15:03:00 <bswartz> #startmeeting manila 15:03:01 <openstack> Meeting started Thu Dec 5 15:03:00 2013 UTC and is due to finish in 60 minutes. The chair is bswartz. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:03:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:03:04 <openstack> The meeting name has been set to 'manila' 15:03:08 <aostapenko_alt> Hi all! 15:03:13 <bswartz> hello 15:03:19 <akerr> hello 15:03:19 <achirko> hi 15:03:19 <Dinny_> hi 15:03:21 <bill_az_> Hi 15:03:23 <vponomaryov> hi 15:03:25 <kdurazzo> hi 15:03:29 <yportnova> hi 15:03:35 <bswartz> cool we have a lot of people 15:03:38 <gregsfortytwo1> hi 15:03:48 <bswartz> unfortunately I'm not as prepared as I should be 15:03:53 <bswartz> heh 15:04:00 <bswartz> #link https://wiki.openstack.org/wiki/ManilaMeetings 15:04:01 <rraja> hi 15:04:09 <vbellur> hi 15:04:18 <bswartz> so it looks like I setup the agenda already 15:04:37 <bill_az_> bswartz: before we get started, I want to introduce Marc Eshel. 15:04:38 <bill_az_> He will be working with me on IBM/GPFS Manila drivers. 15:05:04 <bswartz> bill_az_: does he have a IRC handle? 15:05:15 <bill_az_> Marc has years of experience with NFS, in particular with open source ganesha project 15:05:24 <bswartz> ah, excellent 15:05:26 <bill_az_> His handle is eshel - but I don't think he's on just yet 15:05:33 <csaba> hi 15:05:42 <bswartz> eshel: welcome! 15:05:56 <anands> Hi guys 15:06:00 <caitlin56> hi 15:06:18 <anands> Vijay Bellur is not able to make today's meeting, I will be filling in from the redhat folks 15:06:20 <bswartz> okay so bill_az_ and vbellur and I were supposed to get together to discuss gateway-mediated attachements 15:06:33 <bswartz> anands: thank you 15:07:17 <bswartz> what I would really like is for someone to volunteer to prototype a gateway-mediated attachment scheme 15:07:39 <bswartz> I could do it if I had like 100x more spare time 15:07:55 <bswartz> I'm interested in NFS-over-vsock and I'm also interested in VirtFS 15:08:04 <anands> bswartz: Worked with vbellur, ramana etc. we have a draft of the architecture for hyperv-mediated model for multi-tenancy - we can discuss when others are ready - https://wiki.openstack.org/wiki/Manila_Networking/Hypervisor_mediated#References: 15:08:21 <bswartz> I guess I can offer a brief background for people not familiar with the issue 15:09:07 <bswartz> Manila is going to need 2 different mechanisms for attaching guests to shared storage: 15:09:15 <eshel> hi I am on, I was on the manila tab 15:10:22 <bswartz> 1) For backends that support it, manila will create virtual servers on the backends and conenct them directly to the tenant network so guests can use native protocols to talk directly to the backends. This mostly includes hardware backends with features like NetApp vservers -- I know that Nexenta has a comparable feature, and I think EMC has a comparable feature too 15:11:45 <bswartz> 2) For backends that only understand how to serve data to one network segment, manila will provide virtualized access to the shared storage with a bridge of some kind at the hybervisor. Possible bridges including things like VirtFS, or NFS gateways layered on top of a clustered filesystem 15:11:54 <bswartz> eshel: hi 15:12:16 <bswartz> we are making good progress on (1), but we need to do some prototyping for (2) 15:12:41 <anands> We are ready to do that if everyone agrees to the arch outlined in the wiki link for (2) 15:12:52 <bswartz> vbellur, bill_az, and I have volunteered to run a separate working group to work on (2), so please contact us if you want to be included 15:13:40 <bswartz> however we haven't actually started up that working group yet due to the US holidays 15:14:00 <bswartz> bill_az I'll contact you offline 15:14:01 <bill_az_> bswartz: the description in Hypervisor Mediated storage link is similar to what we are thinking 15:14:11 <bswartz> anands: let vbellur know that we need to connect 15:14:17 <bill_az_> we'd like to be included in discussions of that 15:14:35 <anands> bswartz: sure, was working with him all along wrt the wiki arch 15:14:40 <gregsfortytwo1> anands: what drove you to a per-hypervisor instead of per-tenant ganesha instance? 15:14:42 <bswartz> okay cool 15:15:33 <anands> gregsfortytwo1: we thought a single ganesha on the hypervisor could scale well enough, per-tenant approach seemed like an overkill 15:15:57 <bswartz> anands: what's the benefit of ganesha over nfs-kernel-server? 