Bug 910717

Summary: [nova] nova-manage usage should be made more clear
Product: Red Hat OpenStack
Reporter: Nikola Dipanov <ndipanov>
Component: doc-Getting_Started_Guide
Assignee: Stephen Gordon <sgordon>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: high
Priority: unspecified
Version: 2.1
CC: alyoung, breeler, eglynn, sgordon
Target Milestone: snapshot4
Target Release: 2.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: Red_Hat_OpenStack-Getting_Started_Guide-2-web-en-US-1.0-22.el6eng
Doc Type: Bug Fix
Last Closed: 2013-03-04 19:39:27 UTC
Type: Bug

Description Nikola Dipanov 2013-02-13 11:29:25 UTC
Description of problem:

nova-manage is a strictly admin-only tool that bypasses APIs and auth and calls into the (often db) code directly and should be treated and operated as such. This tool is meant to be used only by an administrator with shell access to nodes running OpenStack, and is not something to be used for normal operation or even administration.

Most of the data integrity checks that are normally done by the API are bypassed when using it, and extra caution needs to be taken when using it.

It would be good to have a note in our documentation that clearly states this (possibly when the nova-manage usage is shown for the first time).


Comment 1 Stephen Gordon 2013-02-13 14:36:03 UTC
Please provide an accurate list of the nova-manage actions that are explicitly not supported, and the alternative actions we recommend using other tools. The nova-manage help suggests it supports the following actions:

	account
	agent
	config
	db
	fixed
	flavor
	floating
	host
	instance_type
	logs
	network
	project
	service
	shell
	sm
	version
	vm
	volume
	vpn

Currently the documentation includes the following nova-manage commands:

nova-manage network create ....
nova-manage db sync
nova-manage floating create ...

Ideally please also provide us with the alternative methods of performing the above actions.

Comment 2 Russell Bryant 2013-02-13 14:49:07 UTC
On 02/13/2013 09:31 AM, Steve Gordon wrote:
> Engineering need to provide an accurate list of which actions of nova-manage we will and won't support. I don't think adding a "here be dragons" statement really clarifies matters if in subsequent steps we tell users to use it anyway. 

I think at this point we should assume that *all* nova-manage commands are supported unless we note specifically otherwise in a bug.  At this point I'm not aware of any.

I think a "there be dragons" note is useful.  There are some important points that users should know.  Here is my take:

nova-manage does not use the nova API.  There is no access control based on keystone authentication.  It provides direct admin-level access.  In many cases, nova-manage performs operations by doing direct database access.  There is much less input validation done by nova-manage than by the nova API, so administrators should be careful to provide correct input to nova-manage.
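
Added example, not part of the original thread and not nova code: because nova-manage validates input less than the API does, an administrator can check an address range before passing it to commands such as `nova-manage network create` or `nova-manage floating create`. The function name `preflight_range`, the individual checks and the size limit are assumptions made for illustration; the thread does not list which checks the API performs.

```python
import ipaddress

# Largest range accepted without a second look. Assumed policy value, not a nova limit.
MAX_ADDRESSES = 4096


def preflight_range(cidr, existing=(), max_addresses=MAX_ADDRESSES):
    """Return a list of problems with an address range; an empty list means it passed."""
    text = cidr.strip()
    try:
        # ip_interface accepts host bits, so they can be reported instead of rejected opaquely
        iface = ipaddress.ip_interface(text)
    except ValueError as exc:
        return ["not a valid CIDR range: %s" % exc]

    net = iface.network
    problems = []
    if "/" not in text:
        problems.append("no prefix length given; this is a single address, not a range")
    if iface.ip != net.network_address:
        problems.append("host bits set: did you mean %s?" % net)
    if net.num_addresses > max_addresses:
        problems.append("%d addresses exceeds the limit of %d"
                        % (net.num_addresses, max_addresses))
    for other in existing:
        other_net = ipaddress.ip_network(other)
        # overlaps() raises TypeError across IP versions, so compare like with like
        if other_net.version == net.version and net.overlaps(other_net):
            problems.append("overlaps existing range %s" % other_net)
    return problems


if __name__ == "__main__":
    # Constructed sample data: ranges assumed to be already defined in the deployment
    defined = ["10.0.0.0/24", "fd00::/64"]
    for candidate in ["10.1.0.0/24", "10.0.0.5/24", "10.0.0.128/25", "10.0.0.0/8"]:
        issues = preflight_range(candidate, existing=defined)
        print(candidate, "OK" if not issues else "; ".join(issues))
```
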