Streamline README for policy overrides
The appendix in the deploy-guide has recently been refreshed. This is the third of the nine charms that support overrides to receive a streamlining in order to cut down on duplication. Some driveby formatting improvements. Change-Id: I47eb1f0c1c2d71b6c804e238dbcc3d64f9f6c86d
This commit is contained in:
Peter Matulis
parent
2ea4cff1ac
commit
8cd0d5843e
114
README.md
114
README.md
@ -1,11 +1,9 @@
|
||||
Overview
|
||||
--------
|
||||
# Overview
|
||||
|
||||
This charm provides the Glance image service for OpenStack. It is intended to
|
||||
be used alongside the other OpenStack components.
|
||||
|
||||
Usage
|
||||
-----
|
||||
# Usage
|
||||
|
||||
Glance may be deployed in a number of ways. This charm focuses on 3 main
|
||||
configurations. All require the existence of the other core OpenStack
|
||||
@ -13,8 +11,7 @@ services deployed via Juju charms, specifically: mysql, keystone and
|
||||
nova-cloud-controller. The following assumes these services have already
|
||||
been deployed.
|
||||
|
||||
Local Storage
|
||||
=============
|
||||
## Local Storage
|
||||
|
||||
In this configuration, Glance uses the local storage available on the server
|
||||
to store image data:
|
||||
@ -24,8 +21,7 @@ to store image data:
|
||||
juju add-relation glance mysql
|
||||
juju add-relation glance nova-cloud-controller
|
||||
|
||||
Swift backed storage
|
||||
====================
|
||||
## Swift backed storage
|
||||
|
||||
Glance can also use Swift Object storage for image storage. Swift is often
|
||||
deployed as part of an OpenStack cloud and provides increased resilience and
|
||||
@ -41,8 +37,7 @@ charms:
|
||||
|
||||
This configuration can be used to support Glance in HA/Scale-out deployments.
|
||||
|
||||
Ceph backed storage
|
||||
===================
|
||||
## Ceph backed storage
|
||||
|
||||
In this configuration, Glance uses Ceph based object storage to provide
|
||||
scalable, resilient storage of images. This configuration assumes that you
|
||||
@ -61,8 +56,7 @@ NOTE: Glance acts as a Ceph client in this case which requires IP (L3)
|
||||
connectivity to ceph monitors and OSDs. For MAAS-based deployments this
|
||||
can be addressed with network spaces (see the relevant section below).
|
||||
|
||||
HA/Clustering
|
||||
===================
|
||||
## HA/Clustering
|
||||
|
||||
There are two mutually exclusive high availability options: using virtual
|
||||
IP(s) or DNS. In both cases, a relationship to hacluster is required which
|
||||
@ -98,8 +92,7 @@ set
|
||||
Note that Glance in HA configuration must be used with either Ceph or
|
||||
Swift providing backing image storage.
|
||||
|
||||
Glance metering
|
||||
===============
|
||||
## Glance metering
|
||||
|
||||
In order to do Glance metering with Ceilometer, an AMQP relation is required
|
||||
e.g.
|
||||
@ -112,23 +105,36 @@ e.g.
|
||||
juju add-relation glance ceilometer-agent
|
||||
...
|
||||
|
||||
Network Space support
|
||||
---------------------
|
||||
## Spaces
|
||||
|
||||
This charm supports the use of Juju Network Spaces, allowing the charm to be bound to network space configurations managed directly by Juju. This is only supported with Juju 2.0 and above.
|
||||
This charm supports the use of Juju Spaces, allowing the charm to be bound to
|
||||
network space configurations managed directly by Juju. This is only supported
|
||||
with Juju 2.0 and above.
|
||||
|
||||
API endpoints can be bound to distinct network spaces supporting the network separation of public, internal and admin endpoints.
|
||||
API endpoints can be bound to distinct network spaces supporting the network
|
||||
separation of public, internal and admin endpoints.
|
||||
|
||||
Glance acts as a Ceph client and needs IP connectivity to Ceph monitors and OSDs. Binding the ceph endpoint to a space can solve this problem in case monitors and OSDs are located on a single L2 broadcast domain (if they are not, static or dynamic routes need to be used in addition to spaces).
|
||||
Glance acts as a Ceph client and needs IP connectivity to Ceph monitors and
|
||||
OSDs. Binding the ceph endpoint to a space can solve this problem in case
|
||||
monitors and OSDs are located on a single L2 broadcast domain (if they are not,
|
||||
static or dynamic routes need to be used in addition to spaces).
|
||||
|
||||
Access to the underlying MySQL instance can also be bound to a specific space using the shared-db relation.
|
||||
Access to the underlying MySQL instance can also be bound to a specific space
|
||||
using the shared-db relation.
