[openstack-dev] [nova][trove] Protected openstack resources

Doug Hellmann doug at doughellmann.com
Thu Jun 4 13:45:22 UTC 2015

Excerpts from Amrith Kumar's message of 2015-06-04 12:46:37 +0000:
> John,
> Thanks for your note. I've updated the review at https://review.openstack.org/#/c/186357/ with answers to some of your questions (and I added you to that review).
> Trove's use-case like some of the other projects listed is different from Glance in that Trove has a guest agent. I've tried to explain that in more detail in patch set 5. I'd appreciate your comments.

We solved this in Akanda by placing the service VMs in a special
tenant, isolating them with security group rules, and then giving
the agent running in the VM a REST API connected to a private
management network owned by the same tenant that owns the VM. All
communication with the agent starts from a service on the outside,
through that management network. The VMs act as routers, so they
are also attached to the cloud-user's networks, but the agent doesn't
respond on those networks.


More information about the OpenStack-dev mailing list