[Openstack-operators] control guest VMs in isolated network
Volodymyr Litovka
doka.ua at gmx.com
Tue May 23 10:11:41 UTC 2017
Hi colleagues,

are there ways to control guest VMs which reside in an isolated network?

In general, two methods are available:

1. use Heat's SoftwareDeployment method
2. use Qemu Guest Agent

The first method requires accessibility of Keystone/Heat (os-collect-agent
authorizes on Keystone, receives the endpoints list and uses Heat's public
endpoint to deploy changes), but, since the network is isolated, these
addresses are inaccessible. It can work if Neutron can provide proxying
like it does for the Metadata server, but I didn't find this kind of
functionality either in Neutron's documentation or in other sources.
And I don't want to add another NIC to the VM for access to Keystone/Heat,
since it violates the customer's rules (this is, by design, an isolated
network with just a VPN connection to the premises). So the first question
is - *whether Neutron can proxy requests to Keystone/Heat like it does for
Metadata*?

The second method (using qemu guest agent) gives some control of the VM,
but, again, I wasn't able to find how this can be achieved using Nova.
There are some mentions of this functionality but no details and examples.
So, the second question - *whether Nova supports qemu guest agent and
allows the use of available calls of the QEMU-ga protocol, including
'guest-exec**'*?

And maybe there are other methods, or ways to use the methods mentioned
above, to bypass isolation while keeping it?

Thank you!
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison