e4fe8b3973
Documentation for murano users includes example. Implements: blueprint policy-based-env-modification Change-Id: If363528d1dabf8acb698004fbbb0a3df3d1aab36
75 lines
3.5 KiB
ReStructuredText
75 lines
3.5 KiB
ReStructuredText
=======================================================
|
|
Murano Policy Based Modification of Environment Example
|
|
=======================================================
|
|
|
|
Introduction
|
|
============
|
|
Goal is to be able to define modification of an environment by Congress policies prior
|
|
deployment. This allows to add components (for example monitoring), change/set properties
|
|
(for example to enforce given zone, flavors, ...) and relationships into environment,
|
|
so modified environment is after that deployed.
|
|
|
|
Example Use Cases:
|
|
|
|
* install monitoring agent on each VM instance (adding component with the agent and creating relationship between
|
|
agent and instance)
|
|
* all Apache server instances must have given certified version (version property is set on all Apache applications
|
|
within environment to given version)
|
|
|
|
These policies are evaluated over data in the form of tables (Congress data structures). A deployed Murano environment must be
|
|
decomposed to Congress data structures. The decomposed environment is sent to congress for simulation. Congress simulates
|
|
whether the resulting state needs to be modified. In case that modifications of deployed environment are needed congress returns
|
|
list of actions which needs to be performed on given environment prior the deployment. Actions and its parameters are returned
|
|
from congress in YAML format.
|
|
|
|
Example of action specification returned from congress:
|
|
|
|
* set ``keyname`` property on instance identified by ``object_id`` to value ``production-key``
|
|
|
|
.. code-block:: yaml
|
|
|
|
set-property: {object_id: c46770dec1db483ca2322914b842e50f, prop_name: keyname, value: production-key}
|
|
..
|
|
|
|
Administrator can use above one line action specification as output of congress rules. This action specification
|
|
is parsed in murano. Given action class is loaded. Action instance is created. Parsed parameters are supplied to action
|
|
``__init__`` method. Then action is performed on given environment (``modify`` method).
|
|
|
|
Example
|
|
=======
|
|
In this example assume that we are in production environment. Administrator needs to enforce that all VM instances
|
|
will be deployed with secure key pair used for production environment.
|
|
|
|
Prior creating rules your OpenStack installation has to be configured as described in :ref:`policyenf_setup`.
|
|
|
|
Example rules
|
|
-------------
|
|
|
|
#. Create ``predeploy_modify`` rule
|
|
|
|
Policy validation engine checks rule ``predeploy_modify`` and rules referenced inside this rule are evaluated by congress engine.
|
|
|
|
.. code-block:: console
|
|
|
|
predeploy_modify(eid, obj_id, action) :-
|
|
murano:objects(obj_id, pid, type),
|
|
murano:objects(eid, tid, "io.murano.Environment"),
|
|
murano:connected(eid, pid),
|
|
murano:properties(obj_id, "keyname", kn),
|
|
concat("set-property: {object_id: ", obj_id, first_part),
|
|
concat(first_part, ", prop_name: keyname, value: production-key}", action)
|
|
..
|
|
|
|
Use this command to create the rule:
|
|
|
|
.. code-block:: console
|
|
|
|
congress policy rule create murano_system 'predeploy_modify(eid, obj_id, action):-murano:objects(obj_id, pid, type), murano_env_of_object(obj_id, eid), murano:properties(obj_id, "keyname", kn), concat("set-property: {object_id: ", obj_id, first_part), concat(first_part, ", prop_name: keyname, value: production-key}", action)'
|
|
..
|
|
|
|
Key pair ``production-key`` must exists or change it to any existing key pair.
|
|
|
|
#. Deploy environment and check modification
|
|
|
|
Deploy any environment and check that instances within the environment were deployed with the key pair specified above.
|