Set TrustedFilter as experimental
The TrustedFilter is the only in-tree scheduler filter that calls an external 3rd-party service (OpenAttestation) for decision-making. Thus, the OAT service is not listed as an official Nova dependency and consequently not even gated, even by a 3rd-party CI.

Besides, some discussions have been captured in an ML thread that show that running this filter is not the best way for enforcing trusted compute nodes [1] but I leave that out of the review (just an FYI) because the main reason for making the filter experimental is to send a signal to operators that they will either have to find another solution or accept the current gaps.

[1] http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html

Related-Bug: #1456228
Change-Id: I6ab013faf22a0e88424207830ec399724f827622

committed by Matt Riedemann
parent 5d34c572cb
commit e134536d0a

@@ -137,7 +137,7 @@ There are some standard filter classes to use (:mod:`nova.scheduler.filters`):
|
|||||||
a set of instances.
|
a set of instances.
|
||||||
* |RetryFilter| - filters hosts that have been attempted for scheduling.
|
* |RetryFilter| - filters hosts that have been attempted for scheduling.
|
||||||
Only passes hosts that have not been previously attempted.
|
Only passes hosts that have not been previously attempted.
|
||||||
* |TrustedFilter| - filters hosts based on their trust. Only passes hosts
|
* |TrustedFilter| (EXPERIMENTAL) - filters hosts based on their trust. Only passes hosts
|
||||||
that meet the trust requirements specified in the instance properties.
|
that meet the trust requirements specified in the instance properties.
|
||||||
* |TypeAffinityFilter| - Only passes hosts that are not already running an
|
* |TypeAffinityFilter| - Only passes hosts that are not already running an
|
||||||
instance of the requested type.
|
instance of the requested type.
|
||||||
|
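Review bot: The changed |TrustedFilter| bullet now runs to roughly 88 characters, while the neighbouring entries wrap well before that, so please rewrap it by moving "Only passes hosts" onto the continuation line. The bare "(EXPERIMENTAL)" tag also gives an operator reading the filter list no hint of what it means here. A short clause saying that the filter depends on an external attestation service and receives less testing than the rest of Nova would carry the commit message's intent into the docs.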
@@ -15,7 +15,7 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
Filter to add support for Trusted Computing Pools.
|
Filter to add support for Trusted Computing Pools (EXPERIMENTAL).
|
||||||
|
|
||||||
Filter that only schedules tasks on a host if the integrity (trust)
|
Filter that only schedules tasks on a host if the integrity (trust)
|
||||||
of that host matches the trust requested in the ``extra_specs`` for the
|
of that host matches the trust requested in the ``extra_specs`` for the
|
||||||
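Review bot: The module docstring gains only the "(EXPERIMENTAL)" tag on its first line and does not say why. Someone who opens this file without the commit message will not learn that the status comes from the untested dependency on an external attestation service. Consider adding one sentence to the docstring body stating that reason, so the module documents its own status.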
@@ -50,6 +50,7 @@ from oslo_utils import timeutils
|
|||||||
import requests
|
import requests
|
||||||
|
|
||||||
from nova import context
|
from nova import context
|
||||||
|
from nova.i18n import _LW
|
||||||
from nova import objects
|
from nova import objects
|
||||||
from nova.scheduler import filters
|
from nova.scheduler import filters
|
||||||
|
|
||||||
@@ -254,6 +255,12 @@ class TrustedFilter(filters.BaseHostFilter):
|
|||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.compute_attestation = ComputeAttestation()
|
self.compute_attestation = ComputeAttestation()
|
||||||
|
LOG.warning(_LW('The TrustedFilter is considered experimental '
|
||||||
|
'by the OpenStack project because it receives much '
|
||||||
|
'less testing than the rest of Nova. This may change '
|
||||||
|
'in the future, but current deployers should be aware '
|
||||||
|
'that the use of it in production right now may be '
|
||||||
|
'risky.'))
|
||||||
|
|
||||||
# The hosts the instances are running on doesn't change within a request
|
# The hosts the instances are running on doesn't change within a request
|
||||||
run_filter_once_per_request = True
|
run_filter_once_per_request = True
|
||||||
|
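Review bot: The LOG.warning call sits in TrustedFilter.__init__, so it fires on every instantiation of the filter. Please confirm that the filter is constructed once per scheduler process rather than per request, otherwise this will repeat in the logs. If that cannot be guaranteed, a module-level "already warned" flag would keep it to one emission. The message text also says only that the filter "receives much less testing", while the commit message gives the external OpenAttestation dependency as the reason. Naming that dependency in the warning would tell operators what the risk actually is. No test in the visible hunks checks that the warning is logged.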