Bug 910717 - [nova] nova-manage usage should be made more clear
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Getting_Started_Guide
Version: 2.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: snapshot4
: 2.1
Assignee: Stephen Gordon
QA Contact: ecs-bugs
Reported: 2013-02-13 11:29 UTC by Nikola Dipanov
Modified: 2019-09-09 13:28 UTC (History)

Fixed In Version: Red_Hat_OpenStack-Getting_Started_Guide-2-web-en-US-1.0-22.el6eng
Doc Type: Bug Fix
Last Closed: 2013-03-04 19:39:27 UTC

Description Nikola Dipanov 2013-02-13 11:29:25 UTC
Description of problem:

nova-manage is a strictly admin-only tool that bypasses APIs and auth and calls into the (often db) code directly and should be treated and operated as such. This tool is meant to be used only by an administrator with shell access to nodes running OpenStack, and is not something to be used for normal operation or even administration.

Most of the data integrity checks that are normally done by the API are bypassed when using it, and extra caution needs to be taken when using it.

It would be good to have a note in our documentation that clearly states this (possibly when the nova-manage usage is shown for the first time).


Comment 1 Stephen Gordon 2013-02-13 14:36:03 UTC
Please provide an accurate list of the nova-manage actions that are explicitly not supported, and the alternative actions we recommend using other tools. The nova-manage help suggests it supports the following actions:

	account
	agent
	config
	db
	fixed
	flavor
	floating
	host
	instance_type
	logs
	network
	project
	service
	shell
	sm
	version
	vm
	volume
	vpn

Currently the documentation includes the following nova-manage commands:

nova-manage network create ....
nova-manage db sync
nova-manage floating create ...

Ideally please also provide us with the alternative methods of performing the above actions.

Comment 2 Russell Bryant 2013-02-13 14:49:07 UTC
On 02/13/2013 09:31 AM, Steve Gordon wrote:
> Engineering need to provide an accurate list of which actions of nova-manage we will and won't support. I don't think adding a "here be dragons" statement really clarifies matters if in subsequent steps we tell users to use it anyway. 

I think at this point we should assume that *all* nova-manage commands are supported unless we note specifically otherwise in a bug.  At this point I'm not aware of any.

I think a "there be dragons" note is useful.  There are some important points that users should know.  Here is my take:

nova-manage does not use the nova API.  There is no access control based on keystone authentication.  It provides direct admin-level access.  In many cases, nova-manage performs operations by doing direct database access.  There is much less input validation done by nova-manage than by the nova API, so administrators should be careful to provide correct input to nova-manage.

