4a72d213aa
Add simple unit tests to the Trove specs repo which ensure that specifications submitted follow the template correctly and address all the needed sections. Update tox to run these unit tests automatically. At the beginning of each release, test_titles.py will need to be updated and 'current_release' modified to reflect the new release directory. At the same time, the new release directory will be created, the index.rst file in doc/source ammended to include this directory, and any unmerged specs moved there. In this way, changes to the template will only affect specs going forward and avoids having to modify any specs that have merged in previous releases. (It will also have the side effect of signalling the 'opening' of the release to new specs.) Change-Id: I8f1175bceed63d36d96b6c6c6b4188ef27d3102e
128 lines
2.4 KiB
ReStructuredText
128 lines
2.4 KiB
ReStructuredText
..
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
License.
|
|
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
=============================
|
|
Make Rsync for Guest Optional
|
|
=============================
|
|
|
|
Blueprint:
|
|
|
|
https://blueprints.launchpad.net/trove-integration/+spec/rsync-optional
|
|
|
|
Today, the instance rsyncs the guestagent code and trove-guestagent.conf
|
|
via http://git.io/qI9ivw (or http://git.io/p88Njw)
|
|
|
|
The proposal is to introduce an alternative that does not require
|
|
guest-to-controller SSH connectivity: bake the guestagent code and
|
|
trove-guestagent.conf into the image.
|
|
|
|
Problem Description
|
|
===================
|
|
|
|
In production, permitting SSH connectivity between guests and the
|
|
control-plane is a security no-no. Although trove-integration is considered
|
|
to be only a sample reference implementation, we owe it to deployers to
|
|
provide insight into how to properly secure Trove.
|
|
|
|
Use Cases
|
|
----------
|
|
|
|
* As a deployer, I want to avoid ssh connectivity between guests and the
|
|
control-plane.
|
|
|
|
Proposed Change
|
|
===============
|
|
|
|
Add additional elements in trove-integration to stage the guestagent code
|
|
and trove-guestagent.conf during the extra-data.d hook, and subsequently
|
|
install them in the install.d hook, vs. relying on upstart/systemd to rsync.
|
|
|
|
See https://review.openstack.org/#/c/119488/
|
|
|
|
This is not turned on by default, and therefore is backwards compatible.
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
To make use of this functionality, it requires setting GUEST_LOCAL_TROVE_DIR
|
|
and GUEST_LOCAL_TROVE_CONF. The aforementioned values are used in the newly
|
|
introduced diskimage-builder elements.
|
|
|
|
Database
|
|
--------
|
|
|
|
No database changes.
|
|
|
|
Public API
|
|
----------
|
|
|
|
No public API changes.
|
|
|
|
Public API Security
|
|
-------------------
|
|
|
|
No public API Security related changes.
|
|
|
|
Internal API
|
|
------------
|
|
|
|
No internal API changes.
|
|
|
|
Guest Agent
|
|
-----------
|
|
|
|
No Guest Agent changes.
|
|
|
|
|
|
Alternatives
|
|
------------
|
|
|
|
No alternatives.
|
|
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
|
|
Primary assignee:
|
|
Auston McReynolds (amcrn)
|
|
|
|
Milestones
|
|
----------
|
|
|
|
Kilo-1
|
|
|
|
Work Items
|
|
----------
|
|
|
|
See https://review.openstack.org/#/c/119488/
|
|
|
|
Dependencies
|
|
============
|
|
|
|
No dependencies.
|
|
|
|
|
|
Testing
|
|
=======
|
|
|
|
diskimage-builder element additions/changes are not tested via traditional
|
|
means at the moment.
|
|
|
|
|
|
Documentation Impact
|
|
====================
|
|
|
|
No documentation impact.
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
None.
|