Trove/trove-managed-instances
Description
The purpose of this feature is to provide improved control over Compute Instances that are managed by Trove. Currently, any Trove Instance that a user creates, has two ID and two access points: one through Trove; and the other through Nova. The point of Trove being to manage datastores in a way that provides a stable and optimized platform. The option for the user to also configure the Compute Instance directly through Nova compromises this integrity. The intention here then is to "lock" Compute Instances that were created through the Trove interface. While this is currently an issue for Trove, other Services that sit on top of Nova can also benefit from this. *Note* There is a project that is forming called "Service VMs". In the future this may replace this functionality.
Trove Management
The focus of this feature is that a system-based Tenant will own a lock on all Trove Guest Instances.
Overview of Trove Instances on Management Network
Interaction of Trove-Nova
Justification/Benefits
Benefits of Trove-Locked Instances
Once Trove locks the Instances in Nova, Customers/Users can no longer go directly to Nova to perform functions on the Trove Instances. This prevents issues where a Customer may create an Instance Snapshot and then restore that Snapshot on an unmanaged Instance gaining access to potentially sensitive data. The primary benefit of this feature is that all access and control goes through Trove API. The Trove API leverages the Trove Admin credentials to Unlock/Lock the Instance during "critical" functions.
Use Case Requirements
Before Installing Trove-Integration/Devstack
- Operator has enabled Trove-Managed Instances
During Installation
- Trove-Integration/DevStack creates a Trove Admin Tenant and User.
During Instance Creation
As soon as the Instance is created and found to be in Active status, the Instance will be "locked" by Task Manager.
During Instance Actions
For any action requiring action from Nova, Trove API or Task Manager, will unlock the instance. Then regardless of the outcome, it will lock the instance just before returning a response back to the User. Such actions would include: Resize and Resize Volume
Other Use Cases
Security Groups
Security Groups are currently not a lockable resource in Nova. The result is that the user can still manipulate the Security Groups associated to the the Instance.
Scope
The scope of this is primarily limited to Trove API and Task Manager but there is need for support from Trove-Integration in that it must prepare the Tenant. There will be no resulting changes to public API's nor internal.
Impacts
There will be a bit more chattiness to the Trove/Nova interaction. That is, for every call to Nova (unoptimized) would be enclosed in a "unlock/lock" pair. The overhead for this check in Nova is fairly efficient as it simply checks the state in the database and updates the flag.
Configuration
| configuration name | value | description |
|---|---|---|
| trove.managed.instances | boolean | determines whether all instances are owned by Trove (default: false) |
Database
There are no expected changes to the database
Public API
There are no changes to the API
Internal API
There are no changes to the Internal API
Guest Agent
This will not affect the Guest Agent
Trove-Integration
The script for Trove Integration will have to change in such a way that it provides the following infrastructure…
Creates a Trove Tenant and User that is going to Manage the Guest Instances Add configurations to the conf files so that the Tenant, User and Password are available to Trove API and Task Manager
