Last week with the help of the lovely openstack-infra people, I discovered that you can have a local cache of pip downloads. This speeds up rebuilding test environments when you need to jump between branches with different dependencies. Its as simple as chucking something like: export PIP_DOWNLOAD_CACHE=~/cache/pip ...into your .bashrc or equivalent.
LaunchPad bug 1013893 asked nicely if the drop action for iptables rules created by nova-network could be configured. The idea here is that you might want to do something other than a plain old drop -- for example logging before dropping. This has now been implemented in Havana. To configure the drop action, set the iptables_drop_action to the name of an already existing iptables target. Creating this target is not managed by nova, and you'll need to do it on every compute node. When iptables creates or deletes rules on compute nodes it will now use this new target. There's a bit of an upgrade problem here in that this will stop nova from deleting rules which use the old hard coded drop target. However, if an instance is torn down then all of its tables are torn down as well and rules will be deleted correctly, so this is only a problem if a security group is changed while the instance is running. It occurs to me that we can do better here, so I've sent off this review to handle the case where a rule is being removed and used the default drop action. For safety, I would…
In the last few weeks a new quota has been added to Nova covering Fixed IPs. This was done in response to LaunchPad bug 1125468, which was disclosed as CVE 2013-1838. To be honest I think there are some things the vulnerability management team learned the hard way with this disclosure. For example, we didn't realize that we needed to update python-novaclient to allow users to set the quota, or that adding a quota would require changes in Horizon. Both of these errors have been corrected. More importanly, the default value of the new quota was set to 10. I made this decision based on the default value of the instances quota coupled with a desire to protect deployments from denial of service. However, this decision combined with a failure to explicitly call out the new quota in the release notes for the Folsom stable release have resulted in some deployers experiencing upgrade problems. This was drawn to our attention by LaunchPad bug 1161190. We have therefore moved to set the default quota for fixed IPs to unlimited. If you want to protect yourself from a potential DoS, then you should seriously consider changing this default value in your deployment.…
This is just a quick reminder that there are only a couple more days to vote in the Nova PTL elections for the Havana cycle. If you're eligible to vote, you should have a voting URL in your email. The candidates: Russell Bryant -- announcement Michael Still -- announcement The incumbent PTL, Vishvananda Ishaya, has chosen not to run.
I was super excited to get my hands on the latest John Scalzi book because I've really liked his previous stuff. Unfortunately while this book is fun I feel that the underlying concept is pretty weak... Its more of a toy boy than something which makes you think, which is a disappointment to me. Don't get me wrong, the overall execution is good, but the book feels lazily plotted, much like a badly done Harry Harrison does. So, if that sort of thing annoys you, give this one a miss.
This is the third book in the Marsbound series. The Others have just turned off all electronics on Earth, and now we need to survive. One problem with this book is that it jumps straight into the action -- I had to go back and re-read Marsbound and Starbound in order to understand what was happening in this book. That was ok because those two books are excellent, and I enjoyed re-reading them. In fact, those two are probably a little better than this one. Overall Earthbound is pretty dark, and there isn't a lot of hope presented -- its just a series of scenes where the main characters attempt to deal with an all powerful adversary. Perhaps if the Others weren't so powerful this would be a better book, because you just know that everyone is doomed. I also respect authors who are willing to kill off lead characters, but that happens a lot in this book, which sort of bothered me. Perhaps that's what combat is really like though -- people you have an attachment to just stop being there. There's no warning or explanation. The end of this book isn't very satisfying. There better be a sequel…
As some of you might know, I'm the Director for linux.conf.au 2013. I've tried really hard to not use my powers for evil and make the entire conference about OpenStack -- in fact I haven't pulled rank and demanded that specific content be included at all. However, the level of interest in OpenStack has grown so much since LCA 2012 that there is now a significant amount of OpenStack content in the conference without me having to do any of that. I thought I'd take a second to highlight some of the OpenStack content that I think is particularly interesting -- these are the talks I'll be going to if I have the time (which remains to be seen): Monday Cloud Infrastructure, Distributed Storage and High Availability Miniconf: while not specifically about OpenStack, this miniconf is going to be a good warm up for all things IaaS at the conference. Here's a list of the talks for that miniconf:<ul Delivering IaaS with Apache CloudStack - Joe Brockmeier oVirt - Dan Macpherson Aeolus - Dan Macpherson Ops: From bare metal to cloud space - Phil Ingram VMs on VLANs on Bridges on Bonds on many NICs - Kim Hawtin OpenStack Swift…
George asks in the comments on my previous post about loop and nbd devices an interesting question about the behavior of this code on essex. I figured the question was worth bringing out into its own post so that its more visible. I've edited George's question lightly so that this blog post flows reasonably. Can you please explain the order (and conditions) in which the three methods are used? In my Essex installation, the "img_handlers" is not defined in nova.conf, so it takes the default value "loop,nbd,guestfs". However, nova is using nbd as the chose method. The handlers will be used in the order specified -- with the caveat that loop doesn't support Copy On Write (COW) images and will therefore be skipped if the libvirt driver is trying to create a COW image. Whether COW images are used is configured with the use_cow_images flag, which defaults to True. So, loop is being skipped because you're probably using COW images. My ssh keys are obtained by cloud-init, and still whenever I start a new instance I see in the nova-compute.logs this sequence of events: qemu-nbd -c /dev/nbd15 /var/lib/nova/instances/instance-0000076d/disk kpartx -a /dev/nbd15 mount /dev/mapper/nbd15p1 /tmp/tmpxGBdT0 umount /dev/mapper/nbd15p1 kpartx -d /dev/nbd15 qemu-nbd…
A quick note for OpenStack operators -- if you are using loop or nbd devices to mount disk images in nova-compute, then you would be well served to have plenty of device files hanging around to reduce contention. For loop devices, that seems as simple as making more of them with MAKEDEV. With nbd, you'll also need to increase the value of the max_nbd_devices flag to nova-compute. The latter is improved in grizzly, where we will autodetect nbd devices.