<div dir="ltr">
<p style="margin-bottom:0cm;line-height:100%">Hi all,</p>
<p style="margin-bottom:0cm;line-height:100%">At this moment we
have a couple of services that need to consume connections from a
message queue on the client side.</p>
<p style="margin-bottom:0cm;line-height:100%">This has raised change
requests that fix the issue with different approaches. Those change
requests have several implications for Kolla's overall architecture
and security; that being said, we will need a discussion about message
queue consumers on the client side in order to apply the best solution,
avoiding as far as we can all risk to the infrastructure.</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">As far as I know,
murano-agent and trove-agent need to connect to RabbitMQ in order to
consume configurations and status tracking from the deployed
services. The agent is installed in the instances. [0] [1]</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">Using Murano as
example, when a new application is deployed, murano-agent
configuration is injected in the instances through cloud-init with
RabbitMQ connection information (user, URL and password). Once the
instance starts, murano-agent communicates with murano-engine through
RabbitMQ in order to get application configurations.</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">As things stand in Kolla
at the moment, Murano won't work unless using older Murano
applications on which the application has been previously installed
and configured in the base image.</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">From this design I
have three different options to fix the issue.</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Allow
services to use actual RabbitMQ cluster in a different vhost: [3]
[4]</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Pros:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Easy to fix
now; there are PS under review at the moment for Murano.</p>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Provides
some isolation per service and is more secure with a
different user/password.</p>
</li></ul>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Cons:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Exposes the
OpenStack infrastructure RabbitMQ to end-users.</p>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Risk of
DDoS attacks against the whole OpenStack infrastructure, as end-user
instances will have access to a RabbitMQ shared between OpenStack
and them.</p>
</li></ul>
</li></ul>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">New RabbitMQ
instances (per service or shared with other services): [5]</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Pros:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">More secure
option; avoids DDoS against the infrastructure and network access
to OpenStack's RabbitMQ.</p>
</li></ul>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Cons:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Overloads the
underlay infrastructure with more RabbitMQ instances.</p>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Inability
to use standard ports because more than one RabbitMQ can share the
same node.</p>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Complex
option to deploy, debug and maintain.</p>
</li></ul>
</li></ul>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Expose
current RabbitMQ to end-user services.</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Pros:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Simple,
easy and less resource consuming.</p>
</li></ul>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Cons:</p>
<ul><li>
<p style="margin-bottom:0cm;line-height:100%">Hell no,
this is not an option.</p>
</li><li>
<p style="margin-bottom:0cm;line-height:100%">Shares
OpenStack's RabbitMQ cluster admin password and exposes network
access to end-users.</p>
</li></ul>
</li></ul>
</li></ul>
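<p style="margin-bottom:0cm;line-height:100%">As an added illustration of the per-vhost isolation in the first option (an editor's example, not part of the original message or of the Kolla patches under review), the following builds a RabbitMQ definitions document that confines a murano-agent user to its own vhost and caps that vhost, with a helper that emulates the broker's permission check. The user names, passwords, resource prefix and the vhost-limits parameter form are assumed placeholders to verify against the deployed RabbitMQ version.</p>

```python
import json
import re

# Constructed example (not from the original email): a RabbitMQ definitions
# document, as imported by the management plugin, giving murano-agent its own
# vhost and a user that cannot reach the infrastructure vhost "/".
# Names, passwords and the resource prefix are assumed placeholders.
DEFINITIONS = {
    "vhosts": [{"name": "/"}, {"name": "murano"}],
    "users": [
        # Plain "password" is hashed on import; "password_hash" also works.
        {"name": "openstack", "password": "CHANGE-ME-infra", "tags": "administrator"},
        {"name": "murano-agent", "password": "CHANGE-ME-agent", "tags": ""},
    ],
    "permissions": [
        # Infra user: full rights on "/" only; it never needs the agent vhost.
        {"user": "openstack", "vhost": "/",
         "configure": ".*", "write": ".*", "read": ".*"},
        # Agent user: only resources under its own prefix, only in its vhost.
        {"user": "murano-agent", "vhost": "murano",
         "configure": "^murano-agent\\.", "write": "^murano-agent\\.",
         "read": "^murano-agent\\."},
    ],
    # Per-vhost caps so a misbehaving tenant cannot exhaust the broker.
    # Assumed representation of `rabbitmqctl set_vhost_limits` in definitions.
    "parameters": [
        {"component": "vhost-limits", "vhost": "murano", "name": "limits",
         "value": {"max-connections": 200, "max-queues": 500}},
    ],
}


def allowed(defs, user, vhost, op, resource):
    """Emulate RabbitMQ's check: the user's regex for `op` ("configure",
    "write" or "read") in `vhost` must match `resource`. No permission row
    for that user/vhost means access is denied, which is what keeps the
    agent user out of the infrastructure vhost."""
    for perm in defs["permissions"]:
        if perm["user"] == user and perm["vhost"] == vhost:
            return re.match(perm[op], resource) is not None
    return False


def dump(defs):
    """Serialise for `rabbitmqadmin import` or POST /api/definitions."""
    return json.dumps(defs, indent=2)
```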
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">There is a thread
which explains the issue and solutions recommended by other teams.
[6]</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">Please, share your
opinion on this matter.</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%">[0]
<a href="https://github.com/openstack/murano/blob/master/doc/source/administrator-guide/murano_agent.rst">https://github.com/openstack/murano/blob/master/doc/source/administrator-guide/murano_agent.rst</a></p>
<p style="margin-bottom:0cm;line-height:100%">[1]
<a href="https://wiki.openstack.org/wiki/Trove/guest_agent_communication">https://wiki.openstack.org/wiki/Trove/guest_agent_communication</a></p>
<p style="margin-bottom:0cm;line-height:100%">[3]
<a href="https://review.openstack.org/#/c/410825/">https://review.openstack.org/#/c/410825/</a></p>
<p style="margin-bottom:0cm;line-height:100%">[4]
<a href="https://review.openstack.org/#/c/411760/">https://review.openstack.org/#/c/411760/</a></p>
<p style="margin-bottom:0cm;line-height:100%">[5]
<a href="https://review.openstack.org/#/c/374525/">https://review.openstack.org/#/c/374525/</a></p>
<p style="margin-bottom:0cm;line-height:100%">[6]
<a href="http://www.gossamer-threads.com/lists/openstack/operators/57816">http://www.gossamer-threads.com/lists/openstack/operators/57816</a></p>
<p style="margin-bottom:0cm;line-height:100%"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%"><br>
Regards,
Eduardo Gonzalez</p>
</div>