[openstack-dev] Cells design issue
Robert Collins
robertc at robertcollins.net
Fri Jun 14 02:09:30 UTC 2013
On 14 June 2013 10:11, Kevin L. Mitchell <kevin.mitchell at rackspace.com> wrote:
> On Fri, 2013-06-14 at 09:52 +1200, Robert Collins wrote:
>> On 14 June 2013 09:50, Kevin L. Mitchell <kevin.mitchell at rackspace.com> wrote:
>> > Thoughts?
>>
>> How/why is a cell different from a node in this respect? [Serious question].
>
> So, for inter-node communication within a given nova instance (cell),
> there is a single Rabbit queue (or whatever) that all the nova services
> connect to. Since there's only one, this queue can be identified via
> configuration.
Ok. Also note that every compute host can have its own rabbit
credentials - and IMNSHO should - so that when a compromise happens
the tainted host can be cut off without affecting other hosts. Same as
you do for mysql access, etc.
> With cells, it's different; each cell essentially has its own queue that
> it listens to. (This could be the single Rabbit queue that all its
> services listen to, I think, or could be something totally different
> reserved solely for inter-cell communication.) This means that, for one
> cell to talk to another, it must know how to talk to that other cell,
> and thus that data must be bound together with the information about
> what cells exist. At present, we do this through the database.
>
> Make sense?
Not entirely.
You have a rabbit bus for cross-cell communications, and an endpoint
on that bus for each cell. Cells need to know about other endpoints
for some reason [what cross-cell comms go on?]. That doesn't imply
globally accessible credential, because getting on the bus is a
separate concern.
Or - are you saying that it's actually a set of triples - (source cell,
target cell, rabbit bus to use) - and because of this we don't know
which credentials to use? In that case I'd suggest that we still want
each machine connecting to each bus to have unique credentials, and
the only places they should be stored are the rabbit server, and the
machine using the credentials.
-Rob
--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services
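The per-host bus credential scheme Rob argues for above (one broker user per connecting machine, secret held only by that machine and the broker, revocation of a tainted host leaving every other host untouched), as an added illustration written for this page. It is not nova or OpenStack code: the `Broker` class is an in-memory stand-in for a RabbitMQ vhost's user and permission table, the host names, vhost name and the `compute.<host>` queue-naming convention are constructed assumptions, and the `rabbitmqctl` lines it emits are only returned as strings, never executed.

```python
"""Per-host message-bus credentials: one RabbitMQ user per compute host,
scoped to that host's own queue, so revoking a compromised host is a
single delete_user that cuts off nothing else.

Example code for this thread, not nova's. Host names, the 'nova' vhost
and the 'compute.<host>' queue naming are assumptions."""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Broker:
    """In-memory stand-in for one RabbitMQ vhost's user/permission table."""
    vhost: str
    # user -> (configure, write, read) permission regexes, as rabbitmqctl takes them
    users: dict = field(default_factory=dict)
    # the rabbitmqctl commands that would apply each change on a real broker
    commands: list = field(default_factory=list)


def provision_host(broker: Broker, host: str) -> dict:
    """Create a unique user for `host`, permitted only on that host's own queue.

    Returns the credential block that belongs on exactly one machine (the host).
    The broker keeps the user and its permission regexes; no secret is shared
    between hosts, so there is nothing global to leak.
    """
    user = f"nova-{host}"
    password = secrets.token_urlsafe(24)  # generated per host at provision time
    # RabbitMQ permissions are regexes over resource names (configure/write/read).
    # The host may declare and read only its own queue and may publish to the
    # shared 'nova' exchange or its own queue; other hosts' queues are out of reach.
    scope = (rf"^compute\.{host}$", rf"^(nova|compute\.{host})$", rf"^compute\.{host}$")
    broker.users[user] = scope
    broker.commands += [
        # password deliberately elided from the command log
        f"rabbitmqctl add_user {user} <password>",
        f"rabbitmqctl set_permissions -p {broker.vhost} {user} "
        f"'{scope[0]}' '{scope[1]}' '{scope[2]}'",
    ]
    return {"host": host, "user": user, "password": password, "vhost": broker.vhost}


def revoke_host(broker: Broker, host: str) -> list:
    """Cut a tainted host off the bus. Returns the users that still have access."""
    user = f"nova-{host}"
    broker.users.pop(user, None)
    broker.commands.append(f"rabbitmqctl delete_user {user}")
    return sorted(broker.users)


def can_consume(broker: Broker, user: str, queue: str) -> bool:
    """Would the broker let `user` read from `queue` under its read regex?"""
    if user not in broker.users:
        return False
    return re.fullmatch(broker.users[user][2], queue) is not None


if __name__ == "__main__":
    b = Broker(vhost="nova")
    for h in ("compute01", "compute02"):
        provision_host(b, h)
    print("compute01 reads its queue:", can_consume(b, "nova-compute01", "compute.compute01"))
    print("compute01 reads compute02's queue:", can_consume(b, "nova-compute01", "compute.compute02"))
    print("after revoking compute01, still connected:", revoke_host(b, "compute01"))
    print("\n".join(b.commands))
```

The contrast with a single shared credential is the point: with one user for every host, the only way to cut off a tainted machine is to rotate the secret everywhere, which is exactly the "affecting other hosts" outage Rob wants to avoid. The permission regexes are the second half of the same idea; a unique login is of limited value if it can still read every other host's queue.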