OpenStack Miniconf at PyConAu
OpenStack: A Vision for the Future
by Monty Taylor
- Create truth in realistic acting
- Know what problem you're trying to solve.
- Develop techniques to solve the problem.
- Don't confuse the techniques with the result.
- Willingness to change with new information.
What Monty Wants
- Provide computers and networks that work.
- Should not chase 12-factor apps.
- Kubernetes / CoreOS are already providing these frameworks
- OpenStack should provide a place for these frameworks to work.
- By default give a directly routable IP.
inaugust.com/talks/a-vision-for-the-future.html
The Future of Identity (Keystone) in OpenStack
- Moving to Fernet Tokens as the default, everywhere.
- Lightweight
- No database requirement
- Limited token size
- Will support all the features of existing token types.
- Problems with UUID or PKI tokens:
- SQL back end
- PKI tokens are too large.
- Moving from bespoke WSGI to Flask
- Moving to a KeystoneAuth Library to remove the need for the client to be everywhere.
- Keystone V3 API...everywhere. Focus on removing technical debt.
- V2 API should die.
- Deprecating the Keystone client in favour of the
openstackclient. - Paste.ini functionality being moved to core and controlled via policy.json
Orchestration and CI/CD with Ansible and OpenStack
- Gave a great overview of OpenStack / CoreOS / Containers
- All configuration management sucks. Ansible sucks less.
- CI/CD pipelines are repeatable.
Practical Federation
by Jamie Lennox
- SAML is the initially supported WebSSO.
- Ipsilon has SAML frontend, supports SSSD / PAM on the backend.
- Requires Keystone V3 API everywhere.
- Jamie successfully did live demo that demonstrated the work flow.
Privesep
by Angus Lees
- Uses Linux kernel separation to restrict available privileges.
- Gave a brief history of rootwrap`.
- Fast and safe.
- Still in beta
OpenStack Works, so now what?
by Monty Taylor
- Shade's existence is a bug.
- Take OpenStack back to basics
- Keeps things simple.
