Revision 56c934da
| b/doc/design-os.rst | ||
|---|---|---|
| 18 | 18 |
the disks of the instance being created, exporting/importing the instance, |
| 19 | 19 |
renaming it). |
| 20 | 20 |
|
| 21 |
These scripts receive, as environment variables, a fixed set of parameters
|
|
| 21 |
These scripts receive through environment variables a fixed set of parameters
|
|
| 22 | 22 |
related to the instance (such as the hypervisor, the name of the instance, the |
| 23 | 23 |
number of disks, and their location) and a set of user defined parameters. |
| 24 | 24 |
These parameters are also written in the configuration file of Ganeti, to allow |
| ... | ... | |
| 72 | 72 |
================ |
| 73 | 73 |
|
| 74 | 74 |
In order to fix the shortcomings of the current state, we plan to introduce the |
| 75 |
following changes: |
|
| 76 |
|
|
| 77 |
* Change the OS parameters to have three categories: |
|
| 78 |
|
|
| 79 |
* ``public``: the current behavior. The parameter is logged and stored freely. |
|
| 80 |
|
|
| 81 |
* ``private``: the parameter is saved inside the Ganeti configuration (to allow |
|
| 82 |
for instance reinstall) but it is not shown in logs, job logs, or passed back |
|
| 83 |
via RAPI. |
|
| 84 |
|
|
| 85 |
* ``secret``: the parameter is not saved inside the Ganeti configuration. |
|
| 86 |
Reinstalls are impossible unless the data is passed again. The parameter will |
|
| 87 |
not appear in any log file. When a functionality is performed jointly by |
|
| 88 |
multiple daemons (such as MasterD and LuxiD), currently Ganeti sometimes |
|
| 89 |
serializes jobs on disk and later reloads them. Secret parameters will not be |
|
| 90 |
serialized to disk. They will be passed around as part of the LUXI calls |
|
| 91 |
exchanged by the daemons, and only kept in memory, in order to reduce their |
|
| 92 |
accessibility as much as possible. In case of failure of the master node, |
|
| 93 |
these parameters will be lost and cannot be recovered because they are not |
|
| 94 |
serialized. As a result, the job cannot be taken over by the new master. |
|
| 95 |
This is an expected and accepted side effect of jobs with secret parameters: |
|
| 96 |
if they fail, they'll have to be restarted manually. |
|
| 97 |
|
|
| 98 |
* A new OS installation procedure, based on a safe virtualized environment. |
|
| 99 |
This virtualized environment will run with the same hardware parameter as the |
|
| 100 |
actual instance being installed, as much as possible. This will also allow to |
|
| 101 |
reduce the memory usage in the host (specifically, in Dom0 for Xen |
|
| 102 |
installations). Each instance will have these possible execution modes: |
|
| 103 |
|
|
| 104 |
* ``run``: the default mode, used when the machine is running normally and |
|
| 105 |
the OS installation procedure is run before starting the instance for the |
|
| 106 |
first time. |
|
| 107 |
|
|
| 108 |
* ``self_install``: the first run of the instance will be with a different set |
|
| 109 |
of parameters w.r.t. all the successive runs. This set of "install |
|
| 110 |
parameters" will allow, e.g., to attach an installation |
|
| 111 |
floppy/cdrom/network, change the boot device order, or specify an OS image |
|
| 112 |
to be used. Through this set of parameters, the administrator will have to |
|
| 113 |
provide the hypervisor a way to find an installation medium for the instance |
|
| 114 |
(e.g., a boot disk, a network image, etc). This medium will then install the |
|
| 115 |
instance itself on the disks and will then be responsible to get the |
|
| 116 |
parameters for configuring it (its network interfaces, IP address, hostname, |
|
| 117 |
etc.) from a set of metadata provided by Ganeti (e.g.: using an approach |
|
| 118 |
comparable to the one of the ``cloud-init`` tool). When this installation |
|
| 119 |
mode is used, no OS installation script is required. In order for the |
|
| 120 |
installation of an OS from an image to be possible, the ``--os-type`` |
|
| 121 |
parameter will be extended to support a new additional format: ``--os-type |
|
| 122 |
image:<URL>`` will instruct Ganeti to take an image from the specified |
|
| 123 |
position. For the initial implementation, URL can be either a filename or a |
|
| 124 |
