1. 12 Nov, 2014 1 commit
    • Add global permissions support for leases. · 00b57bf4
      Kirk Webb authored
      Two types of global permissions are supported:
      
      * Anonymous read-only (to support users without local accounts).
      * Read-only for users with local accounts.
      
      Global permissions are added to leases by way of entries of type "global"
      in the lease_permissions table.  The lease mod tool still needs to be
      updated to make use of the updated library support here.
      
      The new GetAllowedLeases() method in Lease.pm was reworked - it became
      clear that this was needed as I did the global RO permissions stuff.
  2. 17 Mar, 2014 1 commit
    • Add taint state tracking for OSes and Nodes. · 1de4e516
      Kirk Webb authored
      Emulab can now propagate OS taint traits on to nodes that load these OSes.
      The primary reason for doing this is for loading images which
      require special treatment of the node.  For example, an OS that has
      proprietary software, and which will be used as an appliance (blackbox)
      can be marked (tainted) as such.  Code that manages user accounts on such
      OSes, along with other side channel providers (console, node admin, image
      creation) can key off of these taint states to prevent or alter access.
      
      Taint states are defined as SQL sets in the 'os_info' and 'nodes' tables,
      kept in the 'taint_states' column in both.  Currently these sets are comprised
      of the following entries:
      
      * usermode: OS/node should only allow user level access (not root)
      * blackbox: OS/node should allow no direct interaction via shell, console, etc.
      * dangerous: OS image may contain malicious software.
      
      Taint states are inherited by a node from OSes it loads during the OS load
      process.  Similarly, they are cleared from nodes as these OSes are removed.
      Any taint state applied to a node will currently enforce disk zeroing.
      
      No other tools/subsystems consider the taint states currently, but that will
      change soon.
      
      Setting taint states for an OS has to be done via SQL presently.
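
The inheritance rule in the commit message above, as an added example (not part of the commit and not Emulab code). The Node class, the OS names and the rule that a taint clears only once no loaded OS still carries it are assumptions made for illustration.

```python
# Added illustration: a model of the taint semantics in the commit message,
# not Emulab code. OS names and the Node class are hypothetical.
TAINT_STATES = ("usermode", "blackbox", "dangerous")  # set members from the commit

def parse_set(value):
    """Parse a SQL SET column value ('a,b', '' or NULL) into a frozenset."""
    members = frozenset(m for m in (value or "").split(",") if m)
    unknown = members - set(TAINT_STATES)
    if unknown:
        raise ValueError(f"unknown taint state(s): {sorted(unknown)}")
    return members

def format_set(members):
    """Serialize in definition order, the way a SQL SET column reads back."""
    return ",".join(s for s in TAINT_STATES if s in members)

class Node:
    def __init__(self, node_id):
        self.node_id = node_id
        self._loaded = {}  # osid -> taints contributed by that OS

    def load_os(self, osid, os_taint_states):
        # The node inherits the OS's taints at load time.
        self._loaded[osid] = parse_set(os_taint_states)

    def remove_os(self, osid):
        # Assumption: a taint clears only when no remaining OS carries it.
        self._loaded.pop(osid, None)

    @property
    def taint_states(self):
        return format_set(frozenset().union(*self._loaded.values()))

    def must_zero_disk(self):
        # Any taint state on the node enforces disk zeroing.
        return bool(self.taint_states)

def demo():
    node = Node("pc1")  # constructed sample data
    node.load_os("APPLIANCE", "usermode,blackbox")
    node.load_os("SUSPECT", "dangerous,blackbox")
    both, zero_while_tainted = node.taint_states, node.must_zero_disk()
    node.remove_os("APPLIANCE")
    one = node.taint_states  # blackbox stays: SUSPECT still carries it
    node.remove_os("SUSPECT")
    return both, zero_while_tainted, one, node.taint_states
```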
  3. 03 Jan, 2014 2 commits
    • Add project CREATELEASE permission. · 8a4dd1f7
      Mike Hibler authored
      Also distinguished error for leases to indicate that a lease has been
      destroyed (returned from WaitLock).
    • First attempt to cleanup some hack jobs. · c5a1812c
      Mike Hibler authored
      Make a createdataset to handle dataset leases and move dataset specific
      code out of approvelease and into Lease.pm (which is now Lease.pm.in as
      it needs to be configured). Lease.pm still needs a bunch of OO-ification
      to properly make datasets a subclass of leases. But, another day...
  4. 11 Dec, 2013 3 commits
  5. 17 Sep, 2013 2 commits
    • Kirk Webb's avatar
      8a959b8e
    • Update Ports abstraction module to better distinguish nodes vs. switches. · 7f422242
      Kirk Webb authored
      The lookup functions now look at the wire type and which location the
      requested node is in (node_id1 or node_id2) to decide which side of the
      link the port represents (switch vs. endpoint).  We don't (yet) query the
      nodes table for the role since we consistently use the node_id1 (and
      related) columns to hold the endpoint (node) information for wires of
      type "Node".
      
      For inter-switch trunks, we always mark the port object as being the
      "switch" side.  Both sides are the switch side...  Functions like
      getPCPort() and getSwitchPort() are ambiguous when invoked on a switch
      port object, and will always return a reference to the object the method
      was invoked on.
      
      Also update the HP snmpit module to explicitly check the wire type for a port
      before deciding whether or not to get the port at the other end in the
      listVlans() function.
  6. 30 Jul, 2013 1 commit
  7. 22 May, 2013 1 commit
  8. 10 Apr, 2013 1 commit
  9. 10 Jan, 2013 1 commit
  10. 24 Sep, 2012 1 commit
    • Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to make the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
  11. 28 Aug, 2012 1 commit
  12. 21 Apr, 2012 1 commit
  13. 27 Mar, 2012 1 commit
  14. 30 Jan, 2012 1 commit
  15. 16 Dec, 2011 1 commit
  16. 10 Oct, 2011 1 commit
    • Add support for sharing images between projects. New table called · 646b64f6
      Leigh B Stoller authored
      image_permissions stores access info for images. You can share an
      image with a user or a group (project), and you can specify write
      access to allow updating the image in place. Note that write access
      does not allow the descriptor to be modified, only the image itself.
      Well, that is how it will be after Mike changes mfrisbeed.
      
      The front end script to modify permissions is grantimage:
      
      	boss> grantimage -u stoller -w tbres,myimage
      	boss> grantimage -u stoller -w tbres,myimage
      
      which grants write access to stoller. Or:
      
      	boss> grantimage -g testbed,testbed tbres,myimage
      
      which grants access to the testbed project. Notice that you can
      specify subgroups this way.
      
      	boss> grantimage -l tbres,myimage
      
      will give you a list of current permissions. To revoke, just add -r
      option:
      
      	boss> grantimage -g testbed,testbed -r tbres,myimage
      
      Who is allowed to grant access to an image? 1) An administrator of
      course, 2) the image creator, and 3) any group_root in the group that
      the image belongs to. Being granted access to use an image does not
      confer permission to grant access to others.
      
      One last task; while the web interface displays the permissions, there
      is no web interface to modify the permissions; users will still have
      to ask us for now.
  17. 30 Aug, 2011 1 commit
  18. 12 Aug, 2011 1 commit
    • Initial support for loading Windows7 .wim images via WinPE/ImageX. · ac711ea5
      Mike Hibler authored
      1. Support for "one-shot" PXE booting ala the one-shot osid. Switches to
         pxelinux to boot WinPE and then switch back after done. Painful now
         because we have to HUP dhcpd every time we change the PXE path, but we
         may be able to fix this in the future by going all-pxelinux-all-the-time.
      
      2. Added pxe_select, analogous to os_select, for changing the pxe_boot_path
         including the one time path.
      
      3. Added the WIMRELOAD state machine to shepherd a node through the process.
         Still has some rough edges and may need refining.
  19. 27 Jun, 2011 1 commit
  20. 07 Mar, 2011 1 commit
  21. 07 Dec, 2010 1 commit
  22. 17 Nov, 2010 1 commit
  23. 04 Nov, 2010 1 commit
    • Add a new RELOAD-PUSH mode. · d658ea4d
      David Johnson authored
      This op_mode is intended for nodes that require configure to be pushed
      to them.  Initially, it's accessible from MINIMAL.
  24. 25 Oct, 2010 1 commit
    • New module, called Emulab Features. The basic usage (see tbswap) is: · 1d430992
      Leigh B Stoller authored
      use EmulabFeatures;
      
      if (EmulabFeatures->FeatureEnabled("NewMapper", $user, $group, $experiment)) {
         # Do something
      }
      else {
         # Do something else.
      }
      
      where $user, $group, and $experiment is the current Emulab user, group, and
      experiment the script is operating as. Any of them can be undef. Note that
      features can easily be globally enabled or disabled (bypassing user/group
      check). See below.
      
      There are two scripts to deal with features. The easy one is the script to
      grant (or revoke) feature usage to a particular user or group or experiment:
      
      boss> wap grantfeature -u stoller NewMapper
      boss> wap grantfeature -p geni NewMapper
      boss> wap grantfeature -e geni,myexp NewMapper
      
      Add -r to revoke the feature.
      
      The other script is for managing features. To create a new feature:
      
      boss> wap emulabfeature create NewFeature 'A pithy description'
      
      which adds the feature to the emulab_features DB table. Use "delete"
      to remove a feature from the DB.
      
      You can globally enable and disable features for all users/groups (the
      user/group checks are bypassed). Global disable overrides global
      enable. There are actually two different flags. Lots of rope, I mean
      flexibility.
      
      boss> wap emulabfeature enable NewFeature 1
      boss> wap emulabfeature enable NewFeature 0
      
      boss> wap emulabfeature disable NewFeature 1
      boss> wap emulabfeature disable NewFeature 0
      
      To display a list of all features and associated settings:
      
      boss> wap emulabfeature list
      
      To show the details (including the users and groups) of a specific
      feature:
      
      boss> wap emulabfeature show NewFeature
      
      Oh, if a test is made in the code for a feature, and that feature is
      not in the emulab_features table (as might be the case on other
      Emulabs), the feature is "disabled".
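
The decision order described in the commit message above, as an added example (not part of the commit and not the EmulabFeatures module). The Feature record layout, the sample table and the conflicting_flags() helper are assumptions; the rules they encode are the ones stated in the message.

```python
# Added illustration: a model of the feature-check precedence described in
# the commit message. Names below are hypothetical, not the module's API.
from dataclasses import dataclass, field

@dataclass
class Feature:
    enabled: bool = False    # global enable flag
    disabled: bool = False   # global disable flag
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    experiments: set = field(default_factory=set)

def feature_enabled(table, name, user=None, group=None, experiment=None):
    feat = table.get(name)
    if feat is None:
        return False         # feature missing from the table: "disabled"
    if feat.disabled:
        return False         # global disable overrides global enable
    if feat.enabled:
        return True          # global enable bypasses user/group checks
    # Any of user, group and experiment may be undefined (None here).
    return (
        (user is not None and user in feat.users)
        or (group is not None and group in feat.groups)
        or (experiment is not None and experiment in feat.experiments)
    )

def conflicting_flags(table):
    """Features with both global flags set; disable silently wins for these."""
    return sorted(n for n, f in table.items() if f.enabled and f.disabled)

# Constructed sample table mirroring the grantfeature commands in the message.
SAMPLE = {
    "NewMapper": Feature(users={"stoller"}, groups={"geni"},
                         experiments={"geni,myexp"}),
    "Everyone": Feature(enabled=True),
    "Both": Feature(enabled=True, disabled=True, users={"stoller"}),
}
```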
  25. 15 Oct, 2010 1 commit
    • Add autoconf variable to control use of SelfLoader. · da55641a
      Mike Hibler authored
      This is a fer-now hack.  Perl 5.10 has issues with bogus taint check
      triggers that appear quite often when using the SelfLoader.  Now if you put:
          SELFLOADER_DATA=""
      In your defs-* file, it will disable the uses that cause problems.  Yes,
      the configure script should figure out if this is needed for you, but...
      another time.
  26. 13 Oct, 2010 3 commits
  27. 11 Oct, 2010 1 commit
    • Work on an optimization to the perl code. Maybe you have noticed, but · 92f83e48
      Leigh B Stoller authored
      starting any one of our scripts can take a second or two. That time is
      spent including and compiling 10000s of thousands of lines of perl
      code, both from our libraries and from the perl libraries.
      
      Mostly this is just a maintenance thing; we just never thought about
      it much and we have a lot more code these days.
      
      So I have done two things.
      
      1) I have used SelfLoader() on some of our biggest perl modules.
         SelfLoader delays compilation until code is used. This is not as
         good as AutoLoader() though, and so I did it with just a few 
         modules (the biggest ones).
      
      2) Mostly I reorganized things:
      
        a) Split libdb into an EmulabConstants module and all the rest of
           the code, which is slowly getting phased out.
      
        b) Move little things around to avoid including libdb or Experiment
           (the biggest files).
      
        c) Change "use foo" in many places to a "require foo" in the
           function that actually uses that module. This was really a big
           win cause we have dozens of cases where we would include a
           module, but use it in only one place and typically not all.
      
      Most things are now starting up in 1/3 the time. I am hoping this will
      help to reduce the load spiking we see on boss, and also help with the
      upcoming Geni tutorial (which killed boss last time).