openstack team mailing list archive

[Sylvain Bauza <sylvain.bauza@xxxxxxxxxxxx>]

Hi Shawn,

Le 25/02/2013 06:20, Shawn Starr a écrit :
> Hello folks,
>
> I am starting to look at OpenStack and noticed there are some things it
> doesn't seem to be able to do right now?
>
> 1) Managing the nova-compute (hypervisor) - I see no options on how to control
> what nova-compute nodes can be 'provisioned' into an OpenStack cloud, I'd
> consider that a security risk (potentially) if any computer could just
> register to become a nova-compute?
There are various ways for implementing security on Nova-compute. One 
would be to grant mysql access for keystone and nova to only some IPs, 
it would be enough for preventing nova-compute to start (and 
consequently avoiding this hypervisor to be elected for new instances).
I do admit this is a very basic test which doesn't prevent the host to 
be compromised, of course.

> The reason I ask this question is how do we handle hardware failures? How can
> we manually move a instance/VM off a nova-compute? I see instructions on
> setting up the hypervisor to move VM instances but no actual commands to issue
> a move manually.
>
> 2) Can we build a diskless nova-compute? just one kernel/initramfs with the
> various configurations, libvirt, file storage network mounts, openvswitch setup
> etc inside it?

These two questions can be answered by implementing a shared resource 
system for Nova instances, like GlusterFS and allowing libvirt to 
perform live migrations.
http://docs.openstack.org/trunk/openstack-compute/admin/content/live-migration-usage.html
http://gluster.org/community/documentation//index.php/OSConnect

> 3) keystone seems a lot of work to setup with all the various URLs, we plan to
> streamline this somehow?
I don't get the point. There is only an initial setup to do for creating 
endpoints and services, but that's it.
Even this step can be automated thanks to some 3rd-party tools, like Puppet.
http://docs.openstack.org/trunk/openstack-compute/admin/content/ch_openstack-compute-automated-installations.html



> When I used OpenNebula I found the installation similar but simpler (a
> clear distinction between hypervisors themselves and managing them and
> managing the VM instances overall). While OpenStack is new I would expect it
> to be missing functionality currently.

Could you please explain what is your need ?

Hope it helps,
-Sylvain

> Thanks,
> Shawn
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp