is an intermediate step between nova-network and full-blown Neutron-with-OVS and is totally adequate for a large number of use cases. If it is not a valid use case, then we feel it should be totally removed from Neutron.

Other Sean sent a WIP review into the gate to see just how badly linuxbridge is as it is not currently tested in the gate AT ALL! Unsurprisingly it has a number of failures, but is not a total washout.

DevStack's Neutron code is in bad shape. It has been continually updated by many people who do not understand the Big Picture. I blame myself for not staying on top of this code and allowing it to diverge from the rest of DevStack's style and implementation. Other Sean found a number of inconsistencies in variable names and uses as he tried to get the single interface work done and we came to the inevitable conclusion that it was time to start over.

lib/neutron was renamed to lib/neutron-legacy in review 167684 and I put together the first cut as a new lib/neutron that takes a similar form to the rest of DevStack in 168438. This is a stripped-down subset that has a number of changes:

Service names are renamed to neutron-api, neutron-agent, etc.
At this point, only the API service and basic agents are intended to be started.

But what about the plugins? What about the advanced services? What about the vendors? I can't do it all at once. The first priority is to get a 'minimum viable Neutron' configuration to use as the default. The old code was renamed not removed, and exactly zero of the configuration variables and service names have changed. Nothing should be directly importing lib/neutron* so that change is handled in DevStack and Grenade already. After we have working linuxbridge and ovs configurations we can look at what else needs to be included.

The advanced services should be implemented as plugins in the same manner that we are doing with other layer 3 and higher services. Vendor plugins will be removed from the tree when the legacy code is removed and should also be moved to out-of-tree plugins.

Virtual Environments

The first set of virtual environment (venv) support was finally merged. This work has exposed a number of assumptions on both DevStack and the projects themselves that have needed to be handled. The most recent is that rootwrap is called from the services without a fully-qualified path, relying on a PATH search. Normally this is a Bad Thing(TM) in conjunction with sudo use, and I think that applies to this situation too. When venvs are active, the {project}-rootwrap binary is not in the system PATH, nor the one configured in sudo's secure_path. We need to now add each venv /bin directory to the secure_path so the {project}-rootwrap binary can be found.

Review 168773 extracts the basic rootwrap configuration for Cinder and Nova into lib/rootwrap and adds a function to maintain a useful secure_path setting for sudo.

Other DevStack Bits

Sean Dague (sdague) nuked the INSTALL_TESTONLY_PACKAGES setting and set the code to always install those packages, ie as if INSTALL_TESTONLY_PACKAGES=True. We felt that the evolution of DevStack no longer made sense to maintain this distinction, some may argue it never was needed in the first place. They can now say 'I told you so' and buy us a $COLD_BEVERAGE in Vancouver.

Some travel delays and spotty on-board wifi on the trip home led to a semi-irregular cleanup review that fixed a bunch of Shocco docs build errors and spellings and comment spacings and most importantly, the capitalization of 'DevStack'.

Grenade

The Grenade plugin story has not been completed, it is in the first set of draft rewrites to remove the zombies and vampires and make it just a 'plugin exiled to project repo' kind of story.

There were a pair of minor reviews landed to support the DevStack/Neutron rework but they demanded more lines and were relegated to the 'C' story that parallels Rosencrantz and Guildenstern, who of course are now dead.

[1]	great, another Sean, spelled the same way even. Let's call him 'Other Sean'

Plug In To OpenStackClient

Sun, 08 Mar 2015 03:08:00 CDT

OpenStackClient has had plugin support for a while now and it is being used by real-world OpenStack project clients such as Congress. I've also been using it as an entry point (ha!) for some of my experimental command setups, and so can you.

osc-debug

I've spent a lot of time debugging OSC lately in preparation for my favorite new feature yet-to-come, support for the new --os-cloud option that takes advantage of os-client-config's cloud configuration file abilities. Much of this debugging is necessarily around authentication and it became obvious to me that a built-in way to see what OSC was using for authentication might be handy and osc-debug was born.

