-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Blog post on adjustements for SCS compliance. (#1029)
* Blog post on adjustements for SCS compliance. * Put Kurt as single author Signed-off-by: Kurt Garloff <[email protected]> Co-authored-by: Max Wolfs <[email protected]> Co-authored-by: Matthias Büchse <[email protected]>
- Loading branch information
3 people
authored
Oct 15, 2024
1 parent
75d204d
commit 1794448
Showing
2 changed files
with
180 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../../en/_posts/blog/2024-10-14-cert-adapt-example.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,179 @@ | ||
| --- | ||
| layout: post | ||
| title: "SCS-compatible IaaS: Example test and adapt" | ||
| author: | ||
| - "Kurt Garloff" | ||
| avatar: | ||
| - "kgarloff.jpg" | ||
| about: | ||
| - "garloff" | ||
| --- | ||
|
|
||
|
|
||
|
|
||
| # SCS-compatible IaaS: Example test and adjust | ||
|
|
||
| ## Run the tests | ||
|
|
||
| Get the test suite by cloning [the SCS standards repo](https://github.com/SovereignCloudStack/standards/). | ||
| In order to run the tests, you need to have normal customer (tenant) access to the cloud or | ||
| container infrastructure that you want to test. (This is by design; we explicitly do not | ||
| require nor recommend admin level access for normal compliance testing.) | ||
|
|
||
| You can run the test suite from any machine that has a working `python3-openstacksdk` (for the | ||
| IaaS tests) or working `python3`, `kubectl` and `helm` (for the KaaS tests). Go to the | ||
| checked out tree into the `Tests/` directory to run tests. Check that the tooling works, | ||
| e.g. by issuing a command like `openstack --os-cloud=MYCLOUD catalog list` or | ||
| `KUBECONFIG=~/.kube/MYCLUSTER.yaml kubectl get nodes -o wide`. | ||
|
|
||
| Let's do a run against a sample environment: | ||
|
|
||
| ```bash | ||
| garloff@framekurt(//):/casa/src/SCS/standards/Tests [1]$ ./scs-compliance-check.py -V v4 -s CIAB -a os_cloud=ciab-test scs-compatible-iaas.yaml | ||
| INFO: module opc-v2022.11 missing checks or test cases | ||
| DEBUG: Fetching flavors from cloud 'ciab-test' | ||
| DEBUG: Checking 28 flavor specs against 18 flavors | ||
| WARNING: Flavor 'SCS-4V-16' found via name only, missing property 'scs:name-v2' | ||
| ERROR: Flavor 'SCS-4V-16' violating property constraints: scs:cpu-type: None should be 'shared-core'; scs:name-v1: None should be 'SCS-4V:16'; scs:name-v2: None should be 'SCS-4V-16' | ||
| WARNING: Flavor 'SCS-8V-32' found via name only, missing property 'scs:name-v2' | ||
| ERROR: Flavor 'SCS-8V-32' violating property constraints: scs:cpu-type: None should be 'shared-core'; scs:name-v1: None should be 'SCS-8V:32'; scs:name-v2: None should be 'SCS-8V-32' | ||
| WARNING: Missing recommended flavor 'SCS-1V-4-10' | ||
| WARNING: Missing recommended flavor 'SCS-2V-8-20' | ||
| WARNING: Missing recommended flavor 'SCS-4V-16-50' | ||
| WARNING: Missing recommended flavor 'SCS-8V-32-100' | ||
| WARNING: Missing recommended flavor 'SCS-1V-2-5' | ||
| WARNING: Missing recommended flavor 'SCS-2V-4-10' | ||
| WARNING: Missing recommended flavor 'SCS-4V-8-20' | ||
| WARNING: Missing recommended flavor 'SCS-8V-16-50' | ||
| WARNING: Missing recommended flavor 'SCS-16V-32-100' | ||
| WARNING: Missing recommended flavor 'SCS-1V-8-20' | ||
| WARNING: Missing recommended flavor 'SCS-2V-16-50' | ||
| WARNING: Missing recommended flavor 'SCS-4V-32-100' | ||
| WARNING: Missing recommended flavor 'SCS-1L-1-5' | ||
| DEBUG: Total critical / error / info: 0 / 2 / 0 | ||
| DEBUG: Fetching image list from cloud 'ciab-test' | ||
| DEBUG: Images present: Cirros 0.6.1, Cirros 0.6.2, Debian 12, Ubuntu 22.04 Minimal, openSUSE 15.6 | ||
| DEBUG: Checking 6 image specs against 10 images | ||
| ERROR: Missing mandatory image 'Ubuntu 22.04' | ||