15:16:23 <vponomaryov> bswartz: userspace nfs 15:16:41 <gregsfortytwo1> bswartz: note the listing of FSALs it already supports? :) 15:16:47 <bswartz> I know it's in userspace, but that shouldn't matter in the context of a hypervisor 15:16:59 <anands> bswartz: its a user-space nfs server implementation, can scale up based on its cache-inode layer which can grow arbitrarily large, a crash will not necessarily reboot your hypervisor ;) 15:17:20 <gregsfortytwo1> anands: hrm, that makes sense, just thinking that per-tenant would have better cache properties 15:17:25 <bswartz> anands: oh I wasn't aware of these FSALs 15:17:25 <anands> gregsfortytwo1: :) 15:17:33 <bswartz> I need to read up on ganesha it would seem 15:17:37 <gregsfortytwo1> and would make it easier to move to a model where we don't rely on the nfs server for doing all the security 15:17:55 <bswartz> hold on there about security 15:18:06 <bswartz> security is one of the thorniest problems with shared filesystems 15:18:13 <gregsfortytwo1> sorry, that comment was about a per-tenant versus per-hypervisor model 15:18:21 <anands> the wiki also refers to some of the security aspects, we could take that topic up separately I guess 15:18:28 <anands> gregsfortytwo1: ah ok 15:18:58 <bswartz> My personal feeling is that in the hypervisor mediated model, security is actually a lot simpler, because we can rely on the hypervisor and the gateway to enforce it 15:19:04 <bswartz> the backend doesn't need to do anything 15:19:32 <anands> bswartz: yes true, but if we further want more fine grained access control we have a way to enforce 15:19:53 <bswartz> I would actually prefer to make the tunneling procotol something stupid like NFSv3 with UNIX security (aka No Fscking Security) 15:20:25 <caitlin56> tenant network mediated offers truer security. hypervisor mediated requires the storage admin to trust the hypervisors. 15:20:29 <anands> um...sure, we could think on those lines 15:20:39 <gregsfortytwo1> why prefer that security model? 15:20:47 <caitlin56> Not that this makes hypervisor mediated totally invalid, but that is one of its limitations. 15:21:19 <bswartz> so with any kind of mediated access -- the point is that the mediator limits the tenants view to a subset of the actual backend filesystems 15:21:34 <bswartz> however, within that subset the tenant should be able to do whatever he wants 15:21:49 <bswartz> because tenants are all "root" within their guest OSes 15:21:55 <anands> yes 15:22:20 <bswartz> now if tenants want to further subdivide access to multiple non-root users within their guests, that's their business 15:22:25 <caitlin56> bswartz: with the vlan method i can configure my file server to squash root. 15:23:35 <caitlin56> But to be clear, I think both models are valid. 15:23:51 <bswartz> caitlin56: I would argue that squashing root is unneeded -- indeed many users may want root access to their shared filesystem 15:24:32 <bswartz> the security model needs to be about which filesystems you can see, or which parts of a larger filesystem you can see -- all of that is implemented at layers above the actual file-sharing procotol 15:24:34 <caitlin56> If hypervisor mediation is acceptable then you do not need root squashing, agreed. 15:25:33 <bswartz> okay so we can talk and talk about this, but I don't want to take up the whole meeting 15:25:57 <bswartz> as I said before, we'll form a working group to drive this to the prototype stage, then we'll present it and solicit feedback 15:26:04 <bswartz> #topic dev status 15:26:44 <bswartz> the more critical tasks are to continue driving method (1) to completion, so we can demonstate a fully working multitenant implementation 15:26:52 <caitlin56> Nexenta has some interest in this, but resources for hypervisor-mediation would probably be unavailable for at least 2 months. 15:27:13 <bswartz> we're a lot closer on (1) than we are on (2) 15:27:33 <bswartz> btw I've seen a lot of changes go into gerrit and they're awaiting review 15:27:42 <eshel> are we developing all 4 options? 15:27:47 <bswartz> I'm behind on reviewing and could use whatever help I can get 15:28:09 <bswartz> eshel: sort of 15:28:10 * caitlin56 will do some reviewing this week. 15:28:29 <csaba> bswartz: https://review.openstack.org/59124, we are looking for getting reviews 15:28:42 <bswartz> eshel: mentally I've collapsing all the mediated methods down to one method with flavors 15:28:53 <csaba> (glusterfs driver resubmitted along lines that we last discussed) 15:29:05 <bswartz> eshel: and the flat network model is just a degenerate case of (1) 15:29:49 <bswartz> csaba: yes I saw it -- I apologize to everyone waiting for reviews, I've been busy since the holidays 15:30:00 <eshel> but to get approval we need them all to be implemented? 