Description of problem: nova-manage is a strictly admin-only tool that bypasses APIs and auth and calls into the (often db) code directly and should be treated and operated as such. This tool is meant to be used only by an administrator with shell access to nodes running OpenStack, and is not something to be used for normal operation or even administration. Most of the data integrity checks that are normally done by the API are bypassed when using it, and extra caution needs to be taken when using it. It would be good to have a note in our documentation that clearly states this (possibly when the nova-manage usage is shown for the first time). Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Please provide an accurate list of the nova-manage actions that are explicitly not supported, and the alternative actions we recommend using other tools. The nova-manage help suggests it supports the following actions: account agent config db fixed flavor floating host instance_type logs network project service shell sm version vm volume vpn Currently the documentation includes the following nova-manage commands: nova-manage network create .... nova-manage db sync nova-manage floating create ... Ideally please also provide us with the alternative methods of performing the above actions.
On 02/13/2013 09:31 AM, Steve Gordon wrote: > Engineering need to provide an accurate list of which actions of nova-manage we will and won't support. I don't think adding a "here be dragons" statement really clarifies matters if in subsequent steps we tell users to use it anyway. I think at this point we should assume that *all* nova-manage commands are supported unless we note specifically otherwise in a bug. At this point I'm not aware of any. I think a "there be dragons" note is useful. There are some important points that users should know. Here is my take: nova-manage does not use the nova API. There is no access control based on keystone authentication. It provides direct admin-level access. In many cases, nova-manage performs operations by doing direct database access. There is much less input validation done by nova-manage than by the nova API, so administrators should be careful to provide correct input to nova-manage.