cci-moc / esi
Elastic Secure Infrastructure project
Ironic doesn't allow duplicate node names; may as well make it easier on ourselves and follow them.
DoD:
Keylime has some gaps that may restrict behavior. These gaps should be documented, and perhaps lead to planning of a future milestone.
┆Issue is synchronized with this Asana task by Unito
Users should be able to filter leases by resource ID
Although our code has unit tests, some functional tests would be good as well. Defining these tests is the first step.
From testing, there are some OpenStack bugs that prevent multipath support.
When a user tries to do something they don't have permission for, they get a "disallowed by policy" error; this could be made more clear.
Multiple resource types are convenient to allow us to test ESI-Leap without Ironic nodes; however defaulting to ironic is good for end users.
DoD:
CloudLab apparently needs no lessee capabilities beyond the ability to control node networking; is this correct?
Owner changes are dangerous; allow for future permissions are hard, and there are all sorts of complex use cases that may result in unexpected behavior.
This requirement may be fulfilled by an alternative workflow, such as:
If we have a lot of leases/offers, are queries still fast and responsive?
This brings esi-leap in line with Ironic, and also makes it easier to customize policy-based behavior.
Once we have a testing plan, we can create scripts that use the CLI in order to execute these tests. These scripts should be repeatable, and make it clear where an error has occurred.
Hopefully this is simply a subset of an offer or lease list report, as we would like to remove the owner change requirement. Documentation may be required.
This video should highlight:
An accompanying slide deck would be useful for interested people.
These should be linked to from our readthedocs site.
Fix code in Ironic for Security Interface validation and scheduling
Systems tests noted here:
https://docs.google.com/document/d/1pdAn_RnATBryebs9sk_6PvKHDp6Bd4NYnMlIPdYXGOA/edit
openstack esi lease create --start-time 2021-07-01 --end-time 2021-07-14
Generate another workaround: passing the keylime info as environment variables during image building.
Admins can already do this through Ironic; however, if we want reports to be generated based on changes in a node's ownership, then we'll want to record those changes in ESI-Leap.
This is a little open-ended, as this is just something Keylime recommends but does not provide any advised way of doing. Ironic will need to settle on a hash function and document it so users know how they should generate their checksums.
Verify that changes made and features added have added documentation. This should cover:
If someone wants to attach a data volume to a server in an ESI environment... how does that work? Is it possible to request that Cinder create an iSCSI endpoint for a volume without "attaching" it to something? This would allow an operator to manually configure the iSCSI connection in their host OS.
'-f csv' allows all 'list' CLI operations to output a CSV, but we may want to verify that expected filter options exist.
Implement and merge the generic security interface to Ironic upstream
Ironic patch: https://review.opendev.org/c/openstack/ironic/+/755836
Ironic client patch: https://review.opendev.org/c/openstack/python-ironicclient/+/755837/1
OperateFirst has the requirement of being able to use these sorts of power tools to control the power state of the machine. However, we can't allow lessees to get the actual power credentials. A proxy going through Ironic would solve this problem.
This is for the MOC
Having these statements in the log is good for debugging and for tracking.
Do we have any desire to send email notifications when an event happens - when a lease is created, when it starts, when it expires, etc?
This could be a Phase 2 exploration.
We should run the functional test scripts against the production environment.
It was mentioned that these concurrency tests may not be reliable. They may be worth another look.
This is slightly trickier than it should be, as Keylime is not on PyPI and does not have an API for doing this. There is only the keylime tenant CLI and the keylime webapp. The webapp is likely the solution we need.
The steps needed to attach a volume to a node are many and complex. We can simplify them by creating custom ESI CLI commands.
Production cloud for MOC and Cloud labs.
DoD:
This will make the status consistent with the CLI command
The UUID of the Keylime Agent has to be passed via heartbeat to the Ironic controller and saved via instance_info