15:30:06 <bswartz> I will be out of town this afternoon and tomorrow in Westford MA 15:30:16 <bill_az_> bswartz: csaba I'll take a look at gluster driver today and comment 15:30:37 <bswartz> eshel: no! the intent is that any given backend only needs to implement 1 15:31:02 <bswartz> I'll try to get some reviewing done in my downtime while travelling 15:31:09 <csaba> bill_az_: kthx 15:31:42 <bill_az_> eshel: the question about approval is regarding getting into incubation status? 15:31:44 <anands> bill_az_: thx, look forward to your comments 15:32:04 <bswartz> yportnova/vponomaryov: do you want to let the group know what's new this week for you end? 15:33:31 <eshel> so is multi tenants is a requerment? 15:33:32 <bill_az_> bswartz: is support for multiple backends implemented? I dont find it 15:34:06 <vponomaryov> network api commit were released 15:34:10 <bswartz> eshel: not right now -- I'm happy to have single tenant drivers until we get the major multitenant work done 15:34:11 <yportnova> bswartz: we are working on implementation of this bp https://blueprints.launchpad.net/manila/+spec/join-tenant-network 15:34:42 <bswartz> bill_az_: it should mostly be there -- I wouldn't be shocked if there are bug though -- it's not something we've done testing on 15:34:43 <vponomaryov> https://review.openstack.org/#/c/60241/ - service 15:34:43 <vponomaryov> https://review.openstack.org/#/c/59466/ - client 15:35:27 <bswartz> anyone with review bandwidth: https://review.openstack.org/#/q/status:open+manila,n,z 15:36:11 <csaba> just to tell, aostapenko_alt 's ?' failed 15:36:28 <bswartz> csaba: ? 15:36:28 <csaba> commit https://review.openstack.org/#/c/59082/ 15:36:45 <csaba> -- sorry bogus newline -- 15:36:55 <csaba> caused a bit hiccup 15:37:07 <bswartz> okay 15:37:29 <csaba> as migration was provided for schema change but the manage.py script is not provideed 15:37:50 <bswartz> and version of the NetApp driver w/ multitenant support is coming along -- I'm hoping it will be upstream soon 15:37:58 <csaba> I resolved it on my end so I can volunteer to sumbit a usable manage.py 15:38:19 <bswartz> the NetApp driver will probably serve as a reference driver for other hardware vendors because I expect the generic driver to actually be fairly complex 15:38:43 <bswartz> although both will be available during icehouse 15:39:07 <bswartz> if there are folks out there trying to work on backends and getting stuck, please reach out to me 15:39:20 <eshel> where are the requierments for multitenant support documented 15:39:30 <bswartz> I want to know what we can do better (other than speeding up our current work) 15:39:41 <vponomaryov> csaba: if you found a bug, please post in launchpad, I have tested share metadata on lvm 15:39:49 <bswartz> eshel: they're not -- it's all being coded up last month and this month 15:40:12 <bswartz> eshel: developer docs / backend docs are something we know we need 15:40:22 <aostapenko_alt> csaba: you can manage migrations by 'manila-manage db' commands 15:41:25 <bswartz> #topic open discussion 15:41:27 <csaba> aostapenko_alt: thanks I did not now, just worked my way through migration with googling... 15:41:30 <vponomaryov> aostapenko_alt: yes, there is need to sync db 15:41:51 <bswartz> I don't have anything else on my agenda 15:42:06 <bill_az_> general question - let's say I have created a share and given access to several vm instances 15:42:45 <bill_az_> is there (or is there planned) an automated way to mount the share on several instances automatically? 15:43:14 <bill_az_> I can envision how this can be done w/ user data when booting a new instance 15:43:34 <bswartz> bill_az_: yes I consider that a desirable feature to have inside manila 15:43:40 <bill_az_> but not sure about instances that are already running 15:43:47 <caitlin56> It shoulb be just as automatable as it is without virtualization. 15:43:57 <bswartz> bill_az_: however it's not on the critical path to getting the service working 15:44:04 <anands> caitlin56: yes, agree 15:44:33 <bill_az_> caitlin56: true - my question is whether we have ideas on how to do that 15:44:45 <bswartz> I want to consider offering agents that can be installed on guests to automate the mount process -- we need to standardize a protocol so manila can at least try to automate the mount 15:44:50 <bill_az_> bswartz: I agree it's not highest priority 15:44:57 <caitlin56> bill_az: why not keep the mechanisms that work? 15:45:01 <bswartz> whether the agent is a boot time only thing or is always running -- perhaps we offer both 15:45:23 <caitlin56> If you belong to a tenant network, you mount your file shares on that network the same way you would have done on a corporate intranet. 