OSG PROVISIONING TOPICS

General topic is determining a medium/long-term OSG strategy for virtualization and IaaS.

High Level Questions:
-- Default strategy: do nothing? What are the costs/risks?
-- What is the concrete, high-value use case that has VO(s) ready to use?

Proposals for OSG provisioning-related services:

OSG Brokering of EC2 or private cloud resources
-- VOs get/buy time on EC2/private clouds and provide OSG with credentials?
-- OSG negotiates for block grants of time on commercial or private clouds.
-- Enable spillover processing under specified conditions.
-- Protects VOs from having to negotiate/track cloud usage.
-- Handle billing/accounting for EC2/EC2 spot?
-- Issues of trust and risks of financial losses.

Exposing Site Resources via IaaS APIs:
-- Provide configuration and management for an EC2-compatible cloud platform (e.g. OpenStack) as part of site middleware. Provide appropriately configured client tools.
-- Include standard OSG accounting.
-- X509-based authorization? Obvious alternative is glideinWMS access via a 1-tenant-per-VO account.

VM Image Standardization, Curation, and Distribution
-- Provide imagefactory-based node templates for VO customization.
-- Establish standard/best-practice build-time and run-time configuration and contextualization.
   -- Imagefactory?
   -- CloudInit?
   -- Puppet (masterless)?
-- Provide a VM image repository, with capability to transfer/upload to other clouds.
-- Provide pre-built, standardized OSG-specific node types, e.g. OSG/HTCondor execute host (userdata requires pool password and CM host only).
   -- All reasonable OSes: RHEL/SL 5, 6, Fedora?, Debian?
-- Standardized mechanism for registering and distributing standard and custom images to specific sites.

S3/Swift-based Storage Model?
-- Provide general-purpose S3-compatible storage for all experiments to use.
-- Provide mountable S3-backed filesystem on standard images?
-- This could serve as the generalized storage element model for both site-based computing and elastic resources outside BNL.

Authentication/Authorization
-- IaaS platforms use username/password or tenant keypairs (i.e. one credential per project). But current infrastructure is X509+VOMS. How to integrate or hide?

Enabling/Prerequisite Technologies
-- OASIS/CVMFS (needed for software distribution to VM-based systems)
-- HTTP caches become critical for proper functionality (site/region?)
   -- As CVMFS cache
   -- As remote VM image download cache?
   -- Inbound data transfer caching
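As an added illustration (not part of these notes), a cloud-init user-data fragment that contextualizes the pre-built OSG/HTCondor execute-host node type proposed above using only the two per-deployment inputs the notes name, the central manager host and the pool password. It assumes HTCondor is already installed in the image; the hostname and password are placeholders.

```yaml
#cloud-config
# Added example, not OSG's own configuration. Contextualizes a pre-built
# OSG/HTCondor execute-host image from user-data carrying only the central
# manager (CM) host and the pool password. Assumes HTCondor is installed in
# the image. "cm.example.org" and "PLACEHOLDER_POOL_PASSWORD" are placeholders.
write_files:
  - path: /etc/condor/config.d/90-execute-host.conf
    owner: root:root
    permissions: '0644'
    content: |
      # Per-deployment input 1: the central manager this node joins
      CONDOR_HOST = cm.example.org
      # Execute host only: no schedd, no collector/negotiator
      DAEMON_LIST = MASTER, STARTD
      # Require pool-password authentication, integrity and encryption so
      # daemons on the VM only talk to the CM that holds the same secret
      SEC_DEFAULT_AUTHENTICATION = REQUIRED
      SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD
      SEC_DEFAULT_INTEGRITY = REQUIRED
      SEC_DEFAULT_ENCRYPTION = REQUIRED
      SEC_PASSWORD_FILE = /etc/condor/pool_password
      # Only the CM may issue writes (advertise/match) to this startd
      ALLOW_WRITE = $(CONDOR_HOST)
      ALLOW_NEGOTIATOR = $(CONDOR_HOST)

runcmd:
  # Per-deployment input 2: the pool password, stored in HTCondor's own
  # password-file format and readable by root only
  - [ sh, -c, "umask 077 && condor_store_cred -f /etc/condor/pool_password -p 'PLACEHOLDER_POOL_PASSWORD'" ]
  - [ chown, root:root, /etc/condor/pool_password ]
  - [ chmod, '0600', /etc/condor/pool_password ]
  # SysV-style restart works on SL5/SL6 and via compat on newer systems
  - [ service, condor, restart ]
```

Because cloud user-data stays retrievable from the instance metadata service, the pool password it carries should be specific to that pool and rotated when instances are retired, which is a cost to weigh against the "userdata only" simplicity the notes propose.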