[openstack-dev] [olso][neutron] proxying oslo.messaging from management network into tenant network/VMs
Isaku Yamahata
isaku.yamahata at gmail.com
Wed Apr 9 08:33:49 UTC 2014
Hello developers.
As discussed many times so far[1], there are many projects that need
to propagate RPC messages into VMs running on OpenStack. Neutron in my case.
My idea is to relay RPC messages from the management network into the tenant
network over a file-like object. By file-like object, I mean virtio-serial,
unix domain socket, unix pipe and so on.
I've written some code based on oslo.messaging[2][3] and documentation
on use cases.[4][5]
Only file-like transport and proxying messages would be in oslo.messaging
and agent side code wouldn't be a part of oslo.messaging.
use cases ([5] for more figures):
file-like object: virtio-serial, unix domain socket, unix pipe

    server <-> AMQP <-> agent in host <-virtio serial-> guest agent in VM
        per VM

    server <-> AMQP <-> agent in host <-unix socket/pipe->
        agent in tenant network <-> guest agent in VM

So far there are security concerns about forwarding oslo.messaging from management
network into tenant network. One approach is to allow only cast-RPC from
server to guest agent in VM so that guest agent in VM only receives messages
and can't send anything to servers. With unix pipe, it's write-only
for server, read-only for guest agent.
Thoughts? Comments?
Details of Neutron NFV use case[6]:
Neutron services so far typically run agents in host; the host agent
in host receives RPCs from neutron server, then it executes necessary
operations. Sometimes the agent in host issues RPC to neutron server
periodically (e.g. status report etc.).
It's desirable to make such services virtualized as Network Function
Virtualization (NFV), i.e. make those features run in VMs. So it's quite
a natural approach to propagate those RPC messages into agents in VMs.
[1] https://wiki.openstack.org/wiki/UnifiedGuestAgent
[2] https://review.openstack.org/#/c/77862/
[3] https://review.openstack.org/#/c/77863/
[4] https://blueprints.launchpad.net/oslo.messaging/+spec/message-proxy-server
[5] https://wiki.openstack.org/wiki/Oslo/blueprints/message-proxy-server
[6] https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms
--
Isaku Yamahata <isaku.yamahata at gmail.com>
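
The cast-only, one-way relay over a unix pipe described in the message above, as an added example that is not part of the original post and is not oslo.messaging code. The message fields (`type`, `reply_to`), the length-prefixed JSON framing and the size cap are assumptions made for illustration; an in-process `os.pipe()` stands in for the host-to-guest pipe.

```python
import json
import os
import struct

MAX_FRAME = 64 * 1024  # assumed cap on one relayed message

def relay_cast(wfd, msg):
    """Host side: forward a message only if it is a cast (no reply expected)."""
    if msg.get("type") != "cast" or "reply_to" in msg:
        return False  # call-RPC never crosses into the tenant side
    body = json.dumps(msg).encode("utf-8")
    if len(body) > MAX_FRAME:
        return False
    os.write(wfd, struct.pack("!I", len(body)) + body)  # length-prefixed frame
    return True

def _read_exact(rfd, n):
    buf = b""
    while len(buf) < n:
        chunk = os.read(rfd, n - len(buf))
        if not chunk:
            raise EOFError("pipe closed")
        buf += chunk
    return buf

def recv_cast(rfd):
    """Guest side: read one frame from the read-only end of the pipe."""
    (length,) = struct.unpack("!I", _read_exact(rfd, 4))
    if length > MAX_FRAME:
        raise ValueError("oversized frame")
    return json.loads(_read_exact(rfd, length))

def guest_can_write(rfd):
    """True only if the guest's descriptor could carry data back to the host."""
    try:
        os.write(rfd, b"x")
        return True
    except OSError:
        return False

def demo():
    rfd, wfd = os.pipe()  # host keeps wfd, guest agent keeps rfd
    msgs = [  # constructed sample messages
        {"type": "cast", "method": "update_port", "args": {"mtu": 1450}},
        {"type": "call", "method": "get_state", "reply_to": "reply_q1"},
    ]
    sent = [relay_cast(wfd, m) for m in msgs]
    os.close(wfd)
    received = []
    try:
        while True:
            received.append(recv_cast(rfd))
    except EOFError:
        pass
    return sent, received, guest_can_write(rfd)
```

The guest-side descriptor rejects writes at the OS level, so the one-way property does not depend on the guest agent behaving correctly; the cast filter is enforced on the host side before anything reaches the pipe.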