Feature #1697

User supplied Attributes on one.template.instantiate and VM Template merge

Added by Simon Boulet over 8 years ago. Updated over 8 years ago.

Status: Closed
Start date: 12/17/2012
Priority: Normal
Due date:
Assignee: Carlos Martín
% Done: 0%
Category: -
Target version: Release 4.0
Resolution: fixed
Pull request:

Description

This patch adds a fourth (optional) parameter to one.template.instantiate that allows the User to pass extra User Attributes. Those User Attributes are checked against the Restricted Attributes before being merged into the chosen template.

It allows users to instantiate an existing template while providing custom attributes such as the CONTEXT or IMAGE_ID, without the need to Clone / create a user template.

It also allows Administrators to set the MEMORY or CPU attributes to be Restricted while still allowing users to launch custom VMs (something not currently possible, because setting MEMORY or CPU as Restricted Attributes prevents the User from submitting a VM with a User-provided template).

Ref. http://lists.opennebula.org/pipermail/users-opennebula.org/2012-December/021345.html

This is a fairly recent patch that hasn't gone through a lot of testing yet. There is at least one known limitation: when modifying a template that has multiple attributes of the same name (e.g. multiple NIC attributes), the merge operation will always apply changes to the first attribute found in the template.

Feedback is more than welcome.

Simon

template-instantiate-user-attributes.patch (5.67 KB) Simon Boulet, 12/17/2012 05:03 PM

Associated revisions

Revision 3deeec21
Added by Simon Boulet over 8 years ago

Feature #1697: Initial commit for user supplied Attributes on one.template.instantiate

Revision 9280aa36
Added by Carlos Martín over 8 years ago

Feature #1697: Add the new template instantiate param to ruby oca and cli

Revision 60f0d4bf
Added by Carlos Martín over 8 years ago

Feature #1697: Change Template::merge to replace and add attributes

This allows merging a template with repeated attributes, like
several DISK or NIC atts.

Revision 1d41973d
Added by Carlos Martín over 8 years ago

Feature #1697: Add VM creation options to onetemplate instantiate (--cpu, --memory...)

Revision 83b5b9d1
Added by Carlos Martín over 8 years ago

Feature #1697: Add new template instantiate argument to java oca

Revision 415be14b
Added by Ruben S. Montero over 8 years ago

feature #1697: Added CREATE perms for instantiate. Group user template code.

Revision bac2adb8
Added by Carlos Martín over 8 years ago

Feature #1697: Change the PoolObjectAuth used for the CREATE TEMPLATE

Revision ae5561c2
Added by Carlos Martín over 8 years ago

Feature #1697: Use add_create_auth for the merged template

History

#1 Updated by Ruben S. Montero over 8 years ago

  • Target version set to Release 4.0

#2 Updated by Ruben S. Montero over 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Carlos Martín

#3 Updated by Carlos Martín over 8 years ago

I just applied the patch. The only thing I changed is that Template::merge allows repeated Attributes.

You can now execute something like 'onetemplate instantiate 0 --cpu 2 --memory 512', which is really cool.

Thanks for this great contribution!

#4 Updated by Carlos Martín over 8 years ago

Now that I think of it, we may have broken the following use case:

The admin wants to have absolute control over the VMs created, which can be done by denying the operations TEMPLATE:CREATE and VM:CREATE (onetemplate create & onevm create), and only allows users to USE some templates created by him (onetemplate list/show/instantiate).

With this change, the users can now instantiate one of the available templates, and replace any attribute...

Since merging an existing template is basically a shortcut to clone & update, we could change the required permissions for one.template.instantiate to:
  • TEMPLATE:USE if no extra template is provided
  • TEMPLATE:USE + TEMPLATE:CREATE if the extra template is provided

#5 Updated by Simon Boulet over 8 years ago

Hi Carlos

> With this change, the users can now instantiate one of the available
> templates, and replace any attribute...

Well, yes, the user can replace any attribute, as long as it's not in the VM_RESTRICTED_ATTR list.

I didn't realize there was a TEMPLATE:CREATE permission; I don't currently use the ACLs (other than the default). Checking the TEMPLATE:CREATE permission ACL to allow for extra attributes seems to make a lot of sense!

Thanks for the feedback :)
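
The two checks discussed in this thread (the permission split proposed in comment #4 and the Restricted Attributes check from the description), modelled together as an added example that is not part of the original thread or of the OpenNebula code base. The attribute list, the pair-based template representation, the case-insensitive name match and all function names are assumptions made for illustration; the merge follows the "replace and add" wording of revision 60f0d4bf.

```ruby
# Added illustration; a constructed model, not OpenNebula source code.
# Templates are arrays of [NAME, value] pairs so repeated attributes (NIC, DISK) survive.

# Assumed admin configuration, standing in for the VM_RESTRICTED_ATTR list.
RESTRICTED_ATTRS = %w[CPU MEMORY].freeze

# Permissions proposed in comment #4: USE alone, or USE + CREATE when extra attributes are sent.
def required_perms(extra)
  extra.empty? ? %w[TEMPLATE:USE] : %w[TEMPLATE:USE TEMPLATE:CREATE]
end

# First restricted attribute name in the user-supplied attributes, or nil.
# Names are compared case-insensitively (assumption) so 'memory' cannot slip past.
def restricted_hit(extra, restricted = RESTRICTED_ATTRS)
  hit = extra.find { |name, _| restricted.include?(name.upcase) }
  hit && hit.first.upcase
end

# Replace-and-add merge (assumed semantics): every base attribute whose name the
# user supplied is dropped, then all user attributes are appended.
def merge(base, extra)
  names = extra.map { |name, _| name.upcase }
  base.reject { |name, _| names.include?(name.upcase) } + extra
end

# Returns [:ok, merged_template] or [:denied, reason]. Both checks run before the merge.
def instantiate(base, extra, granted)
  missing = required_perms(extra) - granted
  return [:denied, "missing #{missing.join(', ')}"] unless missing.empty?

  hit = restricted_hit(extra)
  return [:denied, "restricted attribute #{hit}"] if hit

  [:ok, merge(base, extra)]
end

# Constructed sample template owned by the admin.
BASE = [['CPU', '1'], ['MEMORY', '512'], ['NIC', 'NETWORK_ID=0'], ['NIC', 'NETWORK_ID=1']].freeze

if __FILE__ == $PROGRAM_NAME
  p instantiate(BASE, [], %w[TEMPLATE:USE])
  p instantiate(BASE, [['CONTEXT', 'HOSTNAME=web']], %w[TEMPLATE:USE])
  p instantiate(BASE, [['MEMORY', '4096']], %w[TEMPLATE:USE TEMPLATE:CREATE])
  p instantiate(BASE, [['NIC', 'NETWORK_ID=7']], %w[TEMPLATE:USE TEMPLATE:CREATE])
end
```

In this model a user holding only TEMPLATE:USE can still instantiate the admin's template unchanged, which preserves the locked-down use case from comment #4.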

#6 Updated by Ruben S. Montero over 8 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed
