[openstack-dev] [nova][trove] Protected openstack resources

Doug Hellmann doug at doughellmann.com
Thu Jun 4 13:45:22 UTC 2015


Excerpts from Amrith Kumar's message of 2015-06-04 12:46:37 +0000:
> John,
> 
> Thanks for your note. I've updated the review at https://review.openstack.org/#/c/186357/ with answers to some of your questions (and I added you to that review).
> 
> Trove's use-case like some of the other projects listed is different from Glance in that Trove has a guest agent. I've tried to explain that in more detail in patch set 5. I'd appreciate your comments.

We solved this in Akanda by placing the service VMs in a special
tenant, isolating them with security group rules, and then giving
the agent running in the VM a REST API connected to a private
management network owned by the same tenant that owns the VM. All
communication with the agent starts from a service on the outside,
through that management network. The VMs act as routers, so they
are also attached to the cloud-user's networks, but the agent doesn't
respond on those networks.

Doug
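The isolation pattern Doug describes, as an added example that is not Akanda's code and not part of the original thread: the agent binds only to the address the service VM holds on the tenant's private management network (never to all interfaces), and the VM's security group admits the agent's port only from that network, so a request arriving via a cloud-user network is dropped twice over. The management CIDR, the VM's addresses, the agent port and the rule model are all constructed for illustration; Neutron's actual security-group semantics are only approximated by the allow-list evaluator below.

```python
"""Added example (not Akanda or Trove code): management-network-only agent reachability.

Constructed assumptions: management network 10.0.100.0/24, agent REST port 5000,
a service VM with one address on the management network and one on a cloud-user network.
"""
import ipaddress
from dataclasses import dataclass

MGMT_NET = ipaddress.ip_network("10.0.100.0/24")   # constructed tenant management network
AGENT_PORT = 5000                                   # constructed agent REST port


@dataclass(frozen=True)
class SGRule:
    """A simplified security-group rule: direction, protocol, port range, remote CIDR."""
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp" or "any"
    port_min: int
    port_max: int
    remote_prefix: str  # CIDR from which the rule admits traffic


def agent_security_group():
    """The only ingress rule the service VM carries: the agent port, from the management network.
    Anything not matched by a rule is dropped (security groups are allow-lists)."""
    return [SGRule("ingress", "tcp", AGENT_PORT, AGENT_PORT, str(MGMT_NET))]


def ingress_allowed(rules, src_ip, proto, dst_port):
    """Evaluate a packet against the rule set; default deny when no ingress rule matches."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.direction != "ingress":
            continue
        if rule.protocol not in ("any", proto):
            continue
        if not (rule.port_min <= dst_port <= rule.port_max):
            continue
        if src in ipaddress.ip_network(rule.remote_prefix):
            return True
    return False


def management_bind_address(interface_addrs):
    """Choose the VM address inside the management network for the agent's listener.

    The agent never binds 0.0.0.0: if the VM has no management address the agent
    refuses to start rather than falling back to the cloud-user networks."""
    for addr in interface_addrs:
        if ipaddress.ip_address(addr) in MGMT_NET:
            return addr
    raise RuntimeError("no management-network address on this VM; refusing to start agent")


def agent_accepts(interface_addrs, rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Both layers must agree: the security group admits the packet, and it is addressed
    to the management interface the agent actually listens on."""
    bind_addr = management_bind_address(interface_addrs)
    return dst_ip == bind_addr and ingress_allowed(rules, src_ip, proto, dst_port)


if __name__ == "__main__":
    vm_addrs = ["10.0.100.7", "192.168.1.1"]   # constructed: management side, cloud-user side
    rules = agent_security_group()
    print("from service on mgmt net :", agent_accepts(vm_addrs, rules, "10.0.100.2", "10.0.100.7", AGENT_PORT))
    print("from tenant workload     :", agent_accepts(vm_addrs, rules, "192.168.1.50", "192.168.1.1", AGENT_PORT))
    print("spoofed to mgmt address  :", agent_accepts(vm_addrs, rules, "192.168.1.50", "10.0.100.7", AGENT_PORT))
```

The two checks are deliberately independent: the security group stops traffic before it reaches the VM, and the bind address means that even a rule mistake would leave nothing listening on the cloud-user side. A real deployment would also have to keep the management network owned by the service tenant so cloud users cannot attach ports to it.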


