Merge "General updates to Compute for style and convention"
commit 45648e26ca
@ -4,45 +4,35 @@
|
|||||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||||
version="5.0"
|
version="5.0"
|
||||||
xml:id="default_ports">
|
xml:id="default_ports">
|
||||||
<title>Compute service node firewall requirements</title>
|
|
||||||
<para>Console connections for virtual machines, whether direct or through a proxy, are received
|
<title>Compute service node firewall requirements</title>
|
||||||
on ports <literal>5900</literal> to <literal>5999</literal>. You must configure the firewall
|
<para>Console connections for virtual machines, whether direct or through a
|
||||||
on each Compute service node to enable network traffic on these ports.</para>
|
proxy, are received on ports <literal>5900</literal> to
|
||||||
<procedure>
|
<literal>5999</literal>. The firewall on each Compute service node must
|
||||||
<title>Configure the service-node firewall</title>
|
allow network traffic on these ports.</para>
|
||||||
<step><para>On the server that hosts the Compute service, log in as <systemitem>root</systemitem>.</para></step>
|
<para>This procedure modifies the <systemitem>iptables</systemitem> firewall
|
||||||
<step>
|
to allow incoming connections to the Compute services.</para>
|
||||||
<para>
|
<procedure>
|
||||||
Edit the <filename>/etc/sysconfig/iptables</filename>
|
<title>Configuring the service-node firewall</title>
|
||||||
file.
|
<step>
|
||||||
</para>
|
<para>Log in to the server that hosts the Compute service, as
|
||||||
</step>
|
<systemitem>root</systemitem>.</para>
|
||||||
<step>
|
</step>
|
||||||
<para>
|
<step>
|
||||||
Add an INPUT rule that allows TCP traffic on ports
|
<para>Edit the <filename>/etc/sysconfig/iptables</filename> file, to add an
|
||||||
that range from <literal>5900</literal> to
|
INPUT rule that allows TCP traffic on ports from
|
||||||
<literal>5999</literal>:
|
<literal>5900</literal> to <literal>5999</literal>. Make sure the new
|
||||||
</para>
|
rule appears before any INPUT rules that REJECT traffic:</para>
|
||||||
<programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
|
<programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
|
||||||
<para>
|
</step>
|
||||||
The new rule must appear before any INPUT rules that
|
<step>
|
||||||
REJECT traffic.
|
<para>Save the changes to <filename>/etc/sysconfig/iptables</filename>,
|
||||||
</para>
|
and restart the <systemitem>iptables</systemitem> service to pick up
|
||||||
</step>
|
the changes:</para>
|
||||||
<step>
|
|
||||||
<para>
|
|
||||||
Save the changes to the
|
|
||||||
<filename>/etc/sysconfig/iptables</filename> file.
|
|
||||||
</para>
|
|
||||||
</step>
|
|
||||||
<step>
|
|
||||||
<para>
|
|
||||||
Restart the <systemitem>iptables</systemitem> service
|
|
||||||
to ensure that the change takes effect.
|
|
||||||
</para>
|
|
||||||
<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
|
<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
|
||||||
</step>
|
</step>
|
||||||
</procedure>
|
<step>
|
||||||
<para>The <systemitem>iptables</systemitem> firewall now enables incoming connections to the
|
<para>Repeat this process for each Compute service node.</para>
|
||||||
Compute services. Repeat this process for each Compute service node.</para>
|
</step>
|
||||||
</section>
|
</procedure>
|
||||||
|
</section>
|
||||||
|
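Review bot: the restart step in this hunk keeps the `$` prompt (`<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>`) although the first step has the reader log in as root; commands run as root take the `#` prompt under the doc conventions this commit is applying, so change the prompt here. Two smaller points on the same hunk: `<programlisting language="ini">` wraps an iptables rule, which is not INI syntax, so drop the `language` attribute; and `-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT` accepts console traffic from any source, so the text could add that operators who expose consoles only through a proxy can narrow the rule with `-s` to the proxy host addresses.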
@ -4,70 +4,69 @@
|
|||||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||||
version="5.0"
|
version="5.0"
|
||||||
xml:id="trusted-compute-pools">
|
xml:id="trusted-compute-pools">
|
||||||
<title>Trusted compute pools</title>
|
|
||||||
<para>Trusted compute pools enable administrators to designate a group of compute hosts as
|
<title>Trusted compute pools</title>
|
||||||
trusted. These hosts use hardware-based security features, such as the Intel Trusted
|
<para>Administrators can designate a group of compute hosts as trusted using
|
||||||
Execution Technology (TXT), to provide an additional level of security. Combined with an
|
trusted compute pools. The trusted hosts use hardware-based security
|
||||||
external stand-alone, web-based remote attestation server, cloud providers can ensure that
|
features, such as the Intel Trusted Execution Technology (TXT), to provide
|
||||||
the compute node runs only software with verified measurements and can ensure a secure cloud
|
an additional level of security. Combined with an external stand-alone,
|
||||||
stack.</para>
|
web-based remote attestation server, cloud providers can ensure that the
|
||||||
<para>Using the trusted compute pools, cloud subscribers can request services to run on verified
|
compute node runs only software with verified measurements and can ensure
|
||||||
compute nodes.</para>
|
a secure cloud stack.</para>
|
||||||
<para>The remote attestation server performs node verification as
|
<para>Trusted compute pools provide the ability for cloud subscribers to
|
||||||
follows:</para>
|
request services run only on verified compute nodes.</para>
|
||||||
<orderedlist>
|
<para>The remote attestation server performs node verification like this:</para>
|
||||||
<listitem>
|
<orderedlist>
|
||||||
<para>Compute nodes boot with Intel TXT technology
|
<listitem>
|
||||||
enabled.</para>
|
<para>Compute nodes boot with Intel TXT technology enabled.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The compute node BIOS, hypervisor, and OS are
|
<para>The compute node BIOS, hypervisor, and operating system are
|
||||||
measured.</para>
|
measured.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Measured data is sent to the attestation server when challenged by the attestation
|
<para>When the attestation server challenges the compute node, the
|
||||||
server.</para>
|
measured data is sent to the attestation server.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The attestation server verifies those measurements against a good and known
|
<para>The attestation server verifies the measurements against a known
|
||||||
database to determine node trustworthiness.</para>
|
good database to determine node trustworthiness.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
<para>A description of how to set up an attestation service is
|
<para>A description of how to set up an attestation service is beyond the
|
||||||
beyond the scope of this document. For an open source project
|
scope of this document. For an open source project that you can use to
|
||||||
that you can use to implement an attestation service, see the
|
implement an attestation service, see the
|
||||||
<link
|
<link xlink:href="https://github.com/OpenAttestation/OpenAttestation">
|
||||||
xlink:href="https://github.com/OpenAttestation/OpenAttestation"
|
Open Attestation</link> project.</para>
|
||||||
>Open Attestation</link> project.</para>
|
<mediaobject>
|
||||||
<mediaobject>
|
<imageobject role="fo">
|
||||||
<imageobject role="fo">
|
<imagedata
|
||||||
<imagedata
|
fileref="../../common/figures/OpenStackTrustedComputePool1.png"
|
||||||
fileref="../../common/figures/OpenStackTrustedComputePool1.png"
|
format="PNG" contentwidth="6in"/>
|
||||||
format="PNG" contentwidth="6in"/>
|
</imageobject>
|
||||||
</imageobject>
|
<imageobject role="html">
|
||||||
<imageobject role="html">
|
<imagedata
|
||||||
<imagedata
|
fileref="../../common/figures/OpenStackTrustedComputePool1.png"
|
||||||
fileref="../../common/figures/OpenStackTrustedComputePool1.png"
|
format="PNG" contentwidth="6in"/>
|
||||||
format="PNG" contentwidth="6in"/>
|
</imageobject>
|
||||||
</imageobject>
|
</mediaobject>
|
||||||
</mediaobject>
|
|
||||||
<section xml:id="configure_trusted_compute_pools">
|
<procedure>
|
||||||
<title>Configure Compute to use trusted compute pools</title>
|
<title>Configuring Compute to use trusted compute pools</title>
|
||||||
<procedure>
|
<step>
|
||||||
<step>
|
<para>Enable scheduling support for trusted compute pools by adding
|
||||||
<para>Enable scheduling support for trusted compute pools by adding the following
|
these lines to the <literal>DEFAULT</literal> section of the
|
||||||
lines in the <literal>DEFAULT</literal> section in the
|
<filename>/etc/nova/nova.conf</filename> file:</para>
|
||||||
<filename>/etc/nova/nova.conf</filename> file:</para>
|
<programlisting language="ini">[DEFAULT]
|
||||||
<programlisting language="ini">[DEFAULT]
|
|
||||||
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
|
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
|
||||||
scheduler_available_filters=nova.scheduler.filters.all_filters
|
scheduler_available_filters=nova.scheduler.filters.all_filters
|
||||||
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter</programlisting>
|
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter</programlisting>
|
||||||
</step>
|
</step>
|
||||||
<step>
|
<step>
|
||||||
<para>Specify the connection information for your attestation service by adding the
|
<para>Specify the connection information for your attestation service by
|
||||||
following lines to the <literal>trusted_computing</literal> section in the
|
adding these lines to the <literal>trusted_computing</literal> section
|
||||||
<filename>/etc/nova/nova.conf</filename> file:</para>
|
of the <filename>/etc/nova/nova.conf</filename> file:</para>
|
||||||
<programlisting language="ini">[trusted_computing]
|
<programlisting language="ini">[trusted_computing]
|
||||||
attestation_server = 10.1.71.206
|
attestation_server = 10.1.71.206
|
||||||
attestation_port = 8443
|
attestation_port = 8443
|
||||||
# If using OAT v2.0 after, use this port:
|
# If using OAT v2.0 after, use this port:
|
||||||
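Review bot: replacing `<section xml:id="configure_trusted_compute_pools">` with a bare `<procedure>` drops an xml:id that other parts of the book may target with `<xref>` or `linkend`; check for references to that id before merging, or move the id onto the procedure. Also in this hunk, the new sentence `request services run only on verified compute nodes` reads as a fragment; the old wording `request services to run on verified compute nodes` (or `request that services run only on`) is grammatical. Since this is a style pass, the retained comment `# If using OAT v2.0 after, use this port:` could become `# If using OAT v2.0 or later, use this port:`.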
@ -78,88 +77,83 @@ attestation_api_url = /AttestationService/resources
|
|||||||
# If using OAT pre-v1.5, use this api_url:
|
# If using OAT pre-v1.5, use this api_url:
|
||||||
# attestation_api_url = /OpenAttestationWebServices/V1.0
|
# attestation_api_url = /OpenAttestationWebServices/V1.0
|
||||||
attestation_auth_blob = i-am-openstack</programlisting>
|
attestation_auth_blob = i-am-openstack</programlisting>
|
||||||
<para>Where:</para>
|
<para>In this example:</para>
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>server</term>
|
<term>server</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Host name or IP address of the host that runs the attestation
|
<para>Host name or IP address of the host that runs the attestation
|
||||||
service.</para>
|
service</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>port</term>
|
<term>port</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>HTTPS port for the attestation service.</para>
|
<para>HTTPS port for the attestation service</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>server_ca_file</term>
|
<term>server_ca_file</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Certificate file used to verify the
|
<para>Certificate file used to verify the attestation server's
|
||||||
attestation server's identity.</para>
|
identity</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>api_url</term>
|
<term>api_url</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The attestation service's URL path.</para>
|
<para>The attestation service's URL path</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>auth_blob</term>
|
<term>auth_blob</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>An authentication blob, which is
|
<para>An authentication blob, required by the attestation service.</para>
|
||||||
required by the attestation
|
</listitem>
|
||||||
service.</para>
|
</varlistentry>
|
||||||
</listitem>
|
</variablelist>
|
||||||
</varlistentry>
|
</step>
|
||||||
</variablelist>
|
<step>
|
||||||
</step>
|
<para>Save the file, and restart the
|
||||||
<step>
|
<systemitem class="service">nova-compute</systemitem> and
|
||||||
<para>Restart the <systemitem class="service"
|
<systemitem class="service">nova-scheduler</systemitem> services to
|
||||||
>nova-compute</systemitem> and <systemitem
|
pick up the changes.</para>
|
||||||
class="service">nova-scheduler</systemitem>
|
</step>
|
||||||
services.</para>
|
</procedure>
|
||||||
</step>
|
|
||||||
</procedure>
|
<para>To customize the trusted compute pools, use these configuration option
|
||||||
<section xml:id="config_ref">
|
settings:</para>
|
||||||
<title>Configuration reference</title>
|
|
||||||
<para>To customize the trusted compute pools, use the following configuration
|
<xi:include href="../../common/tables/nova-trustedcomputing.xml"/>
|
||||||
option settings:
|
|
||||||
</para>
|
<procedure>
|
||||||
<xi:include href="../../common/tables/nova-trustedcomputing.xml"/>
|
<title>Specifying trusted flavors</title>
|
||||||
</section>
|
<step>
|
||||||
</section>
|
<para>Flavors can be designated as trusted using the
|
||||||
<section xml:id="trusted_flavors">
|
<command>nova flavor-key set</command> command. In this example, the
|
||||||
<title>Specify trusted flavors</title>
|
<literal>m1.tiny</literal> flavor is being set as trusted:</para>
|
||||||
<para>To designate hosts as trusted:</para>
|
<screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen>
|
||||||
<procedure>
|
</step>
|
||||||
<step>
|
<step>
|
||||||
<para>Configure one or more flavors as trusted by using the <command>nova
|
<para>You can request that your instance is run on a trusted host by
|
||||||
flavor-key set</command> command. For example, to set the
|
specifying a trusted flavor when booting the instance:</para>
|
||||||
<literal>m1.tiny</literal> flavor as trusted:</para>
|
<screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen>
|
||||||
<screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen>
|
</step>
|
||||||
</step>
|
</procedure>
|
||||||
<step><para>Request that your instance be run on a trusted host, by specifying a trusted flavor when
|
|
||||||
booting the instance. For example:</para>
|
<figure xml:id="concept_trusted_pool">
|
||||||
<screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen>
|
<title>Trusted compute pool</title>
|
||||||
<figure xml:id="concept_trusted_pool">
|
<mediaobject>
|
||||||
<title>Trusted compute pool</title>
|
<imageobject role="fo">
|
||||||
<mediaobject>
|
<imagedata
|
||||||
<imageobject role="fo">
|
fileref="../../common/figures/OpenStackTrustedComputePool2.png"
|
||||||
<imagedata
|
format="PNG" contentwidth="6in"/>
|
||||||
fileref="../../common/figures/OpenStackTrustedComputePool2.png"
|
</imageobject>
|
||||||
format="PNG" contentwidth="6in"/>
|
<imageobject role="html">
|
||||||
</imageobject>
|
<imagedata
|
||||||
<imageobject role="html">
|
fileref="../../common/figures/OpenStackTrustedComputePool2.png"
|
||||||
<imagedata
|
format="PNG" contentwidth="6in"/>
|
||||||
fileref="../../common/figures/OpenStackTrustedComputePool2.png"
|
</imageobject>
|
||||||
format="PNG" contentwidth="6in"/>
|
</mediaobject>
|
||||||
</imageobject>
|
</figure>
|
||||||
</mediaobject>
|
</section>
|
||||||
</figure>
|
|
||||||
</step>
|
|
||||||
</procedure>
|
|
||||||
</section>
|
|
||||||
</section>
|
|
||||||
|
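Review bot: the `server_ca_file` entry in the variablelist documents the certificate used to verify the attestation server's identity, but the sample `[trusted_computing]` block sets only `attestation_server`, `attestation_port`, `attestation_api_url` and `attestation_auth_blob`; add an `attestation_server_ca_file` line to the example, otherwise readers who copy it get a trust decision that rides on an HTTPS endpoint whose certificate is never checked. On the same hunk, the new descriptions drop the trailing period for `server`, `port`, `server_ca_file` and `api_url` but keep it on `auth_blob` (`An authentication blob, required by the attestation service.`); make the five entries consistent either way. The hunk also removes the `config_ref` and `trusted_flavors` section ids, so as with the earlier hunk, any `linkend` pointing at them will now fail validation.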