← Back to team overview

openstack team mailing list archive

Re: trusted computing and nova

 

> Behalf Of Mark Washenberger
> Do we need anything more than a way to inject a third-party filter into
> schedulers?
> 
> I'm assuming that we need to schedule based on whether or not the
> attestation server verifies the host. And I understand that this
> situation introduces some peculiar and novel requirements on the
> scheduler. But I don't think it makes sense to deduce from that that we
> should write an attestation client into nova and create a new scheduler
> and manager service. Instead, we should robustify (is that even a
> word? :-) the plug-ability of the scheduler with these requirements in
> mind.

Mark,

There may be some mis-understanding here, The trusted computing patch has already taken the plug-in approach in Nova. That is
1. A new filter driver, inherited from json_filter, to filter Trust_state specific information.  This is using existing filter FLAGS.default_host_filter to configuted in
2. A manager_integrity, invoked as part of SchedulerManager, to pull trust_state data periodically - this is configured in through FLAGS.scheduler_manager

One thing to improve is how to get a common HTTPS client service to be supported in Nova, is there any other component may use external http connection?

Other support needed from existing Nova is to support extra capability that differ from existing Compute/Network/Volume capabilities (Described in the other thread)

Hope this clarify the plug-in discussion

-Fred




References