- I chatted for a bit with Rion Dooley who manages a scientific computing platform called Agave. His use cases overlap ours by quite a lot -- he recently migrated his users from grid engine to K8s, supports a Jupyter install, etc. He seems to live in Austin so I said I'd invite him to meet up with us when we're down there in December.
- Real people are really using CephFS and Manila as an NFS replacement and claiming that it pretty much works. So this could easily be a part of our big ceph/cinder future plan.
- At a 'state of Designate' talk: They're deprecating the 1.0 API in the Q release which will probably break some of our minor internal tooling but modern Horizon dashboards have long since moved off of it. It's pretty clear that the Designate team is limping along -- last cycle they had 0 paid staff on the project, now they have one (or maybe one part-timer). Nevertheless adoption of designate is climbing (12% of installed clouds run it now) so it's unlikely to die off.
- I pestered the Horizon team about some of our performance issues. It sounds like the super-slow Identity issues have fixes in progress (but not yet released). It's less clear whether there's anywhere good to go with the puppet UI -- there's a big caching patch in place for that widget but we might already be running that, it's unclear.
- I attended a lightning talk about the metadata service to ask about using metadata to provide per-tenant or per-instance secrets to VMs:
  Q: metadata -- is it private? Specifically, if the metadata agent is providing private data based on instance/tenant can I depend on it not providing that data to another badly-behaved instance?
  A: It's intended to prevent spoofing but you should probably audit this yourself
  A (from a later talk): The metadata server checks x-forwarded-for and instances can spoof that and steal creds from different VMs. Either disable x-forwarded-for or use the config drive for security.
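As an added illustration (not part of these notes and not OpenStack's own code) of why an unconditionally trusted x-forwarded-for is dangerous for a service handing out per-instance secrets, and of the "only trust it from your own proxies, or disable it" mitigation; the trusted proxy range and the secret table are constructed placeholders:

```python
from ipaddress import ip_address, ip_network

# Assumed for this example: the only hosts allowed to assert a client address
# through X-Forwarded-For are the operator's own proxy nodes in this range.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Constructed sample: per-instance secrets keyed by each VM's fixed address.
INSTANCE_SECRETS = {
    "192.0.2.10": "secret-for-vm-a",
    "192.0.2.11": "secret-for-vm-b",
}


def is_trusted_proxy(peer_ip):
    """True when the TCP peer is one of the operator's proxy nodes."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_requester_naive(peer_ip, headers):
    """The behaviour the talk warned about: trust X-Forwarded-For from anyone.

    A guest that can reach the service directly chooses the address it is
    looked up as, and so is handed another instance's secret.
    """
    return headers.get("X-Forwarded-For", peer_ip).split(",")[-1].strip()


def resolve_requester(peer_ip, headers, forwarded_enabled=True):
    """Hardened lookup key: honour X-Forwarded-For only when it was written by
    a trusted proxy and the operator has not disabled the header outright.

    The right-most entry is the one the nearest proxy appended; anything a
    guest placed in the header earlier is ignored. With forwarded_enabled=False
    (the talk's 'disable x-forwarded-for' option) only the socket peer counts.
    """
    xff = headers.get("X-Forwarded-For")
    if forwarded_enabled and xff and is_trusted_proxy(peer_ip):
        return xff.split(",")[-1].strip()
    return peer_ip


def metadata_for(peer_ip, headers, resolver=resolve_requester):
    """Return the secret for whichever instance the resolver identifies."""
    return INSTANCE_SECRETS.get(resolver(peer_ip, headers))
```

The same spoofed request yields a neighbour's secret under the naive resolver and only the caller's own secret under the hardened one.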
- Horizon: Can use the ui-cookiecutter project to create a base template for a new panel with angular examples. Briefly I thought that they were threatening to break all of our existing Django-based custom panels in favor of Angular but I talked to the team lead and it sounds like there's no actual plan for that.
- Keystone: In the P release they've totally redone policy config and I don't quite understand the change. They're moving policies 'into code' which I think means that there are live-alterable database-stored policy rules. I asked about migration path and they said that the existing policy files will be considered an override for the time being, so we don't need to tear down the existing system. (Of course the new system will be better, but we can move over incrementally.) Keystone STILL doesn't support project-local admin roles, which is stupid but definitely means that we should just write our own implementation of this since an upstream fix is clearly many years away.
- Ops designate feedback talk: I asked about sharing a domain among multiple projects and they put it on the wishlist. I think it's been on the wishlist for a while though. It sounds like the next upgrade cycle (or the next two, L->M->N) will be rocky but after that it may go a bit better.