openstack team mailing list archive
Message #18863
Re: Getting Trusted Compute Pools working in Open Stack Folsom
I noticed that Trusted Compute Pools weren't documented and took a shot at it here, based on the wiki and these emails: https://review.openstack.org/16783
I believe that adding these lines to nova.conf in Folsom will enable the trust filter:
scheduler_available_filters=nova.scheduler.filters.standard_filters
scheduler_available_filters=nova.scheduler.filters.trusted_filter
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter
However, if this isn't right, somebody let me know and I'll fix it in the docs.
Take care,
Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
On Nov 22, 2012, at 3:23 AM, "Jiang, Yunhong" <yunhong.jiang@xxxxxxxxx> wrote:
> I think trusted_filter is not in the scheduler_default_filters, so you have to make sure it’s used by the filter scheduler.
>
> Thanks
> --jyh
>
> From: openstack-bounces+yunhong.jiang=intel.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+yunhong.jiang=intel.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Dale, StewartX T
> Sent: Thursday, November 22, 2012 7:28 AM
> To: openstack@xxxxxxxxxxxxxxxxxxx
> Subject: [Openstack] Getting Trusted Compute Pools working in Open Stack Folsom
>
> Hi All,
>
> I am trying to get trusted compute pools working in my installation of OpenStack Folsom but so far am unable to get it to work. Currently when I spawn a new instance I don't see any interaction with the attestation server and the instance spawns just fine on an untrusted host. I have followed all the documentation I could find on TCP (http://wiki.openstack.org/TrustedComputingPools, https://github.com/openstack/nova/blob/stable/folsom/nova/scheduler/filters/trusted_filter.py) but am still having no luck, so I am hoping I missed something while setting it up. Hopefully someone can point out what I am doing wrong.
>
> Steps to Setup TCP:
> 1. Set the following value in nova.conf
> scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
> 2. Add "trusted_computing" section to nova.conf
> [trusted_computing]
> server=10.x.x.x
> port=8181
> server_ca_file=/etc/nova/ssl.10.1.71.206.crt
> api_url=/AttestationService/resources/PollHosts
> auth_blob=i-am-openstack
> 3. Add the "trusted" requirement to an existing flavor by running
> nova-manage instance_type set_key m1.tiny trust:trusted_host trusted
> 4. Restart nova-compute and nova-scheduler service
>
> At this point I test it by going to openstack page -> projects -> instances and launching a new instance of m1.tiny. At this point I should see a connection attempt on the attestation server (which I don't) and then the instance fail to launch (which it doesn't) since the host is untrusted. My version of OpenStack is Folsom and nova is 2012.2.
> Hopefully someone can point out my mistake or what I am missing.
>
> -Stewart
>
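Added example, not part of the original thread or of nova: a check over nova.conf text for the settings this thread names (the FilterScheduler driver, TrustedFilter in scheduler_default_filters, and the [trusted_computing] keys), which catches the case reported above where a flavor requires trust but the scheduler never consults the attestation server. The function names, the sample config and the last-occurrence handling of repeated single-valued options are assumptions of this example.

```python
from collections import defaultdict

FILTER_SCHEDULER = "nova.scheduler.filter_scheduler.FilterScheduler"
TRUST_KEYS = ("server", "port", "server_ca_file", "api_url", "auth_blob")
# Constructed sample: the settings from the original report (no filter list).
REPORTED = """[DEFAULT]
scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
[trusted_computing]
server=10.x.x.x
port=8181
server_ca_file=/etc/nova/ssl.10.1.71.206.crt
api_url=/AttestationService/resources/PollHosts
auth_blob=i-am-openstack
"""

def parse_conf(text):
    """Parse nova.conf text into {section: {key: [values]}}; repeats are kept."""
    # configparser would reject the repeated scheduler_available_filters key.
    conf = defaultdict(lambda: defaultdict(list))
    section = "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()].append(value.strip())
    return conf

def check_trusted_pools(text):
    """Return the reasons the trust filter would not gate scheduling."""
    conf = parse_conf(text)
    default = conf["DEFAULT"]
    problems = []
    # Assumption: for a single-valued option the last occurrence is used.
    if default["scheduler_driver"][-1:] != [FILTER_SCHEDULER]:
        problems.append("scheduler_driver is not FilterScheduler")
    filters = "".join(default["scheduler_default_filters"][-1:])
    if "TrustedFilter" not in [f.strip() for f in filters.split(",")]:
        problems.append("TrustedFilter missing from scheduler_default_filters")
    for key in TRUST_KEYS:
        if not "".join(conf["trusted_computing"][key][-1:]):
            problems.append("[trusted_computing] %s is not set" % key)
    return problems

if __name__ == "__main__":
    print(check_trusted_pools(REPORTED))
```

An empty list means every setting named in the thread is present; it does not confirm that the attestation server is reachable or that the CA file exists.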