Dave Chen has posted comments on this change.

Change subject: Trusted Compute Pools - Open Attestation integration with oVirt 
engine proposal
......................................................................


Patch Set 1: (5 inline comments)

....................................................
File backend/manager/dbscripts/create_tables.sql
Line 279:    migration_support INTEGER NOT NULL default 0,
Line 280:    userdefined_properties VARCHAR(4000),
Line 281:    predefined_properties VARCHAR(4000),
Line 282:    min_allocated_mem INTEGER not null default 0, --indicates how much 
memory at least VM need to run, value is in MB
Line 283:   trust_lvl VARCHAR(20)  default '',
Done
Line 284:    CONSTRAINT PK_vm_static PRIMARY KEY(vm_guid)
Line 285: ) WITH OIDS;
Line 286: 
Line 287: 
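
Review bot: at line 283, trust_lvl is declared VARCHAR(20) default '' without NOT NULL, so a row can hold either NULL or an empty string for "no trust level", and any free-form string is accepted. Consider declaring it NOT NULL alongside the default, or constraining it with a CHECK to the values the engine writes, and add a trailing comment like the one on min_allocated_mem that says which values are expected. The line is also indented three spaces where its neighbours use four.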


....................................................
File 
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsSelector.java
Line 518:             vmNICs = 
getVmNetworkInterfaceDao().getAllForVm(getVm().getId());
Line 519:         }
Line 520:         return vmNICs;
Line 521:     }
Line 522:      private static boolean validateHostIsTrusted(VDS curVds) {
Yes, valuable suggestion. We plan to wrap the code in a Broker, which will 
follow Doron Fediuck's advice. Also, we will strip the cache-relevant code in utils.
Line 523:         String attestationWSURL, trustStorePath;
Line 524:         attestationWSURL = Config.<String> 
GetValue(ConfigValues.AttestationWebServicesUrl);
Line 525:         trustStorePath=Config.<String> 
GetValue(ConfigValues.TrustStore);
Line 526:         DefaultHttpClient httpclient = new  DefaultHttpClient();


Line 518:             vmNICs = 
getVmNetworkInterfaceDao().getAllForVm(getVm().getId());
Line 519:         }
Line 520:         return vmNICs;
Line 521:     }
Line 522:      private static boolean validateHostIsTrusted(VDS curVds) {
Really great design. We plan to add a new class similar to the AD broker in 
the "org/ovirt/engine/core/bll" directory. Is this feasible in this directory?

As to the performance issue, I think we can cache all of the nodes' 
trustworthiness while the virtual machine is launching, and the period of 
validity would be one hour or so; the cache will be updated along with the 
host's actual status.

Besides, we have a timeout configuration on the Attestation server's side: 
if the attestation process cannot complete within the configured value, a 
timeout result will be returned.
Line 523:         String attestationWSURL, trustStorePath;
Line 524:         attestationWSURL = Config.<String> 
GetValue(ConfigValues.AttestationWebServicesUrl);
Line 525:         trustStorePath=Config.<String> 
GetValue(ConfigValues.TrustStore);
Line 526:         DefaultHttpClient httpclient = new  DefaultHttpClient();
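
Review bot: line 522 makes validateHostIsTrusted a private static method of VdsSelector and line 526 constructs a DefaultHttpClient inside it, so the selector itself owns the HTTP call to the attestation service and a new client is built on every host check. Moving the call into a separate class that VdsSelector uses as a collaborator would let the client and the values read at lines 524-525 be set up once, and would let the selection logic be tested without a live attestation server. Line 522 is indented five spaces and line 525 has no spaces around "=", unlike the surrounding code.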


Line 570:             }finally {
Line 571:                httpclient.getConnectionManager().shutdown();
Line 572:            }
Line 573:         return flag;
Line 574:       }
Good advice, we will try to remove all of the hard-coded values, but as to 
accessing the host and getting the trustworthiness from the attestation server, 
we need to declare that it's different from the engine/node interactive model; 
we just need a command to run it. Is this okay in your opinion?
Line 575:     private static final Log log = 
LogFactory.getLog(VdsSelector.class);
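
Review bot: line 573 returns flag after the finally block at lines 570-572, so every exception path that is caught above also ends at this return; the lines shown do not include how flag is initialised. Make sure it starts as false and is set to true only on a positive attestation answer, so that a connection failure or timeout reports the host as untrusted rather than trusted. The log field at line 575 is declared after the method body; it reads better with the other static fields at the top of the class, and "}finally {" at line 570 is missing a space.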


....................................................
File 
backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
Line 1337:     AttestationWebServicesUrl(411),
Line 1338: 
Line 1339:     @TypeConverterAttribute(String.class)
Line 1340:     @DefaultValueAttribute("/etc/pki/ovirt-engine/certs")
Line 1341:     TrustStore(412),
Actually, the existing TruststoreUrl is not a directory and is not what we 
need; we need the "truststore.jks" created from the attestation server.
Line 1342: 
Line 1343:     Invalid(65535);
Line 1344: 
Line 1345:     private int intValue;
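
Review bot: the default for TrustStore at line 1340 is "/etc/pki/ovirt-engine/certs", which is a directory, while the key name reads as a trust store file. If the consumer expects a file, as the author's comment about "truststore.jks" indicates, default to the full file path or rename the key to say it is a directory, and add a comment above line 1339 stating what the value must point to.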


--
To view, visit http://gerrit.ovirt.org/11237

Gerrit-MessageType: comment
Gerrit-Change-Id: I4de780cd46069638433255f3f9c994575f752e55
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Dave Chen <[email protected]>
Gerrit-Reviewer: Dave Chen <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Itamar Heim <[email protected]>
Gerrit-Reviewer: Omer Frenkel <[email protected]>