Bug 978631

Summary: [Docs] [RFE] Give more in-depth details on Trusted Compute Pools feature based on OpenAttestation
Product: Red Hat Enterprise Virtualization Manager
Reporter: Andrew Burden <aburden>
Component: Documentation
Assignee: Tahlia Richardson <trichard>
Status: CLOSED CURRENTRELEASE
QA Contact: Megan Lewis <melewis>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.5.0
CC: aburden, bazulay, dfediuck, gang.wei, lbopf, lpeer, michal.skrivanek, rbalakri, rgolan, rhev-docs, sgordon, sherold, srevivo, tjelinek, ylavi, zdover
Target Milestone: ovirt-3.6.8
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 977165
Environment:
Last Closed: 2016-07-28 00:03:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 929057, 977165
Bug Blocks: 978623, 978629, 978630, 978632

Description Andrew Burden 2013-06-27 01:30:27 UTC
Will need to append vm parameters and example.

+++ This bug was initially created as a clone of Bug #977165 +++

+++ This bug was initially created as a clone of Bug #929057 +++

Information about "Trusted Compute Pools" should be included in the RHEV Docs Suite.


Please include the Trusted Compute Pools feature once it gets upstreamed into oVirt.

- the link to the patch(es) in gerrit
http://gerrit.ovirt.org/#/c/11237/

- the oVirt wiki page link
http://wiki.ovirt.org/Trusted_compute_pools

- QA issue
Intel will QA this feature, once it is available in downstream RHEV.

Comment 1 Zac Dover 2013-08-18 04:28:33 UTC
The material on the oVirt wiki is here:
http://wiki.ovirt.org/Trusted_compute_pools

Much of the information there will be used in the docs. This is a major addition to the docs suite.

Comment 2 Tim Hildred 2013-10-09 04:14:37 UTC
From what I can tell, the relevant bit is here:

RESTful API
Create a trusted cluster via the RESTful API; the curl command may look like this:

  curl -v -u "admin@internal:abc123" \
       -H "Content-type: application/xml" \
       -d '<cluster>
             <name>my_trust_cluster</name>
             <data_center><name>Default</name></data_center>
             <version minor="2" major="3"/>
             <cpu id="Intel SandyBridge Family"/>
             <trusted_service>true</trusted_service>
           </cluster>' \
       'http://engine.***.com:80/api/clusters'

Key relevant modification includes api.xsd and ClusterMapper.java.
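
The same REST call as an added example script (not from the bug, the oVirt wiki, or the RHEV docs). It fixes two things a reviewer would flag in the one-line curl above: the request goes over plain http://, and the admin password sits in the command line where every local user can read it with ps. Here the credentials are fed to curl on stdin with -K, names are XML-escaped before being spliced into the body, and the response is checked for trusted_service=true and the new cluster id. Assumed: the environment variables ENGINE_URL, OVIRT_USER, OVIRT_PASS and CA_FILE, and the /ovirt-engine/api base path used by 3.5 and later Managers.

```shell
#!/bin/sh
# Added example: create a trusted cluster through the REST API.
# Assumptions: ENGINE_URL (https://...), OVIRT_USER, OVIRT_PASS and CA_FILE are
# set by the caller; the API base path is /ovirt-engine/api (3.5+). On a 3.5+
# Manager the CA can be fetched from
#   $ENGINE_URL/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

# Escape the XML special characters so a cluster or data center name cannot
# break out of its element.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                             -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the <cluster> body. Args: name datacenter major minor cpu_id
trusted_cluster_xml() {
    case "$3$4" in
        ''|*[!0-9]*) echo "major/minor must be integers: '$3' '$4'" >&2; return 1 ;;
    esac
    printf '<cluster><name>%s</name><data_center><name>%s</name></data_center><version major="%s" minor="%s"/><cpu id="%s"/><trusted_service>true</trusted_service></cluster>\n' \
        "$(xml_escape "$1")" "$(xml_escape "$2")" "$3" "$4" "$(xml_escape "$5")"
}

# Pull the id attribute out of the <cluster> element the engine returns.
cluster_id_from_response() {
    printf '%s\n' "$1" | sed -n 's/.*<cluster[^>]* id="\([^"]*\)".*/\1/p' | head -n 1
}

# Confirm the engine actually persisted trusted_service=true.
response_is_trusted() {
    printf '%s\n' "$1" | grep -q '<trusted_service>true</trusted_service>'
}

# POST the cluster. The user/password pair is handed to curl as a config
# fragment on stdin (-K -), so it never appears in the process argument list.
create_trusted_cluster() {
    body=$(trusted_cluster_xml "$@") || return 1
    printf 'user = "%s:%s"\n' "$OVIRT_USER" "$OVIRT_PASS" |
        curl -sS --fail -K - --cacert "$CA_FILE" \
             -H 'Content-Type: application/xml' -H 'Accept: application/xml' \
             -d "$body" "$ENGINE_URL/ovirt-engine/api/clusters"
}

# Usage (real run; the printed id is what later REST calls on the cluster need):
#   ENGINE_URL=https://engine.example.com OVIRT_USER=admin@internal OVIRT_PASS=... \
#   CA_FILE=ca.pem sh trusted_cluster.sh my_trust_cluster Default 3 6 "Intel SandyBridge Family"
if [ "$#" -eq 5 ] && [ -n "$ENGINE_URL" ]; then
    resp=$(create_trusted_cluster "$@") || exit 1
    response_is_trusted "$resp" || { echo "engine did not set trusted_service" >&2; exit 1; }
    echo "created trusted cluster id=$(cluster_id_from_response "$resp")"
fi
```

Checking the response rather than only the HTTP status matters here: a cluster created with trusted_service absent or false is an ordinary cluster, and hosts placed in it are never asked to attest.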

Comment 3 Zac Dover 2014-04-04 06:02:32 UTC
I have changed this bug to 3.4 and made it into a feature bug.

The material in Comment 2 above should go into the REST API or Developer Guide (both of which are now in the 3.4 Technical Guide). Attention aburden.

There is also a lot of content in the link on the oVirt Wiki that should be in the Administration Guide, and I will begin performing the work on that now.

Comment 4 Zac Dover 2014-04-04 07:56:42 UTC
Created the following topic:
Creating a Trusted Cluster [30328]

Comment 5 Zac Dover 2014-04-04 16:44:43 UTC
Created the following topic:
Adding a Trusted Host [30334]

Comment 6 Zac Dover 2014-04-04 17:05:55 UTC
I have added the two topics above to the 3.4 Administration Guide.

Tasks that remain:

  1. Add the curl command for creating a trusted cluster to the REST
     API portion of the Technical Guide. (probably a job for aburden)

  2. Write some overview material about OAT (OpenAttestation) and its 
     relationship to Intel TXT (Trusted Execution Technology).

  3. Explain that trusted hosts behave like untrusted hosts once they have
     made contact with the OAT servers.

Comment 7 Zac Dover 2014-04-04 17:21:10 UTC
*** Bug 977165 has been marked as a duplicate of this bug. ***

Comment 8 Zac Dover 2014-04-04 17:35:35 UTC
Tim Hildred, from BZ#977165:

From email conversations about this bug with Doron:

"The integration with OAT requires using the config utility in order
to update the relevant information, the same way we do with the
manage-domains. So the user should be using engine-config instead
of manually updating the DB. What we need to document is the relevant
~3-4 keys and what they mean, as well as the meaning of the checkbox
we have in the UI. What we can do, is possibly add a tooltip with
a question mark in the UI which will indicate that this requires
OAT setup."

Here are the values that have to be added to the table of rhevm-config values:

  SecureConnectionWithOATServers  default value: true
  PollUri                         default value: "AttestationService/resources/PollHosts". Comment: this is determined by the OAT installation.
  AttestationTruststore           default value: "TrustStore.jks"
  AttestationPort                 default value: 8443
  AttestationServer               default value: ""

Adding missing entries:

  AttestationTruststorePass       "The password used to access trust store" (Value Type: String). Default value: "password".

  AttestationFirstStageSize       "Attestation size for first stage" (Value Type: Integer). Default value: 10. Comment: used for quick initialization. Do not change unless you know why.
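
The engine-config route Doron describes, as an added example script (not code from the bug, the oVirt wiki, or the RHEV docs). It sets the keys listed in this comment with engine-config -s, after refusing the inputs that would leave the Manager silently misconfigured or weak: an empty AttestationServer, a non-numeric or out-of-range port, a truststore the engine cannot read, and the shipped default truststore password "password". Assumed: the truststore location /etc/ovirt-engine/TrustStore.jks, an OAT_TRUSTSTORE_PASS environment variable for the password, and that `service ovirt-engine restart` is what makes the new values take effect; the key names and defaults are exactly those above.

```shell
#!/bin/sh
# Added example: point the Manager at an OpenAttestation server via engine-config.
# Assumptions: truststore at /etc/ovirt-engine/TrustStore.jks, password in
# OAT_TRUSTSTORE_PASS, and a service restart afterwards. ENGINE_CONFIG can be
# overridden (for example with `echo`) to dry-run the commands.
ENGINE_CONFIG=${ENGINE_CONFIG:-engine-config}
TRUSTSTORE_DEFAULT=/etc/ovirt-engine/TrustStore.jks

# Args: server port truststore pass. Returns 1 with a message on anything
# that engine-config would happily accept but the attestation path would not.
oat_validate() {
    server=$1 port=$2 truststore=$3 pass=$4
    [ -n "$server" ] || { echo "AttestationServer must not be empty" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "AttestationPort must be numeric: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "AttestationPort out of range: $port" >&2; return 1; }
    [ -r "$truststore" ] || { echo "truststore not readable: $truststore" >&2; return 1; }
    [ "$pass" != "password" ] ||
        { echo "refusing the default AttestationTruststorePass" >&2; return 1; }
    return 0
}

# Prove the truststore opens with the given password before touching the engine;
# a wrong password here only shows up later as every host failing attestation.
oat_check_truststore() {
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1 ||
        { echo "keytool cannot open $1 with that password" >&2; return 1; }
}

# Write the keys. Args: server port truststore pass.
# PollUri and AttestationFirstStageSize are left at their defaults: PollUri is
# fixed by the OAT installation and the comment above says not to change the
# first-stage size without reason. SecureConnectionWithOATServers is pinned to
# true so the poll to the OAT server is TLS and verified against the truststore.
oat_configure() {
    oat_validate "$@" || return 1
    "$ENGINE_CONFIG" -s "AttestationServer=$1" &&
    "$ENGINE_CONFIG" -s "AttestationPort=$2" &&
    "$ENGINE_CONFIG" -s "AttestationTruststore=$3" &&
    "$ENGINE_CONFIG" -s "AttestationTruststorePass=$4" &&
    "$ENGINE_CONFIG" -s "SecureConnectionWithOATServers=true"
}

# Read the values back so the operator can eyeball them (the password is not
# listed on purpose).
oat_show() {
    for key in AttestationServer AttestationPort AttestationTruststore \
               SecureConnectionWithOATServers PollUri AttestationFirstStageSize; do
        "$ENGINE_CONFIG" -g "$key"
    done
}

# Usage on the Manager (assumed paths; keep the truststore readable by root and
# the engine user only):
#   cp TrustStore.jks /etc/ovirt-engine/ && chmod 640 /etc/ovirt-engine/TrustStore.jks
#   OAT_TRUSTSTORE_PASS='s3cret' sh oat_engine_config.sh oat.example.com 8443
#   service ovirt-engine restart
if [ "$#" -ge 2 ]; then
    truststore=${3:-$TRUSTSTORE_DEFAULT}
    pass=${OAT_TRUSTSTORE_PASS:?set OAT_TRUSTSTORE_PASS instead of passing the password as an argument}
    oat_check_truststore "$truststore" "$pass" || exit 1
    oat_configure "$1" "$2" "$truststore" "$pass" || exit 1
    oat_show
fi
```

Note that engine-config -s still receives the password as an argument for the instant the command runs; this script only keeps it out of your own shell history and out of the script's argv, which is the part an operator controls.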

Comment 9 Zac Dover 2014-04-05 06:12:13 UTC
Re: Comment 6: "Explain that trusted hosts behave like untrusted hosts once they have made contact with the OAT servers." means that once the host has been verified by the OAT server, it can be manipulated in RHEVM the same way that untrusted hosts are manipulated. It does not mean that they behave like untrusted hosts in that they are not trusted.

Comment 11 Sandro Bonazzola 2015-10-26 12:33:52 UTC
This is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted for next week, Nov 4th 2015.
Please review this bug and, if it is not a blocker, please postpone it to a later release.
All bugs not postponed on the GA release will be automatically re-targeted to:

- 3.6.1 if severity >= high
- 4.0 if severity < high

Comment 15 Lucy Bopf 2016-05-11 06:53:46 UTC
Assigning to Tahlia for review.

Tahlia, it looks like this feature is partially documented in the Administration Guide and the REST API Guide. It appears we are missing a procedure for integrating OAT with RHEV using engine-config (parameters explained in Comment 8), and that we need to check the outstanding tasks from Comment 6.

Comment 25 Tahlia Richardson 2016-07-28 00:03:12 UTC
Now available at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Trusted_Compute_Pools.html
Content will also be included in the next 4.0 publication.