1. 02 Jul, 2013 1 commit
  2. 01 Jul, 2013 3 commits
  3. 28 Jun, 2013 3 commits
  4. 24 Jun, 2013 3 commits
  5. 20 Jun, 2013 1 commit
    • Leigh B Stoller's avatar
      Add XEN knobs: · a76fc359
      Leigh B Stoller authored
          <sliver_type name="emulab-xen">
            <emulab:xen cores="1" ram="512" disk="8"/>
          </sliver_type>
      
      We currently ignore cores ... Ram in MB, disk in GB.
      a76fc359
  6. 19 Jun, 2013 3 commits
  7. 11 Jun, 2013 1 commit
  8. 08 Jun, 2013 1 commit
  9. 05 Jun, 2013 1 commit
  10. 04 Jun, 2013 2 commits
  11. 28 May, 2013 2 commits
    • Leigh B Stoller's avatar
      Reorg the credential checking code, and add Geni chain checks. · dd5c6601
      Leigh B Stoller authored
      From: Leigh Stoller <lbstoller@gmail.com>
      Date: Wed, 22 May 2013 13:49:33 -0700
      Cc: instageni-design@geni.net
      
      So far we have been pretty loose about checking to make sure the
      certificate chains obey the Geni rules. These rules include checking to
      make sure that only approved entities can sign particular kinds of
      credentials. For example; only something known to be a Slice Authority
      should be allowed to create a slice and return a slice credential.
      
      The other check we have been lax about, is verifying that the URN namespace
      is consistent along the chain from CA to the target. For example, a chain
      that starts in Utah:
      
      	URI:urn:publicid:IDN+emulab.net+authority+root
      
      should not be able to sign anything outside its namespace. That is, Utah
      should not be able to sign a user or slice credential like:
      
      	urn:publicid:IDN+panther+user+shufeng
      
      This is made more complicated when we introduce subsa certs along the way,
      where Utah signs its SA cert and that signs a project slice. In this case
      the chain would look something like:
      
      	URI:urn:publicid:IDN+emulab.net+authority+root
      	URI:urn:publicid:IDN+emulab.net+authority+sa
              URI:urn:publicid:IDN+emulab.net:testbed+authority+sa
              URI:urn:publicid:IDN+emulab.net:testbed+slice+myslice
      
      There are also scoping rules; A subsa like:
      
              URI:urn:publicid:IDN+emulab.net:testbed+authority+sa
      
      should not be able to sign:
      
              URI:urn:publicid:IDN+emulab.net:someotherproject+slice+myslice
      
      The entire cert chain is require to verify this. The CA roots are in the
      bundle, and the intermediate certs should be enclosed in the signature
      section of the XML document.
      
      We have to make the same check against the user certificate after apache
      verifies the chain. For apache (or any SSL server) you have to load the
      chain, and as I mentioned in earlier email, this is easy with perl and
      python based clients.
      
      With all that said, we do not plan to start rigorous enforcement of the
      first check above, and for the second class of checks, we just want to
      enforce a simple prefix check until we get our subsa house in order (since
      we don't even conform properly yet!).
      dd5c6601
    • Leigh B Stoller's avatar
      Some fixes for pcvm restart; lets not reload them unless we need too, · 6a7e03f1
      Leigh B Stoller authored
      and if it really is running, we have to kill it with vnode_setup -k.
      6a7e03f1
  12. 23 May, 2013 1 commit
  13. 22 May, 2013 2 commits
  14. 20 May, 2013 1 commit
  15. 17 May, 2013 1 commit
  16. 15 May, 2013 4 commits
  17. 14 May, 2013 1 commit
  18. 06 May, 2013 1 commit
  19. 03 May, 2013 3 commits
  20. 02 May, 2013 2 commits
  21. 26 Apr, 2013 1 commit
  22. 23 Apr, 2013 2 commits