General updates to Compute for style and convention

Editing the nested sections for the compute chapter. Mostly grammar, wording, style, convention, etc. This patch includes the final nested sections: system-admin, config-firewalls, and compute-pools. Change-Id: I6469364c37c23b57d66b0ddff754ddcb8e92bc28 Closes-Bug: #1251195
2015-02-16 13:48:07 +10:00 · 2015-02-16 13:48:07 +10:00 · 596c8a8fbe
commit 596c8a8fbe
parent 604fb3565b
3 changed files with 625 additions and 644 deletions
--- a/doc/admin-guide-cloud/compute/section_compute-system-admin.xml
+++ b/doc/admin-guide-cloud/compute/section_compute-system-admin.xml
--- a/doc/admin-guide-cloud/compute/section_compute_config-firewalls.xml
+++ b/doc/admin-guide-cloud/compute/section_compute_config-firewalls.xml
@ -4,45 +4,35 @@
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="default_ports">
-    <title>Compute service node firewall requirements</title>
+
-    <para>Console connections for virtual machines, whether direct or through a proxy, are received
+  <title>Compute service node firewall requirements</title>
-        on ports <literal>5900</literal> to <literal>5999</literal>. You must configure the firewall
+  <para>Console connections for virtual machines, whether direct or through a
-        on each Compute service node to enable network traffic on these ports.</para>
+    proxy, are received on ports <literal>5900</literal> to
-    <procedure>
+    <literal>5999</literal>. The firewall on each Compute service node must
-        <title>Configure the service-node firewall</title>
+    allow network traffic on these ports.</para>
-        <step><para>On the server that hosts the Compute service, log in as <systemitem>root</systemitem>.</para></step>
+  <para>This procedure modifies the <systemitem>iptables</systemitem> firewall
-        <step>
+    to allow incoming connections to the Compute services.</para>
-            <para>
+  <procedure>
-                Edit the <filename>/etc/sysconfig/iptables</filename>
+    <title>Configuring the service-node firewall</title>
-                file.
+    <step>
-            </para>
+      <para>Log in to the server that hosts the Compute service, as
-        </step>
+        <systemitem>root</systemitem>.</para>
-        <step>
+    </step>
-            <para>
+    <step>
-                Add an INPUT rule that allows TCP traffic on ports
+      <para>Edit the <filename>/etc/sysconfig/iptables</filename> file, to add an
-                that range from <literal>5900</literal> to
+        INPUT rule that allows TCP traffic on ports from
-                <literal>5999</literal>:
+        <literal>5900</literal> to <literal>5999</literal>. Make sure the new
-            </para>
+        rule appears before any INPUT rules that REJECT traffic:</para>
-            <programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
+<programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
-            <para>
+    </step>
-                The new rule must appear before any INPUT rules that
+    <step>
-                REJECT traffic.
+      <para>Save the changes to <filename>/etc/sysconfig/iptables</filename>,
-            </para>
+        and restart the <systemitem>iptables</systemitem> service to pick up
-        </step>
+        the changes:</para>
        <step>
            <para>
                Save the changes to the
                <filename>/etc/sysconfig/iptables</filename> file.
            </para>
        </step>
        <step>
            <para>
                Restart the <systemitem>iptables</systemitem> service
                to ensure that the change takes effect.
            </para>
 <screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
-        </step>
+    </step>
-    </procedure>
+    <step>
-    <para>The <systemitem>iptables</systemitem> firewall now enables incoming connections to the
+      <para>Repeat this process for each Compute service node.</para>
-        Compute services. Repeat this process for each Compute service node.</para>
+    </step>
-    </section>
+  </procedure>
 </section>
--- a/doc/admin-guide-cloud/compute/section_trusted-compute-pools.xml
+++ b/doc/admin-guide-cloud/compute/section_trusted-compute-pools.xml
@ -4,70 +4,69 @@
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="trusted-compute-pools">
-    <title>Trusted compute pools</title>
+
-    <para>Trusted compute pools enable administrators to designate a group of compute hosts as
+  <title>Trusted compute pools</title>
-        trusted. These hosts use hardware-based security features, such as the Intel Trusted
+  <para>Administrators can designate a group of compute hosts as trusted using
-        Execution Technology (TXT), to provide an additional level of security. Combined with an
+    trusted compute pools. The trusted hosts use hardware-based security
-        external stand-alone, web-based remote attestation server, cloud providers can ensure that
+    features, such as the Intel Trusted Execution Technology (TXT), to provide
-        the compute node runs only software with verified measurements and can ensure a secure cloud
+    an additional level of security. Combined with an external stand-alone,
-        stack.</para>
+    web-based remote attestation server, cloud providers can ensure that the
-    <para>Using the trusted compute pools, cloud subscribers can request services to run on verified
+    compute node runs only software with verified measurements and can ensure
-        compute nodes.</para>
+    a secure cloud stack.</para>
-    <para>The remote attestation server performs node verification as
+  <para>Trusted compute pools provide the ability for cloud subscribers to
-        follows:</para>
+    request services run only on verified compute nodes.</para>
-    <orderedlist>
+  <para>The remote attestation server performs node verification like this:</para>