| WARNING: Missing recommended image 'ubuntu-capi-image' | ||
| DEBUG: Missing optional image 'Ubuntu 20.04' | ||
| DEBUG: Missing optional image 'Debian 11' | ||
| DEBUG: Missing optional image 'Debian 10' | ||
| DEBUG: Total critical / error / warning: 0 / 1 / 1 | ||
| ******************************************************************************** | ||
| CIAB SCS-compatible IaaS v4 (effective): | ||
| - main: FAIL (3 passed, 2 failed) | ||
| - FAILED: | ||
| - standard-flavors-check: | ||
| > Must fulfill all requirements of https://docs.scs.community/standards/scs-0103-v1-standard-flavors | ||
| - standard-images-check: | ||
| > Must fulfill all requirements of https://docs.scs.community/standards/scs-0104-v1-standard-images | ||
| ``` | ||
|
|
||
| So we run the *SCS-compatible IaaS* tests defined in `scs-compatible-iaas.yaml` in version `v4`; without option `-V`, | ||
| all active versions would have been used, producing more output. We further define the cloud to be named `CIAB` (short for | ||
| Cloud-in-a-Box) in the report. And we set the parameter `os_cloud` to `ciab-test`. This references the | ||
| name of the cloud as configured in OpenStack `clouds.yaml` and `secure.yaml` which contain the configuration | ||
| and credentials to access the cloud as tenant user via the API (SDK or CLI). | ||
|
|
||
| Let's have a look at the results: | ||
|
|
||
| * We seem to have all 15 mandatory compute flavors, but two of them miss mandatory properties (`extra_specs`). | ||
| We also receive 13 warnings for not having recommended flavors, we can ignore them for now. | ||
| * On the images side, the mandatory image `Ubuntu 22.04` is not registered. | ||
| * The end result is that we passed three tests and failed to comply with two specs: | ||
|
|
||
| ```yaml | ||
| - FAILED: | ||
| - standard-flavors-check: | ||
| > Must fulfill all requirements of https://docs.scs.community/standards/scs-0103-v1-standard-flavors | ||
| - standard-images-check: | ||
| > Must fulfill all requirements of https://docs.scs.community/standards/scs-0104-v1-standard-images | ||
| ``` | ||
| With option `-v`, we can make the test suite more verbose to e.g. see that we pass the flavor naming test, | ||
| the entropy test and the image metadata test. | ||
|
|
||
| ## Address issues | ||
|
|
||
| To fix the failures, we will thus need to: | ||
|
|
||
| * Add properties to the two flavors where they are missing. | ||
| * Register the `Ubuntu 22.04` image (with the appropriate metadata). | ||
|
|
||
| Neither is difficult to do manually, but a more systematic and automated process is preferable. | ||
| For the first issue, there is a [blog article on flavor metadata](https://scs.community/de/tech/2024/08/20/flavor-extra-specs-compliance/). | ||
| For the image registration, the [OpenStack Image Manager](https://github.com/osism/openstack-image-manager) can be used. | ||
|
|
||
| For adjusting the environment, we of course do need admin access to the cloud. | ||
| We use the tools referenced above: | ||
|
|
||
| ```shell | ||
| garloff@framekurt(//):/casa/src/SCS/standards/Tests [3]$ OS_CLOUD=ciab-admin ./iaas/flavor-naming/flavor-add-extra-specs.py -a apply | ||
| INFO: Flavor SCS-8V-32: SET scs:cpu-type=shared-core | ||
| INFO: Flavor SCS-8V-32: SET scs:name-v1=SCS-8V:32 | ||
| INFO: Flavor SCS-8V-32: SET scs:name-v2=SCS-8V-32 | ||
| INFO: Flavor SCS-4V-16: SET scs:cpu-type=shared-core | ||
| INFO: Flavor SCS-4V-16: SET scs:name-v1=SCS-4V:16 | ||
| INFO: Flavor SCS-4V-16: SET scs:name-v2=SCS-4V-16 | ||
| INFO: Processed 15 flavors, 6 changes | ||
| ``` | ||
|
|
||
| and as this is a OSISM-based SCS system, we can on the manager just run the image manager: | ||
|
|
||
| ```shell | ||
| dragon@manager:~$ osism manage images --cloud admin --filter "Ubuntu 22.04" | ||
| 2024-09-23 13:21:43 | INFO | Processing image 'Ubuntu 22.04 (20240705)' | ||
