Open Stack

> I'm curious about what kind of information flow / control you see
> happenning between the new component (whatever its name is :-) and
> the compute nodes. From a security POV, the nova-compute service is
> probably the least trusted part of our entire stack. Talking to the
> DB implies a fairly high level of trust for the new service. As such
> I'd hope that RPC calls are primarly /from/ the new service, to the
> compute and minimal (or even none) in the other direction, so that
> we're always goiong from high trusted component to a low trusted
> component

That would be nice, of course, but I'm not sure how realistic it is. 
Unless the conductor (or whatever) knows what virt driver (and probably, 
version) is in use on the actual compute node, it would be hard to dig 
up and send the information it's going to need ahead of time. The xen 
driver is quite a bit more db-happy than the libvirt one, and I'd hate 
to spend a bunch of cycles looking up agent build and aggregate 
information before each call that *might* use it on the compute node. If 
we try to enlighten the conductor in such a way, I think we would be 
further exacerbating our upgrade problems.

-- 
Dan Smith
IBM Linux Technology Center