As far as plugins go, osc-debug is pretty ordinary. It just adds three new commands (so far) that dump internal OSC state information.

api list

A mash-up of service, region and endpoint listings. api list coughs up the basic information in the service catalog returned by the Identity authentication request. It shows the available services by type, name and region. With a little help from the --long option it adds the actual endpoint URL and a list of the supported versions at that endpoint.

The version support output needs a bit of explaining. Nearly every OpenStack service catalog is configured to include a service API version in the URL. This means that to use a different version requires 'knowledge'. But here we know that these versions are nearly always in the form of vNNN in the URI path.

api list starts at the base URI and looks for returned version information in a couple of the usual JSON formats. If not found it loops adding the URI path components one at a time, stopping when it finds a recognized version response.

The returned service catalog entries can be filtered by service type --type or service name --name.

osc api list
    [--type ]
    [--name ]
    [--long]

auth show

auth show displays the authentication information that OSC will use to perform authentication. This command stops just before authentication would otherwise occur so you can see exactly what has been collected from the command line options, environment variables and os-client-config file.

Note that this is one of the rare 'show' commands that does not take a positional argument to determine what to show. This is due to there being ony one thing (authentication options) to choose from, but wanting to present the output in the traditional show command format. This makes grabbing any of these values in a shell script trivial using the --format shell option.

Also, os_password is not displayed, because, duh.

osc auth show

auth type list

auth type list simply lists the authentication plugin types installed and their entry point targets. Handy to see why things are not working as expected.

osc auth type list

auth type show

auth type show shows details of the specified auth plugin type. This includes the options that the plugin type defines. Note that the option names are the internal names, OSC will add --os- prefix to command lise options and OS_ prefix, plus forcing uppercase and replacing - with _ for environment variables.

osc auth type show

osc-quintette

osc-quintette is where the experimentation really gets going. This oddly-named [1] plugin has a couple of things, the most interesting one is how the server create command has been extended to accept --ram, --disk and --vcpu arguments to auto-select a matching flavor for the new server.

While the functionality is nice, the interesting bit is how the stock commands are extended.

flavor find

This is the functional basis for the enhanced server create command, directly searching for matching flavors that meet or exceed the specified values for RAM, disk and virtual CPUs.

What is the difference between a find and list command? I don't know yet. List + filtering == find maybe, but remember, this is experimental for a reason.

osc flavor find
    [--ram ]
    [--disk ]
    [--vcpus ]

server create

Extends the stock server create by adding the options to select a flavor directly based on RAM, disk and/or virtual CPUs.

osc server create
    [--ram ]
    [--disk ]
    [--vcpus ]
    ...

server show

Another command that extends the stock version by changing the output displayed, in this case swapping project_id for tenant_id. This is something that needs to be done in OSC itself as part of our "never show the user a 'tenant'" campaign.

show flavor

Yes! I can restore my long-lost command format just by putting the right things into setup.cfg. Unfortunately, the command class does not know (yet) which command form was given to call it so changing behaviour is not yet possible. This requires a patch to cliff that is in progress and should be released soon.

What Else?

Imagination is all that is required to go from here. Go forth and plugin.

[1]

The word quintette comes directly from the name of Raymond Scott's small band in the 1930's, it is what I was listening to when I neede a name. Much of his work from this era will sem eerily familiar to those who have seen Warner Brothers shorts scored by Carl Stalling in the 1940's and 1950's. I'm planning to propose Powerhouse as the Official OpenStack Theme. Look it up...

Real World DevStack Configuration

Wed, 11 Feb 2015 15:02:11 CST

Configuring DevStack for development use is a trail of Google searches and devstack.org reading and all sorts of things. In my experience, the best and hardest source of what to do is experience. And we all know how experience is the bridge between Bad Judgement and Good Judgement.[]

local.conf

This is DevStack's configuration file. It will never be modified by DevStack.

localrc

Now just a section in local.conf, localrc used to be the main config file. References to it should be mentally translated to local.conf [[local|localrc]] section.

I also tend to carry a number of config bits commented out to make changing quick. I'll leave those in to illustrate alternatives to my defaults.

Logging

LOGDIR=$DEST/logs
LOGFILE=$LOGDIR/stack.sh.log  # why didn't bare name work???

The logging support has been recently revamped to use a more conventional configuration. LOGDIR will default to $DEST/logs and all log files will be found here. LOGFILE will be honored as always, putting the stack.sh trace log in that location; if LOGFILE does not include a path, it becomes $LOGDIR/$LOGFILE.

The services logs (aka screen logs) no longer default to a screen-specific subdirectory, unless SCREEN_LOGDIR is set. It is deprecated and will be removed in the future.

Network Addressing

FIXED_RANGE=10.254.1.0/24

Set FIXED_RANGE away from the default 10.0.0.0/24 because, well, many clouds use 10/8 for various things and some of them start at the beginning. Running DevStack in a cloud VM requires that the DevStack network addresses do not overlap with the host cloud networks. Pick a range that isn't at the top or the bottom to (slightly) reduce the chances of collision. This is safe for the neighborhoods I cloud in.

Services

For my normal workflow, I want debugging bits enabled and services I am not using disabled.

enable_service dstat
disable_service h-eng h-api h-api-cfn h-api-cw
disable_service horizon
#enable_service s-proxy s-object s-container s-account

I typically don't use Heat or Horizon, you know, being the CLI guy and all. Swift is not added by default because it takes a toll on memory use, my laptop is not well-endowed in that area so 2G VMs are necessary whenever possible. In the cloud VMs this is not an issue.

Neutron

# Nova Net
enable_service n-net
disable_Service q-svc q-agt q-dhcp q-l3 q-meta

# Neutron
# NETWORK_GATEWAY must be in the FIXED_RANGE network
#NETWORK_GATEWAY=10.254.1.1
#disable_service n-net
#enable_service q-svc q-agt q-dhcp q-l3 q-meta

Neutron may or may not be the default in DevStack by the time you read this, I've stopped taking chances, I want to know what I get, which by default is Nova Net for as long as possible, again mostly for memory and complexity reasons.

Note that Neutron in the default config requires NETWORK_GATEWAY to be set inside the network defined by FIXED_RANGE. Nova Net does not require this, although it is mostly harmless to define anyway.

Legacy Nova Bits

disable_service n-obj n-crt

n-obj is the Nova Object Service, left over from the euca2ools bundle command's need of an S3 service. That's it. Same with n-crt. They should be removed as defaults soon if not already.

nova.conf

Set values here via local.conf:

[[post-config|$NOVA_CONF]]
[DEFAULT]
api_rate_limit = False

Rate limiting can be a problem during testing, nuke it.

How Dost Thy Cloud Know Me, Let Me Count The Ways

Fri, 24 Oct 2014 10:24:00 CDT

One of the coolest (IMHO) new features [1] recently added to OpenStackClient is its leveraging of a new-ish feature of Keystone's client library, authentication plugins. As that name implies, this allows for Keystone client to be able to use an extendable set of authentication backends for validating users. At press time (keypress time for the pedantic) the freshly released python-keystoneclient 0.11.2 includes the traditional password method, a new variant on the token method and a recent addition supporting SAML2.

Happily, the master branch of OpenStackClient has learned how to take advantage of these plugins, plus any additional ones written for Keystone client. This creates a new problem because the authentication type can not always be inferred and needs to be supplied by the user. And thus we arrive at the Topic of the Day.

But First, Preview Time

There is one additional yet-to-come feature that I can't resist mentioning now that it has been proposed for review. It leverages mordred's os-client-config module to read configuration information from a file by name. In plain language, rather than set up a handful of environment variables or command-line options, all of the authentication and other configuration for OSC can be stashed in a YAML file and called by name:

openstack --os-cloud devstack-1 image list --long

This is also step one in simplifying dealing with multiple clouds:

for cloud in devstack-1 hpcloud-az2 rax-ord; do
    openstack --os-cloud image list --long

It is a small thing, but small things often make us happy. It figures in to the following authentication discussion that I don't want to update again in a month. So until os-cloud support merges, ignore references to YAML, CloudConfig, etc. below.

