Crowd cloud » History » Version 1
Evil Ham, 06/01/2019 06:45 PM
| 1 | 1 | Evil Ham | h1. Crowd cloud / Kraut Computing (KC's) |
|---|---|---|---|
| 2 | |||
| 3 | Following is a first sketch of a design document / analysis of the idea. |
||
| 4 | |||
| 5 | h2. Use-cases |
||
| 6 | |||
| 7 | h3. Create a VM: |
||
| 8 | |||
| 9 | 1. Pick an image |
||
| 10 | 2. Pick network(s) |
||
| 11 | 3. Pick machine type |
||
| 12 | [4. Pick machine type parameters] |
||
| 13 | [X. Add nic to VM / mod VM] |
||
| 14 | [Y. Upload images to be used for 1] |
||
| 15 | [Z. Destroy a VM] |
||
| 16 | |||
| 17 | Note: this actually includes most of the life-cycle of a VM. |
||
| 18 | |||
| 19 | h2. Components |
||
| 20 | |||
| 21 | Following components were identified and commented out, sorted out by subjective order of importance. |
||
| 22 | |||
| 23 | These components are thought as being some kind of key/value (JSON seems likely, a priori no NOSQL) with possibilities for opaque customer metadata. |
||
| 24 | |||
| 25 | * This key/value + metadata information should be usable for filtering / operations. |
||
| 26 | * It should be versioned. |
||
| 27 | |||
| 28 | h3. VM |
||
| 29 | Defined as an instance of different settings and multiplicities of the other components |
||
| 30 | |||
| 31 | h3. Machine types / Templates |
||
| 32 | |||
| 33 | General definition with fixed sets of settings and, in a future stage, parametrised options. |
||
| 34 | |||
| 35 | Examples of settings: |
||
| 36 | * CPU/RAM |
||
| 37 | * HW Type: arm64 / x86 |
||
| 38 | * HW / VM |
||
| 39 | * ... |
||
| 40 | |||
| 41 | h3. Network(s) |
||
| 42 | |||
| 43 | Layer2-based, allow common use-cases like: static, dhcp, slaac, dhcpv6, custom gateway. |
||
| 44 | |||
| 45 | Outside connections: VXLAN |
||
| 46 | |||
| 47 | Note: it is quite important that the gateway can be set to another VM / something customised. That way, we can see firewalls and VPNs as special cases to be considered. |
||
| 48 | |||
| 49 | h3. Firewall / routing |
||
| 50 | |||
| 51 | Thought as: extra VM, that is potentially "invisible" to customers/users and that can: |
||
| 52 | * deal with basic sets of rules (e.g. allow TCP 80, 22 from $SUBNET, ...) |
||
| 53 | * ratelimit |
||
| 54 | * standard ACLs |
||
| 55 | * geek_mode: on --> "I know what I'm doing, gimme SSH" |
||
| 56 | |||
| 57 | Note: By treating this component as a special case of VMs, we simplify things and keep them simple. |
||
| 58 | |||
| 59 | h3. Storage |
||
| 60 | |||
| 61 | Thought as being out-of-scope to begin with since it can vary so much. We shouldn't rely on a specific implementation. |
||
| 62 | |||
| 63 | h3. Images |
||
| 64 | |||
| 65 | Basically a rw repository of prepared images. Uploads can be thought as being "raw" to begin with, and we can later add pre-processors that convert them as needed. |
||
| 66 | |||
| 67 | h3. Auth |
||
| 68 | |||
| 69 | Thought as "not being our problem". |
||
| 70 | *BUT*: we should have provisions for checkers as follows: |
||
| 71 | |||
| 72 | Use some HTTP Auth Header, which should be treated as opaque. |
||
| 73 | This value of the header, along with the details of the request, should offload Auth to an implementation. |
||
| 74 | That implementation should reply with the result of such request. |
||
| 75 | |||
| 76 | To facilitate adoption / testing, we should implement a few such Authenticators: |
||
| 77 | * httpasswd file |
||
| 78 | * ldap |
||
| 79 | * god-like tokens |
||
| 80 | * OTP |
||
| 81 | * limited-scope tokens |
||
| 82 | Note: by treating the header as something opaque, it can be e.g. base64(user:name) à la HTTP Basic Auth or a uuid or jwt or ... |
||
| 83 | |||
| 84 | h2. Things to consider |
||
| 85 | |||
| 86 | * The whole thing should aim to be a set of integrated tools that work well together and build on top of standard technologies as much as possible. |
||
| 87 | * Language of implementation should be consistent, but is open for discussion |
||
| 88 | * For the JSON metadata, Azure has some interesting tools / Schemas that are worth taking a look into. |
||
| 89 | * Take a look at ETCD, consul and the like. |