<div dir="ltr"><div><div><div><div>Hi,<br><br></div>When we use Murano in production there is a MQ service which is running on OpenStack controllers but it listens on public interface. It means that both Murano which is running on OpenStack controllers and Agent on VMs have an access to this MQ via external (public) network. <br></div>When Murano creates a new deployment it actually deploys a private network and attach it to the router which acts as a gateway to external networking. So it is specific application deployment topology which allows VMs to communicate with MA via external network. <br><br></div>Thanks<br></div>Gosha<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 7, 2015 at 1:28 AM, Filip Blaha <span dir="ltr"><<a href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>yes. I agree that direction is
important from only networking piont of view. Usually is more
probable that VM on neutron network will be able to access O~S
service ( VM --> rabbit) then opposite direction from O~S
service to VM running on neutron network (mistral --> VM).<span class="HOEnZb"><font color="#888888"><br>
<br>
Filip</font></span><div><div class="h5"><br>
<br>
<br>
On 05/06/2015 06:39 PM, Georgy Okrokvertskhov wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Connection direction here is important only in the
frame of networking connectivity problem solving. The
networking in OpenStack in general works in such a way so
that connections from VM are allowed to almost anywhere.
In Murano production deployment we use separate MQ
instance so that VMs have no access to OpenStack MQ.<br>
<br>
</div>
In the sense who initiates task execution it always a Murano
service which publishes tasks (shell script + necessary
files) in the MQ so that agent can pull them and execute.<br>
<br>
</div>
Thanks<br>
</div>
Gosha<br>
<div>
<div><br>
<br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 6, 2015 at 9:31 AM, Filip
Blaha <span dir="ltr"><<a href="mailto:filip.blaha@hp.com" target="_blank">filip.blaha@hp.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello<br>
<br>
one more note on that. There is difference in direction who
initiates connection. In case of murano agent --> rabbit
MQ is connection initiated from VM to openstack
service(rabbit). In case of std.ssh mistral action is
direction opposite from openstack service (mistral) to ssh
server on VM.<span><font color="#888888"><br>
<br>
Filip</font></span>
<div>
<div><br>
<br>
On 05/06/2015 06:00 PM, Pospisil, Radek wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I think that the generic question is - can be O~S
services also accessible on Neutron networks, so VM
(created by Nova) can access it? We (I and Filip) were
discussing this today and we were not make a final
decision.<br>
Another example is Murano agent running on VMs - it
connects to RabbitMQ which is also accessed by Murano
engine....<br>
<br>
Regards,<br>
<br>
Radek<br>
<br>
-----Original Message-----<br>
From: Blaha, Filip<br>
Sent: Wednesday, May 06, 2015 5:43 PM<br>
To: <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
Subject: [openstack-dev] [Murano] [Mistral] SSH
workflow action<br>
<br>
Hello<br>
<br>
We are considering implementing actions on services
of a murano environment via mistral workflows. We are
considering whether mistral std.ssh action could be
used to run some command on an instance. Example of
such action in murano could be restart action on Mysql
DB service.<br>
Mistral workflow would ssh to that instance running
Mysql and run "service mysql restart". From my point
of view trying to use SSH to access instances from
mistral workflow is not good idea but I would like to
confirm it.<br>
<br>
The biggest problem I see there is openstack
networking. Mistral service running on some openstack
node would not be able to access instance via its
fixed IP (e.g. 10.0.0.5) via SSH. Instance could
accessed via ssh from namespace of its gateway router
e.g. "ip netns exec qrouter-... ssh <a href="mailto:cirros@10.0.0.5" target="_blank">cirros@10.0.0.5</a>" but I think it
is not good to rely on implementation detail of
neutron and use it. In multinode openstack deployment
it could be even more complicated.<br>
<br>
In other words I am asking whether we can use std.ssh
mistral action to access instances via ssh on theirs
fixed IPs? I think no but I would like to confirm it.<br>
<br>
Thanks<br>
Filip<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
</blockquote>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr"><font color="#999999"><span style="background-color:rgb(255,255,255)">Georgy
Okrokvertskhov<br>
Architect,<br>
<span style="font-family:arial;font-size:small">OpenStack
Platform Products,</span><br>
Mirantis</span><br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1 650 963 9828</a><br>
Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1 650 996 3284</a></font><br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#999999"><span style="background-color:rgb(255,255,255)">Georgy Okrokvertskhov<br>
Architect,<br><span style="font-family:arial;font-size:small">OpenStack Platform Products,</span><br>
Mirantis</span><br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. +1 650 963 9828<br>
Mob. +1 650 996 3284</font><br></div></div>
</div>