openstack-manuals/doc/common/section_trusted-compute-pools.xml
Andreas Jaeger bbab391aeb Fix usage of $/# prompts
Use # prompt for root and $ for user actions.

Change-Id: Ia241921d4f3d072cf4d7459557a5d78d31d7049c
2014-03-14 08:30:08 +01:00

171 lines
7.5 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="trusted-compute-pools">
<title>Trusted compute pools</title>
<para>Trusted compute pools enable administrators to designate a
group of compute hosts as trusted. These hosts use hardware-based
security features, such as the Intel Trusted Execution
Technology (TXT), to provide an additional level of security.
Combined with an external stand-alone web-based remote
attestation server, cloud providers can ensure that the
compute node runs only software with verified measurements and
can ensure a secure cloud stack.</para>
<para>Through the trusted compute pools, cloud subscribers can
request services to run on verified compute nodes.</para>
<para>The remote attestation server performs node verification as
follows:</para>
<orderedlist>
<listitem>
<para>Compute nodes boot with Intel TXT technology
enabled.</para>
</listitem>
<listitem>
<para>The compute node BIOS, hypervisor, and OS are
measured.</para>
</listitem>
<listitem>
<para>Measured data is sent to the attestation server when
challenged by attestation server.</para>
</listitem>
<listitem>
<para>The attestation server verifies those measurements
against a good and known database to determine nodes'
trustworthiness.</para>
</listitem>
</orderedlist>
<para>A description of how to set up an attestation service is
beyond the scope of this document. For an open source project
that you can use to implement an attestation service, see the
<link
xlink:href="https://github.com/OpenAttestation/OpenAttestation"
>Open Attestation</link> project.</para>
<mediaobject>
<imageobject role="fo">
<imagedata
fileref="figures/OpenStackTrustedComputePool1.png"
format="PNG" contentwidth="6in"/>
</imageobject>
<imageobject role="html">
<imagedata
fileref="figures/OpenStackTrustedComputePool1.png"
format="PNG" contentwidth="6in"/>
</imageobject>
</mediaobject>
<section xml:id="configure_trusted_compute_pools">
<title>Configure Compute to use trusted compute pools</title>
<procedure>
<step>
<para>Configure the Compute service with the
connection information for the attestation
service.</para>
<para>Specify these connection options in the
<literal>trusted_computing</literal> section
in the <filename>nova.conf</filename>
configuration file:</para>
<variablelist>
<varlistentry>
<term>server</term>
<listitem>
<para>Host name or IP address of the host
that runs the attestation
service</para>
</listitem>
</varlistentry>
<varlistentry>
<term>port</term>
<listitem>
<para>HTTPS port for the attestation
service</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server_ca_file</term>
<listitem>
<para>Certificate file used to verify the
attestation server's identity.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>api_url</term>
<listitem>
<para>The attestation service URL
path.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>auth_blob</term>
<listitem>
<para>An authentication blob, which is
required by the attestation
service.</para>
</listitem>
</varlistentry>
</variablelist>
</step>
<step>
<para>To enable scheduling support for trusted compute
pools, add the following lines to the
<literal>DEFAULT</literal> and
<literal>trusted_computing</literal> sections
in the <filename>/etc/nova/nova.conf</filename>
file. Edit the details in the
<literal>trusted_computing</literal> section
based on the details of your attestation
service:</para>
<programlisting language="ini">[DEFAULT]
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
scheduler_available_filters=nova.scheduler.filters.all_filters
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter
[trusted_computing]
server=10.1.71.206
port=8443
server_ca_file=/etc/nova/ssl.10.1.71.206.crt
# If using OAT v1.5, use this api_url:
api_url=/AttestationService/resources
# If using OAT pre-v1.5, use this api_url:
#api_url=/OpenAttestationWebServices/V1.0
auth_blob=i-am-openstack</programlisting>
</step>
<step>
<para>Restart the <systemitem class="service"
>nova-compute</systemitem> and <systemitem
class="service">nova-scheduler</systemitem>
services.</para>
</step>
</procedure>
<section xml:id="config_ref">
<title>Configuration reference</title>
<xi:include href="tables/nova-trustedcomputing.xml"/>
</section>
</section>
<section xml:id="trusted_flavors">
<title>Specify trusted flavors</title>
<para>You must configure one or more flavors as
trusted. Users can request
trusted nodes by specifying a trusted flavor when they
boot an instance.</para>
<para>Use the <command>nova flavor-key set</command> command
to set a flavor as trusted. For example, to set the
<literal>m1.tiny</literal> flavor as trusted:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-key m1.tiny set trust:trusted_host trusted</userinput></screen>
<para>To request that their instances run on a trusted host,
users can specify a trusted flavor on the <command>nova
boot</command> command:</para>
<mediaobject>
<imageobject role="fo">
<imagedata
fileref="figures/OpenStackTrustedComputePool2.png"
format="PNG" contentwidth="6in"/>
</imageobject>
<imageobject role="html">
<imagedata
fileref="figures/OpenStackTrustedComputePool2.png"
format="PNG" contentwidth="6in"/>
</imageobject>
</mediaobject>
</section>
</section>