Distributed Image Import spec

As planned in the glance meeting today, this adds a new spec for distributed image import, in total isolation, with a proposal to start with the simple case and moving to use image location metadata when available. Change-Id: Ic11be7628535f87b9002b69f845150bd02b9f0d7
2021-02-04 08:59:22 -08:00 · 2021-02-04 08:59:22 -08:00 · 434abee27e
commit 434abee27e
parent e518123237
1 changed files with 245 additions and 0 deletions
--- a/specs/wallaby/approved/glance/distributed-image-import.rst
+++ b/specs/wallaby/approved/glance/distributed-image-import.rst
@ -0,0 +1,245 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ================================
 Distributed Image Import Support
 ================================
 https://blueprints.launchpad.net/glance/+spec/distributed-image-import
 Glance is moving towards supporting rich operations on images, mostly
 during create time, via the import mechanism. This opens the door to
 things like metadata injection, format conversion, and copying between
 stores. Currently in order for this to work for what the user would
 consider the closest analog to ``image-upload`` (which is the
 ``glance-direct`` import method), the API nodes require access to
 shared storage which is a real blocker to adoption by deployers, and
 is the subject of this spec.
 Problem description
 ===================
 Currently, when images are uploaded via the import mechanism, they are
 stored in a special area called "staging." This is implemented under
 the covers as a ``glance_store`` but it must be a locally-accessible
 directory on the host filesystem. When using multiple API worker nodes
 (as any real deployment would), the staging directories of all worker
 nodes must be shared (i.e. mounted on a common NFS server) in order to
 support the ``glance-direct`` import method. This is obviously a
 problem for HA, performance, and a non-starter for any arrangement
 where some glance API workers are located in remote sites.
 In order to get an image from zero to usable with a ``glance-direct``
 import, there are multiple API requests that are required. One of
 these is the "staging" of the image data, which is followed by an
 "import" operation which moves the data from the staging area to its
 final destination(s). In a multi-node load-balanced scenario, the
 "stage" operation will almost definitely hit a different worker than
 the "import" operation, which will result in the latter not having
 access to the staged image data in its staging store, and thus a
 failure.
 Proposed change
 ===============
 The goal of the work outlined by this spec, is to allow the API
 workers to keep their staging store directories local and
 un-shared, but still enabling the import operation to work. In order
 to do this, we will:
 #. Record the URL by which the staging worker can be reached from the
   other workers in the database, and
 #. Proxy the import request to the host that has it staged via that
   URL if the image is not local.
 #. Any delete request while the image is staged also needs to be
   proxied, to ensure that the temporary file is deleted from the
   staging directory on the appropriate node.
 With the above change, we can eliminate the need for shared storage
 between the API worker nodes, allowing them to be isolated from an HA
 point of view, as well as distributed geographically. It requires very
 little actual change, as the non-local recipient node simply proxies
 the request it receives to the node that has it staged and returns the
 result. Both the ``import`` and ``delete`` operations are quick and do
 not require a chained client -> proxy -> destination arrangement to
 persist for long periods of time.
 Alternatives
 ------------
 One alternative is always to do nothing. We could continue to require
 shared storage for the staging area between the API nodes to support
 the import feature. We could also direct users to use image uploading
 instead of importing in cases where a shared directory is not
 feasible.
 Another alternative would be to do effectively the same thing as
 described here, but over RabbitMQ or some other RPC mechanism. That
 has the disadvantage of needing additional supporting infrastructure
 that glance does not currently require today, as well as new code to
 handle sending and receiving those RPC calls and directing them to the
 appropriate internal actions.
 Data model impact
 -----------------
 In order to do this, we only need to store one new piece of
 information, and only for a short period of time. That is the direct
 URL of the API worker node that has staged an image. When the image is
 finally imported (which usually happens immediately after staging),
 that URL is no longer needed (nor relevant).
 Initially, this implementation will use the reserved and
 quota-independent ``os_glance`` namespace to store the URL in the
 image's ``extra_properties``.