Sources of Truth

OpenStackClient has three sources of configuration information (in decreasing priority order):

command line options
environment
CloudConfig (~/.config/openstack/clouds.yaml file)

Once all of the sources have been processed and a single configuration object assembled, the fun can begin. If an authentication type is not provided, the authentication options are examined to determine if one of the default types can be used. If no match is found an error is reported and a period of stillness is declared. Rather, the program exits.

Note that the authentication call to the Identity service has not yet occurred. It is deferred until the last possible moment in order to reduce the number of unnecessary queries to the server, such as when further processing detects an invalid command.

Keystone Authentication Plugins

The Keystone client library implements the base set of plugins. Additional plugins may be available from the Keystone project or other sources. See the Keystone client documentation for more information.

There are at least three authentication types that are always available:

Password: A username and password, plus optional project and/or domain, are used to identify the user. This is the most common type and the default any time a username is supplied. An authentication URL for the Identity service is also required. [Required: --os-auth-url, --os-project-name, --os-username; Optional: --os-password]
Token: This is slightly different from the usual token authentication (described below as token/endpoint) in that a token and an authentication URL are supplied and the plugin retrieves a new (scoped?) token. [Required: --os-auth-url, --os-token]
Token/Endpoint: This is the original token authentication (known as 'token flow' in the early CLI documentation in the OpenStack wiki). It requires a token and a direct endpoint that is used in the API call. The difference from the new Token type is this token is used as-is, no call is made to the Identity service from the client. This type is most often used to bootstrap a Keystone server where the token is the admin_token configured in keystone.conf. It will also work with other services and a regular scoped token such as one obtained from a token issue command. [Required: --os-url, --os-token]

[Note that the Token/Endpoint plugin is currently supplied by OSC itself and is not available for other clients using the Keystone client lib. It shall move to its Proper Home in Good Time.]
Others: There are SAML and other (Kerberos?) plugins under development that are also supported. To use them they must be selected by supplying the --os-auth-type options.

How It's Made

[Who doesn't love that show? ]

The authentication process flows from OSC's OpenStackShell to the New-and-Improved ClientManager.

But first, on import api.auth:
- obtains the list of installed Keystone authentication plugins from the keystoneclient.auth.plugin entry point.
- builds a list of authentication options from the plugins.
OpenStackShell parses the command line:
- If --os-cloud is present read the named configuration from ~/.config/openstack/clouds.yaml and create a CloudConfig object
  - CloudConfig also handles picking up the matching environment variables for the options
- The remaining global command line options are merged into the new CloudConfig
A new ClientManager is created and provided with the CloudConfig:
- If --os-auth-type is provided and is a valid and available plugin it is used.
- If --os-auth-type is not provided select an authentication plugin based on the existing options. This is a short-circuit evaluation, first match wins.
  - If --os-endpoint and --os-token are both present token_endpoint is selected
  - If --os-username is present password is selected
  - If --os-token is present token is selected
  - If no selection has been made by now exit with error
- Load the selected plugin class.
ClientManager waits until an operation that requires authentication is attempted to make the initial request to the Identity service.
- if --os-auth-url is not present for any of the types except Token/Endpoint, exit with an error.

Destinations of Consequences

The changes that began with utilizing Keystone client's Session are nearly complete and have added the openstackclient.api.auth module and drastically restructured the openstackclient.shell and openstackclient.clientmanger modules. One result is that the ClientManager is now nearly self-contained with regard to its usability apart from the OSC shell. At this time I can neither confirm nor deny that ClientManager could be used as a single-point client API. While it works (one example) it is not yet a stable API because it only unifies the session and auth components, passing the real work down to either the project libraries or OSC's internal API objects. So don't go and do that. Yet...

[1]	Currently only in master branch, to be included in the next release.

First Principles - Glossary

Wed, 08 Oct 2014 10:08:00 CDT

OpenStack Terms and You

I think we need to start from the beginning to know a bit about where we really are...and to do that we need to speak the same language. This doesn't mean we must agree on the actual terms used, but that their definition and evidence of need are spelled out and can inform the following steps and discussion.

