glance sync slave

Description

This charm imports glance images from a master OpenStack installation.
It will copy image files and metadata with rsync over ssh to local disk and import into glance from there.


Overview

The glance-sync-slave charm pulls glance images and metadata from a master OpenStack
installation. It copies them to local disk using rsync over ssh and imports them into
local glance from there.

The master has a list of command-limited authorized keys (juju config option) where slaves can be authorized.
Your slave unit will need to be subscribed there.

Slave units regularly pull images from the master unit using rsync. The metadata is rsynced as a separate JSON file and contains the md5 checksum, which the slave verifies before importing the image into its local glance store.
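The pre-import check described above, as an added example that is not the charm's own code. The file layout (`<data_dir>/<id>` for the image, `<data_dir>/<id>.json` for its metadata), the `id` and `checksum` field names, and the function names are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def md5_of(path, chunk_size=1024 * 1024):
    """Stream the file so multi-gigabyte images are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(data_dir, image_id):
    """Return (ok, reason); only import into glance when ok is True.

    Assumed layout (not taken from the charm): <data_dir>/<id> is the image
    and <data_dir>/<id>.json its metadata with "id" and "checksum" (md5 hex).
    """
    image = Path(data_dir) / image_id
    meta_file = Path(data_dir) / (image_id + ".json")
    if not (image.is_file() and meta_file.is_file()):
        return False, "incomplete sync: image or metadata file missing"
    try:
        meta = json.loads(meta_file.read_text())
    except ValueError:
        return False, "metadata is not valid JSON"
    if not isinstance(meta, dict) or meta.get("id") != image_id:
        return False, "metadata does not describe this image"
    expected = meta.get("checksum")
    if not isinstance(expected, str):
        return False, "metadata carries no checksum"
    # md5 catches truncated or corrupted transfers; it is not a defence
    # against tampering, which rests on the ssh transport and key restrictions.
    if md5_of(image) != expected.lower():
        return False, "md5 mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one image whose file was truncated in transit.
    with tempfile.TemporaryDirectory() as d:
        body = b"constructed image bytes" * 4096
        meta = {"id": "img-1", "checksum": hashlib.md5(body).hexdigest()}
        (Path(d) / "img-1.json").write_text(json.dumps(meta))
        (Path(d) / "img-1").write_bytes(body[:-10])
        print(verify_image(d, "img-1"))
```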

Image IDs are preserved across locations. This means no glance images should be created in a slave location, to avoid ID conflicts.

One thing to note is that glance (by default) does not delete images. If you run glance image-delete, the image will be removed from image-list but not actually deleted from the database. A subsequent image-create with the same ID will lead to a conflict.

If an image is deleted from the master's glance instance, it will also be deleted from the local rsync directory, which will propagate out to the slave's filesystem. But the slaves are currently not deleting images from their local glance stores.

Context: Should a glance image accidentally get deleted from the master glance instance and subsequently from the slave, there would be no way to add the image back (with the same image ID) without manual DB surgery on both the slave and the master. We avoid this by not deleting images from slave glance instances as mentioned.

Glance credentials:

Both the i-age--ync-master and glance-sync-slave units can pull admin credentials from their local glance instances through a keystone-admin relation. This can be overridden with a custom novarc that can be set through a base64-encoded juju config setting. If a pre-existing custom novarc is removed, the charm will fall back to using the relation and will display an error in juju status if neither is available.

Usage

juju deploy glance-sync-slave

After the deploy, make sure to set an rsync source:

You can find the configured data directory with juju get glance-sync-master in the data_dir config option. The default is /srv/glance_sync_master/data

juju set glance-sync-slave sync_source=:

Then enable the sync, which enables a sync cronjob on the slave unit (in /etc/cron.d):

juju set glance-sync-slave sync_enabled=True

Configuration

novarc
(string) base64 encoded novarc file

data_dir
(string) directory to store image and metadata files
Default: /srv/glance_sync_slave/data

nagios_context
(string) Used by the nrpe-external-slave subordinate charm. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: juju-postgresql-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
Default: juju

sync_enabled
(boolean) switch to enable or disable sync from master to disk
Default: True

master_creds
(string) Comma separated OpenStack credentials to be used to download images from the master region. It is strongly recommended this be a user with a dedicated role, and not a full admin. Takes the format of username=foo, password=bar, project=baz, region=Region1, auth_url=https://127.0.0.1:35357/v3, domain=Default

script_dir
(string) directory to store scripts
Default: /srv/glance_sync_slave/scripts

log_dir
(string) directory to store sync logfiles
Default: /srv/glance_sync_slave/logs

sync_source
(string) rsync URL of master to sync images from, for example: ubuntu@172.16.109.180:/srv/glance_sync_master/data

cron_frequency
(string) cron frequency for sync script
Default: 30 */3 * * *

admin_email
(string) email address for notifications
Default: root@canonical.com

config_dir
(string) directory to store configuration like novarc
Default: /srv/glance_sync_slave/config

trusted_ssl_ca
(string) base64 encoded SSL CA cert to use for OpenStack API client connections. This relies on the same CA being used for both the master and slave region.