[openstack-dev] [Nova] no-db-compute, a new service
Joshua Harlow
harlowja at yahoo-inc.com
Tue Nov 13 22:00:59 UTC 2012
Maybe we should start asking everyone why we can't just send it a libvirt
like xml and this xml or whatever will contain all the information needed
to form the VM (possibly it could even be the libvirt xml if we could get
focus on libvirt as the common VM interface).
Seems like if we can't have a common interface to the compute nodes, then
an abstraction is broken somewhere that needs to be fixed or enforced more
than it is right now, since when something is using the DB for special
features that means it's also lacking in other hypervisors as well.
On 11/13/12 6:21 AM, "Dan Smith" <danms at us.ibm.com> wrote:
>> I'm curious about what kind of information flow / control you see
>> happening between the new component (whatever its name is :-) and
>> the compute nodes. From a security POV, the nova-compute service is
>> probably the least trusted part of our entire stack. Talking to the
>> DB implies a fairly high level of trust for the new service. As such
>> I'd hope that RPC calls are primarily /from/ the new service, to the
>> compute and minimal (or even none) in the other direction, so that
>> we're always going from high trusted component to a low trusted
>> component
>
>That would be nice, of course, but I'm not sure how realistic it is.
>Unless the conductor (or whatever) knows what virt driver (and probably,
>version) is in use on the actual compute node, it would be hard to dig
>up and send the information it's going to need ahead of time. The xen
>driver is quite a bit more db-happy than the libvirt one, and I'd hate
>to spend a bunch of cycles looking up agent build and aggregate
>information before each call that *might* use it on the compute node. If
>we try to enlighten the conductor in such a way, I think we would be
>further exacerbating our upgrade problems.
>
>--
>Dan Smith
>IBM Linux Technology Center