publically accessible HTTP or FTP resource. Once the instance image is |
|
| 125 |
received, it will be dd-ed onto the first disk of the instance. When an |
|
| 126 |
image is specified, ``--os-parameters`` can still be used, and its content |
|
| 127 |
will be passed to the instance as part of the metadata. Note that, as part |
|
| 128 |
of the OS scripts, there is a file specifying what parameters are |
|
| 129 |
expected. With OS images, though, none of the traditional structure of OS |
|
| 130 |
scripts is in place, so there will be no check regarding what parameters can |
|
| 131 |
be specified: they will all be passed, as long as the ``--os-parameters`` |
|
| 132 |
string is syntactically valid. The set of ``self_install`` parameters will |
|
| 133 |
be stored as part of the instance configuration, so that they can be used to |
|
| 134 |
reinstall the instance. It will be the user's responsibility to ensure that |
|
| 135 |
the OS image or any installation media is still available in the proper |
|
| 136 |
position when a reinstall happens. After the first run, the instance will |
|
| 137 |
revert to ``run`` mode. |
|
| 138 |
|
|
| 139 |
* ``install``: Ganeti will start the instance using a virtual appliance |
|
| 140 |
specifically made for installing Ganeti instances. Scripts analogous to the |
|
| 141 |
current ones will run inside this instance. The disks of the instance being |
|
| 142 |
installed will be connected to this virtual appliance, so that the scripts |
|
| 143 |
can mount them and modify them as needed, as currently happens, but with the |
|
| 144 |
additional protection given by this happening in a VM. The disk of the |
|
| 145 |
virtual appliance will be read only, so that a pristine copy of the |
|
| 146 |
appliance can be started every time a new instance needs to be created, to |
|
| 147 |
further increase security. The data the instance needs to write at runtime |
|
| 148 |
will only be stored in RAM, and disappear as soon as the instance is |
|
| 149 |
stopped. Metadata will be provided also to this virtual applicance, that |
|
| 150 |
will take care of converting them to environment variables for the |
|
| 151 |
installation scripts. After the first run, the instance will revert to |
|
| 152 |
``run`` mode. |
|
| 153 |
|
|
| 154 |
* In order to allow for the metadata to be sent inside the instance, a |
|
| 155 |
communication mechanism between the instance and the host will be created. |
|
| 156 |
This mechanism will be bidirectional (e.g.: to allow the setup process going |
|
| 157 |
on inside the instance to communicate its progress to the host). Each instance |
|
| 158 |
will have access exclusively to its own metadata, and it will be only able to |
|
| 159 |
communicate with its host over this channel. More details will be provided in |
|
| 160 |
the `Communication mechanism and metadata service`_ section. |
|
| 161 |
|
|
| 162 |
* As part of the instance creation command it will be possible to indicate a URL |
|
| 163 |
for a "personalization package", that is an archive containing a set of files |
|
| 164 |
meant to be overlayed on top of the operating system file system at the end of |
|
| 165 |
the setup process, before the VM is started for the first time in ``run`` |
|
| 166 |
mode. Ganeti will provide a mechanism for receiving and unpacking this |
|
| 167 |
archive as part of the ``install`` execution mode, whereas in ``self_install`` |
|
| 168 |
mode it will only be provided as a metadata for the instance to use. The |
|
| 169 |
archive will be in TAR-GZIP format (with extension ``.tar.gz`` or ``.tgz``) |
|
| 170 |
and will contain the files according to the directory structure that will be |
|
| 171 |
recreated on the installation disk. Files contained in this archive will |
|
| 172 |
overwrite files with the same path created during the install procedure (if |
|
| 173 |
any). The URL of the "personalization package" will have to specify an |
|
| 174 |
extesion to identify the file format (in order to allow for more formats to be |
|
| 175 |
supported in the future). The URL will be stored as part of the configuration |
|
| 176 |
of the instance (therefore, the URL should not contain confidential |
|
| 177 |
information, but the files there available can). It is up to the system |
|
| 178 |
