So... rabbit is not multitenant I think. You share a rabbit across multiple tenants's vms? How do you protect one tenant's vm's from getting commands sent to it by another tenant?
Thanks, Kevin ________________________________ From: Georgy Okrokvertskhov [gokrokvertsk...@mirantis.com] Sent: Thursday, May 07, 2015 9:18 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Murano] [Mistral] SSH workflow action Hi, When we use Murano in production there is a MQ service which is running on OpenStack controllers but it listens on public interface. It means that both Murano which is running on OpenStack controllers and Agent on VMs have an access to this MQ via external (public) network. When Murano creates a new deployment it actually deploys a private network and attach it to the router which acts as a gateway to external networking. So it is specific application deployment topology which allows VMs to communicate with MA via external network. Thanks Gosha On Thu, May 7, 2015 at 1:28 AM, Filip Blaha <filip.bl...@hp.com<mailto:filip.bl...@hp.com>> wrote: yes. I agree that direction is important from only networking piont of view. Usually is more probable that VM on neutron network will be able to access O~S service ( VM --> rabbit) then opposite direction from O~S service to VM running on neutron network (mistral --> VM). Filip On 05/06/2015 06:39 PM, Georgy Okrokvertskhov wrote: Connection direction here is important only in the frame of networking connectivity problem solving. The networking in OpenStack in general works in such a way so that connections from VM are allowed to almost anywhere. In Murano production deployment we use separate MQ instance so that VMs have no access to OpenStack MQ. In the sense who initiates task execution it always a Murano service which publishes tasks (shell script + necessary files) in the MQ so that agent can pull them and execute. Thanks Gosha On Wed, May 6, 2015 at 9:31 AM, Filip Blaha <filip.bl...@hp.com<mailto:filip.bl...@hp.com>> wrote: Hello one more note on that. There is difference in direction who initiates connection. In case of murano agent --> rabbit MQ is connection initiated from VM to openstack service(rabbit). In case of std.ssh mistral action is direction opposite from openstack service (mistral) to ssh server on VM. Filip On 05/06/2015 06:00 PM, Pospisil, Radek wrote: Hello, I think that the generic question is - can be O~S services also accessible on Neutron networks, so VM (created by Nova) can access it? We (I and Filip) were discussing this today and we were not make a final decision. Another example is Murano agent running on VMs - it connects to RabbitMQ which is also accessed by Murano engine.... Regards, Radek -----Original Message----- From: Blaha, Filip Sent: Wednesday, May 06, 2015 5:43 PM To: openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org> Subject: [openstack-dev] [Murano] [Mistral] SSH workflow action Hello We are considering implementing actions on services of a murano environment via mistral workflows. We are considering whether mistral std.ssh action could be used to run some command on an instance. Example of such action in murano could be restart action on Mysql DB service. Mistral workflow would ssh to that instance running Mysql and run "service mysql restart". From my point of view trying to use SSH to access instances from mistral workflow is not good idea but I would like to confirm it. The biggest problem I see there is openstack networking. Mistral service running on some openstack node would not be able to access instance via its fixed IP (e.g. 10.0.0.5) via SSH. Instance could accessed via ssh from namespace of its gateway router e.g. "ip netns exec qrouter-... ssh cirros@10.0.0.5<mailto:cirros@10.0.0.5>" but I think it is not good to rely on implementation detail of neutron and use it. In multinode openstack deployment it could be even more complicated. In other words I am asking whether we can use std.ssh mistral action to access instances via ssh on theirs fixed IPs? I think no but I would like to confirm it. Thanks Filip __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Georgy Okrokvertskhov Architect, OpenStack Platform Products, Mirantis http://www.mirantis.com<http://www.mirantis.com/> Tel. +1 650 963 9828<tel:%2B1%20650%20963%209828> Mob. +1 650 996 3284<tel:%2B1%20650%20996%203284> __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<mailto:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Georgy Okrokvertskhov Architect, OpenStack Platform Products, Mirantis http://www.mirantis.com<http://www.mirantis.com/> Tel. +1 650 963 9828 Mob. +1 650 996 3284
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
