[openstack-dev] [Oslo] oslo.messaging on VMs

Daniel P. Berrange berrange at redhat.com
Thu Mar 6 17:24:32 UTC 2014

On Thu, Mar 06, 2014 at 07:25:37PM +0400, Dmitry Mescheryakov wrote:
> Hello folks,
> A number of OpenStack and related projects have a need to perform
> operations inside VMs running on OpenStack. A natural solution would
> be an agent running inside the VM and performing tasks.
> One of the key questions here is how to communicate with the agent. An
> idea which was discussed some time ago is to use oslo.messaging for
> that. That is an RPC framework - what is needed. You can use different
> transports (RabbitMQ, Qpid, ZeroMQ) depending on your preference or
> connectivity your OpenStack networking can provide. At the same time
> there is a number of things to consider, like networking, security,
> packaging, etc.
> So, messaging people, what is your opinion on that idea? I've already
> raised that question in the list [1], but seems like not everybody who
> has something to say participated. So I am resending with the
> different topic. For example, yesterday we started discussing security
> of the solution in the openstack-oslo channel. Doug Hellmann at the
> start raised two questions: is it possible to separate different
> tenants or applications with credentials and ACL so that they use
> different queues? My opinion that it is possible using RabbitMQ/Qpid
> management interface: for each application we can automatically create
> a new user with permission to access only her queues. Another question
> raised by Doug is how to mitigate a DOS attack coming from one tenant
> so that it does not affect another tenant. The thing is though
> different applications will use different queues, they are going to
> use a single broker.

Looking at it from the security POV, I'd absolutely not want to
have any tenant VMs connected to the message bus that openstack
is using between its hosts. Even if you have security policies
in place, the inherent architectural risk of such a design is
just far too great. One small bug or misconfiguration and it
opens the door to a guest owning the entire cloud infrastructure.
Any channel between a guest and host should be isolated per guest,
so there's no possibility of guest messages finding their way out
to either the host or to other guests.

If there was still a desire to use oslo.messaging, then at the
very least you'd want a completely isolated message bus for guest
comms, with no connection to the message bus used between hosts.
Ideally the message bus would be separate per guest too, which
means it ceases to be a bus really - just a point-to-point link
between the virt host + guest OS that happens to use the oslo.messaging
wire format.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the OpenStack-dev mailing list