Virtualisation Working Group Report
Tony Cass, HEPiX Fall 2011, October 26th 2011

Agenda
– Image Generation Policy
– Image Exchange
– Summary
Policy for Trusted Image Generation
"You recognise that VM base images, VO environments and VM complete images must be generated according to current best practice, the details of which may be documented elsewhere by the Grid. These include but are not limited to:
– any image generation tool used must be fully patched and up to date;
– all operating system security patches must be applied to all images and be up to date;
– images are assumed to be world-readable and as such must not contain any confidential information;
– there should be no installed accounts, host/service certificates, ssh keys or user credentials of any form in an image;
– images must be configured such that they do not prevent Sites from meeting the fine-grained monitoring and control requirements defined in the Grid Security Traceability and Logging policy to allow for security incident response;
– the image must not prevent Sites from implementing local authorisation and/or policy decisions, e.g. blocking the running of Grid work for a particular user."
http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines
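Several of the policy items above can be checked mechanically before an image is endorsed. The following is an added example, not code from the report, the JSPG/EGI policy or any working-group tool: a Python scan that an endorser or site can run over an image tree to catch baked-in ssh host keys, user ssh keys, PEM private keys and certificates, grid host credentials and accounts with usable passwords. It assumes the image has already been mounted or extracted to a directory (for instance with guestmount); the /etc/grid-security paths follow the usual grid host-certificate convention, and the tree that build_demo_image() creates is constructed demo data rather than a real image. Whether the OS is fully patched cannot be judged offline this way and is left to the distribution's own tooling.

```python
"""Pre-publication scan of an unpacked VM image tree for material the
Trusted Image Generation policy forbids.  Added example, not a
working-group tool.  Assumes the image is mounted/extracted under a
directory; build_demo_image() builds a constructed tree, not a real image.
"""
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----")
# Conventional grid host credential locations (assumed layout).
CREDENTIAL_FILES = {"etc/grid-security/hostcert.pem",
                    "etc/grid-security/hostkey.pem"}
HOST_KEY_RE = re.compile(r"^etc/ssh/ssh_host_[a-z0-9]+_key$")
USER_KEY_RE = re.compile(r"(^|/)\.ssh/(id_[a-z0-9]+|authorized_keys)$")
LOCKED = {"", "*", "!", "!!", "*LK*"}   # shadow fields meaning "no password"


def _head(path, n=4096):
    """First n bytes of a file, or b'' if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read(n)
    except OSError:
        return b""


def _account_findings(root):
    """Accounts with a usable password hash, and ordinary (uid>=1000) users."""
    out = []
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.isfile(shadow):
        with open(shadow, errors="replace") as f:
            for line in f:
                p = line.rstrip("\n").split(":")
                if len(p) >= 2 and p[1] not in LOCKED and not p[1].startswith("!"):
                    out.append(("etc/shadow", f"account '{p[0]}' has a usable password hash"))
    passwd = os.path.join(root, "etc", "passwd")
    if os.path.isfile(passwd):
        with open(passwd, errors="replace") as f:
            for line in f:
                p = line.rstrip("\n").split(":")
                if len(p) >= 7 and p[2].isdigit() and 1000 <= int(p[2]) < 65534:
                    out.append(("etc/passwd", f"non-system account '{p[0]}' (uid {p[2]})"))
    return out


def scan_image_root(root):
    """Return sorted (relative_path, reason) findings for the tree at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in CREDENTIAL_FILES:
                findings.append((rel, "grid host credential baked into image"))
            elif HOST_KEY_RE.match(rel):
                findings.append((rel, "ssh host key must be generated at first boot"))
            elif USER_KEY_RE.search(rel):
                findings.append((rel, "user ssh key material present"))
            head = _head(full)          # content check catches keys in odd places
            if PRIVATE_KEY_RE.search(head):
                findings.append((rel, "PEM private key"))
            elif CERT_RE.search(head):
                findings.append((rel, "X.509 certificate"))
    findings.extend(_account_findings(root))
    return sorted(set(findings))


def build_demo_image():
    """Constructed toy image tree with planted violations (not a real image)."""
    root = tempfile.mkdtemp(prefix="vmimg-")

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n"
                      b"nobody:x:65534:65534::/:/sbin/nologin\n"
                      b"builder:x:1000:1000::/home/builder:/bin/bash\n")
    put("etc/shadow", b"root:*:15600:0:99999:7:::\n"
                      b"builder:$6$salt$constructedhash:15600:0:99999:7:::\n")
    put("etc/ssh/ssh_host_rsa_key", b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"
                                    b"-----END OPENSSH PRIVATE KEY-----\n")
    put("root/.ssh/authorized_keys", b"ssh-rsa AAAAB3 builder@buildhost\n")
    put("etc/grid-security/hostcert.pem", b"-----BEGIN CERTIFICATE-----\nMIIB\n"
                                          b"-----END CERTIFICATE-----\n")
    put("usr/bin/true", b"\x7fELF")   # benign file, must not be reported
    return root


if __name__ == "__main__":
    for path, reason in scan_image_root(build_demo_image()):
        print(f"{path}: {reason}")
```

Run it on a mounted image root instead of the demo tree and treat any finding as a reason to refuse endorsement; a clean scan is necessary but not sufficient, since the policy also covers confidential data that no pattern will recognise.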
The EGI document "Security Policy for the Endorsement and Operation of Virtual Machine Images" has completed the consultation process (21st Oct) and will be submitted for approval and adoption soon. This policy covers the HEPiX virtualisation use case plus others. WLCG GDB was also consulted. Approval will also be sought from the WLCG MB. New link: https://documents.egi.eu/document/771
Summary @ GSI
The working group has made good progress in establishing policies to allow the exchange of VM images…
… but not such good progress in delivering a distributed catalogue of endorsed images.
CVMFS is probably the neatest solution to the problem of VO software distribution…
… but VM exchange remains interesting
– as an option for sites to run hypervisors not OSes and automatically migrate to the latest patched system as images instantiate, and
– if the VM images can contact pilot job frameworks directly, simplifying the scheduling problems at sites.
There has been progress in this area over the past few months, c.f. talks by Owen Synge and Cal Loomis. Also, images created at one site (Victoria) have been instantiated and contextualised at another (CERN). However, work in different places is only loosely coupled at present and needs to be brought together more coherently.
Work in Progress!
This will be feasible by Fall HEPiX!
Who is interested? Contact us now!
Something I would like to see…
Still trying to bring experiments on board. ATLAS?
Video conference “days” planned to achieve this.
So, where are we with image exchange? Not as far advanced as I predicted…
– … and largely due to my lack of effort in the past couple of months…
Initial video conference "work days" ironed out problems in some areas, but Summer Holidays came along and we never managed to really test the fledgling infrastructure options as a group
– even if work at sites advanced, c.f. presentations from Owen and Belmiro.
A face-to-face meeting is being pencilled in for early December at RAL to kick things back into life.
Personally, I still find the StratusLab Marketplace to be interesting as a cross-site layer
– especially now they have delivered the promised administrator interface.
… and there is always cernvm…
Workflows
Administrator: Define Policy
– Create machine image policy
– Validate metadata file
– White/Blacklist for images
– White/Blacklist for endorsers
– Blacklist for checksums
Policy evaluation
– stratus-policy-image: invokes site policy to determine if the referenced image can be used
– stratus-download-image: will download (and cache) a validated image to be used by a VM instance; uses the location URL(s) in the metadata entry
Example policy file:

    [whitelistendorsers]
    group1 = [email protected]

    [whitelistimages]
    group1 = MMZu9WvwKIro-rtBQfDk4PsKO7_

    [blacklistimages]
    group1 = XXXy9WvwKIro-rtBQfDk4PsKKzz

    [blacklistendorsers]
    group1 = [email protected]

    [blacklistchecksums]
    group1 = …

    [validatemetadatafile]
    activate = true
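To make the workflow concrete, here is an added example of the site-side decision the two tools above take; it is my own Python, not the stratus-policy-image or stratus-download-image code. It reads a policy file in the layout of the fragment above, evaluates a Marketplace metadata entry against it, and then verifies the checksum of the bytes actually downloaded so that a cached or relocated image cannot silently differ from what the endorser signed. The precedence (blacklists always win, then any non-empty whitelist must match), the field names of the metadata entry, and the fact that signature validation is represented only by its boolean result are assumptions; the endorser addresses, the extra identifier and the image bytes are constructed demo data, while the two image identifiers are the ones shown on the slide.

```python
"""Site-side evaluation of a StratusLab-style image policy plus checksum
verification of the downloaded image.  Added example; not the
stratus-policy-image / stratus-download-image implementation.  The
precedence rules, metadata shape, endorser addresses and image bytes
are assumptions / constructed data.
"""
import configparser
import hashlib
from dataclasses import dataclass, field

# Constructed "known bad" image; the site blacklists its digest.
BAD_IMAGE_BYTES = b"constructed bad image contents"
BAD_SHA256 = hashlib.sha256(BAD_IMAGE_BYTES).hexdigest()
GOOD_IMAGE_BYTES = b"constructed good image contents"

# Constructed policy in the slide's INI layout (addresses are hypothetical).
POLICY_TEXT = f"""
[whitelistendorsers]
group1 = endorser@example.org

[whitelistimages]
group1 = MMZu9WvwKIro-rtBQfDk4PsKO7_

[blacklistimages]
group1 = XXXy9WvwKIro-rtBQfDk4PsKKzz

[blacklistendorsers]
group1 = rogue@example.net

[blacklistchecksums]
group1 = {BAD_SHA256}

[validatemetadatafile]
activate = true
"""


@dataclass
class ImageMetadata:
    """Subset of a Marketplace entry relevant to policy (assumed shape)."""
    identifier: str
    endorser: str
    checksums: dict                 # algorithm name -> hex digest
    locations: list = field(default_factory=list)
    signature_valid: bool = True    # outcome of checking the endorser signature


def load_policy(text):
    policy = configparser.ConfigParser(interpolation=None)
    policy.read_string(text)
    return policy


def _values(policy, section):
    """All values of a section, whatever the groupN keys are called."""
    return set(policy[section].values()) if policy.has_section(section) else set()


def evaluate_policy(policy, meta):
    """Return (allowed, reason).  Blacklists are checked before whitelists."""
    if policy.getboolean("validatemetadatafile", "activate", fallback=False) \
            and not meta.signature_valid:
        return False, "metadata signature did not validate"
    if meta.identifier in _values(policy, "blacklistimages"):
        return False, "image identifier is blacklisted"
    if meta.endorser in _values(policy, "blacklistendorsers"):
        return False, "endorser is blacklisted"
    if set(meta.checksums.values()) & _values(policy, "blacklistchecksums"):
        return False, "image checksum is blacklisted"   # catches re-labelled images
    wl_images = _values(policy, "whitelistimages")
    if wl_images and meta.identifier not in wl_images:
        return False, "image identifier not on whitelist"
    wl_endorsers = _values(policy, "whitelistendorsers")
    if wl_endorsers and meta.endorser not in wl_endorsers:
        return False, "endorser not on whitelist"
    return True, "allowed by site policy"


def verify_download(data, meta):
    """True only if every digest in the metadata matches the fetched bytes."""
    if not meta.checksums:
        return False        # nothing to verify against: refuse rather than trust
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in meta.checksums.items())


def demo():
    policy = load_policy(POLICY_TEXT)
    good_sum = {"sha256": hashlib.sha256(GOOD_IMAGE_BYTES).hexdigest()}
    good = ImageMetadata("MMZu9WvwKIro-rtBQfDk4PsKO7_", "endorser@example.org",
                         good_sum, ["https://marketplace.example.org/good.img"])
    rogue = ImageMetadata("MMZu9WvwKIro-rtBQfDk4PsKO7_", "rogue@example.net", good_sum)
    relabelled = ImageMetadata("FreshIdNotOnAnyList", "endorser@example.org",
                               {"sha256": BAD_SHA256})
    unsigned = ImageMetadata("MMZu9WvwKIro-rtBQfDk4PsKO7_", "endorser@example.org",
                             good_sum, signature_valid=False)
    return {
        "good": evaluate_policy(policy, good),
        "rogue_endorser": evaluate_policy(policy, rogue),
        "relabelled_bad": evaluate_policy(policy, relabelled),
        "unsigned": evaluate_policy(policy, unsigned),
        "good_download_ok": verify_download(GOOD_IMAGE_BYTES, good),
        "tampered_download": verify_download(GOOD_IMAGE_BYTES + b"x", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")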
Summary
The working group has made good progress in establishing policies to allow the exchange of VM images…
… but not such good progress in delivering a distributed catalogue of endorsed images.
CVMFS is probably the neatest solution to the problem of VO software distribution…
… but VM exchange remains interesting
– as an option for sites to run hypervisors not OSes and automatically migrate to the latest patched system as images instantiate, and
– if the VM images can contact pilot job frameworks directly, simplifying the scheduling problems at sites.
There has been progress in this area over the past few months, c.f. talks by Owen and Belmiro. Also, images created at one site (Victoria) have been instantiated and contextualised at another (CERN). However, work in different places is only loosely coupled at present and needs to be brought together more coherently.
Work in Progress!
This will be feasible by HEPiX in Prague!
Who is interested? Contact us now!
F2F meeting at RAL planned to restart activities
More thought needed in this area…
WLCG TEG?