[openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-23 Thread Sylvain Bauza
Hi team, Some discussion occurred over IRC about a bug which was publicly open related to TrustedFilter [1]. I want to take the opportunity for raising my concerns about that specific filter, why I dislike it and how I think we could improve the situation - and clarify everyone's thoughts. Th

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-09-23 Thread Matt Riedemann
On 6/25/2015 3:59 AM, Sylvain Bauza wrote: On 24/06/2015 19:56, Joe Gordon wrote: On Tue, Jun 23, 2015 at 3:41 AM, Sylvain Bauza <sba...@redhat.com> wrote: Hi team, Some discussion occurred over IRC about a bug which was publicly open related to TrustedFilter [1]

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-09-23 Thread Sylvain Bauza
On 23/09/2015 15:31, Matt Riedemann wrote: On 6/25/2015 3:59 AM, Sylvain Bauza wrote: On 24/06/2015 19:56, Joe Gordon wrote: On Tue, Jun 23, 2015 at 3:41 AM, Sylvain Bauza <sba...@redhat.com> wrote: Hi team, Some discussion occurred over IRC about a bug which was

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-09-23 Thread Matt Riedemann
On 9/23/2015 10:00 AM, Sylvain Bauza wrote: On 23/09/2015 15:31, Matt Riedemann wrote: On 6/25/2015 3:59 AM, Sylvain Bauza wrote: On 24/06/2015 19:56, Joe Gordon wrote: On Tue, Jun 23, 2015 at 3:41 AM, Sylvain Bauza <sba...@redhat.com> wrote: Hi team, Some disc

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-23 Thread Michael Still
I agree. I feel like this is another example of functionality which is trivially implemented outside nova, and where it works much better if we don't do it. Couldn't an admin just have a cron job which verifies hosts, and then adds them to a compromised-hosts host aggregate if they're owned? I assu

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-23 Thread Wang, Shane
[mailto:mi...@stillhq.com] Sent: Wednesday, June 24, 2015 7:49 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter) I agree. I feel like this is another

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-23 Thread Bhandaru, Malini K
i -Original Message- From: Wang, Shane [mailto:shane.w...@intel.com] Sent: Tuesday, June 23, 2015 9:26 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilte

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-23 Thread Wei, Gang
: Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter) Would like to add to Shane's points below. 1) The Trust filter can be treated as an API, with different underlying implementations. Its default could even be "Not Implem

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-24 Thread Sylvain Bauza
-Original Message- From: Bhandaru, Malini K [mailto:malini.k.bhand...@intel.com] Sent: Wednesday, June 24, 2015 1:13 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislik

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-24 Thread Dulko, Michal
sted hosts (and for the rest of the VMs you don't care). > > > Thanks > > Jimmy > > > > -Original Message- > > From: Bhandaru, Malini K [mailto:malini.k.bhand...@intel.com] > > Sent: Wednesday, June 24, 2015 1:13 PM > > To: OpenStack Developmen

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-24 Thread Sylvain Bauza
ailto:malini.k.bhand...@intel.com] Sent: Wednesday, June 24, 2015 1:13 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter) Would like to add to Shane's

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-24 Thread Joe Gordon
On Tue, Jun 23, 2015 at 3:41 AM, Sylvain Bauza wrote: > Hi team, > > Some discussion occurred over IRC about a bug which was publicly open > related to TrustedFilter [1] > I want to take the opportunity for raising my concerns about that specific > filter, why I dislike it and how I think we coul

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-25 Thread Sylvain Bauza
On 24/06/2015 19:56, Joe Gordon wrote: On Tue, Jun 23, 2015 at 3:41 AM, Sylvain Bauza wrote: Hi team, Some discussion occurred over IRC about a bug which was publicly open related to TrustedFilter [1] I want to take the opportunity for raising

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-25 Thread John Garbutt
t subset of hosts that have the attestation check working. Does that work for your use case? Thanks, John >> > -----Original Message- >> > From: Bhandaru, Malini K [mailto:malini.k.bhand...@intel.com] >> > Sent: Wednesday, June 24, 2015 1:13 PM >> >

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-25 Thread Dulko, Michal
> -Original Message- > From: John Garbutt [mailto:j...@johngarbutt.com] > Sent: Thursday, June 25, 2015 2:22 PM > To: OpenStack Development Mailing List (not for usage questions) > Subject: Re: [openstack-dev] [nova] How to properly detect and fence a > compromised host

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-25 Thread John Garbutt
Sent: Wednesday, June 24, 2015 9:39 AM >> >> To: OpenStack Development Mailing List (not for usage questions) >> >> Subject: Re: [openstack-dev] [nova] How to properly detect and fence >> >> a compromised host (and why I dislike TrustedFilter) > > (snip) >

Re: [openstack-dev] [nova] How to properly detect and fence a compromised host (and why I dislike TrustedFilter)

2015-06-25 Thread Juvonen, Tomi (Nokia - FI/Espoo)
- >>> >> From: Sylvain Bauza [mailto:sba...@redhat.com] >>> >> Sent: Wednesday, June 24, 2015 9:39 AM >>> >> To: OpenStack Development Mailing List (not for usage questions) >>> >> Subject: Re: [openstack-dev] [nova] How to properly detect and fence