[openstack-dev] [Nova] no-db-compute, a new service

Joshua Harlow harlowja at yahoo-inc.com
Tue Nov 13 21:59:08 UTC 2012


Why not just go to the end goal immediately.

Or do u think that¹s not possible?

On 11/13/12 6:21 AM, "Russell Bryant" <rbryant at redhat.com> wrote:

>On 11/13/2012 05:07 AM, Daniel P. Berrange wrote:
>> On Fri, Nov 09, 2012 at 01:04:50PM -0500, Russell Bryant wrote:
>>> Greetings,
>>>
>>> Dan Smith and I are getting pretty close to finishing the first stage
>>>of
>>> no-db-compute work for Grizzly.  Specifically, that means these two
>>>things:
>>>
>>> 1) Sending more data from the nova-api service to avoid db reads in
>>> nova-compute.
>>>
>>> 2) Pulling db access out of nova virt drivers and having the only code
>>> in nova-compute that touches the db in nova/compute/manager.py.
>> 
>> [snip]
>> 
>>> Some questions, complications, vagueness:
>> 
>> I'm curious about what kind of information flow / control you see
>> happenning between the new component (whatever its name is :-) and
>> the compute nodes. From a security POV, the nova-compute service is
>> probably the least trusted part of our entire stack. Talking to the
>> DB implies a fairly high level of trust for the new service. As such
>> I'd hope that RPC calls are primarly /from/ the new service, to the
>> compute and minimal (or even none) in the other direction, so that
>> we're always goiong from high trusted component to a low trusted
>> component
>
>What you suggest is the eventual goal.  We'd like to get to a point
>where nova-compute is stripped down to a very simple slave service.
>
>In the short term, we were thinking that nova-compute *would* be doing
>some rpc calls up to the new service.  It would be turning db writes
>into rpc calls to the new service.  That's just the quick "move db
>access out right now" part.  As we re-work how various operations in
>nova-compute work, all of these would go away.
>
>Of course, this begs the question, "does changing db writes to rpc calls
>to a new service improve security?"
>
>I think it does ... at least instead of direct db access to do
>*anything*, you're limited to what is exposed via rpc.  If any of this
>is still around by the time secure messaging is in place, we could do
>further checking to make sure the rpc calls are only coming from compute
>nodes that would have a reason to update information about a given
>instance.
>-- 
>Russell Bryant
>
>_______________________________________________
>OpenStack-dev mailing list
>OpenStack-dev at lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list