Hi Dave,
Can't a host become untrusted without being rebooted?
If that is really the case, there is no need for a periodic check - the trigger for the
check would be the host rebooting (which is visible to the engine).
Thanks,
Ofri
----- Original Message -----
From: "Wei D Chen" <wei.d.chen(a)intel.com>
To: "Itamar Heim" <iheim(a)redhat.com>, "Ofri Masad"
<omasad(a)redhat.com>
Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, engine-devel(a)ovirt.org
Sent: Thursday, April 18, 2013 9:19:03 AM
Subject: RE: [Engine-devel] minutes for sync up on Open Attestation integration with
oVirt in 4/9
I think it's more sensible, the initial status should be the real status for
this host (trusted / untrusted) only the untrusted host will be set to
non-operational.
we just need poll this host instead of all of the hosts in the cluster if
this can be done in "InitVdsOnUpCommand", and we suppose this is the first
time when this host add into the cluster.
Follow these steps (conclusion based on your suggestion).
- The first time when one host is added into a trust cluster then poll this
host, the host will be in "up" status if get "trusted" result from
attestation server, or else, set this host as non-operational status.
- The periodic check will poll all of the hosts only once as this will cut
down a lot of time needed instead of poll each host one by one, this
conclusion is based on our experiments because most of time consumed is in
parallel.
- When host is down for a different reason and up again, we suppose
"InitVdsOnUpCommand" will be triggered again (right?), so we will poll this
host again to get the real status(trusted / untrusted). Then mark the host
as up or non-operational.
As a trusted host flip to untrusted and take effective only under the
condition of this host has been hacked and rebooted, so we proposal no need
to add periodic check if any host's reboot will invoke
"InitVdsOnUpCommand"
and we add attestation logic in "InitVdsOnUpCommand" is enough.
My proposal would be like this (no periodic check is needed, will simply our
integration)
- The first time when one host is added into a trust cluster then poll this
host, the host will be in "up" status if get "trusted" result from
attestation server, or else, set this host as non-operational status.
- The periodic check will poll all of the hosts only once as this will cut
down a lot of time needed instead of poll each host one by one, this
conclusion is based on our experiments because most of time consumed is in
parallel.
- (up -> nonoperationl / trusted -> untrusted)When host is down for a
different reason and up again, we suppose "InitVdsOnUpCommand" will be
triggered again (right?) and we also suppose the host will be
non-operational if host is down for some reason (right), so we will poll
this host again to get the real status(trusted / untrusted) after host's
rebooting.
- (nonoperationl -> up / untrusted -> trusted) Admin will activate this host
manually after admin fix the issue of this host. Attestation logic will be
added into "VdsManager:activate ()" as the clue you give me before.
Any suggestion?
Best Regards,
Dave Chen
-----Original Message-----
From: Itamar Heim [mailto:iheim@redhat.com]
Sent: Wednesday, April 17, 2013 8:31 PM
To: Ofri Masad
Cc: Chen, Wei D; Oved Ourfalli; engine-devel(a)ovirt.org
Subject: Re: [Engine-devel] minutes for sync up on Open Attestation
integration with oVirt in 4/9
On 04/17/2013 10:23 AM, Ofri Masad wrote:
> Hi Dave,
> The VdsUpdateRunTimeInfo runs every 3 seconds or so. so it not a good place
> to call the attestation host.
> Instead, like we suggested earlier, create a new Quartz job (like the one
> I've sent you in the QuotaManager class) which run every couple of minutes
> and update the hosts state.
> You can also add the check to InitVdsOnUpCommand, so that if a host was
> down for a different reason, it will be rechecked for attestation.
> You can add a UI to allow manual "refresh attestation".
>
so the new thread will poll all for all hosts and update the db, then during
the normal monitoring "detect" the issue?
> Ofri
>
> ----- Original Message -----
>> From: "Wei D Chen" <wei.d.chen(a)intel.com>
>> To: "Omer Frenkel" <ofrenkel(a)redhat.com>, "Doron
Fediuck"
>> <dfediuck(a)redhat.com>
>> Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, engine-devel(a)ovirt.org
>> Sent: Monday, April 15, 2013 5:53:34 PM
>> Subject: Re: [Engine-devel] minutes for sync up on Open Attestation
>> integration with oVirt in 4/9
>>
>> Good approach, thanks all. How long it needs to invoke periodic check
>> in the class of VdsUpdateRunTimeInfo? Whether this time configurable?
>> My concern is if the initial status of each host added into trusted
>> cluster is non-operational, we need wait a long time for the invoking
>> of this periodic check, so a trusted host's with initial status of
>> non-operational will take a long time to flip to a trusted host.
>>
>> As I have not seen the configuration of periodic check in
>> VdsUpdateRunTimeInfo, would you give me some tips if you has some clue.
>> Thanks a lot.
>>
>> Best Regards,
>> Dave Chen
>>
>> -----Original Message-----
>> From: engine-devel-bounces(a)ovirt.org
>> [mailto:engine-devel-bounces@ovirt.org]
>> On Behalf Of Omer Frenkel
>> Sent: Monday, April 15, 2013 7:01 PM
>> To: Doron Fediuck
>> Cc: Oved Ourfalli; engine-devel(a)ovirt.org
>> Subject: Re: [Engine-devel] minutes for sync up on Open Attestation
>> integration with oVirt in 4/9
>>
>>
>>
>> ----- Original Message -----
>>> From: "Doron Fediuck" <dfediuck(a)redhat.com>
>>> To: "Itamar Heim" <iheim(a)redhat.com>
>>> Cc: "Oved Ourfalli" <ovedo(a)redhat.com>,
engine-devel(a)ovirt.org
>>> Sent: Monday, April 15, 2013 10:05:57 AM
>>> Subject: Re: [Engine-devel] minutes for sync up on Open Attestation
>>> integration with oVirt in 4/9
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Itamar Heim" <iheim(a)redhat.com>
>>>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>>>> Cc: engine-devel(a)ovirt.org
>>>> Sent: Monday, April 15, 2013 9:49:12 AM
>>>> Subject: Re: [Engine-devel] minutes for sync up on Open Attestation
>>>> integration with oVirt in 4/9
>>>>
>>>> On 04/15/2013 09:20 AM, Oved Ourfalli wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Wei D Chen" <wei.d.chen(a)intel.com>
>>>>>> To: "Doron Fediuck" <dfediuck(a)redhat.com>,
"Ofri Masad"
>>>>>> <omasad(a)redhat.com>
>>>>>> Cc: engine-devel(a)ovirt.org
>>>>>> Sent: Monday, April 15, 2013 8:54:18 AM
>>>>>> Subject: Re: [Engine-devel] minutes for sync up on Open
>>>>>> Attestation integration with oVirt in 4/9
>>>>>>
>>>>>> Hi Doron and Ofri,
>>>>>>
>>>>>> Thanks for your reply, here is some other question.
>>>>>>
>>>>>> ii. When adding a host into the trusted cluster, the host will
>>>>>> be attested via OAT service, only trusted hosted can be added.
>>>>>>
>>>>>> Would you also kindly tell me if there is any mandatory logic
>>>>>> check when adding a host into a cluster, so we can also put
>>>>>> attestation logic with these mandatory check together? Some
>>>>>> example or code location is better.
>>>>>> Thanks a lot.
>>>>>>
>>>>>
>>>>> I think there are two approaches, depending on the use case.
>>>>> #1:
>>>>> If the host trusted property is static, then you can narrow the
>>>>> tests to two locations:
>>>>> * AddVdsCommand - (Vds = Host) - This command is triggered when a
>>>>> new host is added to the system. You can use the canDoAction
>>>>> method (which we have on all commands, and it determines whether
>>>>> an action can be run or not), and there, if cluster requires
>>>>> trusted hosts only, you can test whether this host is trusted or
>>>>> not.
>>>>> * ChangeVdsClusterCommand - this command is used when you change
>>>>> the cluster of a host. So, if the target cluster requires tursted
>>>>> hosts, you can do a similar test in its canDoAction method.
>>>>>
>>>>> #2:
>>>>> If the host trusted property can change, then I'd suggest using
>>>>> the NonOperational property of a host.
>>>>> We have a class called VdsUpdateRunTimeInfo that does periodic
>>>>> tests of hosts, deciding what's their status, according to
>>>>> specific flags.
>>>>> The code there is quite complex, and would require refactoring at
>>>>> some point, but in the meantime you can use the MonitoringStrategy
>>>>> interface that is being used there, and implement a new monitoring
>>>>> strategy for Open Attestation.
>>>>>
>>>>> There, in the processHardwareCapabilities, you can test that the
>>>>> host is trusted.
>>>>>
>>>>> When creating the strategy, using the MonitoringStrategyFactory,
>>>>> you'll need to create the appropriate strategy.
>>>>> Currently we support either virt strategy or gluster strategy or
>>>>> both. In your case you would need virt+attestation /
>>>>> gluster+attestation /
>>>>> virt+gluster+attestation, according to the services deployed on
>>>>> virt+gluster+the
>>>>> cluster.
>>>>
>>>> I'd go with the 2nd approach. i.e., not block the host from being
>>>> added, only from being used, based on monitoring / non-op status
>>>>
>>> +1.
>>> It means that the admin can add the host, but the host will not be
>>> operational until we get a positive indication from the attestation
>>> service.
>>>
>> +1
>> if we want to test attestation only once, every time before host moves to
>> up.
>> the right place for it, imo, is InitVdsOnUpCommand if its periodic
>> also after host is up, then it should be somewhere in the monitoring
>> code
>>
>>>>
>>>>>
>>>>>
>>>>> Does that make sense?
>>>>> Doron and Ofri, what did you have in mind for this feature?
>>>>>
>>>>> Regards,
>>>>> Oved
>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>> Dave Chen
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Doron Fediuck [mailto:dfediuck@redhat.com]
>>>>>> Sent: Wednesday, April 10, 2013 8:03 PM
>>>>>> To: Ofri Masad
>>>>>> Cc: Wei, Gang; Chen, Wei D; Cao, Buddy; Zhang, Lijuan
>>>>>> Subject: Re: minutes for sync up on Open Attestation
integration
>>>>>> with oVirt in 4/9
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Ofri Masad" <omasad(a)redhat.com>
>>>>>>> To: "Gang Wei" <gang.wei(a)intel.com>
>>>>>>> Cc: "Wei D Chen" <wei.d.chen(a)intel.com>,
"Buddy Cao"
>>>>>>> <buddy.cao(a)intel.com>, "Lijuan Zhang"
<lijuan.zhang(a)intel.com>,
>>>>>>> "Doron Fediuck" <dfediuck(a)redhat.com>
>>>>>>> Sent: Wednesday, April 10, 2013 2:23:57 PM
>>>>>>> Subject: Re: minutes for sync up on Open Attestation
integration
>>>>>>> with oVirt in 4/9
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> answers inside the mail body.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Doron Fediuck"
<dfediuck(a)redhat.com>
>>>>>>>> To: "Wei D Chen" <wei.d.chen(a)intel.com>
>>>>>>>> Cc: "Gang Wei" <gang.wei(a)intel.com>,
"Buddy Cao"
>>>>>>>> <buddy.cao(a)intel.com>, "Lijuan Zhang"
<lijuan.zhang(a)intel.com>,
>>>>>>>> "Ofri Masad" <omasad(a)redhat.com>
>>>>>>>> Sent: Wednesday, April 10, 2013 12:12:26 PM
>>>>>>>> Subject: Re: minutes for sync up on Open Attestation
>>>>>>>> integration with oVirt in 4/9
>>>>>>>>
>>>>>>>> Hi Dave,
>>>>>>>> Adding Ofri to answer your questions.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Wei D Chen"
<wei.d.chen(a)intel.com>
>>>>>>>>> To: "Gang Wei" <gang.wei(a)intel.com>,
"Doron Fediuck"
>>>>>>>>> <dfediuck(a)redhat.com>,
>>>>>>>>> "Buddy Cao" <buddy.cao(a)intel.com>,
"Lijuan Zhang"
>>>>>>>>> <lijuan.zhang(a)intel.com>
>>>>>>>>> Sent: Wednesday, April 10, 2013 6:31:05 AM
>>>>>>>>> Subject: RE: minutes for sync up on Open
Attestation
>>>>>>>>> integration with oVirt in 4/9
>>>>>>>>>
>>>>>>>>> Hi Doron,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> iii. Then periodic trust check will be added into
background
>>>>>>>>> process
>>>>>>>>> for
>>>>>>>>> all existing hosts, once becoming non-trusted, mark
it as
>>>>>>>>> non-operational.
>>>>>>>>>
>>>>>>>>> - [Dave] Would you give me some details
about the
>>>>>>>>> “background
>>>>>>>>> process” mentioned in our sync up meeting? What’s
the process
>>>>>>>>> and where is related code?
>>>>>>>>>
>>>>>>>
>>>>>>> The use Quartz Job to scheduled background processes.
>>>>>>> An example can be found in:
>>>>>>>
ovirt-engine/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/Backend.java(Line:
>>>>>>> 222)
>>>>>>>
>>>>>>> This code calls a method that is located in:
>>>>>>>
ovirt-engine/backend/manager/modules/bll/src/main/java/org/ovirt
>>>>>>> /engin e/core/bll/quota/QuotaManager.java
>>>>>>> (Line: 1000)
>>>>>>> the @OnTimerMethodAnnotation annotation and the unique job
name
>>>>>>> connects the two in runtime.
>>>>>>>
>>>>>>> The job can query the attestation server for all the host
and
>>>>>>> then set untrusted hosts to Non-Operational.
>>>>>>> the best way would be to call SetNonOperationalVdsCommand
with a
>>>>>>> new NonOperationalReason.
>>>>>>> This command tries to migrate all VMs from the host and then
set
>>>>>>> it non operational.
>>>>>>> (We need to think about non-migrational VMs - should we
close
>>>>>>> those VMs or keep the host running)
>>>>>>>
>>>>>>
>>>>>> One more thing you may want to consider; If we get a positive
>>>>>> response for a host which is currently non-operational, issue
an
>>>>>> activate command to try and make it operational again.
>>>>>> Alternatively, you may decide not to handle it, assuming
>>>>>> untrusted hosts can only be activated manually (see below
Ofri's
>>>>>> response on activating a host).
>>>>>>
>>>>>>>>>
>>>>>>>>> iv. If admin fixed the non-operational node and
try to switch
>>>>>>>>> it
>>>>>>>>> to
>>>>>>>>> operational mode again, a trust check will happen to
gate the
>>>>>>>>> switching.
>>>>>>>>>
>>>>>>>>> - [Dave] If there is a button provided from
UI for
>>>>>>>>> checking
>>>>>>>>> the
>>>>>>>>> logic? or we need add an extra-button for
attestation check only?
>>>>>>>>>
>>>>>>>
>>>>>>> In the UI we already have the "Activate" option.
What still
>>>>>>> needs to be added is the check with the attestation provider
to
>>>>>>> make sure that if the cluster is defined 'Trusted'.
If so, only
>>>>>>> trusted host will succeed in the activate command (and, of
>>>>>>> course, a proper Audit Log error in case the host failed to
>>>>>>> activate due to trust issue.
>>>>>>>
>>>>>>> the correct place to add this check would be in:
>>>>>>>
ovirt-engine/backend/manager/modules/vdsbroker/src/main/java/org
>>>>>>> /ovirt
>>>>>>> /engine/core/vdsbroker/VdsManager.java:activate()
>>>>>>> this is where the re-activation process begins.
>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks very much.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> Dave Chen
>>>>>> _______________________________________________
>>>>>> Engine-devel mailing list
>>>>>> Engine-devel(a)ovirt.org
>>>>>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>>>>>>
>>>>> _______________________________________________
>>>>> Engine-devel mailing list
>>>>> Engine-devel(a)ovirt.org
>>>>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>>>>>
>>>>
>>>> _______________________________________________
>>>> Engine-devel mailing list
>>>> Engine-devel(a)ovirt.org
>>>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>>>>
>>> _______________________________________________
>>> Engine-devel mailing list
>>> Engine-devel(a)ovirt.org
>>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>>>
>> _______________________________________________
>> Engine-devel mailing list
>> Engine-devel(a)ovirt.org
>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>> _______________________________________________
>> Engine-devel mailing list
>> Engine-devel(a)ovirt.org
>>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>>
> _______________________________________________
> Engine-devel mailing list
> Engine-devel(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/engine-devel
>