administrator to ensure that a package is actually available at that URL at |
|
| 179 |
install and reinstall time. The content of the package is allowed to change. |
|
| 180 |
E.g.: a system administrator might create a package containing the private |
|
| 181 |
keys of the instance being created. When the instance is reinstalled, a new |
|
| 182 |
package with new keys can be made available there, therefore allowing instance |
|
| 183 |
reinstall without the need to store keys. Together with the URL, a username |
|
| 184 |
and a password can be specified to. If the URL is a HTTP(S) URL, they will be |
|
| 185 |
used as basic access authentication credentials to access that URL. The |
|
| 186 |
username and password will not be saved in the config, and will have to be |
|
| 187 |
provided again in case a reinstall is requested. The downloaded |
|
| 188 |
personalization package will not be stored locally on the node for longer than |
|
| 189 |
it is needed while unpacking it and adding its files to the instance being |
|
| 190 |
created. The personalization package will be overlayed on top of the instance |
|
| 191 |
filesystem after the scripts that created it have been executed. In order for |
|
| 192 |
the files in the package to be automatically overlayed on top of the instance |
|
| 193 |
filesystem it is required that the appliance is actually able to mount the |
|
| 194 |
instance disks, therefore this will not work for every filesystem. |
|
| 75 |
following changes. |
|
| 76 |
|
|
| 77 |
|
|
| 78 |
OS parameters categories |
|
| 79 |
++++++++++++++++++++++++ |
|
| 80 |
|
|
| 81 |
Change the OS parameters to have three categories: |
|
| 82 |
|
|
| 83 |
* ``public``: the current behavior. The parameter is logged and stored freely. |
|
| 84 |
|
|
| 85 |
* ``private``: the parameter is saved inside the Ganeti configuration (to allow |
|
| 86 |
for instance reinstall) but it is not shown in logs, job logs, or passed back |
|
| 87 |
via RAPI. |
|
| 88 |
|
|
| 89 |
* ``secret``: the parameter is not saved inside the Ganeti configuration. |
|
| 90 |
Reinstalls are impossible unless the data is passed again. The parameter will |
|
| 91 |
not appear in any log file. When a functionality is performed jointly by |
|
| 92 |
multiple daemons (such as MasterD and LuxiD), currently Ganeti sometimes |
|
| 93 |
serializes jobs on disk and later reloads them. Secret parameters will not be |
|
| 94 |
serialized to disk. They will be passed around as part of the LUXI calls |
|
| 95 |
exchanged by the daemons, and only kept in memory, in order to reduce their |
|
| 96 |
accessibility as much as possible. In case of failure of the master node, |
|
| 97 |
these parameters will be lost and cannot be recovered because they are not |
|
| 98 |
serialized. As a result, the job cannot be taken over by the new master. This |
|
| 99 |
is an expected and accepted side effect of jobs with secret parameters: if |
|
| 100 |
they fail, they'll have to be restarted manually. |
|
| 101 |
|
|
| 102 |
|
|
| 103 |
Metadata |
|
| 104 |
++++++++ |
|
| 105 |
|
|
| 106 |
In order to allow metadata to be sent inside the instance, a communication |
|
| 107 |
mechanism between the instance and the host will be created. This mechanism |
|
| 108 |
will be bidirectional (e.g.: to allow the setup process going on inside the |
|
| 109 |
instance to communicate its progress to the host). Each instance will have |
|
| 110 |
access exclusively to its own metadata, and it will be only able to communicate |
|
| 111 |
with its host over this channel. This is the approach followed the |
|
| 112 |
``cloud-init`` tool and more details will be provided in the `Communication |
|
| 113 |
mechanism and metadata service`_ section. |
|
| 114 |
|
|
| 115 |
|
|
| 116 |
Installation procedure |
|
| 117 |
++++++++++++++++++++++ |
|
| 118 |
|
|
| 119 |
A new installation procedure will be introduced, with which it will be possible |
|
| 120 |
to use an installation medium and run the OS scripts in an optional virtualized |
|
| 121 |
environment and with an optional personalization package. There will be two |
|
| 122 |
sets of parameters, namely, installation parameters, which are used mainly for |
|
| 123 |
installs and reinstalls, and execution parameters, which are used in all the |
