
Obsolete:PolicyGuidedFulfillmentMeetingsDemoPredeployEnforcement

Obsoleted - Policy Guided Fulfillment - Demo Predeploy Enforcement

Introduction

This topic is obsolete and will be removed.

This demo shows how to control Murano environment deployment with Congress policies.

The use case is as follows:

  • An OpenStack administrator wants to set constraints on Murano environments (e.g., use only supported applications; use only VM flavors with a given RAM size, ...).
  • The OpenStack administrator creates Congress policy rules that define which Murano environments are not allowed.
  • When an OpenStack user deploys a Murano environment, it is validated by Congress policy enforcement. Based on the enforcement result, the environment deployment is allowed or denied.

Demo

First, OpenStack must be running with all necessary services (with content), as defined in the Setup section.

Demo scenario

  • The administrator creates rules that allow only:
    • the Telnet application
    • VM flavors with a RAM size of at most 4096MB
  • The user creates an environment with the Telnet application and an instance of flavor m1.small.
    • Enforcement passes - deployment is started
  • The user creates an environment with the Git application and an instance of flavor m1.large.
    • Enforcement rejects - environment deployment is not started. The log contains the reasons
  • The user contacts the administrator to allow Git
    • The administrator adds a rule supporting Git.
  • The user redeploys the environment with "Git"
    • Deployment fails - the reason is the disallowed flavor
  • The user edits the environment (or creates a new one) and deploys it
    • Enforcement passes - deployment is started


Policy Rules Definition

These steps create rules in the Congress policy murano_system. Murano uses the predeploy_errors(envId, objId, msg) table (rule) for enforcement. On deploy, the Murano environment is mapped to the Congress policy murano (technically, the Congress simulation API is used, so the environment is mapped only transiently into the murano policy). See the References section for documentation of the environment mapping.

As the administrator, we want to enforce the following:

  • use only supported Murano applications
  • use only VM flavors with a given RAM size

To create the rules, use the following OpenStack CLI commands (run cd devstack; . ./openrc admin admin before using them):


openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:parent_types(oid,"io.murano.Application"), not allowedApp(type),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)'

openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql")'

openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.WordPress")'

openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixAgent")'

openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixServer")'

openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.ApacheHttpServer")'


openstack congress policy rule create murano_system 'predeploy_errors(eid, oid, msg) :- murano:objects(oid, eid, type), checkIfError(oid), objName(oid, oname), concat( "Instance flavor has RAM size over 4096MB: ", oname, tmsg1), concat( tmsg1, ", of application ", tmsg2), murano:relationships(aid, oid, "instance"), murano:parent_types(aid, "io.murano.Application"),objName(aid, aname), concat(tmsg2, aname, msg)'

openstack congress policy rule create murano_system 'checkIfError(oid) :- murano:parent_types(oid, "io.murano.resources.Instance"), murano:properties(oid, "flavor", fname),nova:flavors(i,fname,v,r,d,e,rx),gt(r,4096)'


openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'
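
The following is an added example, not part of the original page and not Congress or Murano code: it re-evaluates the two predeploy_errors rules above in plain Python over a constructed environment model, following the demo scenario (Telnet allowed, RAM limit 4096MB). The type names sample.apps.Telnet, sample.apps.Git and sample.Instance, the object names, and the simplified flavor table are assumptions made for illustration.

```python
# Added illustration: evaluates the page's two predeploy_errors rules in plain
# Python. This is not Congress code; fact tables and type names are constructed.
APP, INSTANCE = "io.murano.Application", "io.murano.resources.Instance"
MAX_RAM_MB = 4096
FLAVOR_RAM = {"m1.small": 2048, "m1.large": 8192}  # stand-in for nova:flavors

def make_env(eid, app_type, flavor):
    """Build constructed murano:* tables for one application with one instance."""
    app, vm = eid + "-app", eid + "-vm"
    return {
        "objects": {(app, eid, app_type), (vm, eid, "sample.Instance")},
        "parent_types": {(app, APP), (vm, INSTANCE)},
        "properties": {(app, "name", "app1"), (vm, "name", "vm1"),
                       (vm, "flavor", flavor)},
        "relationships": {(app, vm, "instance")},
    }

def obj_names(env, oid):
    # objName(oid, oname) :- murano:properties(oid, "name", oname)
    return [v for (o, k, v) in env["properties"] if o == oid and k == "name"]

def check_if_error(env, oid):
    # checkIfError(oid): an Instance whose flavor has RAM gt 4096
    return (oid, INSTANCE) in env["parent_types"] and any(
        FLAVOR_RAM.get(v, 0) > MAX_RAM_MB
        for (o, k, v) in env["properties"] if o == oid and k == "flavor")

def predeploy_errors(env, allowed_apps):
    """Return sorted (eid, oid, msg) rows; an empty list means deploy may start."""
    rows = set()
    for oid, eid, typ in env["objects"]:
        for oname in obj_names(env, oid):
            # Rule 1: an application whose type is not in allowedApp
            if (oid, APP) in env["parent_types"] and typ not in allowed_apps:
                rows.add((eid, oid,
                          f"Unsupported application detected: {typ}, {oname}"))
            # Rule 2: an oversized instance, joined to its owning application
            if check_if_error(env, oid):
                owners = [a for (a, t, r) in env["relationships"]
                          if t == oid and r == "instance"
                          and (a, APP) in env["parent_types"]]
                for aname in (n for a in owners for n in obj_names(env, a)):
                    rows.add((eid, oid, "Instance flavor has RAM size over "
                              f"4096MB: {oname}, of application {aname}"))
    return sorted(rows)

if __name__ == "__main__":
    print(predeploy_errors(make_env("env2", "sample.apps.Git", "m1.large"),
                           {"sample.apps.Telnet"}))
```

Both rules join on objName, so in this model, as in a Datalog conjunction, an object with no "name" property produces no row; when writing such rules it is worth confirming that every object the policy should cover carries that property.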


Murano Environment Deployment

Setup

References