GitLab

a single slice image, since we can now pull the kernel (ramdisk) out
from the guest filesystem (using pygrub for linux, or just mounting
BSD filesystems). This is a lot faster and easier to deal with. I
added an option to the newimage page so that people can set this, but
in general we need a better way to guess that we need it. Always set
for EC2 images.

dom0mem setting for the node, since that varies and reduces the
amount of guest memory available.

with this now, but want to get it in before I push new XEN image out.

This would kill off the entire "power" invocation. For example, if the
first node in the list given to power failed to connect to its icebox,
power would die and not even attempt to power cycle any other node in
the list.

This manifested itself by lots of nodes getting stuck in reloading
because the reload_daemon would try to reboot every node in a single command.

Console config is handled by pxeboot in the most recent MFS.

From: Leigh Stoller <lbstoller@gmail.com>
Date: Wed, 22 May 2013 13:49:33 -0700
Cc: instageni-design@geni.net

So far we have been pretty loose about checking to make sure the
certificate chains obey the Geni rules. These rules include checking to
make sure that only approved entities can sign particular kinds of
credentials. For example; only something known to be a Slice Authority
should be allowed to create a slice and return a slice credential.

The other check we have been lax about, is verifying that the URN namespace
is consistent along the chain from CA to the target. For example, a chain
that starts in Utah:

	URI:urn:publicid:IDN+emulab.net+authority+root

should not be able to sign anything outside its namespace. That is, Utah
should not be able to sign a user or slice credential like:

	urn:publicid:IDN+panther+user+shufeng

This is made more complicated when we introduce subsa certs along the way,
where Utah signs its SA cert and that signs a project slice. In this case
the chain would look something like:

	URI:urn:publicid:IDN+emulab.net+authority+root
	URI:urn:publicid:IDN+emulab.net+authority+sa
        URI:urn:publicid:IDN+emulab.net:testbed+authority+sa
        URI:urn:publicid:IDN+emulab.net:testbed+slice+myslice

There are also scoping rules; A subsa like:

        URI:urn:publicid:IDN+emulab.net:testbed+authority+sa

should not be able to sign:

        URI:urn:publicid:IDN+emulab.net:someotherproject+slice+myslice

The entire cert chain is require to verify this. The CA roots are in the
bundle, and the intermediate certs should be enclosed in the signature
section of the XML document.

We have to make the same check against the user certificate after apache
verifies the chain. For apache (or any SSL server) you have to load the
chain, and as I mentioned in earlier email, this is easy with perl and
python based clients.

With all that said, we do not plan to start rigorous enforcement of the
first check above, and for the second class of checks, we just want to
enforce a simple prefix check until we get our subsa house in order (since
we don't even conform properly yet!).

and if it really is running, we have to kill it with vnode_setup -k.

appears to be working.

Set a couple of frisbee bandwidth sitevars as per Mike.

through the 172 phony router we have setup on the control node. This
is silly to do for local traffic, but getting XEN guests to not do it,
turned into a pit that I didn't want to enter. We want this so that
arplockdown works properly; the mac address is really the client not a
router. Revisit later.

Take care of an iSCSI race condition in Fedora15.

Not sure how I got on this side track, but it is done.

loc-bstore: local blockstore support
rem-bstore: remote blockstore support

Check for these when a user attaches a blockstore to a local node (local
blockstores), or to a link/lan (remote blockstores).  All nodes in a lan
containing one or more remote blockstores must have an OS with the
remote blockstores feature.

boot. Need a better way to figure out wait times based on
the host OS.

boot. Need a better way to figure out wait times based on
the host OS.

kernel command line, according to new loadinfo variable returned from
tmcd. This is so we can tailor the amount of memory per node type.

Mike's instruction. Faster, better, slicker then snot.

when we get the RPC results.

Return the dom0mem node attribute so that slicefix can use it
to set it in the grub config file.
Small fix to how loadinfo determine the image for a pcvm; use
the def_boot_osid joined with the partitions table, like we do
for real nodes. Did not like the special case.