|
| 124 |
other runs that are not part of an installation procedure. |
|
| 125 |
|
|
| 126 |
This set of installation parameters will allow, e.g., to attach an installation |
|
| 127 |
floppy/cdrom/network, change the boot device order, or specify a disk image to |
|
| 128 |
be used. Through this set of parameters, the administrator will have to provide |
|
| 129 |
the hypervisor a location for an installation medium for the instance (e.g., a |
|
| 130 |
boot disk, a network image, etc). This medium will carry out the installation |
|
| 131 |
of the instance onto the instance's disks and will then be responsible for |
|
| 132 |
getting the parameters for configuring the instance, such as, network |
|
| 133 |
interfaces, IP address, and hostname. These parameters are taken from the |
|
| 134 |
metadata. The installation parameters will be stored in the configuration of |
|
| 135 |
Ganeti and used in future reinstalls, but not during normal execution. |
|
| 136 |
|
|
| 137 |
The instance is reinstalled using the same installation parameters from the |
|
| 138 |
first installation. However, it will be the administrator's responsibility to |
|
| 139 |
ensure that the any installation media is still available at the proper location |
|
| 140 |
when a reinstall occurs. |
|
| 141 |
|
|
| 142 |
The parameter ``--os-parameters`` can still be used to specify the OS |
|
| 143 |
parameters. However, without OS scripts, Ganeti cannot do more than a syntactic |
|
| 144 |
check to validate the supplied OS parameters string. As a result, this string |
|
| 145 |
will be directly passed to the instance as part of the metadata. If the |
|
| 146 |
installation procedure is running inside a virtualized environment, then Ganeti |
|
| 147 |
will take these parameters from the metadata and pass them to the OS scripts as |
|
| 148 |
environment variables. |
|
| 149 |
|
|
| 150 |
* Use a disk image: |
|
| 151 |
|
|
| 152 |
Currently, it is already possible to specify an installation medium, such as, |
|
| 153 |
a cdrom, but not a disk image. Therefore, a new parameter ``--os-image`` will |
|
| 154 |
be used to specify the location of a disk image which will be dumped to the |
|
| 155 |
instance's first disk before the instance is started. The location of the |
|
| 156 |
image can be a URL and, if this is the case, Ganeti will download this image. |
|
| 157 |
|
|
| 158 |
* Run OS scripts: |
|
| 159 |
|
|
| 160 |
The parameter ``--os-type`` (short version: ``-o``), is currently used to |
|
| 161 |
specify the OS scripts. This parameter will still be used to specify the OS |
|
| 162 |
scripts with the difference that these OS scripts may optionally run inside a |
|
| 163 |
virtualized environment for safety reasons, depending on whether they are |
|
| 164 |
trusted or not. For more details on trusted and untrusted OS scripts, refer |
|
| 165 |
to the `Installation process in a virtualized environment`_ section. |
|
| 166 |
|
|
| 167 |
* Personalization package |
|
| 168 |
|
|
| 169 |
As part of the instance creation command, it will be possible to indicate a |
|
| 170 |
URL for a "personalization package", which is an archive containing a set of |
|
| 171 |
files meant to be overlayed on top of the OS file system at the end of the |
|
| 172 |
setup process and before the VM is started for the first time in normal mode. |
|
| 173 |
Ganeti will provide a mechanism for receiving and unpacking this archive |
|
| 174 |
whether the installation is being performed inside the virtualized environment |
|
| 175 |
or not. |
|
| 176 |
|
|
| 177 |
The archive will be in TAR-GZIP format (with extension ``.tar.gz`` or |
|
| 178 |
``.tgz``) and contain the files according to the directory structure that will |
|
| 179 |
be recreated on the installation disk. Files contained in this archive will |
|
| 180 |
overwrite files with the same path created during the installation procedure |
|
| 181 |
(if any). The URL of the "personalization package" will have to specify an |
|
| 182 |
extension to identify the file format (in order to allow for more formats to |
|
| 183 |
be supported in the future). The URL will be stored as part of the |
|
| 184 |
configuration of the instance (therefore, the URL should not contain |
|
| 185 |
