Use when deploying the ovstorage-broker daemon to production - covers TOML config, listener authn modes, TLS, policy plug-in, and state directory layout.
설치
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Use when deploying the ovstorage-broker daemon to production - covers TOML config, listener authn modes, TLS, policy plug-in, and state directory layout.
license
CC-BY-4.0
version
0.1.0
author
NVIDIA Omniverse
tags
["ovstorage","broker","deployment"]
tools
["Read","Write","Bash"]
compatibility
Requires operator access to deployment hosts or manifests, TLS material, authn configuration, and approved secret-management paths.
Deploy the ovstorage Broker
Goal
Stand up a single-tenant ovstorage-broker daemon with the right
listener authn mode, valid TLS (for public TCP), a configured authz
plugin, and persistent state_root for policy-epoch survival across
restarts.
Recipe
Read docs/public/broker-operator/README.md
for the full operator surface (config shape, listener authn modes,
TLS, policy management, observability).
Build the binary + plugins:
make dist
# dist/bin/ovstorage-broker plus dist/plugins/lib*.so
Pick a listener authn mode. Defaults: peer_cred for UDS / npipe,
jwt_verify for TCP. Production public TCP requires
[listener.tls] and jwt_verify with valid issuer, audience,
jwks_url. mtls is reserved in 0.4 and fails startup with
Unsupported.
Choose an authz plugin. [authz] plugin = "ovstorage-authz-toml"
is the in-tree default. With no [authz] section, the broker
runs allow-all (dev mode) — never deploy this publicly.
Provision a persistent state_root (and cache_root if
[routes.cache] max_object_bytes > 0 is set on any route).
Without state_root, the policy-epoch counter starts at 0 on
every process restart.
Validate the config without binding sockets:
cargo run -p xtask -- list-routes --config /etc/ovstorage/broker.toml
Bad routes, unresolvable secret refs, and invalid listener authn
config all fail here.
Plug OVSTORAGE_PLUGIN_DIR and OVSTORAGE_AUTHZ_PLUGIN_DIR into
the systemd unit (or your process supervisor) so the loaders find
the cdylibs.
Configure SIGHUP for reload (Unix; Windows has no SIGHUP — config
changes need a process restart) and SIGTERM / SIGINT for
drain-first shutdown.
Checks before going live
[listener.authn] mode = "jwt_verify" on a public TCP bind with
[listener.tls] populated.
[authz] section present and pointing at a valid plugin manifest.
state_root is on durable, broker-owned storage.
[routes.redirect] ttl_seconds is set per route (default 300; max
3600; min 30; clamped at config load).
OVSTORAGE_PLUGIN_DIR / OVSTORAGE_AUTHZ_PLUGIN_DIR resolve to
directories the broker user can read.
The broker user has no shell / no login privileges.
What's not in scope
systemd / Docker / Kubernetes / Helm packaging assets are NOT
provided in-tree. Certificate hot-reload is NOT implemented (rotate
via SIGHUP or process restart). mTLS is reserved.
This skill is only for the lightweight ovstorage-broker daemon. It does not
deploy or operate the Kubernetes-based ovstorage-services stack; for that
service stack, use the ovstorage-services routing in a source checkout.