Versions Compared

Old Version 86

changes.mady.by.user Hari C S

Saved on

compared with

New Version Current

changes.mady.by.user srinibas@zededa.com

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

We introduce a few terms here for better understanding of this proposal
Edge Container Objects (ECO) -  A VM or Container deployed on an EVE instance. 
ECO Images - The image file for a particular VM or Container. The image that is used for deploying the VM or Container for the first time in the production environment. 
Mutated ECO Image:  As the ECO starts running on an EVE instance, it continuously changes its runtime state, and it starts accumulating data feeds from its external interfaces. All this is stored on its virtual disk. We call this virtual disk that contains the modified ECO state as mutated ECO image
Local File Store - Space on the permanent storage disk on EVE instance that is consumable from ECO, e.g. /persist/img . A file store need not be a secure file system.
Vault -  A Secure secure version of a Local File Store, where the files are encrypted using filesystem encryption support (e.g. fscrypt)

...

App Instance configuration will carry this information  - Whether the App is protected by End-to-End Security, and if yes, what is the Vault to associate this App Instance with.  Zedmanager will consume this configuration, and co-ordinate between Vault manager and Domain Manager to make sure the required Vault is ready before launch of the User Application.

Components Interacting with RW Partition on EVE

ComponentDirectory/FileCommentsContains Sensitive Data?
Domain Mgr

/persist/img

/persist/rkt

for storing the mutable ECO disk imagesYes
Downloader/persist/downloads

for downloading Edge Container Images

No
Verifier/persist/downloadsfor verifying integrity of downloaded imagesNo
ZedAgent/persist/config

for storing EVE device configuration

Yes
TPM Mgr/persist/config/tpm_in_usefor marking TPM mode of operationNo
device-steps.sh/persist/IMGA, /persist/IMGBfor storing image specific logs, infoNo
Network Interface Manager (NIM)/persist/statusfor storing 

DevicePortConfigList

No

Providing Security By Default

...

b) A Vault to store ECO related files (for ECO consumption) - let’s call it Image Vault - to store and launch mutated ECO images 

Even though these vaults are created by default, a User (if he wants) can change the policies associated with these Vaults, through the interface specified in this proposal, like he would do for any user-created Vaults.

...