In some cases, the bikeshed will simply be in primer with placeholders until we converge an appropriate terms.

The Technical Committee Charter refers to some terms that should be clarified early in this process.

Official Programs - The current unit of organization, called a program, logically groups people and code for purposes of achieving the OpenStack project mission. The current programs are generally teams of people woring on a common project or set of related projects. These teams elect a Program Team Lead (PTL) who has management responsibilities to the program. A proposal to change this terminology to project team is in part intended to reinforce the idea that these are groups of people first and code repositories second. The proposal is part of a series to re-structure the organization of OpenStack projects and by itself is mostly for clarity. It does not appear to be controversial based on the comments so far so I will adopt it here.

Program Leads - We've all grown to love the term PTL and the change from program to team can be used to re-redefine PTL as project team lead as it once was back in the day.
Oversight - The TC charter includes "[the TC] still has oversight over team decisions, especially when they affect other programs or go contrary to general OpenStack project goals". There is concern about the balance between project rights and responsibilities changing. There may also be concerns over what that balance is today.

I'm looking for the baked-in connection between governance organization and deliverables. Today we have a 1:1 between official teams (programs) and their participation in the "integrated release". Many of the proposals floating about disconnect those.

Coordinated Release Cycle - The time period roughly starting at or just before the semi-annual Design Summit and ending approximately six months later, again just before the next Design Summit.
Release Artifacts - The output of the process formerly known as integrated release. These are the major output of the coordinated release cycle and typically what distributions would consume in building their periodic releases.
Project Groups - Project groups are simply groups of related projects and/or project teams that are dependent on each other and it is often useful to consider the projects together for certain matters. For example Group C includes Nova, Glance, Cinder and Neutron. Other groups might include Group I (Keystone and plugins), Group O (Swift), Group W (litterbugs), Group H (Ironic and other hypervisor drivers), Group D (Trove), Group M (Zaqar), and so on. Many groups may only have one member if there are not multiple projects with a strongly set of similar or mutual dependencies.

One use of project groups is in simplifying the relationship diagram between projects; the diagram between projects within the group can focus on that subset and the diagram between groups can minimize the effect of the intra-group relationships. These diagrams should be useful in informing testing policy and requirements.

These groups map into my layers description with layer one comprised of Groups I and most of C and layer 2 comprised of Groups O, H and the remainder of C (Cinder). Remaining groups of official OpenStack projects make up layer 3.
Integrated Release - The first step is to change the term integrated release to something better defined and less overloaded. This is highly contentious as you might expect. I had intended on using nucleus to describe this chewy middle of OpenStack because it has all sorts of metaphorical nooks and crannies to be mined, but then I saw nuclear release in writing and decided to just use the rather archaic term bindle here instead, as in "the OpenStack Bindle contains the basic cloud necessities".

The key part of the existing definition, "The OpenStack bindle is a subset of the official OpenStack projects whose member teams submit to stricter policies and oversight", divides the official OpenStack projects into at least two tiers. dhellmann describes it like this:
```
size(ecosystem) > size(official-projects) > size(bindle)
```
Inclusion in the integrated release has become the high-value attribute for many corporations judging project worthiness for contribution and/or use. Removing this attribute is one of the major driving forces for re-considering the organizational structure in general and in renaming and clearly defining the bindle.

The makeup of the bindle defines what release artifacts are published as a result of the release process. These projects are held to a higher bar in regards to testing, documentation in involvement of team members in horizontal OpenStack activities.

A Funny Thing Happened On The Way To The Summit

Fri, 03 Oct 2014 10:03:00 CDT

So back in the old days I started throwing around different terminology to describe some of the technical relationships between OpenStack projects because it was useful to sort out things like startup order requirements in DevStack and other semi-obvious stuff.

