Amend spec to use regular rst table instead of code block
Change-Id: I9be6902af17d957a0b5187087e76461cdf0dec94
parent f0ffcb6ddf
commit f79e857320
|
@ -144,48 +144,46 @@ one swap disk. Each disk will have its own secret.
|
|||
This table is intended to illustrate the way secrets are handled in various
|
||||
scenarios.
|
||||
|
||||
.. code:: rst
|
||||
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance or Image | Disk | Secret | Notes |
|
||||
| | | (passphrase) | |
|
||||
+====================+=============+==============+======================================================+
|
||||
| Instance A | disk (root) | Secret 1 | Secret 1, 2, and 3 will be automatically deleted |
|
||||
| +-------------+--------------+ by Nova when Instance A is deleted and its disks are |
|
||||
| | disk.eph0 | Secret 2 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 3 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Image Z (snapshot) | disk (root) | Secret 4 | Secret 4 will *not* be automatically deleted and |
|
||||
| created from | | (new secret | manual deletion will be needed if/when Image Z is |
|
||||
| Instance A | | is created) | deleted from Glance |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance B | disk (root) | Secret 5 | Secret 5, 6, and 7 will be automatically deleted |
|
||||
| created from +-------------+--------------+ by Nova when Instance B is deleted and its disks are |
|
||||
| Image Z (snapshot) | disk.eph0 | Secret 6 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 7 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance C | disk (root) | Secret 8 | Secret 8, 9, and 10 will be automatically deleted |
|
||||
| +-------------+--------------+ by Nova when Instance C is deleted and its disks are |
|
||||
| | disk.eph0 | Secret 9 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 10 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Image Y (snapshot) | disk (root) | Secret 8 | Secret 8 is *retained* when Instance C is shelved in |
|
||||
| created by shelve | | | part to prevent the possibility of a change in |
|
||||
| of Instance C | | | ownership of the root disk secret if, for example, |
|
||||
| | | | an admin user shelves a non-admin user's instance. |
|
||||
| | | | This approach could be avoided if there is some way |
|
||||
| | | | we could create a new secret using the instance's |
|
||||
| | | | user/project rather than the shelver's user/project |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Rescue disk | disk (root) | Secret 11 | Secret 11 is stashed in the instance's system |
|
||||
| created by rescue | | (new secret | metadata with key |
|
||||
| of Instance A | | is created) | ``rescue_disk_ephemeral_encryption_secret_uuid``. |
|
||||
| | | | This is done because a BDM record for the rescue |
|
||||
| | | | disk is not going to be persisted to the database. |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance or Image | Disk | Secret | Notes |
|
||||
| | | (passphrase) | |
|
||||
+====================+=============+==============+======================================================+
|
||||
| Instance A | disk (root) | Secret 1 | Secret 1, 2, and 3 will be automatically deleted |
|
||||
| +-------------+--------------+ by Nova when Instance A is deleted and its disks are |
|
||||
| | disk.eph0 | Secret 2 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 3 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Image Z (snapshot) | disk (root) | Secret 4 | Secret 4 will *not* be automatically deleted and |
|
||||
| created from | | (new secret | manual deletion will be needed if/when Image Z is |
|
||||
| Instance A | | is created) | deleted from Glance |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance B | disk (root) | Secret 5 | Secret 5, 6, and 7 will be automatically deleted |
|
||||
| created from +-------------+--------------+ by Nova when Instance B is deleted and its disks are |
|
||||
| Image Z (snapshot) | disk.eph0 | Secret 6 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 7 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Instance C | disk (root) | Secret 8 | Secret 8, 9, and 10 will be automatically deleted |
|
||||
| +-------------+--------------+ by Nova when Instance C is deleted and its disks are |
|
||||
| | disk.eph0 | Secret 9 | destroyed |
|
||||
| +-------------+--------------+ |
|
||||
| | disk.swap | Secret 10 | |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Image Y (snapshot) | disk (root) | Secret 8 | Secret 8 is *retained* when Instance C is shelved in |
|
||||
| created by shelve | | | part to prevent the possibility of a change in |
|
||||
| of Instance C | | | ownership of the root disk secret if, for example, |
|
||||
| | | | an admin user shelves a non-admin user's instance. |
|
||||
| | | | This approach could be avoided if there is some way |
|
||||
| | | | we could create a new secret using the instance's |
|
||||
| | | | user/project rather than the shelver's user/project |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
| Rescue disk | disk (root) | Secret 11 | Secret 11 is stashed in the instance's system |
|
||||
| created by rescue | | (new secret | metadata with key |
|
||||
| of Instance A | | is created) | ``rescue_disk_ephemeral_encryption_secret_uuid``. |
|
||||
| | | | This is done because a BDM record for the rescue |
|
||||
| | | | disk is not going to be persisted to the database. |
|
||||
+--------------------+-------------+--------------+------------------------------------------------------+
|
||||
|
||||
Snapshots of instances with ephemeral encryption
|
||||
````````````````````````````````````````````````
|
||||
|
|
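Review bot: In the "Rescue disk" row at the end of the table, the Notes cell says where Secret 11 is stashed (``rescue_disk_ephemeral_encryption_secret_uuid`` in system metadata) but not when it is deleted, whereas the Instance A/B/C and Image Z rows all state whether Nova deletes the secret automatically or manual deletion is needed. Now that this renders as a real table in the spec rather than a literal block, add a sentence to that cell stating the deletion behaviour for Secret 11, so a reader can tell whether it can be left behind in the key manager. Two smaller points: the Notes cells are inconsistent about a closing period ("destroyed", "deleted from Glance" and "shelver's user/project" have none, the Image Y and Rescue disk sentences do), and with the ``.. code:: rst`` directive gone the ``*not*``, ``*retained*`` and double-backtick markup will be interpreted as inline markup, so check the rendered output of the docs build for the multi-row Notes cells.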