confidential information, but the files there available can). |
|
| 186 |
|
|
| 187 |
It is up to the system administrator to ensure that a package is actually |
|
| 188 |
available at that URL at install and reinstall time. The contents of the |
|
| 189 |
package are allowed to change. E.g.: a system administrator might create a |
|
| 190 |
package containing the private keys of the instance being created. When the |
|
| 191 |
instance is reinstalled, a new package with new keys can be made available |
|
| 192 |
there, thus allowing instance reinstall without the need to store keys. A |
|
| 193 |
username and a password can be specified together with the URL. If the URL is |
|
| 194 |
a HTTP(S) URL, they will be used as basic access authentication credentials to |
|
| 195 |
access that URL. The username and password will not be saved in the config, |
|
| 196 |
and will have to be provided again in case a reinstall is requested. |
|
| 197 |
|
|
| 198 |
The downloaded personalization package will not be stored locally on the node |
|
| 199 |
for longer than it is needed while unpacking it and adding its files to the |
|
| 200 |
instance being created. The personalization package will be overlayed on top |
|
| 201 |
of the instance filesystem after the scripts that created it have been |
|
| 202 |
executed. In order for the files in the package to be automatically overlayed |
|
| 203 |
on top of the instance filesystem, it is required that the appliance is |
|
| 204 |
actually able to mount the instance's disks. As a result, this will not work |
|
| 205 |
for every filesystem. |
|
| 206 |
|
|
| 207 |
* Combine a disk image, OS scripts, and a personalization package |
|
| 208 |
|
|
| 209 |
It will possible to combine a disk image, OS scripts, and a personalization |
|
| 210 |
package, both with or without a virtualized environment. There is one |
|
| 211 |
exception which is if there are untrusted OS scripts. At least, an |
|
| 212 |
installation medium or OS scripts should be specified. |
|
| 213 |
|
|
| 214 |
The disk image of the actual virtual appliance, which bootstraps the virtual |
|
| 215 |
environment used in the installation procedure, will be read only, so that a |
|
| 216 |
pristine copy of the appliance can be started every time a new instance needs |
|
| 217 |
to be created and to further increase security. The data the instance needs |
|
| 218 |
to write at runtime will only be stored in RAM and disappear as soon as the |
|
| 219 |
instance is stopped. |
|
| 220 |
|
|
| 221 |
The parameter ``--enable-safe-install=yes|no`` will be used to give the |
|
| 222 |
administrator control over whether to use a virtualized environment for the |
|
| 223 |
installation procedure. By default, a virtualized environment will be used. |
|
| 224 |
Note that some feature combinations, such as, using untrusted scripts, will |
|
| 225 |
require the virtualized environment. In this case, Ganeti will not allow |
|
| 226 |
disabling the virtualized environment. |
|
| 195 | 227 |
|
| 196 | 228 |
Implementation |
| 197 | 229 |
============== |
| ... | ... | |
| 203 | 235 |
#. Communication mechanism between host and instance |
| 204 | 236 |
#. Metadata service |
| 205 | 237 |
#. Personalization package (inside a virtualization environment) |
| 206 |
#. ``self_install`` mode
|
|
| 207 |
#. ``install`` mode (inside a virtualization environment)
|
|
| 238 |
#. Instance creation via a disk image
|
|
| 239 |
#. Instance creation inside a virtualized environment
|
|
| 208 | 240 |
|
| 209 | 241 |
Some of these steps need to be more deeply specified w.r.t. what is already |
| 210 | 242 |
written in the `Proposed changes`_ Section. Extra details will be provided in |
| ... | ... | |
| 214 | 246 |
++++++++++++++++++++++++++++++++++++++++++++ |
| 215 | 247 |
|
| 216 | 248 |
The communication mechanism and the metadata service are described together |
| 217 |
because they are deeply tied. On the other hand, the communication mechanism
|
|
| 218 |
will need to be more generic because it can be used for other reasons in the
|
|
| 219 |
future (like allowing instances to explicitly send commands to Ganeti, or to let
|
|
| 220 |
Ganeti control a helper instance, like the one hereby introduced for performing
|
|
| 221 |
OS installs inside a safe environment).