And wow have things happened since then. To recap, oh nevermind, I'm just going to take back the term layer for technical use and propose anything else other than layer 1 (there is no other layer?) for the rest of the conversation. The various alternate approaches all boil down to a nucleus with a cloud (heh) of projects with probabilistic locations. I wasn't a physics major but I do know that doesn't sound like that Q-word that shall not be spoken.

I think it is important to remember that one of the primary purposes of OpenStack is to enable the creation of useful clouds. In my dictionary what makes a useful cloud is described as "the set of services that enable useful work to be done". In a cloud.

The original layers idea has been picked up, painted, folded, carved and whitewashed to a shadow of its original. Even so, in the end all of the ideas still end up looking similar. Now seems like a good time to see how the orignal layers have held up.

Layer 1

We're still the one...

We open with the addition of Neutron as a viable alternative to Nova Network, and the likelihood of it becoming the default configuration in DevStack early in the Juno cycle.

Identity (Keystone)

Image (Glance)

Network (Neutron)

Compute (Nova)

What really stands out to me now is the realization that all of these were originally part of Nova itself (plus the cinder volume service, more on that later). They were broken apart or re-implemented to scale the development as Nova kept growing. In fact, there is talk again of need to break out more simply because Nova continues to expand.

This is the smallest working set for a compute-enabled cloud. Realistic useful clouds of course offer more than this, so we have...

Layer 2

Layer 2 services are optional in a useful compute cloud but some are also useful in their own right as non-compute cloud services.

So the current Layer 2 still contains:

Volume (Cinder)

Object (Swift)

Bare-metal (Ironic)

These all build on the Layer 1 nucleus and get us a practical useful cloud. They also all have the characteristic of having dependency arrows pointing out of Layer 1 when used with a compute cloud, such as Glance using Swift as its backend store. This is a defining characteristic that brings a project in to Layer 2.

Even though Cinder was literally carved out of the Nova code base it stays in Layer 2 because it is an optional service to a Layer 1 cloud. Manila will also fit here for the same reasons.

I neglected to mention last time the ability of Swift to stand alone as a useful cloud service as it has maintained its own authentication capability. However, using it with any other OpenStack services requires Swift to use Keystone.

I also think it is worth considering the direction of the trademark usage constraints the board is refining with the DefCore work. The current DefCore capability proposal is satisfied using only Layer 1 and 2 projects. Also, the stand-alone services currently would not be able to qualify for trademark usage when deployed alone.

Layer 3

Do something useful. Host services for paying customers. Provide Lego blocks for them to build awesome cloud apps. Warn about runaway while true; done loops. Count cycles burned and bits sent so paying customers know what to pay. Communicate with your useful cloud.

The rest of the OpenStack-affiliated projects (for some value of affiliated) go in Layer 3 to populate the big tent. If we've done our job right the majority of everything else should be able to be accomplished without special consideration from Layers 1 and 2. Broad categories of Layer 3 projects include:

User Interfaces - You need one but a feature of well documented REST APIs is allowing the client side to be easily replaceable.

Orchestration (Heat) (it is basically a smart automated cloud client, no?)

Web UI (Horizon)

Something-as-a-Service - These are all services a deployer may choose to offer.

Database (Trove)

Message Passing (Zaqar)

Tracking Snooping and Counting - Keeping an eye on the useful cloud

Telemetry (Ceilometer)

Why is Heat in Layer 3??? Heat is essentially a smart automated cloud client and should be treated as one. It needs to meet the same requirements for API compatibility to be useful over time.

Layer 4

Layer 4 is everything else that is not OpenStack-affiliated but might be a part of an especially useful OpenStack cloud. Things like Ceph or Apache jclouds are useful with and as part of OpenStack clouds, but they also have a life of their own and we should respect that and not call late at night.

What About Layer 0?

Ah, right, where the Libraries live. The last year has seen significant changes to how OpenStack-related libraries are integrated with a number of Oslo libraries being released stand-alone. In most cases these can and should be thought of as dependencies just as any non-OpenStack project dependency (like SQLAlchemy or requests) that happen to live in either the openstack or stackforge namespaces in our Git repositories.

