I agree that *-paste.ini files should remain static. Keystone contains the only one that we need to edit (for security reasons) and the patch to move this configuration out of keystone-paste.ini needs attention from the keystone project. As for the installation guide, I prefer to unify the documentation for editing keystone-paste.ini for all distributions. Furthermore, our audience (mostly new users) likely feels more confident about editing files that reside in a less "intimidating" location such as /etc/$service.

Best I can tell, neutron (and all other services) separate "mandatory" message queue access (the 'rpc_backend' option) from notification access because the latter only pertains to deployments with a consumer for notifications such as ceilometer. Without a consumer, notification queues pile up and lead to stability problems. Hence, the 'notification_driver' option defaults to a blank value that essentially disables such notifications. The upstream configuration file comments this option out and the installation guide doesn't explicitly configure it, which means neutron uses the value of 'notification_driver' from the neutron-dist.conf file and sends notifications to a queue without a consumer. While I'm thinking about it, I'm trying to determine the source of a memory leak (or strange increase in consumption) in my RDO Liberty environment (and prior releases) and should try disabling the notification driver. In comparison, my Ubuntu Liberty environment containing the same services and virtual resources has stable memory usage.

On Tue, Nov 3, 2015 at 4:59 AM, Ihar Hrachyshka <ihrachys@redhat.com> wrote:
Matt Kassawara <mkassawara@gmail.com> wrote:

Ihar,

I think distribution packages should bundle upstream source without alteration to maximize flexibility for authors of deployment tools (or simple instructions) that choose to use packages. In other words, distribution packages should include few if any decisions on how to deploy services. Instead, leave those decisions to authors of deployment tools including organizations that produce distribution packages. For example, decisions on how to deploy OpenStack using RDO packages should reside in products like Packstack and RHEL-OSP. In the meantime, content in /usr/share/$service directories impacts the following portions in the installation guide:

You mix things here. RDO *is* a product, and *is* successfully used by companies without paying for RHEL-OSP subscription. Manual installation is still a supported way to deploy RDO, so anything that makes deployer life easier (like reasonable defaults) is beneficial.

Below, I will comment on neutron only and will leave other components to respective team members.


1) http://docs.openstack.org/draft/install-guide-rdo/keystone-verify.html - The keystone-paste.ini file should reside in the /etc/keystone directory.

2) http://docs.openstack.org/draft/install-guide-rdo/glance.html - The glance-api-dist.conf and glance-registry-dist.conf files contain defunct options in the [keystone_authtoken] section. Also, the *-paste.ini files should reside in the /etc/glance directory.

3) http://docs.openstack.org/draft/install-guide-rdo/nova.html - The nova-dist.conf file contains defunct options in the [keystone_authtoken] section, assumes use of nova-network, and contains several opinions about libvirt configuration.

4) http://docs.openstack.org/draft/install-guide-rdo/neutron.html - The neutron-dist.conf file specifies a notification driver regardless of a consumer (e.g., ceilometer) and disables nova-neutron interaction. Also, the *-paste.ini file should reside in the /etc/neutron directory.


I agree nova-neutron notifications should not be disabled (I merged a patch for that yesterday: https://review.gerrithub.io/#/c/251171/)

For notification driver, I am not sure I follow. The assumption is that DHCP agent is a common piece of neutron setup that is widely used, and since it relies on RPC notifications, we enable it by default. Do you believe it’s better to make everyone using refarch neutron to define it for themselves?

For *-paste.ini file, I believe the RDO assumption is that there is no reason to modify it, hence it’s not available for user modifications. Can you show me the exact place where installation guide became more complex due to -paste.ini file located under /usr/share?


5) http://docs.openstack.org/draft/install-guide-rdo/cinder.html - The cinder-dist.conf file contains defunct options in the [keystone_authtoken] section. Interestingly, the *-paste.ini files correctly reside in the /etc/cinder directory.

6) http://docs.openstack.org/draft/install-guide-rdo/swift.html - Interestingly, no /usr/share/swift directory exists. However, the configuration files in /etc/swift are considerably out of date and easier to overwrite from upstream source than attempt to fix via procedure.

7) http://docs.openstack.org/draft/install-guide-rdo/heat.html - The heat-dist.conf file contains defunct options in the [keystone_authtoken] section, contains a defunct database connection option (belongs in [database]), and enables a defunct message queue (Qpid). Also, the *-paste.ini file should reside in the /etc/heat directory.

I haven't looked at the ceilometer packages recently, but I suspect they involve similar issues.

Matt



On Mon, Nov 2, 2015 at 4:34 AM, Ihar Hrachyshka <ihrachys@redhat.com> wrote:

> On 21 Oct 2015, at 15:32, Matt Kassawara <mkassawara@gmail.com> wrote:
>
> I think packages available for standalone installation (i.e., without a deployment tool) should include complete upstream configuration files in standard locations without modification. In the case of *-dist.conf files with RDO packages, they seldom receive updates leading to deprecation warnings and sometimes override useful upstream default values. For example, most if not all services default to keystone for authentication (auth_strategy), yet the RDO neutron packages revert authentication to "noauth" in the *-dist.conf file. In another example, the RDO keystone package only includes the keystone-paste.ini file as /usr/share/keystone/keystone-dist-paste.ini rather than using the standard location and name which leads to confusion, particularly for new users. The installation guide contains quite a few extra steps and option-value pairs that work around the existence and contents of *-dist.conf files... additions that unnecessarily increase complexity for our audience of new users.

Can you provide links to the guide pages that are complicated by the existence of -dist.conf files?

I agree that some values may not be optimal (f.e. auth_strategy indeed should not be overridden; I sent a patch [1] to remove it from -dist.conf); but in principle, there should be a way for distributions to change defaults, and it should not be expected that all distributions ship identical configuration files.

[1]: https://review.gerrithub.io/#/c/251170/

Ihar
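
Added example, not part of the thread and not RDO or neutron code: a check of the effective values of the two options discussed above (auth_strategy and notification_driver) when a -dist.conf file is layered under the file in /etc. It assumes a later file overrides an earlier one; the file contents are constructed samples and the function names are hypothetical.

```python
import configparser

# Constructed samples. Only auth_strategy = noauth and the presence of a
# notification_driver value in the -dist.conf file come from the thread.
DIST_CONF = """\
[DEFAULT]
auth_strategy = noauth
notification_driver = messaging
"""
# Upstream-style file: the option is commented out, so nothing overrides it.
ETC_CONF = """\
[DEFAULT]
# notification_driver =
rpc_backend = rabbit
"""

def effective_options(layers):
    """Merge (source, text) layers in order; a later layer wins (assumption).

    Returns {(section, option): (value, source)}.
    """
    merged = {}
    for source, text in layers:
        # Treat [DEFAULT] as an ordinary section and skip % interpolation.
        parser = configparser.ConfigParser(
            default_section="__unused__", interpolation=None, strict=False)
        parser.read_string(text)
        for section in parser.sections():
            for option, value in parser.items(section):
                merged[(section, option)] = (value.strip(), source)
    return merged

def audit(layers, has_notification_consumer=False):
    """Return (option, value, source) for each risky effective setting."""
    merged = effective_options(layers)
    findings = []
    # Unset means the service default, which the thread gives as keystone.
    value, source = merged.get(("DEFAULT", "auth_strategy"), ("keystone", "default"))
    if value == "noauth":
        findings.append(("auth_strategy", value, source))
    # A driver with no consumer (e.g. ceilometer) fills queues nobody drains.
    value, source = merged.get(("DEFAULT", "notification_driver"), ("", "default"))
    if value and not has_notification_consumer:
        findings.append(("notification_driver", value, source))
    return findings

if __name__ == "__main__":
    layers = [("neutron-dist.conf", DIST_CONF), ("neutron.conf", ETC_CONF)]
    for option, value, source in audit(layers):
        print(f"{option} = {value!r} (effective value set by {source})")
```

Under the layering assumption, an option left commented out in the /etc file does not override the -dist.conf value; it has to be set explicitly there, even if only to an empty value.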