openstack team mailing list archive
Message #18840
Re: Getting Trusted Compute Pools working in Open Stack Folsom
I think trusted_filter is not in the scheduler_default_filters, so you have to make sure it's used by the filter scheduler.
Thanks
--jyh
From: openstack-bounces+yunhong.jiang=intel.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+yunhong.jiang=intel.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Dale, StewartX T
Sent: Thursday, November 22, 2012 7:28 AM
To: openstack@xxxxxxxxxxxxxxxxxxx
Subject: [Openstack] Getting Trusted Compute Pools working in Open Stack Folsom
Hi All,
I am trying to get trusted compute pools working in my installation of open stack Folsom but so far am unable to get it to work. Currently, when I spawn a new instance, I don't see any interaction with the attestation server and the instance spawns just fine on an untrusted host. I have followed all the documentation I could find on TCP (http://wiki.openstack.org/TrustedComputingPools , https://github.com/openstack/nova/blob/stable/folsom/nova/scheduler/filters/trusted_filter.py ) but am still having no luck, so I am hoping I missed something while setting it up. Hopefully someone can point out what I am doing wrong.
Steps to Setup TCP:
1. Set the following value in nova.conf
    scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
2. Add "trusted_computing" section to nova.conf
    [trusted_computing]
    server=10.x.x.x
    port=8181
    server_ca_file=/etc/nova/ssl.10.1.71.206.crt
    api_url=/AttestationService/resources/PollHosts
    auth_blob=i-am-openstack
3. Add the "trusted" requirement to an existing flavor by running
    nova-manage instance_type set_key m1.tiny trust:trusted_host trusted
4. Restart nova-compute and nova-scheduler service
At this point I test it by going to openstack page -> projects -> instances and launching a new instance of m1.tiny. At this point I should see a connection attempt on the attestation server (which I don't) and then the instance fail to launch (which it doesn't) since the host is untrusted. My version of open stack is Folsom and nova is 2012.2.
Hopefully someone can point out my mistake or what I am missing.
-Stewart
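The gap the reply points at fails open: the flavor carries a trust requirement, but nothing evaluates it unless the filter is in the scheduler's list. A check for that, as an added example that is not part of the thread or of nova; it assumes the filter class in trusted_filter.py is named TrustedFilter, `audit_nova_conf` is a hypothetical helper, and both sample configs are constructed from the settings in the post.

```python
import configparser

# Assumption: the class defined in trusted_filter.py is named TrustedFilter.
TRUSTED_FILTER = "TrustedFilter"
FILTER_SCHEDULER = "nova.scheduler.filter_scheduler.FilterScheduler"
# Keys of the [trusted_computing] section as shown in the original post.
TC_KEYS = ("server", "port", "server_ca_file", "api_url", "auth_blob")

# Constructed sample: the settings from the post, nothing else.
AS_POSTED = """\
scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
[trusted_computing]
server=10.x.x.x
port=8181
server_ca_file=/etc/nova/ssl.10.1.71.206.crt
api_url=/AttestationService/resources/PollHosts
auth_blob=i-am-openstack
"""
# Constructed sample: same file with the filter enabled explicitly.
WITH_FILTER = ("scheduler_default_filters=AvailabilityZoneFilter,RamFilter,"
               "ComputeFilter,TrustedFilter\n" + AS_POSTED)


def audit_nova_conf(text):
    """Hypothetical helper: list reasons the trust check would never run."""
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    # Options may precede any section header, so supply [DEFAULT] ourselves.
    cp.read_string("[DEFAULT]\n" + text)
    findings = []
    if cp.get("DEFAULT", "scheduler_driver", fallback="") != FILTER_SCHEDULER:
        findings.append("scheduler_driver is not the FilterScheduler")
    raw = cp.get("DEFAULT", "scheduler_default_filters", fallback=None)
    # Accept both bare class names and dotted paths in the list.
    names = [n.strip().rsplit(".", 1)[-1] for n in (raw or "").split(",")]
    if raw is None:
        findings.append("scheduler_default_filters is unset")
    elif TRUSTED_FILTER not in names:
        findings.append("scheduler_default_filters lacks " + TRUSTED_FILTER)
    missing = [k for k in TC_KEYS
               if not cp.get("trusted_computing", k, fallback="").strip()]
    if missing:
        findings.append("[trusted_computing] missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("with filter", WITH_FILTER)):
        print(label, "->", audit_nova_conf(conf) or "ok")
```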