Sorry, I reread what I wrote and it came off.. harsher then I had intended. I don't mean I will never support it, simply that I can't support it as it is.
I have security researchers that use this particular cloud, and don't want to give Murano a black eye if they "discover" something... I would help if I could, but unfortunatly, I already have my fingers in too many pies. If I do manage to get a bit of time, maybe I can help. we'll see. I'm not convinced it will be a simple thing to fix though. Rabbit wasn't build with multitenancy in mind, so fixing it right might take a fair amount of work. http polling is not a good long term solution. Uses more power/resources then necessary. Zaquar, being designed for multi tenancy messaging from the get go, seems like a good way to go. Unfortunatly, they still only support http polling I think, but have it on their roadmap to fix. Most of the hard work is switching over to Zaquar though. So once they add a non polling option, it should be relatively cheep to add support. Thanks, Kevin ________________________________ From: Stan Lagun [[email protected]] Sent: Sunday, May 10, 2015 3:24 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Murano] [Mistral] SSH workflow action Kevin, I do agree that lack of RabbitMQ multi-tenancy is a problem. However as this is developers mailing list I would suggest to contribute and make Murano guest agent secure for the benefit of all users and all existing applications instead of spending comparable amount of time developing intricate solutions that will make everything way more complex. If Murano application developers need to write additional Mistral workflow for each deployment step that would make application development be extremely harder and Murano be mostly useless. There are several approaches that can be taken to solve agent isolation problem and all of them are relatively easy to implement. This task is one of out top priorities for the Liberty and will be solved very soon anyway. Another approach that IMO also better than SSH is to use HOT software config that uses HTTP polling and doesn't suffer from lack of tenant isolation. I do want to see better Mistral integration in Murano as well as many other tools like puppet etc. And there are some good use cases for Mistral. But when it comes to the most basic things that Murano was designed to do from the foundation I want to make sure that Murano can do them the best way possible without requiring users to learn additional DSLs/tools or go extra step and involve additional services where not necessary. If something important is missing in Murano that makes usage of Mistral for deployment more attractive I'd rather focus on improving Murano and bringing those features to Murano. We can even use Mistral under the hood as long as we not make users to write both MuranoPL and Mistral DSL code for trivial things like service restart. Sincerely yours, Stan Lagun Principal Software Engineer @ Mirantis <mailto:[email protected]> On Sun, May 10, 2015 at 8:44 PM, Fox, Kevin M <[email protected]<mailto:[email protected]>> wrote: Im planning on deploying murano but wont be supporting the murano guest agent. The lack of multi tenant security is a big problem I think. Thanks, Kevin ________________________________ From: Stan Lagun Sent: Saturday, May 09, 2015 7:21:17 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Murano] [Mistral] SSH workflow action Filip, If I got you right the plan is to have Murano application execute Mistral workflow that SSH to VM and executes particular command? And alternative is Murano->Mistral->Zaquar->Zaquar agent? Why can't you just send this command directly from Murano (to Murano agent on VM)? This is the most common use case that is found in nearly all Murano applications and it is battle-proven. If you need SSH you can contribute SSH plugin to Murano (Mistral will require similar plugin anyway). The more moving parts you involve the more chances you have for everything to fail Sincerely yours, Stan Lagun Principal Software Engineer @ Mirantis <mailto:[email protected]> On Fri, May 8, 2015 at 11:22 AM, Renat Akhmerov <[email protected]<mailto:[email protected]>> wrote: Generally yes, std.ssh action works as long as network infrastructure allows access to a host using specified IP, it doesn’t provide anything on top of that. > On 06 May 2015, at 22:26, Fox, Kevin M > <[email protected]<mailto:[email protected]>> wrote: > > This would also probably be a good use case for Zaqar I think. Have a generic > "run shell commands from Zaqar queue" agent, that pulls commands from a Zaqar > queue, and executes it. > The vm's don't have to be directly reachable from the network then. You just > have to push messages into Zaqar. Yes, in Mistral it would be another action that puts a command into Zaqar queue. This type of action doesn’t exist yet but it can be plugged in easily. > Should Mistral abstract away how to execute the action, leaving it up to > Mistral how to get the action to the vm? Like I mentioned previously it should be just a different type of action: “zaqar.something” instead of “std.ssh”. Mistral engine itself works with all actions equally, they are just basically functions that we can plug in and use in Mistral workflow language. From this standpoint Mistral is already abstract enough. > If that's the case, then ssh vs queue/agent is just a Mistral implementation > detail? More precisely: implementation detail of Mistral action which may not be even hardcoded part of Mistral, we can rather plug them in (using stevedore underneath). Renat Akhmerov @ Mirantis Inc. __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe<http://[email protected]?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe<http://[email protected]?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
