Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-22 Thread Blair Bethwaite
Could just avoid Glance snapshots and indeed Nova ephemeral storage altogether by exclusively booting from volume with your ITAR volume type or AZ. I don't know what other ITAR regulations there might be, but if it's just what JM mentioned earlier then doing so would let you have ITAR and non-ITAR

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-22 Thread Jonathan D. Proulx
On Tue, Mar 21, 2017 at 09:03:36PM -0400, Davanum Srinivas wrote:
:Oops, hit send before I finished
:
:https://info.massopencloud.org/wp-content/uploads/2016/03/Workshop-Resource-Federation-in-a-Multi-Landlord-Cloud.pdf
:https://git.openstack.org/cgit/openstack/mixmatch
:
:Essentially you can do a

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Blair Bethwaite
On 22 March 2017 at 13:33, Jonathan Mills wrote:
>
> To what extent is it possible to “lock” a tenant to an availability zone,
> to guarantee that nova scheduler doesn’t land an ITAR VM (and possibly the
> wrong glance/cinder) into a non-ITAR space (and vice versa)…
>

Yes,

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Jonathan Mills
Blair,

To what extent is it possible to “lock” a tenant to an availability zone, to guarantee that nova scheduler doesn’t land an ITAR VM (and possibly the wrong glance/cinder) into a non-ITAR space (and vice versa)…

For just that concern, Mike Lowe was chatting with me off list about using

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Blair Bethwaite
Dims, it might be overkill to introduce multi-Keystone + federation (I just quickly skimmed the PDF so apologies if I have the wrong end of it)? Jon, you could just have multiple cinder-volume services and backends. We do this in the Nectar cloud - each site has cinder AZs matching nova AZs. By

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Jonathan Mills
Thank you, Dims. I will read over this material.

> On Mar 21, 2017, at 9:03 PM, Davanum Srinivas wrote:
>
> Oops, hit send before I finished
>
> https://info.massopencloud.org/wp-content/uploads/2016/03/Workshop-Resource-Federation-in-a-Multi-Landlord-Cloud.pdf
>

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Davanum Srinivas
Oops, hit send before I finished

https://info.massopencloud.org/wp-content/uploads/2016/03/Workshop-Resource-Federation-in-a-Multi-Landlord-Cloud.pdf
https://git.openstack.org/cgit/openstack/mixmatch

Essentially you can do a single cinder proxy that can work with multiple cinder backends (one

Re: [Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Davanum Srinivas
Jonathan,

The folks from Boston University have done some work around this idea:
https://github.com/openstack/mixmatch/blob/master/doc/source/architecture.rst

On Tue, Mar 21, 2017 at 7:33 PM, Jonathan Mills wrote:
> Friends,
>
> I’m reaching out for assistance from anyone

[Openstack-operators] Dealing with ITAR in OpenStack private clouds

2017-03-21 Thread Jonathan Mills
Friends, I’m reaching out for assistance from anyone who may have confronted the issue of dealing with ITAR data in an OpenStack cloud being used in some department of the Federal Gov. ITAR (https://www.pmddtc.state.gov/regulations_laws/itar.html) is a less restrictive level of security than