I agree that *-paste.ini files should remain static. Keystone contains the
only one that we need to edit (for security reasons) and the patch to move
this configuration out of keystone-paste.ini needs attention from the
keystone project. As for the installation guide, I prefer to unify the
documentation for editing keystone-paste.ini for all distributions.
Furthermore, our audience (mostly new users) likely feels more confident
about editing files that reside in a less "intimidating" location such as
/etc/$service.

Best I can tell, neutron (and all other services) separate "mandatory"
message queue access (the 'rpc_backend' option) from notification access
because the latter only pertains to deployments with a consumer for
notifications such as ceilometer. Without a consumer, notification queues
pile up and lead to stability problems. Hence, the 'notification_driver'
option defaults to a blank value that essentially disables such
notifications. The upstream configuration file comments this option out and the
installation guide doesn't explicitly configure it, which means neutron uses
the value of 'notification_driver' from the neutron-dist.conf file and
sends notifications to a queue without a consumer. While I'm thinking about
it, I'm trying to determine the source of a memory leak (or strange
increase in consumption) in my RDO Liberty environment (and prior releases)
and should try disabling the notification driver. In comparison, my Ubuntu
Liberty environment containing the same services and virtual resources has
stable memory usage.

On Tue, Nov 3, 2015 at 4:59 AM, Ihar Hrachyshka <ihrachys(a)redhat.com> wrote:

Matt Kassawara <mkassawara(a)gmail.com> wrote:
> Ihar,
>
> I think distribution packages should bundle upstream source without
> alteration to maximize flexibility for authors of deployment tools (or
> simple instructions) that choose to use packages. In other words,
> distribution packages should include few if any decisions on how to deploy
> services. Instead, leave those decisions to authors of deployment tools
> including organizations that produce distribution packages. For example,
> decisions on how to deploy OpenStack using RDO packages should reside in
> products like Packstack and RHEL-OSP. In the meantime, content in
> /usr/share/$service directories impacts the following portions in the
> installation guide:
>
You mix things here. RDO *is* a product, and *is* successfully used by
companies without paying for RHEL-OSP subscription. Manual installation is
still a supported way to deploy RDO, so anything that makes deployer life
easier (like reasonable defaults) is beneficial.
Below, I will comment on neutron only and will leave other components to
respective team members.
> 1) http://docs.openstack.org/draft/install-guide-rdo/keystone-verify.html
> - The keystone-paste.ini file should reside in the /etc/keystone directory.
>
> 2) http://docs.openstack.org/draft/install-guide-rdo/glance.html - The
> glance-api-dist.conf and glance-registry-dist.conf files contain defunct
> options in the [keystone_authtoken] section. Also, the *-paste.ini files
> should reside in the /etc/glance directory.
>
> 3) http://docs.openstack.org/draft/install-guide-rdo/nova.html - The
> nova-dist.conf file contains defunct options in the [keystone_authtoken]
> section, assumes use of nova-network, and contains several opinions about
> libvirt configuration.
>
> 4) http://docs.openstack.org/draft/install-guide-rdo/neutron.html - The
> neutron-dist.conf file specifies a notification driver regardless of a
> consumer (e.g., ceilometer) and disables nova-neutron interaction. Also,
> the *-paste.ini file should reside in the /etc/neutron directory.
>
>
I agree nova-neutron notifications should not be disabled (I merged a
patch for that yesterday: https://review.gerrithub.io/#/c/251171/).
For notification driver, I am not sure I follow. The assumption is that
DHCP agent is a common piece of neutron setup that is widely used, and
since it relies on RPC notifications, we enable it by default. Do you
believe it’s better to make everyone using refarch neutron to define it for
themselves?
For *-paste.ini file, I believe the RDO assumption is that there is no
reason to modify it, hence it’s not available for user modifications. Can
you show me the exact place where installation guide became more complex
due to -paste.ini file located under /usr/share?
> 5) http://docs.openstack.org/draft/install-guide-rdo/cinder.html - The
> cinder-dist.conf file contains defunct options in the [keystone_authtoken]
> section. Interestingly, the *-paste.ini files correctly reside in the
> /etc/cinder directory.
>
> 6) http://docs.openstack.org/draft/install-guide-rdo/swift.html -
> Interestingly, no /usr/share/swift directory exists. However, the
> configuration files in /etc/swift are considerably out of date and easier
> to overwrite from upstream source than attempt to fix via procedure.
>
> 7) http://docs.openstack.org/draft/install-guide-rdo/heat.html - The
> heat-dist.conf file contains defunct options in the [keystone_authtoken]
> section, contains a defunct database connection option (belongs in
> [database]), and enables a defunct message queue (Qpid). Also, the
> *-paste.ini file should reside in the /etc/heat directory.
>
> I haven't looked at the ceilometer packages recently, but I suspect they
> involve similar issues.
>
> Matt
>
>
>
> On Mon, Nov 2, 2015 at 4:34 AM, Ihar Hrachyshka <ihrachys(a)redhat.com>
> wrote:
>
> > On 21 Oct 2015, at 15:32, Matt Kassawara <mkassawara(a)gmail.com> wrote:
> >
> > I think packages available for standalone installation (i.e., without a
> > deployment tool) should include complete upstream configuration files in
> > standard locations without modification. In the case of *-dist.conf files
> > with RDO packages, they seldom receive updates leading to deprecation
> > warnings and sometimes override useful upstream default values. For
> > example, most if not all services default to keystone for authentication
> > (auth_strategy), yet the RDO neutron packages revert authentication to
> > "noauth" in the *-dist.conf file. In another example, the RDO keystone
> > package only includes the keystone-paste.ini file as
> > /usr/share/keystone/keystone-dist-paste.ini rather than using the standard
> > location and name which leads to confusion, particularly for new users. The
> > installation guide contains quite a few extra steps and option-value pairs
> > that work around the existence and contents of *-dist.conf files...
> > additions that unnecessarily increase complexity for our audience of new
> > users.
>
> Can you provide links to the guide pages that are complicated by the
> existence of -dist.conf files?
>
> I agree that some values may not be optimal (f.e. auth_strategy indeed
> should not be overridden; I sent a patch [1] to remove it from -dist.conf);
> but in principle, there should be a way for distributions to change
> defaults, and it should not be expected that all distributions ship
> identical configuration files.
>
> [1]: https://review.gerrithub.io/#/c/251170/
>
> Ihar
>
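
The layering issue discussed in this thread, as an added example that is not part of the original messages or of any OpenStack or RDO code: a small audit that merges a distribution-supplied `*-dist.conf` with the administrator's `/etc` file and reports which file supplies the effective `auth_strategy` and `notification_driver`. The load order (dist file first, `/etc` file last), the sample file contents, the `messagingv2` value and the function names `effective` and `audit` are assumptions made for illustration.

```python
import configparser

# Constructed sample layers; option names come from the thread, values are illustrative.
DIST_CONF = """\
[DEFAULT]
auth_strategy = noauth
notification_driver = messagingv2
"""
ETC_CONF = """\
[DEFAULT]
rpc_backend = rabbit
# auth_strategy = keystone
# notification_driver =
"""

def effective(layers):
    """Merge (source, text) layers in order; a later layer overrides an earlier one."""
    merged = {}
    for source, text in layers:
        # Treat [DEFAULT] as an ordinary section and allow repeated keys.
        parser = configparser.ConfigParser(
            default_section="__unused__", interpolation=None, strict=False)
        parser.read_string(text)
        for section in parser.sections():
            for option, value in parser.items(section):
                merged[(section, option)] = (value.strip(), source)
    return merged

def audit(layers):
    """Flag the two effective settings the thread calls out."""
    eff = effective(layers)
    findings = []
    # Defaults when no layer sets the option, as described in the thread.
    auth, src = eff.get(("DEFAULT", "auth_strategy"), ("keystone", "upstream default"))
    if auth == "noauth":
        findings.append(f"auth_strategy=noauth (from {src}): API authentication is off")
    driver, src = eff.get(("DEFAULT", "notification_driver"), ("", "upstream default"))
    if driver:
        findings.append(f"notification_driver={driver} (from {src}): confirm a consumer exists")
    return findings

if __name__ == "__main__":
    for line in audit([("neutron-dist.conf", DIST_CONF), ("neutron.conf", ETC_CONF)]):
        print(line)
```

Because the `/etc` file leaves both options commented out, the dist layer wins for both; setting them explicitly in the `/etc` layer clears the findings.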