[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [DRAFT 1] XenSock protocol design document



On Fri, 8 Jul 2016, David Vrabel wrote:
> On 08/07/16 12:23, Stefano Stabellini wrote:
> > 
> > XenSocks provides the following benefits:
> > * guest networking works out of the box with VPNs, wireless networks and
> >   any other complex configurations on the host
> 
> Only in the trivial case where the host only has one external network.

Which is the most common case and the one we care about the most.


> Otherwise, you are going to have to have some sort of configuration to
> keep guest traffic isolated from the management or storage network (for
> example).

I admit I don't think I understand your example, please add more
details.

In any case how would you achieve this benefit with netfront/netback?


> > * guest services listen on ports bound directly to the backend domain IP
> >   addresses
> 
> I think this could be done with SDN but I'm no expert on this area.

Maybe. But a simple Google search didn't turn up anything useful on
this. The solution used by Docker to achieve this is very expensive in
terms of resources.

In fact even if you are right, these are complex and expensive solutions
you are talking about. It would likely require some sort of address and
port translation. XenSock is a simple solution and the best way to solve
this problem. I don't want to configure an SDN, iptables and whatnot
just to have guest ports bound on the host. More complexity one
introduces, the more difficult becomes handling security and
maintenance. Performance suffers too.


> > * localhost becomes a secure namespace for intra-VMs communications
> 
> I presume you mean "inter-VM" communication here?

Yes, I meant inter-VM, sorry for the confusion.


> This is already achievable with a private bridged network for VMs on a
> host.

Wouldn't that require one more virtual interface per VM?


> > * full visibility of the guest behavior on the backend domain, allowing
> >   for inexpensive filtering and manipulation of any guest calls
> 
> There's many existing solutions in this space for networking.

One the most important points of this work is that users don't need to
use those "existing solutions in this space for networking". They are
expensive (both in terms of money and performance) and suboptimal. They
are never going to have the level of visibility and control that we
could have with XenSock.


> > * excellent performance
> 
> netback/netfront is pretty good now and further improvements to them
> would have wider benefits.
 
You are saying that one could achieve the same benefits of XenSock with:

netfront/netback + some zero configuration tool for netfront/netback +
SDN + a network based application firewall + one more virtual interface
per VM

I feel confortable in stating that XenSock is far better than a
combination of 4 or 5 complex moving pieces.

I admit that Citrix XenServer won't directly benefit from XenSock, at
least not in the short term. But the Xen Community is much wider than
XenServer. People have already pointed out to me why this would be
useful for them.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.