[openstack-dev] [Nova] no-db-compute, a new service
Daniel P. Berrange
berrange at redhat.com
Tue Nov 13 14:35:15 UTC 2012
On Tue, Nov 13, 2012 at 09:21:11AM -0500, Russell Bryant wrote:
> On 11/13/2012 05:07 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 09, 2012 at 01:04:50PM -0500, Russell Bryant wrote:
> >> Greetings,
> >>
> >> Dan Smith and I are getting pretty close to finishing the first stage of
> >> no-db-compute work for Grizzly. Specifically, that means these two things:
> >>
> >> 1) Sending more data from the nova-api service to avoid db reads in
> >> nova-compute.
> >>
> >> 2) Pulling db access out of nova virt drivers and having the only code
> >> in nova-compute that touches the db in nova/compute/manager.py.
> >
> > [snip]
> >
> >> Some questions, complications, vagueness:
> >
> > I'm curious about what kind of information flow / control you see
> > happening between the new component (whatever its name is :-) and
> > the compute nodes. From a security POV, the nova-compute service is
> > probably the least trusted part of our entire stack. Talking to the
> > DB implies a fairly high level of trust for the new service. As such
> > I'd hope that RPC calls are primarily /from/ the new service, to the
> > compute and minimal (or even none) in the other direction, so that
> > we're always going from high trusted component to a low trusted
> > component
>
> What you suggest is the eventual goal. We'd like to get to a point
> where nova-compute is stripped down to a very simple slave service.
>
> In the short term, we were thinking that nova-compute *would* be doing
> some rpc calls up to the new service. It would be turning db writes
> into rpc calls to the new service. That's just the quick "move db
> access out right now" part. As we re-work how various operations in
> nova-compute work, all of these would go away.
>
> Of course, this begs the question, "does changing db writes to rpc calls
> to a new service improve security?"
>
> I think it does ... at least instead of direct db access to do
> *anything*, you're limited to what is exposed via rpc. If any of this
> is still around by the time secure messaging is in place, we could do
> further checking to make sure the rpc calls are only coming from compute
> nodes that would have a reason to update information about a given instance.
Ok, that makes sense as an approach to me.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
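As an added illustration of the narrowing discussed above (constructed for this thread, not Nova's own code): turning a compute node's direct db writes into calls to a trusted service only helps if that service's RPC surface is small and checks the caller. The toy below gives the trusted side an `instance_update` call that rejects writes from a host other than the one recorded for the instance and rejects fields outside an allowlist. `InstanceStore`, `ConductorAPI`, `COMPUTE_WRITABLE_FIELDS` and the sample instances are all assumptions of the example; the caller host is taken as a parameter and would in practice have to come from an authenticated messaging layer.

```python
"""Toy model of the trust boundary discussed in the thread.

The compute side never holds a reference to the store; it can only call
ConductorAPI methods, which verify the caller host and restrict which
fields may be changed. Constructed example, not Nova code.
"""

# Fields a compute node has a legitimate reason to update about an
# instance it hosts (assumed allowlist for this example).
COMPUTE_WRITABLE_FIELDS = frozenset({"vm_state", "task_state", "power_state"})


class Forbidden(Exception):
    """Raised when a caller asks for something outside its trust level."""


class InstanceStore:
    """Stand-in for the database; only the trusted service holds it."""

    def __init__(self, instances):
        # uuid -> dict of instance fields (copied so samples stay intact)
        self._instances = {i["uuid"]: dict(i) for i in instances}

    def get(self, uuid):
        return dict(self._instances[uuid])

    def update(self, uuid, fields):
        self._instances[uuid].update(fields)
        return self.get(uuid)


class ConductorAPI:
    """The narrow RPC surface a compute node is allowed to call."""

    def __init__(self, store):
        self._store = store

    def instance_update(self, caller_host, uuid, fields):
        # caller_host is assumed to be established by the messaging layer;
        # without that, it is only as trustworthy as the message itself.
        instance = self._store.get(uuid)
        if instance["host"] != caller_host:
            raise Forbidden(f"{caller_host} does not host instance {uuid}")
        disallowed = set(fields) - COMPUTE_WRITABLE_FIELDS
        if disallowed:
            raise Forbidden(
                f"compute nodes may not update {sorted(disallowed)}")
        return self._store.update(uuid, fields)


SAMPLE_INSTANCES = [  # constructed sample rows
    {"uuid": "inst-1", "host": "compute-a", "vm_state": "building",
     "task_state": "spawning", "power_state": 0, "project_id": "proj-1"},
    {"uuid": "inst-2", "host": "compute-b", "vm_state": "active",
     "task_state": None, "power_state": 1, "project_id": "proj-2"},
]


def demo():
    """Exercise three cases: own instance, wrong host, disallowed field."""
    api = ConductorAPI(InstanceStore(SAMPLE_INSTANCES))
    results = {}
    # compute-a finishes spawning the instance it hosts: allowed
    results["own_instance"] = api.instance_update(
        "compute-a", "inst-1", {"vm_state": "active", "task_state": None})
    # compute-a tries to touch an instance hosted elsewhere: rejected
    try:
        api.instance_update("compute-a", "inst-2", {"vm_state": "error"})
        results["other_host"] = "allowed"
    except Forbidden:
        results["other_host"] = "rejected"
    # compute-b tries to change ownership of its own instance: rejected
    try:
        api.instance_update("compute-b", "inst-2", {"project_id": "proj-1"})
        results["field_outside_allowlist"] = "allowed"
    except Forbidden:
        results["field_outside_allowlist"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the allowlist is the second half of the argument in the thread: even with the host check, a compute node should be able to report state about its guests but not rewrite who owns them or where they live, which direct db access would permit.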