|
|
| 222 |
|
|
| 223 |
The communication mechanism will be enabled automatically when the instance is
|
|
| 224 |
in ``self_install`` or ``install`` mode, but for backwards compatibility it will
|
|
| 225 |
be disabled when the instance is in ``run`` mode unless it is explicitly
|
|
| 226 |
requested. Specifically, a new parameter ``--communication`` (short version:
|
|
| 227 |
``-C``), with possible values ``true`` or ``false`` will be added to
|
|
| 249 |
because they are deeply tied. The communication mechanism will be made more
|
|
| 250 |
generic because it can be used for other purposes in the future (like allowing
|
|
| 251 |
instances to explicitly send commands to Ganeti, or to let Ganeti control a
|
|
| 252 |
helper instance, like the one hereby introduced for performing OS installs
|
|
| 253 |
inside a safe environment). |
|
| 254 |
|
|
| 255 |
The communication mechanism will be enabled automatically during an installation
|
|
| 256 |
procedure that requires a virtualized environment, but for backwards
|
|
| 257 |
compatibility it will be disabled when the instance is running normally, unless
|
|
| 258 |
it is explicitly requested. Specifically, a new parameter
|
|
| 259 |
``--communication=yes|no`` (short version: ``-C``) will be added to
|
|
| 228 | 260 |
``gnt-instance add`` and ``gnt-instance modify``. It will determine whether the |
| 229 |
instance will have a communication channel set up to interact with the host and
|
|
| 230 |
to receive metadata. The value of this parameter will be saved as part of the
|
|
| 231 |
configuration of the instance.
|
|
| 261 |
instance has a communication channel set to interact with the host and receive
|
|
| 262 |
metadata. The value of this parameter will be saved as part of the configuration
|
|
| 263 |
of the instance. |
|
| 232 | 264 |
|
| 233 | 265 |
When the communication mechanism is enabled, Ganeti will create a new network |
| 234 | 266 |
interface inside the instance. This additional network interface will be the |
| ... | ... | |
| 313 | 345 |
user-provided value of the parameter, and ``<visibility>`` is either ``public``, |
| 314 | 346 |
``private`` or ``secret``. |
| 315 | 347 |
|
| 316 |
The installation scripts to be run inside the virtualized environment while the
|
|
| 317 |
instance is run in ``install`` mode will be available at::
|
|
| 348 |
The installation scripts to be run inside the virtualized environment will be
|
|
| 349 |
available at:: |
|
| 318 | 350 |
|
| 319 |
http://169.254.169.254/<version>/ganeti/os/scripts/<script_name>
|
|
| 351 |
http://169.254.169.254/ganeti/<version>/os/scripts/<script_name>
|
|
| 320 | 352 |
|
| 321 | 353 |
where ``<script_name>`` is the name of the script. |
| 322 | 354 |
|
Also available in: Unified diff