savanna-all team mailing list archive

Thread
Date

Re: some feedback on the hadoop diskimage-builder element

To: Robert Collins <robertc@xxxxxxxxxxxxxxxxx>
From: Sergey Lukjanov <slukjanov@xxxxxxxxxxxx>
Date: Fri, 7 Jun 2013 08:40:26 +0400
Cc: savanna-all@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAJ3HoZ3KU6aNNrGvZmGkxTfg+qCy2LzqK1N_NhKPA4RqxRx33g@mail.gmail.com>

Hi Robert,

first of all, thank you for the great feedback. 

Ivan will respond with more detail, but I want to comment on forcing credentials.

The current version of DIB elements is targeted to the Savanna v. 0.1 that depends on some user with login-password auth, password-less sudo and password-less hadoop-to-hadoop ssh, but we are working on Savanna v. 0.2 that depends only on password-less sudo for some management user. Savanna v. 0.2 generates unique key pairs per Hadoop cluster for hadoop-to-hadoop interop and can inject user keys to created VMs.

Sincerely yours,
Sergey Lukjanov
Software Engineer
Mirantis Inc.
GTalk: me@xxxxxxxxxxx
Skype: lukjanovsv

On Jun 7, 2013, at 5:41, Robert Collins <robertc@xxxxxxxxxxxxxxxxx> wrote:

> Hi there, I've had a look through the diskimage builder element -
> hadoop - you've put together, to see whether it worked well for you
> etc.
> 
> There's a few things that could be done to make it a bit more robust /
> simpler. Primarily is to separate out the last-mile configuration
> stages from software installation. That is, software installation
> should happen in the diskimage-builder, but anything that will vary in
> environments - e.g. ssh keys, passwords, configuration files - should
> be supplied via nova or heat metadata.
> 
> Specifics that came to mind when I read through the element:
> https://bugs.launchpad.net/savanna/+bug/1188438
> https://bugs.launchpad.net/savanna/+bug/1188442
> 
> The ssh config tweaking is something we don't have a great answer for
> today; I'd be inclined though to make it an idempotent
> os-refresh-config script rather than build-time, because as it stands
> someone may edit it on the live system, and break whatever it is
> hadoop has that depends on those settings. Relatedly, I think it would
> be great if the README.md for the element documented the security
> caveats (e.g. that systems running hadoop images are vulnerable to
> password cracking attacks.
> 
> Secondly, there is a dependency system in the elements, so anything
> that needs to be baked in but that folk might do differently can be
> abstracted by putting it in a separate element - see
> https://review.openstack.org/#/c/32059/ for an example.
> 
> I've also filed
> https://bugs.launchpad.net/diskimage-builder/+bug/1188408 about
> something diskimage-builder could make nicer.
> 
> Cheers,
> Rob
> 
> -- 
> Robert Collins <rbtcollins@xxxxxx>
> Distinguished Technologist
> HP Cloud Services
> 
> -- 
> Mailing list: https://launchpad.net/~savanna-all
> Post to     : savanna-all@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~savanna-all
> More help   : https://help.launchpad.net/ListHelp

References

some feedback on the hadoop diskimage-builder element
From: Robert Collins, 2013-06-07