Functionality for checking integrity of instances
Note
For this functionality to work, you must correctly configure the afick
service.
Note
The integrity check functionality is only supported on AccentOS CE modules.
aos-agent must be installed and configured on all nodes where integrity checking is planned.
For correct operation, the following section must be added to the nova.conf file on all hosts with aos-agent:

[oslo_messaging_notifications]
driver = messagingv2
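The nova.conf change above has to be applied on every host running aos-agent, and a hand edit is easy to get wrong when the section already exists or already carries a different driver. The script below is an added example, not part of the AccentOS documentation or of aos-agent: a POSIX shell helper that idempotently ensures the section and key are present, replacing a stale value, and a second helper that reads back the effective value so the result can be verified. The file path, the sample nova.conf contents and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not AccentOS or aos-agent code): make sure nova.conf carries
# [oslo_messaging_notifications] with driver = messagingv2, idempotently.

# ensure_notification_driver FILE
# - appends the section if it is missing,
# - appends the key if the section exists without it,
# - rewrites the key if it exists with another value,
# and leaves every other line untouched. Safe to run repeatedly.
ensure_notification_driver() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    awk '
        BEGIN { in_sec = 0; seen_sec = 0; done = 0 }
        /^\[/ {
            # leaving the target section without having written the key: append it
            if (in_sec && !done) { print "driver = messagingv2"; done = 1 }
            in_sec = ($0 ~ /^\[oslo_messaging_notifications\]/)
            if (in_sec) seen_sec = 1
            print; next
        }
        in_sec && /^[ \t]*driver[ \t]*=/ {
            # replace a stale value; drop any duplicate driver lines
            if (!done) { print "driver = messagingv2"; done = 1 }
            next
        }
        { print }
        END {
            if (!seen_sec) {
                print ""
                print "[oslo_messaging_notifications]"
                print "driver = messagingv2"
            } else if (!done) {
                # target section was the last one and had no driver key
                print "driver = messagingv2"
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# notification_driver FILE
# Prints the driver value from [oslo_messaging_notifications], or nothing if unset.
notification_driver() {
    awk '
        /^\[/ { in_sec = ($0 ~ /^\[oslo_messaging_notifications\]/); next }
        in_sec && /^[ \t]*driver[ \t]*=/ {
            sub(/^[ \t]*driver[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Constructed sample nova.conf (not a real host's file) with a stale driver
# value sitting between two other sections.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
[DEFAULT]
debug = false

[oslo_messaging_notifications]
driver = log

[api]
auth_strategy = keystone
EOF

ensure_notification_driver "$demo_conf"
notification_driver "$demo_conf"    # prints: messagingv2
rm -f "$demo_conf"
```

On a real host the helper would be pointed at /etc/nova/nova.conf and followed by a restart of the nova services so that the notification driver takes effect; the read-back helper is the check to run on every aos-agent host before enabling control for the hypervisor.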
To enable integrity checking, you need to go to hypervisors and select the “Enable Control” action:
After this, all instances of this hypervisor will be locked (will be visible by the “lock” icon):
A regular user cannot perform any actions on a locked instance (the actions remain available, but when trying to perform them, a message will appear stating that the action cannot be performed).
The status of the signed instance can be seen on the Administrator – Hypervisors tab:
Green - integrity is not broken;
Red - integrity is broken;
Yellow - integrity may have been violated (if the instance was re-put under control, or control was launched for the hypervisor with already created instances).
If an integrity violation is detected for an instance, it will be forcibly shut down:
If instances were created on the hypervisor before it was placed under control, they will receive the “Integrity Possibly Violated” status. For such instances, it is necessary to update the integrity state, for which the Cloud Administrator must perform the “Recalculate integrity” action.
Important
If the integrity of an instance is compromised, it is not possible to restart it. In this case, it is recommended to recreate the instance.
Also, when placing the hypervisor under control, the BIOS folders used to launch instances are checked.
If an integrity violation is detected in one of the BIOS folders, the computing node will be put into maintenance mode, which will prevent the launch of new instances on this node.
To disable integrity checking, you need to go to hypervisors and select the “Disable control” action. In this case, all hypervisor instances are unlocked: