Adding mdbooth given his background in the nova block device and imagebackend code.
I did point out https://review.openstack.org/#/c/511965/ to mnaser but that's really just a spec that's up for discussion at this point, and is mostly an artifact from discussions at the Boston Forum for Pike, and trying to document a lot of the use cases and previous attempts around volume-backed flavors.
For this bug, it's probably not unreasonable to add a config option to nova to determine if a flavor with root disk=0 will not be allowed unless you're booting from volume. We could check this in the API.
For private clouds maybe they don't care. I'm not sure what we'd default this to.
1. Default to enforce makes the most sense for new deployments and security.
2. Default to not enforce would make it backward compatible until a deployer opts into the change.
#1 is probably the better choice though all things considered; the default behavior of something shouldn't be to hand you a loaded gun to shoot yourself with unknowingly, even though I live in 'merica!
I recognize this would introduce config-driven API behavior, which we really try to avoid in Nova, but it's a compromise until we have something built more into the API, like some of the ideas in the spec linked above.
Adding mdbooth given his background in the nova block device and imagebackend code.
I did point out https:/ /review. openstack. org/#/c/ 511965/ to mnaser but that's really just a spec that's up for discussion at this point, and is mostly an artifact from discussions at the Boston Forum for Pike, and trying to document a lot of the use cases and previous attempts around volume-backed flavors.
For this bug, it's probably not unreasonable to add a config option to nova to determine if a flavor with root disk=0 will not be allowed unless you're booting from volume. We could check this in the API.
For private clouds maybe they don't care. I'm not sure what we'd default this to.
1. Default to enforce makes the most sense for new deployments and security.
2. Default to not enforce would make it backward compatible until a deployer opts into the change.
#1 is probably the better choice though all things considered; the default behavior of something shouldn't be to hand you a loaded gun to shoot yourself with unknowingly, even though I live in 'merica!
I recognize this would introduce config-driven API behavior, which we really try to avoid in Nova, but it's a compromise until we have something built more into the API, like some of the ideas in the spec linked above.