Set TrustedFilter as experimental

The TrustedFilter is the only in-tree scheduler filter that calls an external 3rd-party service (OpenAttestation) for decision-making. Thus, the OAT service is not listed as an official Nova dependency and consequently not even gated, even by a 3rd-party CI. Besides, some discussions have been captured in a ML thread that show that running this filter is not the best way for enforcing trusted compute nodes [1] but I leave that out of the review (just a FYI) because the main reason for making experimental the filter is to send a signal to operators that they will either have to find another solution or accept the current gaps. [1] http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html Related-Bug: #1456228 Change-Id: I6ab013faf22a0e88424207830ec399724f827622
2015-09-18 12:38:12 +02:00
parent 5d34c572cb
commit e134536d0a
2 changed files with 9 additions and 2 deletions
--- a/doc/source/filter_scheduler.rst
+++ b/doc/source/filter_scheduler.rst
@@ -137,7 +137,7 @@ There are some standard filter classes to use (:mod:`nova.scheduler.filters`):
  a set of instances.
 * |RetryFilter| - filters hosts that have been attempted for scheduling.
  Only passes hosts that have not been previously attempted.
-* |TrustedFilter| - filters hosts based on their trust.  Only passes hosts
+* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust.  Only passes hosts
  that meet the trust requirements specified in the instance properties.
 * |TypeAffinityFilter| - Only passes hosts that are not already running an
  instance of the requested type.
--- a/nova/scheduler/filters/trusted_filter.py
+++ b/nova/scheduler/filters/trusted_filter.py
@@ -15,7 +15,7 @@
 #    under the License.

 """
-Filter to add support for Trusted Computing Pools.
+Filter to add support for Trusted Computing Pools (EXPERIMENTAL).

 Filter that only schedules tasks on a host if the integrity (trust)
 of that host matches the trust requested in the ``extra_specs`` for the
@@ -50,6 +50,7 @@ from oslo_utils import timeutils
 import requests

 from nova import context
+from nova.i18n import _LW
 from nova import objects
 from nova.scheduler import filters

@@ -254,6 +255,12 @@ class TrustedFilter(filters.BaseHostFilter):

    def __init__(self):
        self.compute_attestation = ComputeAttestation()
+        LOG.warning(_LW('The TrustedFilter is considered experimental '
+                        'by the OpenStack project because it receives much '
+                        'less testing than the rest of Nova. This may change '
+                        'in the future, but current deployers should be aware '
+                        'that the use of it in production right now may be '
+                        'risky.'))

    # The hosts the instances are running on doesn't change within a request
    run_filter_once_per_request = True