Add sitevar for default root keypair distribution.

6dae3d5c · Mike Hibler · d9d7f036 · 6dae3d5c · 6dae3d5c · 6dae3d5c
Commit 6dae3d5c authored Sep 05, 2017 by Mike Hibler
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 4 deletions

db/Node.pm.in db/Node.pm.in +17 -0

sql/database-fill.sql sql/database-fill.sql +2 -2

tbsetup/ns2ir/node.tcl tbsetup/ns2ir/node.tcl +2 -2

No files found.
--- a/db/Node.pm.in
+++ b/db/Node.pm.in
@@ -1352,6 +1352,12 @@ sub OnSharedNode($) {
 # the result into the reserved table. The Get/Set accessor functions below
 # use the values from reserved.
 #
+# If the user-provided value is -1, then we use the system default value
+# from the sitevar general/root_keypair (0 == don't distribute either key
+# to any nodes, 1 == distribute both keys to all nodes). If the sitevar
+# is set to -1 then the mechanism is disabled and we do not distribute
+# any keys to anyone.
+#
 # The current restrictions are that we do *not* distribute a root pubkey
 # to tainted nodes (as it opens a path to root on a node where no one should
 # be root) or any keys to firewall nodes, virtnode hosts, delay nodes,
@@ -1372,6 +1378,13 @@ sub InitKeyDist($;$)
 	    if (!$experiment);
    }
    
+    # If the system default is "disabled", no key distribution
+    my $sysdef;
+    if (!TBGetSiteVar("general/root_keypair", \$sysdef) || $sysdef == -1) {
+	$priv = $pub = 0;
+	goto done;
+    }
+
    # XXX only PC class nodes for now, since we have to ssh to it
    if ($self->class ne "pc" && $self->class ne "pcvm") {
 	$priv = $pub = 0;
@@ -1391,6 +1404,10 @@ sub InitKeyDist($;$)
 	($priv, $pub) = $result->fetchrow_array();
 	my $fwnode;
 	
+	# start with default if user didn't specify
+	$priv = $sysdef if ($priv == -1);
+	$pub = $sysdef if ($pub == -1);
+
 	# tainted node: no pub key
 	if ($self->IsTainted()) {
 	    $pub = 0;

--- a/sql/database-fill.sql
+++ b/sql/database-fill.sql
@@ -942,8 +942,8 @@ REPLACE INTO table_regex VALUES ('virt_nodes','sharing_mode','text','regex','^[-
 REPLACE INTO table_regex VALUES ('virt_nodes','osname','text','regex','^((([-\\w]+\\/{0,1})[-\\w\\.+]+(:\\d+){0,1})|((http|https|ftp)\\:\\/\\/[-\\w\\.\\/\\@\\:\\~\\?\\=\\&]*))$',2,128,NULL);
 REPLACE INTO table_regex VALUES ('virt_nodes','parent_osname','text','redirect','virt_nodes:osname',2,128,NULL);
 REPLACE INTO table_regex VALUES ('virt_nodes','nfsmounts','text','redirect','experiments:nfsmounts',0,0,NULL);
-REPLACE INTO table_regex VALUES ('virt_nodes','rootkey_private','int','redirect','default:boolean',0,0,NULL);
-REPLACE INTO table_regex VALUES ('virt_nodes','rootkey_public','int','redirect','default:boolean',0,0,NULL);
+REPLACE INTO table_regex VALUES ('virt_nodes','rootkey_private','int','redirect','default:tinyint',0,0,NULL);
+REPLACE INTO table_regex VALUES ('virt_nodes','rootkey_public','int','redirect','default:tinyint',0,0,NULL);
 REPLACE INTO table_regex VALUES ('virt_programs','pid','text','redirect','projects:pid',0,0,NULL);
 REPLACE INTO table_regex VALUES ('virt_programs','eid','text','redirect','experiments:eid',0,0,NULL);
 REPLACE INTO table_regex VALUES ('virt_programs','vnode','text','redirect','virt_nodes:vname',0,0,NULL);

--- a/tbsetup/ns2ir/node.tcl
+++ b/tbsetup/ns2ir/node.tcl
@@ -161,8 +161,8 @@ Node instproc init {s} {
    array set fw_rules {}

    # Distribution of per-experiment root keypair
-    $self set rootkey_private 0
-    $self set rootkey_public 0
+    $self set rootkey_private -1
+    $self set rootkey_public -1
 }

 Bridge instproc init {s} {