It also seems appropriate to add the client API libraries and SDKs to Layer 0 as the dependency model and release schedule is very similar to the other libraries. I am specifically not including command-line interfaces here as I think those belong in Layer 3 but the project client libraries have an embedded CLI so the'll straddle the boundaries no matter what.

So How Do We Govern and Test All This?

OK, I lied. I said I would skip this, but anyone still reading must think this is has a thread of merit, right? I choose to make that assumption going forward, and those of you still reading for a laugh, here is your cue.

I'll lay out an overview of a developers perspective because I am primarily an OpenStack developer and I need the world to know what I think. However, I am also an application developer and cloud end-user so those perspectives are not lost. I have not managed to add cloud deployer to my CV, yet.

Releases

If you turn your head sideways and squint, the Layer picture can also be grouped according to release-able/deploy-able units with decently defined and documented interfaces between them.

Maintaining the current notion of an Integrated Release the layers fall out like this:

Layers 1 and 2 are the Integrated Release. The services required to meet DefCore are currently a subset of these layers.

Layer 3 projects treat the Integrated Release as a dependency like any other they may have so they can have the freedom to iterate at a pace that suits the service being provided. Trove probably needs fewer releases in the next year than Zaqar.

Switching to a more modularized set of released units the first 'natural' groupings are:

Layer 1 plus the semi-tightly coupled Nova projects like Cinder (and Manila) comprise a Compute Release.

Swift comprises an Object Store release

Ironic comprises an (insert-catchy-name-here) release and not in the Compute Release as it can also stand alone (right?)

Actually, everything else is on its own because Independence From Tyranny! Things that need to talk to each other or to the Integrate projects need to correctly identify and handle the documented APIs available to them.

Basically, this alternative splits the Integrated Release into a Compute Release and two stand-alone releases for Swift and Ironic. The Release Management team may reconsider the criteria required for them to continue to handle other project releases or allow (force?) the projects to handle their own.

Note how the difference in those two approaches to releases is exactly two things, pulling Swift and Ironic out of the Integrated Release bundle so they can stand alone.

Testing

As current work is showing, the actual detailed relationships between OpenStack services is very complex. Describing it to a level of detail that can drive a test matrix is not simple. We can, however, reduce the problem space by re-thinking at a higher level what needs to be tested together.

Layers 1 and 2 are really where the work needs to be done. By changing the perspective of Layer 3 projects we can reduce the piling-on of additional projects that are currently in our Test All The Things check/gate jobs. Individual project relationships across that boundary may be important enough to warrant specific test jobs but those are considered exceptions and not the rule.

A significant amount of the gains to me made here are contingent on the projects developing comprehensive functional tests.

Horizontal Projects

While it feels like I'm saving the best for last, in reality much of the above has to have some structure to know the scope that Infrastructure, Docs and QA need to be able to support. Focusing these on Layers 1 and 2 provides a clear limit to the scope required. This is not to say that other projects are not going to be accommodated, particularly those already in the current release, but it does say that it is not assured.

Now What Smart Guy?

With my thoughts on Layers updated to include the governance and testing considerations it is time to match up other perspectives, flesh out the above with the new information and catch up on the plethora of other posts on this topic.

Film at eleven...

OpenStack Low Level API

Mon, 15 Sep 2014 09:15:00 CDT

The current Python library situation for OpenStack is, sorry to say, a mess. Cleaning it up requires essentially starting over and abstracting the individual REST APIs to usable levels. With OpenStackClient I started from the top and worked down to make the CLI a better experience. I think we have proved that to be a worthwhile task. Now it is time to start from the bottom and work up.

The existing libraries utilize a Manager/Resource model that may be suitable for application work, but every project's client repo was forked and changed so they are all similar but maddeningly different. However, a good idea or two can be easily extracted and re-used in making things as simple as possible.

I originally started with no objects at all and went straight to top-level functions, as seen in the current object.v1.lib APIs in OSC. That required passing around the session and URLs required to complete the REST calls, which OSC already has available, but it is not a good general-purpose API.

