Security Guide - Remove out of date reference to OpenStack versions

Bug #1343562 reported by Lucas Fisher
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: High
Assigned to: N Dillon

Bug Description

The Security Guide includes numerous references to OpenStack release names. Use of these names makes the guide appear outdated. Re-evaluate if these references are needed and remove if appropriate.
-----------------------------------
Built: 2014-07-17T19:36:06+00:00
git SHA: 5ce4ae8b6c47080541f72c178913b659a998db95
URL: http://docs.openstack.org/security-guide/content/
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/bk-openstack-security-guide.xml
xml:id: os-security-guide

Tags: sec-guide
Bryan D. Payne (bdpayne)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
N Dillon (sicarie)
Changed in openstack-manuals:
assignee: nobody → N Dillon (sicarie)
Revision history for this message
N Dillon (sicarie) wrote :

Ran grep -i 'havana\|grizzly\|folsom\|essex\|diablo\|cactus\|bexar\|austin' against the book and saw:

bk-openstack-security-guide.xml: <para>Havana release.</para>
ch_compute.xml: <para><link xlink:href="http://openstack.redhat.com/forum/discussion/67/resolved-spice-support-in-rdo-grizzly/p1">SPICE support in RDO Grizzly</link></para>
ch_database-access-control.xml: <para>Finally, it should be noted that as of the Grizzly release, gaps exist where <systemitem class="service">nova-conductor</systemitem> is not used throughout OpenStack Compute. Depending on one's configuration, the use of <systemitem class="service">nova-conductor</systemitem> may not allow deployers to avoid the necessity of providing database GRANTs to individual compute host systems.</para>
ch_database-access-control.xml: <para>Implementors should weigh the benefits and risks of both configurations before enabling or disabling the <systemitem class="service">nova-conductor</systemitem> service. We are not yet prepared to recommend the use of <systemitem class="service">nova-conductor</systemitem> in the Grizzly release. However, we do believe that this recommendation will change as additional features are added into OpenStack.</para>
ch_data-encryption.xml: <para>A feature aimed for the Havana release provides encryption of the VM's data before it is written to disk. This allows the privacy of data to be maintained while residing on the storage device. The idea is similar to how self-encrypting drives work. This feature presents a normal block storage device to the VM but encrypts the bytes in the virtualization host before writing them to the disk. The block server operates exactly as it does when reading and writing unencrypted blocks, except special handling will be required for Block Storage features such as snapshots and live migration. Note that this feature uses an independent key manager.</para>
ch_management-interfaces.xml: <para><link xlink:href="https://wiki.openstack.org/wiki/ReleaseNotes/Grizzly"><citetitle>Grizzly Release Notes</citetitle></link></para>
ch_networking-services.xml: <para>OpenStack Networking currently only supports GRE encapsulation with planned future support of VXLAN due in the Havana release.</para>
ch_networking-services.xml: <para>The ability to set QoS on the virtual interface ports of tenant instances is a current deficiency for OpenStack Networking. The application of QoS for traffic shaping and rate-limiting at the physical network edge device is insufficient due to the dynamic nature of workloads in an OpenStack deployment and can not be leveraged in the traditional way. QoS-as-a-Service (QoSaaS) is currently in development for the OpenStack Networking Havana release as an experimental feature. QoSaaS is planning to provide the following services:</para>
ch_networking-services.xml: <para>An experimental feature in the Grizzly release of OpenStack Networking is Load-Balancer-as-a-service (LBaaS). The LBaaS API gives early adopters and vendors a chance to build implementations of the technology. The reference implementation however, is still experimental and...

N Dillon (sicarie) wrote :

Looks like there are only 11 occurrences that are not in the glossary - I will be correlating the compute/dbaccess/encryption/mgmt/networking entries above to ensure they were included so I can say "currently" (vs the architecture), or seeing if they're deprecated/still experimental.

I'm going to run Grizzly first as Havana is still supported, but I'm going to try to get to Havana occurrences as well.

N Dillon (sicarie) wrote :

1) ch_compute.xml – can just remove the reference for Grizzly. (link was to workaround, as it’s no longer in support – and workaround was not needed in Havana).
2) ch_database-access-control.xml – Gaps no longer exist per install guides (GRANTS not used with nova-conductor: http://docs.openstack.org/havana/install-guide/install/apt/content/nova-controller.html)
3) ch_database-access-control.xml – remove paragraph mentioning Grizzly
4) ch_data-encryption – Havana release, so will leave in, pretty sure we can encrypt vm data, but couldn’t confirm (found only 3rd party sites saying it was possible)
5) ch_management-interfaces.xml – update link to Icehouse documentation
6) ch_networking-services.xml – implemented
7) ch_networking-services.xml – was not in Havana, cannot find in Icehouse (looks like things need to go through 3 releases (or more) to be moved out of experimental status); recommend updating Havana->Icehouse
8) ch_networking-services.xml – is in Icehouse
9) ch_networking-services.xml – not fully implemented
10) ch_state-of-networking.xml – remove “in the Grizzly release” and “in ways not previously…”

Will update and submit tomorrow

OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/108569

Changed in openstack-manuals:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/108780

OpenStack Infra (hudson-openstack) wrote : Change abandoned on security-doc (master)

Change abandoned by Nathaniel Dillon (<email address hidden>) on branch: master
Review: https://review.openstack.org/108780
Reason: Still learning git - will fix commit message on https://review.openstack.org/108569

OpenStack Infra (hudson-openstack) wrote : Fix merged to security-doc (master)

Reviewed: https://review.openstack.org/108569
Committed: https://git.openstack.org/cgit/openstack/security-doc/commit/?id=625dcd822713d4917253ad2a458affb2eaefb3b2
Submitter: Jenkins
Branch: master

commit 625dcd822713d4917253ad2a458affb2eaefb3b2
Author: sicarie <email address hidden>
Date: Mon Jul 21 20:30:33 2014 -0700

    Removing references of out-of-date versions of OpenStack

    Fixing typo in ch_networking-services.xml and updating commit message
    Ignored glossary and bk-openstack-security-guide.xml
    Removed Grizzly 'workaround' link from ch_compute.xml
    Removed Grizzly reference from ch_database-access-control.xml
    Removed Grizzly reference from ch_database-access-control.xml
    Updated link to Icehouse release notes in ch_management-interfaces.xml
    Reworded the sentence to be descriptive ch_networking-services.xml
    Updated Grizzly reference to Icehouse in ch_networking-services.xml
    Restructured sentence in ch_networking-services.xml
    Updated Havana to Icehouse concerning FWaaS in ch_networking-services.xml
    Removed Grizzly ref & restructured sentence ch_state-of-networking.xml

    Change-Id: Idb1416148e8c3182b057d7f010a455a5fb7e956c
    Closes-Bug: #1343562

Changed in openstack-manuals:
status: In Progress → Fix Released