[openstack-dev] Unified Guest Agent proposal
Clint Byrum
clint at fewbar.com
Thu Dec 12 18:48:25 UTC 2013
Excerpts from Jay Pipes's message of 2013-12-12 10:15:13 -0800:
> On 12/10/2013 03:49 PM, Ian Wells wrote:
> > On 10 December 2013 20:55, Clint Byrum <clint at fewbar.com
> > <mailto:clint at fewbar.com>> wrote:
> >
> > If it is just a network API, it works the same for everybody. This
> > makes it simpler, and thus easier to scale out independently of compute
> > hosts. It is also something we already support and can very easily
> > expand
> > by just adding a tiny bit of functionality to neutron-metadata-agent.
> >
> > In fact we can even push routes via DHCP to send agent traffic through
> > a different neutron-metadata-agent, so I don't see any issue where we
> > are piling anything on top of an overstressed single resource. We can
> > have neutron route this traffic directly to the Heat API which hosts it,
> > and that can be load balanced and etc. etc. What is the exact scenario
> > you're trying to avoid?
> >
> >
> > You may be making even this harder than it needs to be. You can create
> > multiple networks and attach machines to multiple networks. Every point
> > so far has been 'why don't we use <idea> as a backdoor into our VM
> > without affecting the VM in any other way' - why can't that just be one
> > more network interface set aside for whatever management instructions
> > are appropriate? And then what needs pushing into Neutron is nothing
> > more complex than strong port firewalling to prevent the slaves/minions
> > talking to each other. If you absolutely must make the communication
> > come from a system agent and go to a VM, then that can be done by
> > attaching the system agent to the administrative network - from within
> > the system agent, which is the thing that needs this, rather than within
> > Neutron, which doesn't really care how you use its networks. I prefer
> > solutions where other tools don't have to make you a special case.
>
> I've read through this email thread with quite a bit of curiosity, and I
> have to say what Ian says above makes a lot of sense to me. If Neutron
> can handle the creation of a "management vNIC" that has some associated
> iptables rules governing it that provides a level of security for guest
> <-> host and guest <-> $OpenStackService, then the transport problem
> domain is essentially solved, and Neutron can be happily ignorant (as it
> should be) of any guest agent communication with anything else.
>
Indeed I think it could work, however I think the NIC is unnecessary.
Seems likely even with a second NIC that said address will be something
like 169.254.169.254 (or the ipv6 equivalent?).
If we want to attach that network as a second NIC instead of pushing a
route to it via DHCP, that is fine. But I don't think it actually gains
much, and the current neutron-metadata-agent already facilitates the
conversation between private guests and 169.254.169.254. We just need to
make sure we can forward more than port 80 through that.
More information about the OpenStack-dev
mailing list