OpenStack choice

Hello,

I would like to know the reason why Enough is built on top of OpenStack.

A received idea seems to be that OpenStack should only be used by large organizations so I’m curious why Enough has made this choice.

If possible, could you describe the pros and cons of using OpenStack at Enough?

Thanks.

2 Likes

I’m also very interested in this exact question

(Sorry, I didn’t introduce myself yet, but I couldn’t help backing up this question.)

3 Likes

The short answer is that I knew OpenStack before starting Enough.

Indeed. Although I hoped it could go in a different direction. I set up a distributed OpenStack cluster in my free time, which I used for a few years, about six years ago. I’m not sure I would be able to do the same nowadays.

The primary con is that I don’t see OpenStack expanding significantly in the next 10 years. It looks like k8s is trending. Assuming k8s is the alternative, the pro of OpenStack is that virtual machines are more durable (i.e. you can boot a qcow2 from 10 years ago and you’ll be able to boot it in 10 years) and can be used to run all the services you need, even those that are not refactored into containers.

The secondary con is that the OpenStack API is unreliable, which makes it impossible to run a CI that relies on it. The API provided by OVH fails in very creative ways, to the point that it is useless to try to cope with it. Sometimes you just have to wait until the storm passes. I’m not sure what the situation is with k8s but I assume it’s better.

A few months back I made changes to Enough so that most of it would run on a single host docker, with the idea of running a CI based on it instead of relying on manual retries. With the help of @pilou, we explored the idea of using k3s instead (because k8s proved difficult to harness). That would require a completely different architecture, but that’s not the main blocker: software such as Discourse is not k8s-ready and would just not run at all in this context.

I hope that answers the question :slight_smile:

Hello @loic,

Thanks a lot for your answer, I appreciate your objectivity about OpenStack.

1 Like

  1. Do you know if the issue is with the OpenStack API or with the OVH OpenStack API?
  2. Did you try to reach someone at OVH about these issues?

Edit: the issue seems to be on OVH’s side according to https://lab.enough.community/main/infrastructure/issues/8#note_1762

I apologize for the delay and for the fact that I haven’t yet given Enough the attention it deserves. I’m in some deep water these days and probably for some weeks to come.

OT

Over the last couple of years I’ve been trying to achieve something very similar to Enough (at least from the user’s standpoint). I called it Lobster network.

At the beginning I used DigitalOcean droplets managed via debops/ansible, but then I realized it would be too easy to dump the droplets’ RAM, which makes encryption useless. So I moved my prototype to a bare-metal encrypted server (Hetzner), still managed via debops/ansible, running Proxmox and serving VMs providing a very similar scenario to DO’s one.

My prototype is not at production level (I have difficulties with some services) but it’s good enough to work with the other project that I called Uopo: a stripped-down LineageOS running on OnePlus devices, meant to provide a bit more privacy to the user.

I started Lobster because I felt outraged after reading E.S. revelations etc. It happened automatically and I couldn’t stop it. Judging from the name it seems like Enough was started in a similar way.

You can imagine how happy I was when @nqb told me about Enough, especially when I realized that Enough is far more mature and also includes SecureDrop.
Even the list of software you have chosen matches my own almost entirely (but you provide more).

/OT

Now, I have a few questions about Enough, OpenStack and OVH. Please consider my absolute ignorance regarding all of them.

  1. Have you ever considered running Enough on bare-metal servers with VMs instead of using OpenStack?

  2. If 1 == true, what were the reasons for dropping it?

  3. Would it make sense to have an Enough clone (like Lobster) which runs on more old-school bare-metal servers?

I spun off another topic here which is somehow connected to this one.

No.

The general idea is that an Enough instance should be able to migrate from cloud to bare metal depending on the threat model. There currently is no documented migration path and I’ve only done it a couple of times. It’s not rocket science: if a service can run on a VM it can also run on bare metal :slight_smile: And migrating from a VM to bare metal is not much more than rsync + start a service.

Installing SecureDrop on bare metal is already well documented and, as far as I can tell, it is the only use case that deserves it. The ad-hoc part is how to connect the two and when. To be honest I’m not sure how to document it properly because it very much depends on the context.

Yes. There are two distinct steps in Enough: creating hosts (via OpenStack) and provisioning them (via Ansible). If you already have hosts, it is possible (and I actually do that sometimes) to manually add the host IP to the Ansible list of hosts and run Enough as if it was provisioned by OpenStack.

1 Like

Sorry @loic, I wasn’t clear. I meant a bare-metal server running a hypervisor (like Proxmox) which hosts the necessary VMs to provide the services provided by Enough.

So the question becomes:

Have you ever considered running Enough on one or more bare-metal hypervisor(s) hosting the required VMs instead of using OpenStack?

No, I did not :slight_smile: