Virtualisation Working Group Report
Tony Cass
HEPiX Fall 2011, October 26th 2011
Agenda
• Image Generation Policy
• Image Exchange
• Summary
Policy for Trusted Image Generation
• You recognise that VM base images, VO environments and VM complete images must be generated according to current best practice, the details of which may be documented elsewhere by the Grid. These include but are not limited to:
  • any image generation tool used must be fully patched and up to date;
  • all operating system security patches must be applied to all images and be up to date;
  • images are assumed to be world-readable and as such must not contain any confidential information;
  • there should be no installed accounts, host/service certificates, ssh keys or user credentials of any form in an image;
  • images must be configured such that they do not prevent Sites from meeting the fine-grained monitoring and control requirements defined in the Grid Security Traceability and Logging policy to allow for security incident response;
  • the image must not prevent Sites from implementing local authorisation and/or policy decisions, e.g. blocking the running of Grid work for a particular user.
• http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines
The EGI document "Security Policy for the Endorsement and Operation of Virtual Machine Images" has completed the consultation process (21st Oct) and will be submitted for approval and adoption soon. This policy covers the HEPiX virtualisation use case plus others. WLCG GDB was also consulted. Approval will also be sought from the WLCG MB. New link: https://documents.egi.eu/document/771
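Several of the policy points above (no installed accounts, no host/service certificates, no ssh keys or credentials, nothing confidential in a world-readable image) can be checked mechanically before an image is endorsed. The following is an added example, not part of the talk or of any HEPiX/EGI tooling: it walks an unpacked or mounted image root and reports artefacts that would violate those points. The directory layout it inspects (/etc/passwd, /etc/shadow, /etc/grid-security, /etc/ssh, .ssh directories), the uid threshold, and the violation codes are this example's own assumptions; the sample image tree it builds is constructed data.

```python
"""Pre-endorsement audit of a VM image's filesystem tree (added example).

Walks an unpacked/mounted image root and reports artefacts the trusted-image
policy says must not be present: installed user accounts, password hashes,
host/service certificates and keys, ssh host keys, private keys and
authorized_keys entries.  Paths, thresholds and codes are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Site credential files that must simply be absent (assumed standard locations).
FORBIDDEN_PATHS = (
    "etc/grid-security/hostcert.pem",
    "etc/grid-security/hostkey.pem",
)
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SYSTEM_UID_MAX = 999                      # uids above this count as real user accounts
LOCKED_HASHES = {"", "x", "*", "!", "!!", "!*"}  # shadow fields meaning "no usable password"


def audit_image_root(root: Path) -> list[str]:
    """Return sorted 'CODE: detail' findings; an empty list means the tree is clean."""
    findings: list[str] = []

    for rel in FORBIDDEN_PATHS:
        if (root / rel).exists():
            findings.append(f"HOST_CREDENTIAL: {rel}")

    passwd = root / "etc/passwd"
    if passwd.exists():
        for line in passwd.read_text().splitlines():
            fields = line.split(":")
            if len(fields) < 7 or not fields[2].isdigit():
                continue
            name, uid = fields[0], int(fields[2])
            if SYSTEM_UID_MAX < uid < 65534:        # 65534 is the conventional 'nobody'
                findings.append(f"USER_ACCOUNT: {name} (uid {uid})")

    shadow = root / "etc/shadow"
    if shadow.exists():
        for line in shadow.read_text().splitlines():
            fields = line.split(":")
            if len(fields) >= 2 and fields[1] not in LOCKED_HASHES:
                findings.append(f"PASSWORD_HASH: {fields[0]}")

    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if path.is_symlink():
                continue
            rel = path.relative_to(root).as_posix()
            if fname == "authorized_keys" and path.stat().st_size > 0:
                findings.append(f"AUTHORIZED_KEYS: {rel}")
            if fname.startswith("ssh_host_") and fname.endswith("_key"):
                findings.append(f"SSH_HOST_KEY: {rel}")
            try:
                head = path.read_bytes()[:256]     # PEM headers sit at the very start
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(head):
                findings.append(f"PRIVATE_KEY: {rel}")
    return sorted(findings)


def build_sample_root(with_violations: bool = True) -> Path:
    """Construct a tiny fake image tree in a temp dir (constructed data, not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="vmimg-"))
    (root / "etc/grid-security").mkdir(parents=True)
    (root / "etc/ssh").mkdir(parents=True)
    (root / "root/.ssh").mkdir(parents=True)
    passwd = "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/:/sbin/nologin\n"
    shadow = "root:!!:15000:0:99999:7:::\n"
    if with_violations:
        passwd += "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
        shadow += "alice:$6$saltsalt$fakehashfakehash:15000:0:99999:7:::\n"
        (root / "etc/grid-security/hostcert.pem").write_text("-----BEGIN CERTIFICATE-----\nMIIB...\n")
        (root / "etc/ssh/ssh_host_rsa_key").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...\n")
        (root / "root/.ssh/authorized_keys").write_text("ssh-rsa AAAAB3... admin@site\n")
    (root / "etc/passwd").write_text(passwd)
    (root / "etc/shadow").write_text(shadow)
    return root


if __name__ == "__main__":
    for finding in audit_image_root(build_sample_root()):
        print(finding)
```

Run against a real image by mounting it read-only (or extracting it) and passing the mount point as `root`; an empty result is a necessary but not sufficient condition for endorsement, since the patch-level and monitoring requirements in the policy need separate checks.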
Summary @ GSI
• The working group has made good progress in establishing policies to allow the exchange of VM images…
• … but not such good progress in delivering a distributed catalogue of endorsed images.
• CVMFS is probably the neatest solution to the problem of VO software distribution…
• … but VM exchange remains interesting
  • as an option for sites to run hypervisors not OSes and automatically migrate to latest patched system as images instantiate, and
  • if the VM images can contact pilot job frameworks directly, simplifying the scheduling problems at sites.
Work in Progress! There has been progress in this area over the past few months, c.f. talks by Owen Synge and Cal Loomis. Also, images created at one site (Victoria) have been instantiated and contextualised at another (CERN). However, work in different places is only loosely coupled at present and needs to be brought together more coherently. This will be feasible by Fall HEPiX! Who is interested? Contact us now!
Something I would like to see… Still trying to bring expt on board. ATLAS? Video conference “days” planned to achieve this.
So, where are we with image exchange?
• Not as far advanced as I predicted…
• … and largely due to my lack of effort in the past couple of months…
• Initial video conference “work days” ironed out problems in some areas, but Summer Holidays came along and we never managed to really test the fledgling infrastructure options as a group
  • even if work at sites advanced, c.f. presentations from Owen and Belmiro.
• A face-to-face meeting is being pencilled in for early December at RAL to kick things back into life.
• Personally, I still find the StratusLab Marketplace to be interesting as a cross-site layer
  • especially now they have delivered the promised administrator interface.
• … and there is always cernvm…
Administrator: Define Policy
• Create machine image policy
  • Validate metadata file
  • White/Blacklist for images
  • White/Blacklist for endorsers
  • Blacklist for checksums
• Policy evaluation
  • stratus-policy-image: invokes site policy to determine if the referenced image can be used
  • stratus-download-image: will download (and cache) a validated image to be used by a VM instance; uses the location URL(s) in the metadata entry

    [whitelistendorsers]
    group1 = loomis@lal.in2p3.fr
    [whitelistimages]
    group1 = MMZu9WvwKIro-rtBQfDk4PsKO7_
    [blacklistimages]
    group1 = XXXy9WvwKIro-rtBQfDk4PsKKzz
    [blacklistendorsers]
    group1 = hacker@example.org
    [blacklistchecksums]
    group1 = …
    [validatemetadatafile]
    activate = true
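To show how a site-side policy of the kind above is applied to a Marketplace metadata entry, here is an added example evaluator; it is not StratusLab's code and does not reproduce what stratus-policy-image actually does. The INI layout follows the slide. The evaluation order (blacklists always win, then a non-empty whitelist must contain either the image identifier or its endorser, then metadata validation), the required metadata field names, the example.org location URL and the checksum values are this example's assumptions; the slide's elided blacklistchecksums entry is replaced by an obvious placeholder.

```python
"""Site-policy evaluation for marketplace image metadata (added example).

Parses the whitelist/blacklist INI shown on the slide and decides whether a
metadata entry may be used.  Precedence rules, field names and sample values
are assumptions of this example, not StratusLab's implementation.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass, field

# Constructed policy file following the slide's layout.  The slide elides the
# checksum entry, so an obviously fake placeholder stands in for it here.
SITE_POLICY = """
[whitelistendorsers]
group1 = loomis@lal.in2p3.fr

[whitelistimages]
group1 = MMZu9WvwKIro-rtBQfDk4PsKO7_

[blacklistimages]
group1 = XXXy9WvwKIro-rtBQfDk4PsKKzz

[blacklistendorsers]
group1 = hacker@example.org

[blacklistchecksums]
group1 = PLACEHOLDER_CHECKSUM_OF_KNOWN_BAD_IMAGE

[validatemetadatafile]
activate = true
"""

# Fields a metadata entry must carry when validation is active (assumed names).
REQUIRED_METADATA = ("identifier", "endorser", "checksum", "location")

# Constructed metadata entries exercising each policy branch.
SAMPLE_OK = {
    "identifier": "MMZu9WvwKIro-rtBQfDk4PsKO7_",
    "endorser": "loomis@lal.in2p3.fr",
    "checksum": "0000000000000000000000000000000000000000",  # constructed value
    "location": "https://example.org/images/sample.img",       # constructed URL
}
SAMPLE_BLACKLISTED_ENDORSER = dict(SAMPLE_OK, endorser="hacker@example.org")
SAMPLE_UNKNOWN = dict(SAMPLE_OK, identifier="ZZZZunknownZZZZ", endorser="someone@example.org")
SAMPLE_INCOMPLETE = {k: v for k, v in SAMPLE_OK.items() if k != "location"}


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def load_policy(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def _values(cfg: configparser.ConfigParser, section: str) -> set[str]:
    """All values of a section (group1, group2, ...) as a set; empty if absent."""
    if not cfg.has_section(section):
        return set()
    return {v.strip() for _, v in cfg.items(section) if v.strip()}


def evaluate(cfg: configparser.ConfigParser, metadata: dict) -> Decision:
    reasons: list[str] = []
    # 1. Blacklists are authoritative: any hit rejects regardless of whitelists.
    if metadata.get("endorser") in _values(cfg, "blacklistendorsers"):
        reasons.append("endorser blacklisted")
    if metadata.get("identifier") in _values(cfg, "blacklistimages"):
        reasons.append("image blacklisted")
    if metadata.get("checksum") in _values(cfg, "blacklistchecksums"):
        reasons.append("checksum blacklisted")
    # 2. If any whitelist is configured, the image or its endorser must be on one
    #    (assumed semantics: explicit image entry OR trusted endorser suffices).
    wl_images, wl_endorsers = _values(cfg, "whitelistimages"), _values(cfg, "whitelistendorsers")
    if (wl_images or wl_endorsers) and (
        metadata.get("identifier") not in wl_images and metadata.get("endorser") not in wl_endorsers
    ):
        reasons.append("neither image nor endorser whitelisted")
    # 3. Metadata validation, if switched on in the policy file.
    if cfg.getboolean("validatemetadatafile", "activate", fallback=False):
        missing = [k for k in REQUIRED_METADATA if not metadata.get(k)]
        if missing:
            reasons.append("metadata missing: " + ", ".join(missing))
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    policy = load_policy(SITE_POLICY)
    for name, entry in [("ok", SAMPLE_OK), ("bad endorser", SAMPLE_BLACKLISTED_ENDORSER),
                        ("unknown", SAMPLE_UNKNOWN), ("incomplete", SAMPLE_INCOMPLETE)]:
        print(name, evaluate(policy, entry))
```

The point of putting blacklists first is that a revoked endorser or a known-bad checksum must override an image identifier that was whitelisted earlier; a download step such as stratus-download-image would then only be invoked for entries whose decision is `allowed`.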
Summary
• The working group has made good progress in establishing policies to allow the exchange of VM images…
• … but not such good progress in delivering a distributed catalogue of endorsed images.
• CVMFS is probably the neatest solution to the problem of VO software distribution…
• … but VM exchange remains interesting
  • as an option for sites to run hypervisors not OSes and automatically migrate to latest patched system as images instantiate, and
  • if the VM images can contact pilot job frameworks directly, simplifying the scheduling problems at sites.
Work in Progress! There has been progress in this area over the past few months, c.f. talks by Owen and Belmiro. Also, images created at one site (Victoria) have been instantiated and contextualised at another (CERN). However, work in different places is only loosely coupled at present and needs to be brought together more coherently. This will be feasible by HEPiX in Prague! Who is interested? Contact us now!
More thought needed in this area… WLCG TEG? F2F meeting at RAL planned to restart activities.