On 09/18/2015 11:04 AM, Ian Cordasco wrote:
On 9/18/15, 08:03, "Major Hayden" <ma...@mhtx.net> wrote:
Hey there,
I start working on a bug[1] last night about adding a managed NTP
configuration to openstack-ansible hosts. My patch[2] gets chrony up and
running with configurable NTP servers, but I'm still struggling to meet
the "Proposal" section of the bug where the author has asked for
non-infra physical nodes to get their time from the infra nodes. I can't
figure out how to make it work for AIO builds when one physical host is
part of all of the groups. ;)
I'd argue that time synchronization is critical for a few areas:
1) Security/auditing when comparing logs
2) Troubleshooting when comparing logs
3) I've been told swift is time-sensitive
4) MySQL/Galera don't like time drift
However, there's a strong argument that this should be done by deployers,
and not via openstack-ansible. I'm still *very* new to the project and
I'd like to hear some feedback from other folks.
Personally, I fall into the camp of "this is a deployer concern".
Specifically, there is already an ansible-galaxy role to enable NTP on
your deployment hosts (https://galaxy.ansible.com/list#/roles/464) which
*could* be expanded to do this very work that you're talking about. Using
specialized roles to achieve this (and contributing back to the larger
ansible community) seems like a bigger win than trying to reimplement some
of this in OSA instead of reusing other roles that already exist.
Compare it to a hypothetical situation where Keystone wrote its own
backing libraries to implement Fernet instead of using the cryptography
library. In that case there would be absolutely no argument that Keystone
should use cryptography (even if it uses cffi and has bindings to OpenSSL
which our infra team doesn't like and some deployers find difficult to
manage when using pure-python deployment tooling). Why should OSA be any
different from another OpenStack project?
Have to agree with Ian here. NTP, as Major wrote, is a critical piece of
the deployment puzzle, but I don't think it's necessary to put anything
in OSA specifically to configure NTP. As Ian wrote, better to contribute
to upstream ansible-galaxy playbooks/roles that do this well.
Best,
-jay
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
