On Thu, Apr 5, 2012 at 11:06 AM, Yun Mao <[email protected]> wrote:
> What's the fundamental design decision to make the distinction?
> Presumably, it is not *that* hard to run nova-compute in a KVM VM,
> since the libvirt control socket works on tcp. I can see updating
> iptables rules would be painful but shouldn't we have the same problem
> with Xen? Conversely, it's also not impossible to run nova-compute in
> Dom-0. I understand running something in a VM is more secure in some
> sense than running in Dom0. But shouldn't the same argument apply to
> KVM's case as well?
Fundamentally the answer is more about the architectural differences between Xen (standalone, type-1 hypervisor) and KVM (integrated, type-2 hypervisor). You can in fact push more into Dom0 at the risk of reliability, availability, and security issues. You can also run services in KVM guests to increase security. However, Xen is designed to support disaggregated [1] service domains and KVM is designed to be more integrated.

[1] http://wiki.xen.org/wiki/Dom0_Disaggregation

Here are some slides and a video that go into more detail for the Xen side of things:

http://www.slideshare.net/cloudstack/vbacd-xen-cloud-computing
http://vimeo.com/38636349

Slide 28 summarizes the pros and cons of the two approaches.

Installing in a VM
Pros
* Isolation of cloud VM
* Security properties
* Pre-packaged appliance
Cons
* More complex
* Less flexible/lacks tight integration

Installing directly in Dom0 (or somewhat equivalently the KVM host)
Pros
* Simple install
* Flexibility/tight integration
Cons
* Less isolation
* Cloud service is potential entry point to compromise Dom0/KVM host system

Hope that helps.

Thanks,
Todd

--
Todd Deshane
http://www.linkedin.com/in/deshantm
http://blog.xen.org/
http://wiki.xen.org/

