The nova.scheduler.filters.trusted_filter Module
Filter to add support for Trusted Computing Pools (EXPERIMENTAL).
Filter that only schedules tasks on a host if the integrity (trust) of that host matches the trust requested in the extra_specs for the flavor. The extra_specs will contain a key/value pair where the key is trust. The value of this pair (trusted/untrusted) must match the integrity of that host (obtained from the Attestation service) before the task can be scheduled on that host.
Note that the parameters to control access to the Attestation Service are in the nova.conf file in a separate trust section. For example, the config file will look something like:
    [DEFAULT]
    verbose=True
    ...
    [trust]
    server=attester.mynetwork.com
Details on the specific parameters can be found in the file trust_attest.py.
Details on setting up and using an Attestation Service can be found at the Open Attestation project at:
class AttestationService
    Bases: object
    do_attestation(hosts)
        Attests compute nodes through OAT service.
        Parameters: hosts – hosts list to be attested
        Returns: dictionary for trust level and validate time
class ComputeAttestationCache
    Bases: object
    Cache for compute node attestation
    Caches a compute node's trust level for some time; if the cache is out of date, polls the OAT service to refresh the cache.
    The OAT service may also have a cache. The OAT service's cache valid time should be set shorter than the trusted filter's cache valid time.
    get_host_attestation(host)
        Check host's trust level.
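The matching and caching behaviour described above, as an added example that is not nova's own code: it shows that a host whose attestation result changes keeps its old answer until the filter's cache entry expires. StubAttestationService, AttestationCache, host_passes, demo, the host names and the 60-second lifetime are hypothetical; treating an unattested host as "unknown" and letting flavors without a trust key pass are assumptions of this sketch.

```python
import time


class StubAttestationService:
    """Stand-in for the OAT service, returning constructed trust levels."""
    def __init__(self, levels):
        self.levels = levels      # host -> "trusted" / "untrusted" (constructed)
        self.polls = 0

    def do_attestation(self, hosts):
        self.polls += 1
        return {h: self.levels.get(h, "unknown") for h in hosts}


class AttestationCache:
    """Keeps each host's trust level for ttl seconds, then polls again."""
    def __init__(self, service, ttl, clock=time.monotonic):
        self.service, self.ttl, self.clock = service, ttl, clock
        self.entries = {}         # host -> (trust level, time fetched)

    def get_host_attestation(self, host):
        entry = self.entries.get(host)
        if entry is None or self.clock() - entry[1] >= self.ttl:
            level = self.service.do_attestation([host])[host]
            entry = self.entries[host] = (level, self.clock())
        return entry[0]


def host_passes(cache, host, extra_specs):
    """True if the host's attested level equals the trust the flavor requests."""
    wanted = extra_specs.get("trust")
    if wanted is None:            # assumption: no trust request, no restriction
        return True
    # "unknown" never equals "trusted" or "untrusted", so the host is rejected
    return cache.get_host_attestation(host) == wanted


def demo():
    now = [0.0]                   # constructed clock so expiry is deterministic
    svc = StubAttestationService({"node1": "trusted", "node2": "untrusted"})
    cache = AttestationCache(svc, ttl=60, clock=lambda: now[0])
    flavor = {"trust": "trusted"}
    first = [host_passes(cache, h, flavor) for h in ("node1", "node2", "node3")]
    svc.levels["node1"] = "untrusted"   # node1 fails a later attestation
    now[0] = 30.0
    stale = host_passes(cache, "node1", flavor)   # answered from the cache
    now[0] = 61.0
    fresh = host_passes(cache, "node1", flavor)   # entry expired, polled again
    return first, stale, fresh, svc.polls
```

The cache lifetime bounds how long a host that has stopped attesting as trusted can still receive workloads that request trusted placement.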