[openstack-dev] [Murano] [Mistral] SSH workflow action
Georgy Okrokvertskhov
gokrokvertskhov at mirantis.com
Thu May 7 19:20:37 UTC 2015
Yes, Rabbit MQ is kind of shared. Each VM gets its own Queue which is
dynamically created in MQ when application is being deployed. Technically
we can create separate MQ users and virtual hosts for each VM, but this is
an overkill for now. So by default it is just separate Queue with random
generated name.
If you want more protection you wiull have to change Murano default
behaviour by adding a new vhost for each tenant.
Thanks
Gosha
On Thu, May 7, 2015 at 10:26 AM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
> So... rabbit is not multitenant I think. You share a rabbit across
> multiple tenants's vms? How do you protect one tenant's vm's from getting
> commands sent to it by another tenant?
>
> Thanks,
> Kevin
> ------------------------------
> *From:* Georgy Okrokvertskhov [gokrokvertskhov at mirantis.com]
> *Sent:* Thursday, May 07, 2015 9:18 AM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Murano] [Mistral] SSH workflow action
>
> Hi,
>
> When we use Murano in production there is a MQ service which is running
> on OpenStack controllers but it listens on public interface. It means that
> both Murano which is running on OpenStack controllers and Agent on VMs have
> an access to this MQ via external (public) network.
> When Murano creates a new deployment it actually deploys a private
> network and attach it to the router which acts as a gateway to external
> networking. So it is specific application deployment topology which allows
> VMs to communicate with MA via external network.
>
> Thanks
> Gosha
>
> On Thu, May 7, 2015 at 1:28 AM, Filip Blaha <filip.blaha at hp.com> wrote:
>
>> yes. I agree that direction is important from only networking piont of
>> view. Usually is more probable that VM on neutron network will be able to
>> access O~S service ( VM --> rabbit) then opposite direction from O~S
>> service to VM running on neutron network (mistral --> VM).
>>
>> Filip
>>
>>
>>
>> On 05/06/2015 06:39 PM, Georgy Okrokvertskhov wrote:
>>
>> Connection direction here is important only in the frame of networking
>> connectivity problem solving. The networking in OpenStack in general works
>> in such a way so that connections from VM are allowed to almost anywhere.
>> In Murano production deployment we use separate MQ instance so that VMs
>> have no access to OpenStack MQ.
>>
>> In the sense who initiates task execution it always a Murano service
>> which publishes tasks (shell script + necessary files) in the MQ so that
>> agent can pull them and execute.
>>
>> Thanks
>> Gosha
>>
>>
>>
>> On Wed, May 6, 2015 at 9:31 AM, Filip Blaha <filip.blaha at hp.com> wrote:
>>
>>> Hello
>>>
>>> one more note on that. There is difference in direction who initiates
>>> connection. In case of murano agent --> rabbit MQ is connection initiated
>>> from VM to openstack service(rabbit). In case of std.ssh mistral action is
>>> direction opposite from openstack service (mistral) to ssh server on VM.
>>>
>>> Filip
>>>
>>>
>>> On 05/06/2015 06:00 PM, Pospisil, Radek wrote:
>>>
>>>> Hello,
>>>>
>>>> I think that the generic question is - can be O~S services also
>>>> accessible on Neutron networks, so VM (created by Nova) can access it? We
>>>> (I and Filip) were discussing this today and we were not make a final
>>>> decision.
>>>> Another example is Murano agent running on VMs - it connects to
>>>> RabbitMQ which is also accessed by Murano engine....
>>>>
>>>> Regards,
>>>>
>>>> Radek
>>>>
>>>> -----Original Message-----
>>>> From: Blaha, Filip
>>>> Sent: Wednesday, May 06, 2015 5:43 PM
>>>> To: openstack-dev at lists.openstack.org
>>>> Subject: [openstack-dev] [Murano] [Mistral] SSH workflow action
>>>>
>>>> Hello
>>>>
>>>> We are considering implementing actions on services of a murano
>>>> environment via mistral workflows. We are considering whether mistral
>>>> std.ssh action could be used to run some command on an instance. Example of
>>>> such action in murano could be restart action on Mysql DB service.
>>>> Mistral workflow would ssh to that instance running Mysql and run
>>>> "service mysql restart". From my point of view trying to use SSH to access
>>>> instances from mistral workflow is not good idea but I would like to
>>>> confirm it.
>>>>
>>>> The biggest problem I see there is openstack networking. Mistral
>>>> service running on some openstack node would not be able to access instance
>>>> via its fixed IP (e.g. 10.0.0.5) via SSH. Instance could accessed via ssh
>>>> from namespace of its gateway router e.g. "ip netns exec qrouter-... ssh
>>>> cirros at 10.0.0.5" but I think it is not good to rely on implementation
>>>> detail of neutron and use it. In multinode openstack deployment it could
>>>> be even more complicated.
>>>>
>>>> In other words I am asking whether we can use std.ssh mistral action to
>>>> access instances via ssh on theirs fixed IPs? I think no but I would like
>>>> to confirm it.
>>>>
>>>> Thanks
>>>> Filip
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>>
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>>
>> --
>> Georgy Okrokvertskhov
>> Architect,
>> OpenStack Platform Products,
>> Mirantis
>> http://www.mirantis.com
>> Tel. +1 650 963 9828
>> Mob. +1 650 996 3284
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribehttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Georgy Okrokvertskhov
> Architect,
> OpenStack Platform Products,
> Mirantis
> http://www.mirantis.com
> Tel. +1 650 963 9828
> Mob. +1 650 996 3284
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
Georgy Okrokvertskhov
Architect,
OpenStack Platform Products,
Mirantis
http://www.mirantis.com
Tel. +1 650 963 9828
Mob. +1 650 996 3284
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150507/d1542fea/attachment.html>
More information about the OpenStack-dev
mailing list