-        <listitem>
+  <orderedlist>
-            <para>Compute nodes boot with Intel TXT technology
+    <listitem>
-                enabled.</para>
+      <para>Compute nodes boot with Intel TXT technology enabled.</para>
-        </listitem>
+    </listitem>
-        <listitem>
+    <listitem>
-            <para>The compute node BIOS, hypervisor, and OS are
+      <para>The compute node BIOS, hypervisor, and operating system are
-                measured.</para>
+        measured.</para>
-        </listitem>
+    </listitem>
-        <listitem>
+    <listitem>
-            <para>Measured data is sent to the attestation server when challenged by the attestation
+      <para>When the attestation server challenges the compute node, the
-                server.</para>
+        measured data is sent to the attestation server.</para>
-        </listitem>
+    </listitem>
-        <listitem>
+    <listitem>
-            <para>The attestation server verifies those measurements against a good and known
+      <para>The attestation server verifies the measurements against a known
-                database to determine node trustworthiness.</para>
+        good database to determine node trustworthiness.</para>
-        </listitem>
+    </listitem>
-    </orderedlist>
+  </orderedlist>
-    <para>A description of how to set up an attestation service is
+  <para>A description of how to set up an attestation service is beyond the
-        beyond the scope of this document. For an open source project
+    scope of this document. For an open source project that you can use to
-        that you can use to implement an attestation service, see the
+    implement an attestation service, see the
-            <link
+    <link xlink:href="https://github.com/OpenAttestation/OpenAttestation">
-            xlink:href="https://github.com/OpenAttestation/OpenAttestation"
+    Open Attestation</link> project.</para>
-            >Open Attestation</link> project.</para>
+  <mediaobject>
-    <mediaobject>
+    <imageobject role="fo">
-        <imageobject role="fo">
+      <imagedata
-            <imagedata
+        fileref="../../common/figures/OpenStackTrustedComputePool1.png"
-                fileref="../../common/figures/OpenStackTrustedComputePool1.png"
+        format="PNG" contentwidth="6in"/>
-                format="PNG" contentwidth="6in"/>
+    </imageobject>
-        </imageobject>
+    <imageobject role="html">
-        <imageobject role="html">
+      <imagedata
-            <imagedata
+        fileref="../../common/figures/OpenStackTrustedComputePool1.png"
-                fileref="../../common/figures/OpenStackTrustedComputePool1.png"
+        format="PNG" contentwidth="6in"/>
-                format="PNG" contentwidth="6in"/>
+    </imageobject>
-        </imageobject>
+  </mediaobject>
-    </mediaobject>
+
-    <section xml:id="configure_trusted_compute_pools">
+  <procedure>
-        <title>Configure Compute to use trusted compute pools</title>
+    <title>Configuring Compute to use trusted compute pools</title>
-        <procedure>
+    <step>
-            <step>
+      <para>Enable scheduling support for trusted compute pools by adding
-                <para>Enable scheduling support for trusted compute pools by adding the following
+        these lines to the <literal>DEFAULT</literal> section of the
-                    lines in the <literal>DEFAULT</literal> section in the
+        <filename>/etc/nova/nova.conf</filename> file:</para>
-                        <filename>/etc/nova/nova.conf</filename> file:</para>
+<programlisting language="ini">[DEFAULT]
                <programlisting language="ini">[DEFAULT]
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 scheduler_available_filters=nova.scheduler.filters.all_filters
 scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter</programlisting>
-            </step>
+    </step>
-            <step>
+    <step>
-                <para>Specify the connection information for your attestation service by adding the
+      <para>Specify the connection information for your attestation service by
-                    following lines to the <literal>trusted_computing</literal> section in the
+        adding these lines to the <literal>trusted_computing</literal> section
-                        <filename>/etc/nova/nova.conf</filename> file:</para>
+        of the <filename>/etc/nova/nova.conf</filename> file:</para>
-                <programlisting language="ini">[trusted_computing]
+<programlisting language="ini">[trusted_computing]
 attestation_server = 10.1.71.206
 attestation_port = 8443
 # If using OAT v2.0 after, use this port:
@ -78,88 +77,83 @@ attestation_api_url = /AttestationService/resources
 # If using OAT pre-v1.5, use this api_url:
 # attestation_api_url = /OpenAttestationWebServices/V1.0
 attestation_auth_blob = i-am-openstack</programlisting>
-            <para>Where:</para>
+      <para>In this example:</para>
-                <variablelist>
+      <variablelist>
-                    <varlistentry>
+        <varlistentry>
-                        <term>server</term>
+          <term>server</term>
-                        <listitem>
+          <listitem>
-                            <para>Host name or IP address of the host that runs the attestation
+            <para>Host name or IP address of the host that runs the attestation
-                                service.</para>
+              service</para>
-                        </listitem>
+          </listitem>
-                    </varlistentry>
+        </varlistentry>
-                    <varlistentry>
+        <varlistentry>
-                        <term>port</term>
+          <term>port</term>
-                        <listitem>
+          <listitem>
-                            <para>HTTPS port for the attestation service.</para>
+            <para>HTTPS port for the attestation service</para>
