Tracking OpenStack provider support

[tarumizu]

This issue is created to track the development progress. I have listed the development items below to add support for the OpenStack provider. For each development item submitted as a PR, a corresponding Issue will be created. If you have any tasks related to adding support for the OpenStack provider, please feel free to leave a comment.

Motivation

By supporting OpenStack, I expect to enable secure container execution in more areas. I am eager to work on the necessary tasks to achieve this goal, particularly focusing on Arm CCA. I welcome any insights or collaboration from others who are also exploring this area.

Development Item

I am planning to incrementally add support for the OpenStack provider. The OpenStack community is currently working on SEV-ES support[1], which is still in progress. My approach is to begin with non-CVM support and gradually integrate CVM support as development progresses.

[1] Confidential VM and TDX support in upstream Openstack

Implementation

• Adding initial support for OpenStack
  • Add support for a new built-in provider by following the addnewprovider.md
• Integrate CVM support (such as SNP, TDX and CCA)
  • These items will be considered once the dependent features in OpenStack are completed.

Testing

• E2E tests for the OpenStack provider

Documentation

• How to build a Pod VM image

[zvonkok]

/cc @zvonkok This is great. Please keep us in the loop. Do you want to present your work or plans in our weekly meeting sometime?

[tarumizu]

@zvonkok Thanks for your interest.

We're currently facing a resource bottleneck, slowing down progress. We plan to add developers in June/July should improve it.

Interested in presenting. We would appreciate the opportunity to consider presenting once the team expands and development progresses further.

[kevinzs2048]

Hi @tarumizu ,any update recently on that? We also have interests on that.

[tarumizu]

Hi @kevinzs2048, sorry for the late reply.
Thanks for your interest. I'm planning to post a PR for the initial features within this month.

[tarumizu]

The patch submission planned for December will be delayed, as development is taking longer than expected. I'm now aiming for mid-to-late January. Apologies for the delay.

[zvonkok]

Keep us in the loop on this!

[yanndegat]

hi @tarumizu

have you started working on this feature? If ever it's not the case, i have an almost working setup. The remaining issue i have is with the CSI wrapper to mount cinder backed persistent storage.

do you want me to create a PR with my current patch or are you already at an advanced stage of development for this feature?

thanks a lot and best regards

[tarumizu]

Hi @yanndegat

Thanks a lot for reaching out!

Yes, we have indeed been working on it. We've just submitted a Pull Request (PR) for the initial support a short while ago: #2805

Your mention of having an almost working setup and tackling the CSI wrapper issue is very interesting! Our PR covers the initial support, but it's entirely possible your patch might be more advanced or addresses aspects we haven't fully covered yet.

Would you mind taking a look at our PR when you have a moment? If your work is more advanced, we'd be keen to explore how we can integrate your contributions and determine the best way forward together.

Best regards,

[yanndegat]

hi @tarumizu thanks a lot !
as the integration of openstack is straightforward, my impl is quite just the same as yours.

what i additionnally featuers i support are:

• provide network id OR subnet id
• provide additional network or subnet ids
• provide ssh pub key OR keypair

[yanndegat]

regarding CSI. i've opted for a brand new approach l'd like to discuss. i've opened a new issue : #2806

[cw-kojima1003]

Hi @yanndegat, Thank you for looking at our PR.

Regarding your subnet ID support, could you share any specific use cases or scenarios that led you to implement it, if any?
We're assessing its necessity on our end.

[yanndegat]

hi @cw-kojima1003 : you may want to expose your vm in multiple networks, like customer + service provider