Sander Klous wrote:
Hi Mark,
In the BiG Grid VM working group we distinguished between trusted VMs and untrusted VMs. This policy deals with trusted VMs and will be applicable for BiG Grid. We are also working on an infrastructure to run untrusted VMs. This policy does not apply to untrusted VMs, so it does not limit the way you may want to make use of untrusted VMs in the future.
Trusted VMs will have the same access to resources as the current worker nodes. The untrusted VMs will be sandboxed, most likely causing some (yet unknown) performance loss compared to the trusted VMs and e.g. no access to the trusted network infrastructure. So this policy will limit you in the following way:
- If the performance losses are not acceptable for your future VM, or if you need access to the trusted network infrastructure, your VM has to comply with this policy.
- If you want to be completely free in the way you create your VM, it cannot make use of the site trusted network infrastructure and it will suffer from some performance losses due to the sandboxing.
These limitations are in line with conclusions from the BiG Grid VM working group presented to the Executive Team. A detailed progress report of this working group can be found here: https://wiki.nbic.nl/images/f/f6/ProgressReport-1.0.pdf
and to add to that:
- "trusted network resources" in this case means access to local NFS-type disks, e.g. the local software installation area, and internal websites
- for untrusted VMs outbound connectivity will be possible but will be severely limited for security reasons. You may or may not get *outbound* access on ports 80, 443, 2811 (gridftp) and possibly a few others, but don't expect a whole range. Inbound access is always restricted (as is currently the case for worker nodes).
JM2CW,
JJK
On Apr 22, 2010, at 10:56 AM, Mark Santcroos wrote:
Hi,
To what degree will this policy affect Big Grid and/or our community?
The venue this is discussed in gives the impression that it's outside our scope. (What I want to assure is that it does not limit the way we may want to make use of VMs in the future)
Thanks
Cheers,
Mark
On Apr 22, 2010, at 9:05 , Sander Klous wrote:
Hi,
Comments please. Preferably before the meeting starts at 16:00 this afternoon.
-- Sander
Begin forwarded message:
Resent-From: hepix-virtualisation@cern.ch
From: david.kelsey@stfc.ac.uk
Date: April 22, 2010 12:32:26 AM GMT+02:00
To: hepix-virtualisation@cern.ch
Subject: Updated draft of VM policy
Dear all,
The updated draft (V1.2) of the Virtualisation Policy may be found at the JSPG wiki...
http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines
I also attach a PDF version just in case this is not reachable.
Lots of things to be discussed I am sure :=)
For discussion tomorrow.