I’d like to overhaul the openstack modules, fixing bugs, adding features and making them easier to use. Before I do so, however, I’d like to discuss my proposed changes so they don’t conflict with existing roadmaps (if any).
All modules:
Get default authentication info from environment, just like the openstack cli tools do
Allow auth via token+endpoint.
Remove dependencies on openstack clients libraries, and use REST instead.
Allow referencing objects by id or by tenant+name.
So this all sounds great and we’d definitely welcome upgrades to the OpenStack content.
A few comments:
I’m fine with auth standardization but existing methods should continue to work as is when doing this – and things should go into module_utils like we have done to standardize AWS and Rackspace auth – so code isn’t repeated between modules.
I don’t understand why you would want to not use the provided OpenStack client libs, that seems to be a step back, and a giant maintaince problem. Is there a deprecation of these that I’m not aware of? I’m open to discussing this but it doesn’t seem like the right thing to do if the libraries are well maintained.
+1 to security groups taking a list, it should also take a string. The “type=list” in the module argument_spec will allow for this as it splits on commas if given a string.
+1 to having name options in addition to id options. Be sure to use “mutually_exclusive” in module utils to check that a confusing combination isn’t used.
Actually Openstack suggest developing against the REST API rather than using the client libs, presumably because they try and keep the REST API as stable as possible so there shouldn’t be as many changes required as the openstack versions change. (see https://wiki.openstack.org/wiki/SDKs definition 5 and https://wiki.openstack.org/wiki/APIChangeGuidelines last argument in “No we really mean it!”)
I would actually like to see a bunch of tasks for deploying OpenStack itself (rather than deploying clients onto OpenStack). Unfortunately not something I am currently working on at work at the moment but if I can get the time I might start working on that…
There are some interesting dependencies between different pieces that would give me some experience working with Ansible that I might not get otherwise.
Of course, once you have your OpenStack deployment in place you do need to be able to manipulate it and I am not saying that the OpenStack modules do not have a place, just not at the level that I currently have had to deal with OpenStack.
"Actually Openstack suggest developing against the REST API rather than using the client libs, presumably because they try and keep the REST API as stable as possible so there shouldn’t be as many changes required as the openstack versions change. "
I see where that says the REST API is supposed to be stable (we say that too), but where does this say “don’t use our client libraries”?
“I would actually like to see a bunch of tasks for deploying OpenStack itself”
Modules are going to make sense for using OpenStack, I don’t think modules are needed for deploying it.
There are several example roles for that sort of thing. I will freely admit ours in github.com/ansible/ansible-examples is not super well updated, but patches are welcome.
"Actually Openstack suggest developing against the REST API rather than using the client libs, presumably because they try and keep the REST API as stable as possible so there shouldn’t be as many changes required as the openstack versions change. "
I see where that says the REST API is supposed to be stable (we say that too), but where does this say “don’t use our client libraries”?
They don’t say it exactly, they do say… “We encourage developers to develop against OpenStack REST API. There will be many tools and applications which favor the REST API over our libraries or command line interfaces.” My reading of “encourage developers to use the REST API” is that they would suggest that rather than using the python client library. However, I admit I could easily be reading nuances into their writing that aren’t intended.
“I would actually like to see a bunch of tasks for deploying OpenStack itself”
Modules are going to make sense for using OpenStack, I don’t think modules are needed for deploying it.
There are several example roles for that sort of thing. I will freely admit ours in github.com/ansible/ansible-examples is not super well updated, but patches are welcome.
And no I wasn’t thinking that we needed an OpenStack deployment module, merely that it would be nice if some roles were available in Galaxy to make it easier for people to deploy OpenStack…
I’ll have a look at the examples and see if I can update/rewrite them as needed…
Thanks, I’ll have a look at those modules. My main motive is is nova-network^Wquantum^Wneutron^Wopenstackclient. There are now 4 different iterations of that lib around, each with a disjunct install base, and a somewhat incompatible API. The ReST API is far more stable than the python APIs. Also, as mentioned elsewhere in this thread, OpenStack actually encourages developers to use the ReST APIs. And while they don’t recommend against using the python client libs, all examples, documentation, mailinglists and other sources work against the ReST API. Perhaps, some day in the future, the openstackclient lib settles down, and achieves reasonable stability and code quality. Unfortunately that day hasn’t come yet. Oviously it should be backward compatible. This goes for all of the features. I wasn’t aware of that option. Thanks for pointing it out.
“My main motive is is nova-network^Wquantum^Wneutron^Wopenstackclient. There are now 4 different iterations of that lib around, each with a disjunct install base, and a somewhat incompatible API. The ReST API is far more stable than the python APIs.”
Is it unstable, or is it just going through namechanges.
I don’t think the code should have to suffer through a more complex REST-layer implementation when this can be solved with some conditional “try/except” and “import as” kind of logic.
Further, switching to all REST API invalidates pretty much all of the work that was done previously, which I’m not quite ok with as there are people using these modules and it has a very high chance of breaking them.
It’s ok to encourage people to use REST APIs – that’s great – we do this to, but I don’t see anyone being discouraged from using the client libs.
They exist for good reason – to prevent a library from having to all re-invent the logic that wraps the REST API, handles error codes, and does the right thing.
This is really the great tradgedy of REST, for multiple-API calls, worklows, auth, every consumer has to reimplement something for themselves… thus having a library that uses the REST API is entirely what you want.
Is it unstable, or is it just going through namechanges.
Unfortunately both are happening; though it's mostly the latter.
I don't think the code should have to suffer through a more complex
REST-layer implementation when this can be solved with some
conditional "try/except" and "import as" kind of logic.
[snip even more valid points]
I guess you are right;
I'll just deal with the incompatibilities using an
'ask-for-forgiveness' approach.
But note that a new openstackclient lib is coming, which is entirely
incompatible with existing libs. When that's released, we'll have to do
a rewrite at some point, as the existing libs will no longer be
maintained.
There is work being done to create python-openstacksdk. There is supposed to be some discussion this week to get things kicked off. Looks like this will be held in #openstack-sdks on Wednesday at 1pm America/Central.
The idea is that the python-*client packages will no longer be the SDKs or python APIs. python-openstacksdk would become the dependency for all of the clients.
I've booked quite some progress, an I'd really like some feedback. This
isn't a merge request just yet, but I'm getting closer. My work can be
found here: https://github.com/CloudVPS/ansible
To do:
- keystone (trust|domain|endpoint|service)
- nova_compute blockdevice_mapping
- cinder (snapshot|backup)
- swift (*)
- documentation docstrings
The link is just to a (temporary) fork of ansible. Can you add release notes of some sort to indicate what you HAVE added/modified?
thanks,
kesten
ps. if you are taking requests/suggestions, I was just about to integrate https://github.com/ansible/ansible-redhat-openstack/blob/master/playbooks/tenant.yml
into my deployment scripts. The first 5 steps use the ansible openstack modules. The last three tasks require shell or command modules to directly access the openstack controllers to setup security group rules etc.
It would be nice if that weren’t the case, so we wouldn’t have to delegate_to and include controllers in our host files etc.
I’ve been using Koert’s cinder_volume and nova_compute improvements in daily work now and would recommend them.
I think some care should be taken to standardize between rax and non-rax openstack modules for naming of things. Do i report doc issues the same way as regular code issues via github?
I believe believe the nova_compute needs some work to make it idempotent. If a vm is already existing then a volume will not get attached to it even if it is in the arg_spec. Generally, quite useable.