 Later, when work is done to complete the usage of the staging
 directory as a proper glance store, we may be able to store the URL in
 the location metadata when the staging image data is registered
 there. When this happens and assuming there is an appropriate
 interface to use that location metadata, the plan will be to make this
 implementation use that metadata store instead.
 REST API impact
 ---------------
 None.
 Security impact
 ---------------
 The proxy behavior will be done with the user's token, as presented to
 the worker that the load balancer selects. No additional authorization
 is added, and that token is used to make the request to the
 appropriate worker on the user's behalf. Thus, this operation is
 entirely transparent from a security perspective.
 Notifications impact
 --------------------
 None.
 Other end user impact
 ---------------------
 More users will be able to use the image import functionality after
 this is implemented as operators unwilling or unable to provide shared
 storage between their workers will no longer need to disable
 ``glance-direct`` import for their users.
 Performance Impact
 ------------------
 Eliminating the use of a shared NFS (or similar) storage location for
 the staging store should improve performance of upload and import,
 since the staging directory can be local. It also vastly reduces the
 need to move a potentially very large image back and forth over the
 network multiple times in the process of doing a single image import
 (reduces from a minimum of four round-trips of the image data to two).
 Other deployer impact
 ---------------------
 Deployers may wish to enable image import after upgrading to a release
 that supports this, where previously they needed to disable the
 feature (or just ``glance-direct``. They will need to configure each
 API worker with an additional element indicating the direct URL by
 which they can be reached, and ensure that API nodes are able to
 communicate with each other in this way.
 Deployers that currently support import via shared storage may want to
 quiesce image activity while they split the workers from the shared
 storage location to local directories.
 Deployers wishing to keep the shared storage for image staging may
 choose to do so with no impact or action required.
 Deployers wishing to keep the import feature (or just the
 ``glance-direct`` method) disabled, may also do so with no impact or
 action required.
 Developer impact
 ----------------
 When we move to the location-based metadata approach detailed above,
 we will need to change the API from using the image
 ``extra_properties`` dict to passing that information through to the
 store routines. It is expected that this will be less than ten lines
 of code.
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  danms
 Work Items
 ----------
 #. Build a mechanism by which we can use the user's authorization
   token to make an outbound call to another service
 #. Add a configuration element allowing the operators to teach the API
   workers what their externally-visible URL is.
 #. Make the API workers record their own URL on the image during the
   image ``stage`` operation.
 #. Make the ``import`` and ``delete`` operations proxy to the
   appropriate URL when it is determined appropriate to do so.
 Dependencies
 ============
 * Devstack needs support for starting additional glance workers in
  order to properly test this.
 * Tempest needs support for looking up alternative image services in
  the service catalog.
 Testing
 =======
 Unit tests for the API behaviors and import tasks are sufficient, as
 the changes are minimal.
 Functional tests for the image proxying.
 A set of tempest tests that stage and import/delete images on
 different glance workers with separate staging directories will be
 written to ensure CI coverage for this behavior in a realistic sense.
 Documentation Impact
 ====================
 Since this just makes something work that did not before, no large
 amount of documentation will need to be written. As mentioned above,
 deployers will have one new config option to set on API nodes as well
 as network and firewall considerations to address in order for this to
 work, which will be covered in the documentation.
 References
 ==========
 Much discussion on this was done on another spec:
 * https://review.opendev.org/c/openstack/glance-specs/+/763574
 The code implementation for this also has discussion relevant to the
 topic:
 * https://review.opendev.org/c/openstack/glance/+/769976
 This was discussed at the Wallaby PTG in the glance sessions, under
 the topic of "Cluster Awareness":
 * https://etherpad.opendev.org/p/glance-wallaby-ptg
 This has been discussed in multiple glance meetings:
 * http://eavesdrop.openstack.org/meetings/glance/2021/glance.2021-01-28-14.01.log.html#l-26
 * http://eavesdrop.openstack.org/meetings/glance/2021/glance.2021-02-04-14.00.log.html#l-30