cci-moc / esi Goto Github PK

Ironic doesn't allow duplicate node names; may as well make it easier on ourselves and follow them.

DoD:

• The required code should be merged upstream.

Keylime has some gaps that may restrict behavior. These gaps should be documented, and perhaps lead to planning of a future milestone.

• Ironic cannot trigger attestation if the user brings their own keylime server. This - along with workarounds - should be documented
• ??

┆Issue is synchronized with this Asana task by Unito

Users should be able to filter leases by resource ID

┆Issue is synchronized with this Asana task by Unito

Although our code has unit tests, some functional tests would be good as well. Defining these tests is the first step.

From testing, there are some OpenStack bugs that prevent multipath support.

┆Issue is synchronized with this Asana task by Unito

When a user tries to do something they don't have permission for, they get a "disallowed by policy" error; this could be made more clear.

Multiple resource types are convenient to allow us to test ESI-Leap without Ironic nodes; however defaulting to ironic is good for end users.

DoD:

• Tasks are broken down and create in the GitHub project space.

CloudLab apparently needs no lessee capabilities beyond the ability to control node networking; is this correct?

Owner changes are dangerous; allow for future permissions are hard, and there are all sorts of complex use cases that may result in unexpected behavior.

This requirement may be fulfilled by an alternative workflow, such as:

• Owner A offers up their node to Owner B's project tree
• We allow for subleases

If we have a lot of leases/offers, are queries still fast and responsive?

┆Issue is synchronized with this Asana task by Unito

This brings esi-leap in line with Ironic, and also makes it easier to customize policy-based behavior.

Once we have a testing plan, we can create scripts that use the CLI in order to execute these tests. These scripts should be repeatable, and make it clear where an error has occurred.

┆Issue is synchronized with this Asana task by Unito

Hopefully this is simply a subset of an offer or lease list report, as we would like to remove the owner change requirement. Documentation may be required.

This video should highlight:

• our production instance
• leasing capabilities

An accompanying slide deck would be useful for interested people.

These should be linked to from our readthedocs site.

┆Issue is synchronized with this Asana task by Unito

Fix code in Ironic for Security Interface validation and scheduling

┆Issue is synchronized with this Asana task by Unito

Systems tests noted here:

https://docs.google.com/document/d/1pdAn_RnATBryebs9sk_6PvKHDp6Bd4NYnMlIPdYXGOA/edit

┆Issue is synchronized with this Asana task by Unito

openstack esi lease create --start-time 2021-07-01 --end-time 2021-07-14

• It will be easy to replace UUID with the name.

Generate another workaround: passing the keylime info as environment variables during image building.

Admins can already do this through Ironic; however, if we want reports to be generated based on changes in a node's ownership, then we'll want to record those changes in ESI-Leap

This is a little open ended as this is just something keylime recommends but does not provide any advised way of doing. Ironic will need to settle on a hash function and document it so user's know how they should generate their checksums

┆Issue is synchronized with this Asana task by Unito

Verify that changes made and features added have added documentation. This should cover:

• git repos
• https://esi.readthedocs.io/en/latest/index.html
• ??

┆Issue is synchronized with this Asana task by Unito

If someone wants to attach a data volume to a server in an ESI environment...how does that work? Is it possible to request that cinder create an iscsi endpoint for a volume without "attaching" it to something? This would allow an operator to manually configured the iscsi connection in their host os.

'-f csv' allows all 'list' CLI operations to output a CSV, but we may want to verify that expected filter options exist.

┆Issue is synchronized with this Asana task by Unito

Implement and merge the generic security interface to Ironic upstream

Ironic patch: https://review.opendev.org/c/openstack/ironic/+/755836

Ironic client patch: https://review.opendev.org/c/openstack/python-ironicclient/+/755837/1

┆Issue is synchronized with this Asana task by Unito

OperateFirst has the requirement of being able to use these sorts of power tools to control the power state of the machine. However we can't allow lessees to get the actual power credentials. A proxy going through Ironic would solve this problem

This is for the MOC

• volume support
• leasing changes??
• ??

┆Issue is synchronized with this Asana task by Unito

Having these statements in the log are good for debugging and for tracking.

Do we have any desire to send email notifications when an event happens - when a lease is created, when it starts, when it expires, etc?

This could be a Phase 2 exploration.

┆Issue is synchronized with this Asana task by Unito

We should run the functional test scripts against the production environment.

┆Issue is synchronized with this Asana task by Unito

It was mentioned that these concurrency tests may not be reliable. They may be worth another look.

This is slightly trickier than it should be as Keylime is not in PYPI and does not have an api for doing this. There is only the keylime tenant cli and the keylime webapp. The webapp is likely the solution we need

The steps needed to attach a volume to a node are many and complex. We can simplify them by creating custom ESI CLI commands.

Production cloud for MOC and Cloud labs.

DoD:

• Please identify the tasks required for production-ready ESI and associate those tasks to the 'Production ESI Setup' milestone.

This will make the status consistent with the CLI command

The UUID of the Keylime Agent has to be passed via heartbeat to the Ironic controller and saved via instance_info