[openstack-dev] [Nova] no-db-compute, a new service
Russell Bryant
rbryant at redhat.com
Tue Nov 13 14:21:11 UTC 2012
On 11/13/2012 05:07 AM, Daniel P. Berrange wrote:
> On Fri, Nov 09, 2012 at 01:04:50PM -0500, Russell Bryant wrote:
>> Greetings,
>>
>> Dan Smith and I are getting pretty close to finishing the first stage of
>> no-db-compute work for Grizzly. Specifically, that means these two things:
>>
>> 1) Sending more data from the nova-api service to avoid db reads in
>> nova-compute.
>>
>> 2) Pulling db access out of nova virt drivers and having the only code
>> in nova-compute that touches the db in nova/compute/manager.py.
>
> [snip]
>
>> Some questions, complications, vagueness:
>
> I'm curious about what kind of information flow / control you see
> happening between the new component (whatever its name is :-) and
> the compute nodes. From a security POV, the nova-compute service is
> probably the least trusted part of our entire stack. Talking to the
> DB implies a fairly high level of trust for the new service. As such
> I'd hope that RPC calls are primarily /from/ the new service, to the
> compute and minimal (or even none) in the other direction, so that
> we're always going from high trusted component to a low trusted
> component
What you suggest is the eventual goal. We'd like to get to a point
where nova-compute is stripped down to a very simple slave service.
In the short term, we were thinking that nova-compute *would* be doing
some rpc calls up to the new service. It would be turning db writes
into rpc calls to the new service. That's just the quick "move db
access out right now" part. As we re-work how various operations in
nova-compute work, all of these would go away.
Of course, this begs the question, "does changing db writes to rpc calls
to a new service improve security?"
I think it does ... at least instead of direct db access to do
*anything*, you're limited to what is exposed via rpc. If any of this
is still around by the time secure messaging is in place, we could do
further checking to make sure the rpc calls are only coming from compute
nodes that would have a reason to update information about a given instance.
--
Russell Bryant
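To make the trust argument concrete, here is an added sketch (not Nova code; the in-memory instance table, the `calling_host` identity and the column allow-list are assumptions) of a narrowed RPC endpoint in front of the db, beside the direct-write access nova-compute has today. It shows both points from the reply: compute is limited to what the RPC surface exposes, and a call is checked against the host that actually owns the instance.

```python
"""Illustrative 'db proxy' RPC endpoint between nova-compute and the database.

Added example, not Nova code. INSTANCES stands in for the instances table and
calling_host for the authenticated sender identity secure messaging would give.
"""

# Constructed sample rows: instance uuid -> row; 'host' is the compute node the
# scheduler placed the instance on.
INSTANCES = {
    "inst-1": {"host": "compute-a", "vm_state": "active", "task_state": None},
    "inst-2": {"host": "compute-b", "vm_state": "active", "task_state": None},
}

# Columns a compute node has a legitimate reason to change (assumed allow-list).
COMPUTE_WRITABLE = {"vm_state", "task_state", "power_state"}


class NotAuthorized(Exception):
    pass


def direct_db_update(instance_uuid, updates):
    """What a compute node with a db connection can do today: change any
    column of any instance, including 'host' (i.e. claim someone else's)."""
    INSTANCES[instance_uuid].update(updates)
    return dict(INSTANCES[instance_uuid])


def rpc_instance_update(calling_host, instance_uuid, updates):
    """The narrowed RPC method the reply describes: only instances hosted on
    the caller, and only allow-listed columns, can be written."""
    row = INSTANCES.get(instance_uuid)
    if row is None:
        raise KeyError(instance_uuid)
    # A compute node may only update instances scheduled onto it.
    if row["host"] != calling_host:
        raise NotAuthorized(f"{calling_host} does not host {instance_uuid}")
    # Even for its own instances, it cannot touch arbitrary columns.
    disallowed = set(updates) - COMPUTE_WRITABLE
    if disallowed:
        raise NotAuthorized(f"not writable over rpc: {sorted(disallowed)}")
    row.update(updates)
    return dict(row)
```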