-                        </listitem>
+          </listitem>
-                    </varlistentry>
+        </varlistentry>
-                    <varlistentry>
+        <varlistentry>
-                        <term>server_ca_file</term>
+          <term>server_ca_file</term>
-                        <listitem>
+          <listitem>
-                            <para>Certificate file used to verify the
+            <para>Certificate file used to verify the attestation server's
-                                attestation server's identity.</para>
+              identity</para>
-                        </listitem>
+          </listitem>
-                    </varlistentry>
+        </varlistentry>
-                    <varlistentry>
+        <varlistentry>
-                        <term>api_url</term>
+          <term>api_url</term>
-                        <listitem>
+          <listitem>
-                            <para>The attestation service's URL path.</para>
+            <para>The attestation service's URL path</para>
-                        </listitem>
+          </listitem>
-                    </varlistentry>
+        </varlistentry>
-                    <varlistentry>
+        <varlistentry>
-                        <term>auth_blob</term>
+          <term>auth_blob</term>
-                        <listitem>
+          <listitem>
-                            <para>An authentication blob, which is
+            <para>An authentication blob, required by the attestation service.</para>
-                                required by the attestation
+          </listitem>
-                                service.</para>
+        </varlistentry>
-                        </listitem>
+      </variablelist>
-                    </varlistentry>
+    </step>
-                </variablelist>
+    <step>
-            </step>
+      <para>Save the file, and restart the
-            <step>
+        <systemitem class="service">nova-compute</systemitem> and
-                <para>Restart the <systemitem class="service"
+        <systemitem class="service">nova-scheduler</systemitem> services to
-                        >nova-compute</systemitem> and <systemitem
+        pick up the changes.</para>
-                        class="service">nova-scheduler</systemitem>
+    </step>
-                    services.</para>
+  </procedure>
-            </step>
+
-        </procedure>
+  <para>To customize the trusted compute pools, use these configuration option
-        <section xml:id="config_ref">
+    settings:</para>
-            <title>Configuration reference</title>
+
-            <para>To customize the trusted compute pools, use the following configuration
+  <xi:include href="../../common/tables/nova-trustedcomputing.xml"/>
-                option settings:
+
-            </para>
+  <procedure>
-            <xi:include href="../../common/tables/nova-trustedcomputing.xml"/>
+    <title>Specifying trusted flavors</title>
-        </section>
+    <step>
-    </section>
+      <para>Flavors can be designated as trusted using the
-    <section xml:id="trusted_flavors">
+        <command>nova flavor-key set</command> command. In this example, the
-        <title>Specify trusted flavors</title>
+        <literal>m1.tiny</literal> flavor is being set as trusted:</para>
-        <para>To designate hosts as trusted:</para>
+<screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen>
-        <procedure>
+    </step>
-                <step>
+    <step>
-                    <para>Configure one or more flavors as trusted by using the <command>nova
+      <para>You can request that your instance is run on a trusted host by
-                        flavor-key set</command> command. For example, to set the
+        specifying a trusted flavor when booting the instance:</para>
-                        <literal>m1.tiny</literal> flavor as trusted:</para>
+<screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen>
-                    <screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host=trusted</userinput></screen>
+    </step>
-                </step>
+  </procedure>
-            <step><para>Request that your instance be run on a trusted host, by specifying a trusted flavor when
+
-                    booting the instance. For example:</para>
+    <figure xml:id="concept_trusted_pool">
-                <screen><prompt>$</prompt> <userinput>nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName</userinput></screen>
+      <title>Trusted compute pool</title>
-                <figure xml:id="concept_trusted_pool">
+      <mediaobject>
-                    <title>Trusted compute pool</title>
+        <imageobject role="fo">
-                    <mediaobject>
+          <imagedata
-                        <imageobject role="fo">
+            fileref="../../common/figures/OpenStackTrustedComputePool2.png"
-                            <imagedata
+            format="PNG" contentwidth="6in"/>
-                                fileref="../../common/figures/OpenStackTrustedComputePool2.png"
+        </imageobject>
-                                format="PNG" contentwidth="6in"/>
+        <imageobject role="html">
-                        </imageobject>
+          <imagedata
-                        <imageobject role="html">
+            fileref="../../common/figures/OpenStackTrustedComputePool2.png"
-                            <imagedata
+            format="PNG" contentwidth="6in"/>
-                                fileref="../../common/figures/OpenStackTrustedComputePool2.png"
+        </imageobject>
-                                format="PNG" contentwidth="6in"/>
+      </mediaobject>
-                        </imageobject>
+    </figure>
-                    </mediaobject>
+  </section>
                </figure>
            </step>
            </procedure>
    </section>
 </section>