I've been through a number of iterations of this and have settles on what is described here, a low-level API for OSC and other applications that do not require an object model.

api.BaseAPI

We start with a BaseAPI object that contains the common operations. It is pretty obvious there are only a couple of ways to get a list of resources from OpenStack APIs so the bulk of that and similar actions are here.

It is also very convenient to carry around a couple of other objects so they do not have to be passed in every call. BaseAPI contains a session, service type and endpoint for each instance. The session is a requests.session.Session-compatible object. In this implementation we are using the keystoneclient.session.Session which is close enough. We use the ksc Session to take advantage of keystoneclient's authentication plugins.

The service type and endpoint attributes are specific to each API. service type is as it is used in the Service Catalog, i.e. Compute, Identity, etc. endpoint is the base URL extracted from the service catalog and is prepended to the passed URL strings in the API method calls.

Most of the methods in BaseAPI also are meant as foundational building blocks for the service APIs. As such they have a pretty flexible list of arguments, many of them accepting a session to override the base session. This layer is also where the JSON decoding takes place, these all return a Python list or dict.

The derived classes from BaseAPI will contain all of the methods used to access their respective REST API. Some of these will grow quite large...

api.object_store.APIv1

While this is a port of the existing code from OpenStackClient, object_store.APIv1 is still essentially a greenfield implementation of the Object-Store API. All of the path manipulation, save for prepending the base URL, is done at this layer.

api.compute.APIv2

This is one of the big ones. At this point, only flavor_list(), flavor_show() and key_list() have been implemented in compute.APIv2.

Unlike the object-store API, the rest of the OpenStack services return resources wrapped up in a top-level dict keyed with the base name of the resource. This layer shall remove that wrapper so the returned values are all directly lists or dicts. This removed the variations in server implementations where some wrap the list object individually and some wrap the entire list once. Also, Keystone's tendency to insert an additional values key into the return.

api.identity_vX.APIvX

The naming of identity_v2.APIv2 and identity_v3.APIv3 is a bit repetitive but putting the version into the module name lets us break down the already-long files.

At this point, only project_list() is implemented in an effort to work out the mechanics of supporting multiple API versions. In OSC, this is already handled in the ClientManager and individual client classes so there is not much to see here. It may be different otherwise.

OSC Usage

To demonstrate how this API is used, I've added an BaseAPI instance to the existing client objects that get stored in the ClientManager. For example, the addition for compute.client is one object instantiation and an import. Now in OSC, clientmanager.compute.api has all of the (implemented) Compute API methods.

Using it in the flavor commands is a simple change to call compute.api methods rather than the compute.flavor.XXX methods.

Setting up for multiple API versions took a bit more work, as shown in identity.client. A parallel construction to the client class lookup is required, and would totally replace the existing version lookup once the old client is no longer required.

Fluff

One other cool feature is utilizing requests_mock for testing from the start. It works great and has not the problems that rode along with httpretty.

Now What?

Many object models could be built on top of this API design. The API object hierarchy harkens back to the original client lib Manager classes, except that they encompass an entire REST API and not one for each resource type.

But You Said 'Sanity' Earlier!

Sanity in terms of coalescing the distinct APIs into something a bit more common? Yes. However, this isn't going to fix everything, just some of the little things that application developers really shouldn't have to worry about. I want the project REST API docs to be usable, with maybe a couple of notes for the differences.

For example, OSC and this implementation both use the word project in place of tenant. Everywhere. Even where the underlying API uses tenant. This is an easy change for a developer to remember. I think.

Also, smoothing out the returned data structures to not include the resource wrappers is an easy one.

Duplicating Work?

"Doesn't this duplicate what is already being done in the OpenStack Python SDK?"

Really, no. This is meant to be the low-level SDK API that the Resource model can utilize to provide the back-end to its object model. Honestly, most applications are going to want to use the Resource model, or an even higher API that makes easy things really easy, and hard things not-so-hard, as long as you buy in to the assumptions baked in to the implementation.

Sort of like OS/X or iOS. Simple to use, as long as you don't want to anything different. Maybe we should call that top-most API iOSAPI?