openstack team mailing list archive

Re: where nova-compute runs: KVM vs Xen

On Thu, Apr 5, 2012 at 11:06 AM, Yun Mao <yunmao@xxxxxxxxx> wrote:
> What's the fundamental design decision to make the distinction?
> Presumably, it is not *that* hard to run nova-compute in a KVM VM,
> since the libvirt control socket works on tcp. I can see updating
> iptables rules would be painful but shouldn't we have the same problem
> with Xen? Conversely, it's also not impossible to run nova-compute in
> Dom-0. I understand running something in a VM is more secure in some
> sense than running in Dom0. But shouldn't the same argument apply to
> KVM's case as well?

Fundamentally the answer is more about the architectural differences
between Xen (standalone, type-1 hypervisor) and KVM (integrated,
type-2 hypervisor). You can in fact push more into Dom0 at the risk of
reliability, availability, and security issues. You can also run
services in KVM guests to increase security. However Xen is designed
to support disaggregated [1] service domains and KVM is designed to be
more integrated.

[1] http://wiki.xen.org/wiki/Dom0_Disaggregation

Here are some slides and a video that go into more detail for the Xen
side of things:
http://www.slideshare.net/cloudstack/vbacd-xen-cloud-computing
http://vimeo.com/38636349

Slide 28 summarizes the pros and cons of the two approaches.


Installing in a VM Pros
* Isolation of cloud VM
* Security properties
* Pre-packaged appliance

Installing in a VM Cons
* More complex
* Less flexible/lacks tight integration

Installing directly in Dom0 (or somewhat equivalently the KVM host) Pros
* Simple install
* Flexibility/tight integration

Installing directly in Dom0 (or somewhat equivalently the KVM host) Cons
* Less isolation
* Cloud service is potential entry point to compromise Dom0/KVM host system

Hope that helps.

Thanks,
Todd

-- 
Todd Deshane
http://www.linkedin.com/in/deshantm
http://blog.xen.org/
http://wiki.xen.org/