|
||||
|
||||
To use this feature, use the --bind option when deploying the charm:
|
||||
|
||||
juju deploy glance --bind "public=public-space internal=internal-space admin=admin-space shared-db=internal-spacec ceph=ceph-access-space"
|
||||
juju deploy glance --bind \
|
||||
"public=public-space \
|
||||
internal=internal-space \
|
||||
admin=admin-space \
|
||||
shared-db=internal-space \
|
||||
ceph=ceph-access-space"
|
||||
|
||||
Alternatively, these can also be provided as part of a juju native bundle configuration:
|
||||
Alternatively, these can also be provided as part of a juju native bundle
|
||||
configuration:
|
||||
|
||||
```yaml
|
||||
glance:
|
||||
charm: cs:xenial/glance
|
||||
num_units: 1
|
||||
@ -138,51 +144,47 @@ Alternatively, these can also be provided as part of a juju native bundle config
|
||||
internal: internal-space
|
||||
shared-db: internal-space
|
||||
ceph: ceph-access-space
|
||||
```
|
||||
|
||||
NOTE: Spaces must be configured in the underlying provider prior to attempting to use them.
|
||||
NOTE: Spaces must be configured in the underlying provider prior to attempting
|
||||
to use them.
|
||||
|
||||
NOTE: Existing deployments using os-*-network configuration options will continue to function; these options are preferred over any network space binding provided if set.
|
||||
NOTE: Existing deployments using os-*-network configuration options will
|
||||
continue to function; these options are preferred over any network space
|
||||
binding provided if set.
|
||||
|
||||
Policy Overrides
|
||||
================
|
||||
## Policy Overrides
|
||||
|
||||
This feature allows for policy overrides using the `policy.d` directory. This
|
||||
is an **advanced** feature and the policies that the OpenStack service supports
|
||||
should be clearly and unambiguously understood before trying to override, or
|
||||
add to, the default policies that the service uses. The charm also has some
|
||||
policy defaults. They should also be understood before being overridden.
|
||||
Policy overrides is an **advanced** feature that allows an operator to override
|
||||
the default policy of an OpenStack service. The policies that the service
|
||||
supports, the defaults it implements in its code, and the defaults that a charm
|
||||
may include should all be clearly understood before proceeding.
|
||||
|
||||
> **Caution**: It is possible to break the system (for tenants and other
|
||||
services) if policies are incorrectly applied to the service.
|
||||
|
||||
Policy overrides are YAML files that contain rules that will add to, or
|
||||
override, existing policy rules in the service. The `policy.d` directory is
|
||||
a place to put the YAML override files. This charm owns the
|
||||
`/etc/keystone/policy.d` directory, and as such, any manual changes to it will
|
||||
be overwritten on charm upgrades.
|
||||
|
||||
Overrides are provided to the charm using a Juju resource called
|
||||
`policyd-override`. The resource is a ZIP file. This file, say
|
||||
`overrides.zip`, is attached to the charm by:
|
||||
Policy statements are placed in a YAML file. This file (or files) is then (ZIP)
|
||||
compressed into a single file and used as an application resource. The override
|
||||
is then enabled via a Boolean charm option.
|
||||
|
||||
Here are the essential commands (filenames are arbitrary):
|
||||
|
||||
zip overrides.zip override-file.yaml
|
||||
juju attach-resource glance policyd-override=overrides.zip
|
||||
|
||||
The policy override is enabled in the charm using:
|
||||
|
||||
juju config glance use-policyd-override=true
|
||||
|
||||
When `use-policyd-override` is `True` the status line of the charm will be
|
||||
prefixed with `PO:` indicating that policies have been overridden. If the
|
||||
installation of the policy override YAML files failed for any reason then the
|
||||
status line will be prefixed with `PO (broken):`. The log file for the charm
|
||||
will indicate the reason. No policy override files are installed if the `PO
|
||||
(broken):` is shown. The status line indicates that the overrides are broken,
|
||||
not that the policy for the service has failed. The policy will be the defaults
|
||||
for the charm and service.
|
||||
See appendix [Policy Overrides][cdg-appendix-n] in the [OpenStack Charms
|
||||
Deployment Guide][cdg] for a thorough treatment of this feature.
|
||||
|
||||
Policy overrides on one service may affect the functionality of another
|
||||
service. Therefore, it may be necessary to provide policy overrides for
|
||||
multiple service charms to achieve a consistent set of policies across the
|
||||
OpenStack system. The charms for the other services that may need overrides
|
||||
should be checked to ensure that they support overrides before proceeding.
|
||||
# Bugs
|
||||
|
||||
Please report bugs on [Launchpad][lp-bugs-charm-glance].
|
||||
|
||||
For general charm questions refer to the OpenStack [Charm Guide][cg].
|
||||
|
||||
<!-- LINKS -->
|
||||
|
||||
[cg]: https://docs.openstack.org/charm-guide
|
||||
[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
|
||||
[cdg-appendix-n]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-policy-overrides.html
|
||||
[lp-bugs-charm-glance]: https://bugs.launchpad.net/charm-glance/+filebug
|
||||
|
||||
Loading…
Reference in New Issue
Block a user