Murano Policy Based Modification of Environment Example

Introduction

Goal is to be able to define modification of an environment by Congress policies prior deployment. This allows to add components (for example monitoring), change/set properties (for example to enforce given zone, flavors, ...) and relationships into environment, so modified environment is after that deployed.

Example Use Cases:

  • install monitoring agent on each VM instance (adding component with the agent and creating relationship between

    agent and instance)

  • all Apache server instances must have given certified version (version property is set on all Apache applications

    within environment to given version)

These policies are evaluated over data in the form of tables (Congress data structures). A deployed Murano environment must be decomposed to Congress data structures. The decomposed environment is sent to congress for simulation. Congress simulates whether the resulting state needs to be modified. In case that modifications of deployed environment are needed congress returns list of actions which needs to be performed on given environment prior the deployment. Actions and its parameters are returned from congress in YAML format.

Example of action specification returned from congress:

  • set keyname property on instance identified by object_id to value production-key

    set-property: {object_id: c46770dec1db483ca2322914b842e50f, prop_name: keyname, value: production-key}
    

Administrator can use above one line action specification as output of congress rules. This action specification is parsed in murano. Given action class is loaded. Action instance is created. Parsed parameters are supplied to action __init__ method. Then action is performed on given environment (modify method).

Example

In this example assume that we are in production environment. Administrator needs to enforce that all VM instances will be deployed with secure key pair used for production environment.

Prior creating rules your OpenStack installation has to be configured as described in Setting up policy enforcement.

Example rules

  1. Create predeploy_modify rule

    Policy validation engine checks rule predeploy_modify and rules referenced inside this rule are evaluated by congress engine.

    predeploy_modify(eid, obj_id, action) :-
       murano:objects(obj_id, pid, type),
       murano:objects(eid, tid, "io.murano.Environment"),
       murano:connected(eid, pid),
       murano:properties(obj_id, "keyname", kn),
       concat("set-property: {object_id: ", obj_id, first_part),
       concat(first_part, ", prop_name: keyname, value: production-key}", action)
    

    Use this command to create the rule:

    congress policy rule create murano_system 'predeploy_modify(eid, obj_id, action):-murano:objects(obj_id, pid, type), murano_env_of_object(obj_id, eid), murano:properties(obj_id, "keyname", kn), concat("set-property: {object_id: ", obj_id, first_part), concat(first_part, ", prop_name: keyname, value: production-key}", action)'
    

    Key pair production-key must exists or change it to any existing key pair.

  2. Deploy environment and check modification

    Deploy any environment and check that instances within the environment were deployed with the key pair specified above.

Table Of Contents

Previous topic

Murano Policy Enforcement Example

Next topic

Murano Policy Enforcement Setup Guide

Project Source

This Page