| 2024-09-23 13:21:43 | INFO | Tested URL https://swift.services.a.regiocloud.tech/swift/v1/AUTH_b182637428444b9aa302bb8d5a5a418c/openstack-images/ubuntu-22.04/20240705-ubuntu-22.04.qcow2: 200 | ||
| 2024-09-23 13:21:43 | INFO | Importing image Ubuntu 22.04 (20240705) | ||
| 2024-09-23 13:21:43 | INFO | Importing from URL https://swift.services.a.regiocloud.tech/swift/v1/AUTH_b182637428444b9aa302bb8d5a5a418c/openstack-images/ubuntu-22.04/20240705-ubuntu-22.04.qcow2 | ||
| 2024-09-23 13:21:44 | INFO | Waiting for image to leave queued state... | ||
| 2024-09-23 13:21:46 | INFO | Waiting for import to complete... | ||
| 2024-09-23 13:21:56 | INFO | Waiting for import to complete... | ||
| 2024-09-23 13:22:06 | INFO | Waiting for import to complete... | ||
| 2024-09-23 13:22:16 | INFO | Import of 'Ubuntu 22.04 (20240705)' successfully completed, reloading images | ||
| 2024-09-23 13:22:17 | INFO | Checking parameters of 'Ubuntu 22.04 (20240705)' | ||
| 2024-09-23 13:22:17 | INFO | Setting internal_version = 20240705 | ||
| 2024-09-23 13:22:17 | INFO | Setting image_original_user = ubuntu | ||
| 2024-09-23 13:22:17 | INFO | Adding tag os:ubuntu | ||
| 2024-09-23 13:22:17 | INFO | Setting property architecture: x86_64 | ||
| 2024-09-23 13:22:17 | INFO | Setting property hw_disk_bus: scsi | ||
| 2024-09-23 13:22:17 | INFO | Setting property hw_rng_model: virtio | ||
| 2024-09-23 13:22:17 | INFO | Setting property hw_scsi_model: virtio-scsi | ||
| 2024-09-23 13:22:17 | INFO | Setting property hw_watchdog_action: reset | ||
| 2024-09-23 13:22:17 | INFO | Setting property hypervisor_type: qemu | ||
| 2024-09-23 13:22:17 | INFO | Setting property os_distro: ubuntu | ||
| 2024-09-23 13:22:18 | INFO | Setting property os_version: 22.04 | ||
| 2024-09-23 13:22:18 | INFO | Setting property replace_frequency: quarterly | ||
| 2024-09-23 13:22:18 | INFO | Setting property uuid_validity: last-3 | ||
| 2024-09-23 13:22:18 | INFO | Setting property provided_until: none | ||
| 2024-09-23 13:22:18 | INFO | Setting property image_description: Ubuntu 22.04 | ||
| 2024-09-23 13:22:18 | INFO | Setting property image_name: Ubuntu 22.04 | ||
| 2024-09-23 13:22:18 | INFO | Setting property internal_version: 20240705 | ||
| 2024-09-23 13:22:18 | INFO | Setting property image_original_user: ubuntu | ||
| 2024-09-23 13:22:18 | INFO | Setting property image_source: https://cloud-images.ubuntu.com/jammy/20240705/jammy-server-cloudimg-amd64.img | ||
| 2024-09-23 13:22:18 | INFO | Setting property image_build_date: 2024-07-05 | ||
| 2024-09-23 13:22:18 | INFO | Checking status of 'Ubuntu 22.04 (20240705)' | ||
| 2024-09-23 13:22:18 | INFO | Checking visibility of 'Ubuntu 22.04 (20240705)' | ||
| 2024-09-23 13:22:18 | INFO | Setting visibility of 'Ubuntu 22.04 (20240705)' to 'public' | ||
| 2024-09-23 13:22:19 | INFO | Renaming Ubuntu 22.04 (20240705) to Ubuntu 22.04 | ||
| 2024-09-23 13:22:19 | INFO | Processing image 'Ubuntu 22.04 Minimal (20240701)' | ||
| dragon@manager:~$ | ||
| ``` | ||
|
|
||
| A description how *SCS-compatible IaaS* compliance can be achieved on environments that use different | ||
| OpenStack implementations is written up in a blog article | ||
| [Cost of making an OpenStack Cluster SCS compliant](https://scs.community/de/2024/05/13/cost-of-making-an-openstack-cluster-scs-compliant/). | ||
|
|
||
| ## Rerun tests | ||
|
|
||
| We now succeed: | ||
|
|
||
| ```shell | ||
| garloff@framekurt(//):/casa/src/SCS/standards/Tests [130]$ ./scs-compliance-check.py -V v4 -s CIAB -a os_cloud=ciab-test scs-compatible-iaas.yaml | ||
| INFO: module opc-v2022.11 missing checks or test cases | ||
| CIAB SCS-compatible IaaS v4 (effective): | ||
| - main: PASS (5 passed) | ||
| ``` | ||
|
|
||
| If you don't pass the tests yet, you'll need further adjustments. |