Right now, if you use KVM via libvirt (the default case), on the compute node, nova-compute runs on the host. If you use Xen via xenapi, nova-compute runs on Dom-U. (I'll ignore Xen via libvirt since no one really uses it.)
What's the fundamental design decision to make the distinction? Presumably, it is not *that* hard to run nova-compute in a KVM VM, since the libvirt control socket works on tcp. I can see updating iptables rules would be painful but shouldn't we have the same problem with Xen? Conversely, it's also not impossible to run nova-compute in Dom-0. I understand running something in a VM is more secure in some sense than running in Dom0. But shouldn't the same argument apply to KVM's case as well?

Your input is appreciated.

Thanks,
Yun