prevent deletion of swarm infra containers

Registered by Vijendar Komalla on 2016-08-10

Magnum swarm cluster creates couple of infrastructure containers as part of cluster creation(swarm-manager container and swarm-agent container). User can accidentally delete infrastructure containers from the bay/cluster.

This blueprint is to implement a feature to prevent accidental deletion of infrastructure containers from bay/cluster. Probably we need to implement a docker authorization plugin that returns error message when user tries to delete infra containers.

Implementation Idea:
Docker introduced authorization plugin support in docker version 1.10. Authorization plugin details can be found at https://docs.docker.com/engine/extend/plugins_authorization/ (To know more about authorization plugin model, please look at the sequence diagrams).

Docker authorization plugin can approve or deny requests to the Docker daemon based some logic
(Sample authorization plugin that provide rule based authorization can be found at https://github.com/twistlock/authz).

Magnum can implement a docker authorization plugin that rejects/denies pre-defined infra container deletion. Since docker is written in GO, probably it is easy to implement the authorization plugin in GO language as well (but technically it is possible to implement the plugin in other languages as well).

Plugin installation options:
1. Pre-install docker authorization plugin on the image
2. Download the authorization plugin on cluster creation and install
3. Download the authorization plugin source code on cluster creation and then build and install

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Vijendar Komalla
Direction:
Needs approval
Assignee:
Vijendar Komalla
Definition:
Drafting
Series goal:
None
Implementation:
Unknown
Milestone target:
milestone icon newton-3

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:docker-authz-plugin,n,z

Addressed by: https://review.openstack.org/383061
    (WIP)Docker auth plugin to prevent deletion of infra containers

Gerrit topic: https://review.openstack.org/#q,topic:bp/docker-authz-plugin,n,z

Addressed by: https://review.openstack.org/385700
    Protect swarm infra containers

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.