sfs.html 4.01 KB
Newer Older
1 2
   Copyright (c) 2000-2002 University of Utah and the Flux Group.
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
   This file is part of the Emulab network testbed software.
   This file is free software: you can redistribute it and/or modify it
   under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or (at
   your option) any later version.
   This file is distributed in the hope that it will be useful, but WITHOUT
   ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
   FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
   License for more details.
   You should have received a copy of the GNU Affero General Public License
   along with this file.  If not, see <http://www.gnu.org/licenses/>.
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49

We use <a href=http://www.fs.net>SFS</a> to provide a secure
distributed filesystem. Both emulab classic nodes and widearea netbed
nodes in your experiments can be accessed via the SFS filesystem,
either from <tt>users.emulab.net</tt> or from any machine you have
access to that is running the SFS client software. Further, you can
access any node in your experiment from any other node in your
experiment, all via the <tt>/sfs/netbed</tt> directory.

When your Emulab account is created, we create an SFS public/private
key pair for you and store the public part in our database. Your
private key is stored in your ~/.sfs directory, and just like your
Emulab generated <a href=docwrapper.php3?docname=security.html>SSH</a>
key, there is no passphrase protecting your SFS key; you should not
reuse this key anywhere else. It is fine to copy this private key back
to your home machine, but only if your home machine is 
secure and your home directory is not NFS mounted on a public network!
This will allow you to access your experimental nodes without having
to first log into <tt>users.emulab.net</tt>. Either way, accessing
your experimental nodes is easy. When you are logged into
	cd /sfs/netbed/nodeA.myexp.myproj		</code></pre>
51 52 53 54 55 56 57 58

If instead you have copied your emulab private key to your home
machine, and have added it to your agent, then you can add the
following <em>certprog</em> to your agent:
	sfskey certprog -p netbed dirsearch \
	cd /sfs/netbed/nodeA.myexp.myproj		</code></pre>
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

As with SSH public keys, we distribute SFS public keys to all of the
nodes in your experiment (for all of the users in your project or
group). This allows anyone in your project to access the fileystems on
all of the experimental nodes. Further, when your experimental nodes
boot for the first time, a new SFS host key is generated and passed
back to <tt>ops.emulab.net</tt>. These host keys are used to generate
the /sfs/netbed directory so that you see the same view of your nodes,
no matter where you are logged in.

You can also use the SFS <em>rex</em> program to log into your nodes
(or to <tt>users.emulab.net</tt>). Rex is the SFS equivalent of SSH;
once you have started your SFS agent, rex will forward your private
keys, much like SSH forwards your private keys when you use it to log
in to another node. To log into one of your experimental nodes with
	rex -x /sfs/netbed/nodeA.myexp.myproj		</code></pre>
81 82 83 84 85

To rex into <tt>users.emulab.net</tt>:
	rex -x /sfs/netbed/users.emulab.net		</code></pre>
86 87 88 89 90 91 92 93 94 95

As with SSH keys, you may also upload the public parts of your own SFS
keys. We store those public keys in our database, and distribute them
to all of the nodes in your experiments. This is better and safer than
copying the Emulab generated key back to your home machine, since
generally your own keys are passphrase protected and secure from theft
when on a (semi)public network. You may add and delete SFS public keys
from your user profile by going to the <a href=../moduserinfo.php3>
Update User Information</a> page.