[openstack-dev] Unified Guest Agent proposal
Jay Pipes
jaypipes at gmail.com
Thu Dec 12 18:15:13 UTC 2013
On 12/10/2013 03:49 PM, Ian Wells wrote:
> On 10 December 2013 20:55, Clint Byrum <clint at fewbar.com
> <mailto:clint at fewbar.com>> wrote:
>
> If it is just a network API, it works the same for everybody. This
> makes it simpler, and thus easier to scale out independently of compute
> hosts. It is also something we already support and can very easily
> expand
> by just adding a tiny bit of functionality to neutron-metadata-agent.
>
> In fact we can even push routes via DHCP to send agent traffic through
> a different neutron-metadata-agent, so I don't see any issue where we
> are piling anything on top of an overstressed single resource. We can
> have neutron route this traffic directly to the Heat API which hosts it,
> and that can be load balanced and etc. etc. What is the exact scenario
> you're trying to avoid?
>
>
> You may be making even this harder than it needs to be. You can create
> multiple networks and attach machines to multiple networks. Every point
> so far has been 'why don't we use <idea> as a backdoor into our VM
> without affecting the VM in any other way' - why can't that just be one
> more network interface set aside for whatever management instructions
> are appropriate? And then what needs pushing into Neutron is nothing
> more complex than strong port firewalling to prevent the slaves/minions
> talking to each other. If you absolutely must make the communication
> come from a system agent and go to a VM, then that can be done by
> attaching the system agent to the administrative network - from within
> the system agent, which is the thing that needs this, rather than within
> Neutron, which doesn't really care how you use its networks. I prefer
> solutions where other tools don't have to make you a special case.
I've read through this email thread with quite a bit of curiosity, and I
have to say what Ian says above makes a lot of sense to me. If Neutron
can handle the creation of a "management vNIC" that has some associated
iptables rules governing it that provides a level of security for guest
<-> host and guest <-> $OpenStackService, then the transport problem
domain is essentially solved, and Neutron can be happily ignorant (as it
should be) of any guest agent communication with anything else.
Best,
-jay
More information about the OpenStack-dev
mailing list