15:45:24 <bswartz> and interfacing with cloud_init seems like an obvious starting point 15:45:47 <bswartz> the key is that whatever we do it will be optional for tenants 15:45:55 <caitlin56> the tenant shouldn't be able to tell them apart. 15:47:30 <bswartz> if that's all for today I'll see you next week 15:47:38 <kdurazzo> the automation point actually lends itself well to the hypervisor model 15:47:51 <kdurazzo> instead of per tenant 15:47:59 <bswartz> kdurazzo: perhaps 15:48:07 <caitlin56> kdurazzo: why? 15:48:19 <bswartz> kdurazzo: I'd like to see some prototypes here -- it's something that can be worked on in parallel by whoever is interested 15:48:27 <kdurazzo> the HV could handle the init upon bringup 15:48:40 <caitlin56> the tenant network approach can look *exactly* like the corporate intranet. client machines know how to deal with that. 15:48:42 <kdurazzo> ok 15:49:01 <kdurazzo> the ok was for bswartz :-) 15:49:13 <caitlin56> the limitation on tenant-network method is that it is harder on the storage servers, which have to offer vritualized interfaces. But it is definitely simpler for the clients. 15:49:29 <bill_az_> bswartz: +1 on cloud-init 15:49:58 <kdurazzo> we should probably discuss that more, I am not sure it is *simpler*, would like to understand your point on that 15:50:45 <Dinny_> bswartz : what is cloud_init you refer here? I could not follow that 15:50:48 <caitlin56> kdurazzo: with a proper dhcp-agent the network-mediated approach can leave the guest os with the illusion that they are on a corporate network. 15:51:13 <bswartz> Dinny_: https://help.ubuntu.com/community/CloudInit 15:51:27 <kdurazzo> caitlin56: I believe the same could be accomplished with the HV init approach as well 15:51:32 <caitlin56> kdurazzo: I posted one comment on this to the blueprint, the current dhcp-agent does not do as much as many corporate intranet DHCP servers do. That is the only gap. 15:51:41 <Dinny_> bswartz: thanks for the link :) 15:51:59 <kdurazzo> caitlin56: will look at your comments and review the BP again 15:52:14 <caitlin56> kdurazzo: that depends on whether the hypervisor-mediated is using a virtFS or is transparently proxying NAS services. 15:52:45 <caitlin56> virtfs is a great solution, but guest OSs don't support it today. 15:53:17 <bswartz> caitlin56: I fear the proxying won't ever by transparent in the mediated approaches -- that's not the intent 15:53:27 <bswartz> s/by/be/ 15:53:37 <caitlin56> transparent proxying is indeed complex to set up. 15:54:16 <gregsfortytwo1> anands: just looked at it again because of caitlin56's comments and noticed the draft doesn't specify how clients will connect to the local ganesha server; what are your plans for plumbing that? 15:54:22 <bswartz> the intent of the mediated approaches is to provide a filesystem to the tenant, where the tenant's view of the filesystem is whatever the gateway wants it to be, and it independent of the real backend filesystem 15:54:42 <bswartz> indeed the real backend filesystem should be unknown to the tenant when a mediated approach is used 15:55:13 <anands> gregsfortytwo1: there are some details to be ironed out completely; main idea is that sub-dirs can be exported as tenant shares - each directly mountable by a tenant 15:55:21 <caitlin56> bswartz: isn't the simplest way to do hypervisor mediated to require the tenant to install a virtfs library? 15:55:44 <bswartz> caitlin56: that's one approach, but we need to be more flexible 15:56:10 <caitlin56> bswartz: agreed, because existingVMs cannot use a library. 15:56:10 <bswartz> caitlin56: until somone writes a virtfs library for windows that's not an option for some users 15:56:11 <gregsfortytwo1> anands: right, but it'll still need to do the network plumbing somehow (I'm not sure what the options are when it's all on one machine) 15:57:09 <bswartz> okay so before we dive back down the mediated multitenany rathole I'm going to end the meeting 15:57:16 <anands> gregsfortytwo1: vsock interface is something vbellur has mentioned, can sync up with him and get back on that. Maybe the answer? 15:57:17 <caitlin56> Effectively "hypervisor mediated with proxy" is the same as "network mediated" -- with the difference of where the "proxying" is done. 15:57:28 <caitlin56> With "network mediated" the "proxying" is done of the storage server itself. 15:57:32 <bswartz> please feel free to continue the discussion in #openstack-manila 15:57:34 <gregsfortytwo1> k, just curious 15:57:46 <bswartz> I'll be over there 15:57:53 <bswartz> #endmeeting