[openstack-dev] [Congress] Policy Enforcement logic

Tim Hinrichs thinrichs at vmware.com
Thu Aug 21 15:54:32 UTC 2014

Hi Madhu,

For the alpha release (due soon), we’re focusing on just monitoring policy violations—we’ve disabled all the enforcement code in master.  (Though we never actually hooked up the enforcement policy to the real world, so all Congress has ever done is compute what actions to take to enforce policy.)  There’s a ton of interest in enforcement, so we’re planning to add enforcement features to the beta release.


On Aug 21, 2014, at 7:07 AM, Madhu Mohan <mmohan at mvista.com<mailto:mmohan at mvista.com>> wrote:


I am quite new to the Congress and Openstack as well and this question may seem very trivial and basic.

I am trying to figure out the policy enforcement logic,

Can some body help me understand how exactly, a policy enforcement action is taken.

>From the example policy there is an action defined as:

nova:network-(vm, network) :- disconnect_network(vm, network)

I assume that this statement when applied would translate to deletion of entry in the database.

But, how does this affect the actual setup (i.e) How is this database update translated to actual disconnection of the VM from the network.
How does nova know that it has to disconnect the VM from the network ?

Thanks and Regards,
Madhu Mohan

OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140821/9169fb0e/attachment.html>

More information about the OpenStack-dev mailing list