Merge "General updates to Compute for style and convention"

This commit is contained in:
Jenkins 2015-02-18 10:45:34 +00:00 committed by Gerrit Code Review
commit 45648e26ca
3 changed files with 625 additions and 644 deletions

View File

@ -4,45 +4,35 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="default_ports"> xml:id="default_ports">
<title>Compute service node firewall requirements</title>
<para>Console connections for virtual machines, whether direct or through a proxy, are received <title>Compute service node firewall requirements</title>
on ports <literal>5900</literal> to <literal>5999</literal>. You must configure the firewall <para>Console connections for virtual machines, whether direct or through a
on each Compute service node to enable network traffic on these ports.</para> proxy, are received on ports <literal>5900</literal> to
<procedure> <literal>5999</literal>. The firewall on each Compute service node must
<title>Configure the service-node firewall</title> allow network traffic on these ports.</para>
<step><para>On the server that hosts the Compute service, log in as <systemitem>root</systemitem>.</para></step> <para>This procedure modifies the <systemitem>iptables</systemitem> firewall
<step> to allow incoming connections to the Compute services.</para>
<para> <procedure>
Edit the <filename>/etc/sysconfig/iptables</filename> <title>Configuring the service-node firewall</title>
file. <step>
</para> <para>Log in to the server that hosts the Compute service, as
</step> <systemitem>root</systemitem>.</para>
<step> </step>
<para> <step>
Add an INPUT rule that allows TCP traffic on ports <para>Edit the <filename>/etc/sysconfig/iptables</filename> file, to add an
that range from <literal>5900</literal> to INPUT rule that allows TCP traffic on ports from
<literal>5999</literal>: <literal>5900</literal> to <literal>5999</literal>. Make sure the new
</para> rule appears before any INPUT rules that REJECT traffic:</para>
<programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting> <programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
<para> </step>
The new rule must appear before any INPUT rules that <step>
REJECT traffic. <para>Save the changes to <filename>/etc/sysconfig/iptables</filename>,
</para> and restart the <systemitem>iptables</systemitem> service to pick up
</step> the changes:</para>
<step>
<para>
Save the changes to the
<filename>/etc/sysconfig/iptables</filename> file.
</para>
</step>
<step>
<para>
Restart the <systemitem>iptables</systemitem> service
to ensure that the change takes effect.
</para>
<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen> <screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
</step> </step>
</procedure> <step>
<para>The <systemitem>iptables</systemitem> firewall now enables incoming connections to the <para>Repeat this process for each Compute service node.</para>
Compute services. Repeat this process for each Compute service node.</para> </step>
</section> </procedure>
</section>
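Review bot: the restart step at the end of this procedure shows the command with a `$` prompt even though the first step has the reader log in as root; by the docs' prompt convention it should read `<prompt>#</prompt> <userinput>service iptables restart</userinput>`. Also, the rule `-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT` accepts the whole console port range from any source; since the intro says console connections may arrive through a proxy, the step could point out that deployments using a proxy can narrow the rule with `-s` to the proxy host's address rather than exposing 5900-5999 to every network.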

View File

@ -4,70 +4,69 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="trusted-compute-pools"> xml:id="trusted-compute-pools">
<title>Trusted compute pools</title>
<para>Trusted compute pools enable administrators to designate a group of compute hosts as <title>Trusted compute pools</title>
trusted. These hosts use hardware-based security features, such as the Intel Trusted <para>Administrators can designate a group of compute hosts as trusted using
Execution Technology (TXT), to provide an additional level of security. Combined with an trusted compute pools. The trusted hosts use hardware-based security
external stand-alone, web-based remote attestation server, cloud providers can ensure that features, such as the Intel Trusted Execution Technology (TXT), to provide
the compute node runs only software with verified measurements and can ensure a secure cloud an additional level of security. Combined with an external stand-alone,
stack.</para> web-based remote attestation server, cloud providers can ensure that the
<para>Using the trusted compute pools, cloud subscribers can request services to run on verified compute node runs only software with verified measurements and can ensure
compute nodes.</para> a secure cloud stack.</para>
<para>The remote attestation server performs node verification as <para>Trusted compute pools provide the ability for cloud subscribers to
follows:</para> request services run only on verified compute nodes.</para>
<orderedlist> <para>The remote attestation server performs node verification like this:</para>
<listitem> <orderedlist>
<para>Compute nodes boot with Intel TXT technology <listitem>
enabled.</para> <para>Compute nodes boot with Intel TXT technology enabled.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The compute node BIOS, hypervisor, and OS are <para>The compute node BIOS, hypervisor, and operating system are
measured.</para> measured.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Measured data is sent to the attestation server when challenged by the attestation <para>When the attestation server challenges the compute node, the
server.</para> measured data is sent to the attestation server.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The attestation server verifies those measurements against a good and known <para>The attestation server verifies the measurements against a known
database to determine node trustworthiness.</para> good database to determine node trustworthiness.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>A description of how to set up an attestation service is <para>A description of how to set up an attestation service is beyond the
beyond the scope of this document. For an open source project scope of this document. For an open source project that you can use to
that you can use to implement an attestation service, see the implement an attestation service, see the
<link <link xlink:href="https://github.com/OpenAttestation/OpenAttestation">
xlink:href="https://github.com/OpenAttestation/OpenAttestation" Open Attestation</link> project.</para>
>Open Attestation</link> project.</para> <mediaobject>
<mediaobject> <imageobject role="fo">
<imageobject role="fo"> <imagedata
<imagedata fileref="../../common/figures/OpenStackTrustedComputePool1.png"
fileref="../../common/figures/OpenStackTrustedComputePool1.png" format="PNG" contentwidth="6in"/>
format="PNG" contentwidth="6in"/> </imageobject>
</imageobject> <imageobject role="html">
<imageobject role="html"> <imagedata
<imagedata fileref="../../common/figures/OpenStackTrustedComputePool1.png"
fileref="../../common/figures/OpenStackTrustedComputePool1.png" format="PNG" contentwidth="6in"/>
format="PNG" contentwidth="6in"/> </imageobject>
</imageobject> </mediaobject>
</mediaobject>
<section xml:id="configure_trusted_compute_pools"> <procedure>
<title>Configure Compute to use trusted compute pools</title> <title>Configuring Compute to use trusted compute pools</title>
<procedure> <step>
<step> <para>Enable scheduling support for trusted compute pools by adding
<para>Enable scheduling support for trusted compute pools by adding the following these lines to the <literal>DEFAULT</literal> section of the
lines in the <literal>DEFAULT</literal> section in the <filename>/etc/nova/nova.conf</filename> file:</para>
<filename>/etc/nova/nova.conf</filename> file:</para> <programlisting language="ini">[DEFAULT]
<programlisting language="ini">[DEFAULT]
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
scheduler_available_filters=nova.scheduler.filters.all_filters scheduler_available_filters=nova.scheduler.filters.all_filters
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter</programlisting> scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter</programlisting>
</step> </step>
<step> <step>
<para>Specify the connection information for your attestation service by adding the <para>Specify the connection information for your attestation service by
following lines to the <literal>trusted_computing</literal> section in the adding these lines to the <literal>trusted_computing</literal> section
<filename>/etc/nova/nova.conf</filename> file:</para> of the <filename>/etc/nova/nova.conf</filename> file:</para>
<programlisting language="ini">[trusted_computing] <programlisting language="ini">[trusted_computing]
attestation_server = 10.1.71.206 attestation_server = 10.1.71.206
attestation_port = 8443 attestation_port = 8443
# If using OAT v2.0 after, use this port: # If using OAT v2.0 after, use this port:
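Review bot: replacing `<section xml:id="configure_trusted_compute_pools">` with a bare `<procedure>` drops an xml:id; if an xref or link anywhere else in the book targets that id the build breaks, so either carry an xml:id over to the new procedure or confirm no references remain before merging. Separately, the unchanged comment `# If using OAT v2.0 after, use this port:` is ungrammatical and ambiguous; `# If using OAT v2.0 or later, use this port:` says what is presumably meant.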
@ -78,88 +77,83 @@ attestation_api_url = /AttestationService/resources
# If using OAT pre-v1.5, use this api_url: # If using OAT pre-v1.5, use this api_url:
# attestation_api_url = /OpenAttestationWebServices/V1.0 # attestation_api_url = /OpenAttestationWebServices/V1.0
attestation_auth_blob = i-am-openstack</programlisting> attestation_auth_blob = i-am-openstack</programlisting>
<para>Where:</para> <para>In this example:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>server</term> <term>server</term>
<listitem> <listitem>
<para>Host name or IP address of the host that runs the attestation <para>Host name or IP address of the host that runs the attestation
service.</para> service</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>port</term> <term>port</term>
<listitem> <listitem>
<para>HTTPS port for the attestation service.</para> <para>HTTPS port for the attestation service</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>server_ca_file</term> <term>server_ca_file</term>
<listitem> <listitem>
<para>Certificate file used to verify the <para>Certificate file used to verify the attestation server's
attestation server's identity.</para> identity</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>api_url</term> <term>api_url</term>
<listitem> <listitem>
<para>The attestation service's URL path.</para> <para>The attestation service's URL path</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>auth_blob</term> <term>auth_blob</term>
<listitem> <listitem>
<para>An authentication blob, which is <para>An authentication blob, required by the attestation service.</para>
required by the attestation </listitem>
service.</para> </varlistentry>
</listitem> </variablelist>
</varlistentry> </step>
</variablelist> <step>
</step> <para>Save the file, and restart the
<step> <systemitem class="service">nova-compute</systemitem> and
<para>Restart the <systemitem class="service" <systemitem class="service">nova-scheduler</systemitem> services to
>nova-compute</systemitem> and <systemitem pick up the changes.</para>
class="service">nova-scheduler</systemitem> </step>
services.</para> </procedure>
</step>
</procedure> <para>To customize the trusted compute pools, use these configuration option
<section xml:id="config_ref"> settings:</para>
<title>Configuration reference</title>
<para>To customize the trusted compute pools, use the following configuration <xi:include href="../../common/tables/nova-trustedcomputing.xml"/>
option settings:
</para> <procedure>
<xi:include href="../../common/tables/nova-trustedcomputing.xml"/> <title>Specifying trusted flavors</title>
</section> <step>
</section> <para>Flavors can be designated as trusted using the
<section xml:id="trusted_flavors"> <command>nova flavor-key set</command> command. In this example, the
<title>Specify trusted flavors</title> <literal>m1.tiny</literal> flavor is being set as trusted:</para>
<para>To designate hosts as trusted:</para> <screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen>
<procedure> </step>
<step> <step>
<para>Configure one or more flavors as trusted by using the <command>nova <para>You can request that your instance is run on a trusted host by
flavor-key set</command> command. For example, to set the specifying a trusted flavor when booting the instance:</para>
<literal>m1.tiny</literal> flavor as trusted:</para> <screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen> </step>
</step> </procedure>
<step><para>Request that your instance be run on a trusted host, by specifying a trusted flavor when
booting the instance. For example:</para> <figure xml:id="concept_trusted_pool">
<screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen> <title>Trusted compute pool</title>
<figure xml:id="concept_trusted_pool"> <mediaobject>
<title>Trusted compute pool</title> <imageobject role="fo">
<mediaobject> <imagedata
<imageobject role="fo"> fileref="../../common/figures/OpenStackTrustedComputePool2.png"
<imagedata format="PNG" contentwidth="6in"/>
fileref="../../common/figures/OpenStackTrustedComputePool2.png" </imageobject>
format="PNG" contentwidth="6in"/> <imageobject role="html">
</imageobject> <imagedata
<imageobject role="html"> fileref="../../common/figures/OpenStackTrustedComputePool2.png"
<imagedata format="PNG" contentwidth="6in"/>
fileref="../../common/figures/OpenStackTrustedComputePool2.png" </imageobject>
format="PNG" contentwidth="6in"/> </mediaobject>
</imageobject> </figure>
</mediaobject> </section>
</figure>
</step>
</procedure>
</section>
</section>
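Review bot: the variablelist terms `server`, `port`, `server_ca_file`, `api_url` and `auth_blob` do not match the option names the reader sees in the listing (`attestation_server`, `attestation_port`, `attestation_api_url`, `attestation_auth_blob`); since this change already touches every entry, rename the terms to the full option names so they are searchable and unambiguous. The `config_ref` and `trusted_flavors` section ids are also removed in this hunk and need the same check for remaining xref or link targets before they go. Finally, the sample `attestation_auth_blob = i-am-openstack` is the shared secret that authenticates Compute to the attestation service; the `auth_blob` entry should say that operators must use a site-specific value and keep `/etc/nova/nova.conf` unreadable by other local users, otherwise the trust decision can be influenced by anyone who can read the file.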