Trove guest-agent unable to talk to RabbitMQ

asked 2016-10-19 12:51:22 -0500

I set up OpenStack (Mitaka) using OpenStack-Ansible scripts (and my own playbooks for Trove), and Neutron for networking. Each service is in a separate Linux container. The controller and compute nodes are separate physical systems. There is an external network for Trove instances to use (so users can get to the databases) and a management network for the containers (in the controller nodes) and the compute nodes to talk to each other. However, Trove needs the guest-agent in a Nova instance to be able to talk to RabbitMQ, which is in a container. This would mean giving a Nova instance access to the management network, which seems like a security issue and is not really addressed in the Trove/Neutron pubs as far as I can tell. Has anyone tried this and maybe found a way to make it work?

1 answer

answered 2016-10-20 11:06:33 -0500

Thanks for the question. This is a topic that is addressed in the Trove documentation (installation and configuration). Please refer to that, and yes, this is something that several have addressed and got to work.

Thanks Amrith. I did read the documentation. I was asking about the security aspect. The doc suggests adding a guest private network (using default_neutron_networks option), and I need to provide a net-id there. What's to prevent anyone else from joining this network? Or did I misunderstand the doc?

Neutron security; just knowing a network ID doesn't mean that you can join it. You also need the credentials to connect to it. You need to ensure that your guest instance (a service VM) is secure, and many methods exist to ensure this.
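The thread's concern is whether the network referenced by `default_neutron_networks` quietly becomes a bridge into the container management network. The following check is an added example, not code from the thread or from Trove: it takes an inventory of Neutron networks and security-group rules and reports the conditions a reviewer would flag before handing that net-id to Trove, namely a shared or external guest network, a guest subnet that overlaps the management CIDR, and egress rules on the guest's security group that permit more than TCP to the broker's AMQP port. All CIDRs, addresses, network names and the dict layout of the inventory are constructed for the example; in a real deployment you would fill them from `openstack subnet list` and `openstack security group rule list` output.

```python
"""Isolation check for the Neutron network Trove hands to guest instances.

Added example for the thread above; not Trove code. The inventory shape
(network id -> shared/external/cidrs, security group id -> rule dicts) is an
assumption chosen for readability, and every value below is constructed.
"""
import ipaddress

# Constructed: the container management network and the RabbitMQ container.
MGMT_CIDR = "10.0.3.0/24"
RABBIT_HOST = "10.0.3.50"
AMQP_PORT = 5672

# Constructed: candidate networks for default_neutron_networks.
NETWORKS = {
    "net-mgmt": {"shared": False, "external": False, "cidrs": ["10.0.3.0/24"]},
    # shared, and its subnet is carved out of the management range
    "net-guest-bad": {"shared": True, "external": False, "cidrs": ["10.0.3.128/25"]},
    # dedicated, non-shared range that is routed to the broker only
    "net-guest": {"shared": False, "external": False, "cidrs": ["172.16.40.0/24"]},
}

# Constructed: security group rules in a simplified shape.
SG_RULES = {
    "sg-wide-open": [
        {"direction": "egress", "protocol": None, "port_min": None,
         "port_max": None, "remote_cidr": "0.0.0.0/0"},
    ],
    "sg-amqp-only": [
        {"direction": "egress", "protocol": "tcp", "port_min": 5672,
         "port_max": 5672, "remote_cidr": "10.0.3.50/32"},
    ],
}


def overlaps(cidr_a, cidr_b):
    """True if two CIDRs share any address."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def network_findings(net_id, networks, mgmt_cidr):
    """Findings about the network itself: shared/external exposure and
    address overlap with the management network."""
    net = networks.get(net_id)
    if net is None:
        return [f"{net_id}: not found in Neutron inventory"]
    findings = []
    if net["shared"]:
        findings.append(f"{net_id}: network is shared, any tenant can attach to it")
    if net["external"]:
        findings.append(f"{net_id}: network is external, not a private guest network")
    for cidr in net["cidrs"]:
        if overlaps(cidr, mgmt_cidr):
            findings.append(f"{net_id}: subnet {cidr} overlaps management network {mgmt_cidr}")
    return findings


def rule_exceeds_broker_path(rule, broker_host, port):
    """True if an egress rule permits anything beyond TCP/<port> to the broker."""
    if rule["direction"] != "egress":
        return False
    remote = ipaddress.ip_network(rule["remote_cidr"] or "0.0.0.0/0", strict=False)
    broker = ipaddress.ip_network(f"{broker_host}/32")
    proto_ok = (rule["protocol"] or "").lower() == "tcp"
    ports_ok = rule["port_min"] == port and rule["port_max"] == port
    target_ok = remote.subnet_of(broker)  # remote range confined to the broker address
    return not (proto_ok and ports_ok and target_ok)


def egress_findings(sg_id, sg_rules, broker_host, port):
    """Findings about the guest's security group egress rules."""
    rules = sg_rules.get(sg_id)
    if rules is None:
        return [f"{sg_id}: security group not found"]
    return [
        f"{sg_id}: egress rule {r['protocol'] or 'any'} "
        f"{r['port_min']}-{r['port_max']} to {r['remote_cidr']} exceeds broker path"
        for r in rules if rule_exceeds_broker_path(r, broker_host, port)
    ]


def check_guest_isolation(net_id, sg_id, networks=NETWORKS, sg_rules=SG_RULES,
                          mgmt_cidr=MGMT_CIDR, broker_host=RABBIT_HOST, port=AMQP_PORT):
    """Combined report; an empty list means the guest network passes the check."""
    return (network_findings(net_id, networks, mgmt_cidr)
            + egress_findings(sg_id, sg_rules, broker_host, port))


if __name__ == "__main__":
    for net, sg in (("net-guest-bad", "sg-wide-open"), ("net-guest", "sg-amqp-only")):
        report = check_guest_isolation(net, sg)
        print(f"{net} / {sg}: {'OK' if not report else ''}")
        for line in report:
            print("  -", line)
```

The point the check makes concrete is the one the answer gestures at: the net-id alone is not the control. What isolates the guest agent is that the network is private to the Trove tenant, its addressing does not reach into the container range, and its security group lets the guest reach nothing but the broker's AMQP port. Broker credentials injected into the guest still need protecting separately, since anyone who obtains them can reach RabbitMQ from any host that can route to it.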

