1. 01 Jul, 2013 2 commits
  2. 28 Jun, 2013 1 commit
  3. 20 Jun, 2013 1 commit
    • Add XEN knobs: · a76fc359
      Leigh B Stoller authored
          <sliver_type name="emulab-xen">
            <emulab:xen cores="1" ram="512" disk="8"/>
      We currently ignore cores ... Ram in MB, disk in GB.
  4. 28 May, 2013 1 commit
    • Reorg the credential checking code, and add Geni chain checks. · dd5c6601
      Leigh B Stoller authored
      From: Leigh Stoller <lbstoller@gmail.com>
      Date: Wed, 22 May 2013 13:49:33 -0700
      Cc: instageni-design@geni.net
      So far we have been pretty loose about checking to make sure the
      certificate chains obey the Geni rules. These rules include checking to
      make sure that only approved entities can sign particular kinds of
      credentials. For example, only something known to be a Slice Authority
      should be allowed to create a slice and return a slice credential.
      The other check we have been lax about is verifying that the URN namespace
      is consistent along the chain from CA to the target. For example, a chain
      that starts in Utah:
      should not be able to sign anything outside its namespace. That is, Utah
      should not be able to sign a user or slice credential like:
      This is made more complicated when we introduce subsa certs along the way,
      where Utah signs its SA cert and that signs a project slice. In this case
      the chain would look something like:
      There are also scoping rules. A subsa like:
      should not be able to sign:
      The entire cert chain is required to verify this. The CA roots are in the
      bundle, and the intermediate certs should be enclosed in the signature
      section of the XML document.
      We have to make the same check against the user certificate after apache
      verifies the chain. For apache (or any SSL server) you have to load the
      chain, and as I mentioned in earlier email, this is easy with perl and
      python based clients.
      With all that said, we do not plan to start rigorous enforcement of the
      first check above, and for the second class of checks, we just want to
      enforce a simple prefix check until we get our subsa house in order (since
      we don't even conform properly yet!).
  5. 15 May, 2013 1 commit
  6. 14 May, 2013 1 commit
  7. 26 Apr, 2013 1 commit
  8. 23 Apr, 2013 2 commits
  9. 07 Apr, 2013 1 commit
  10. 04 Apr, 2013 1 commit
  11. 25 Mar, 2013 1 commit
    • Look for IsTaggedLan() so that users can force vlan encap even on · c2028677
      Leigh B Stoller authored
      links that would not normally use them. This will allow Niky to use
      the pc3000s that have only two interfaces.
      Do not return sliver_gid anymore; we won't be creating certificate for
      slivers anymore.
      Look for duplicate experiment names before we try to create the
  12. 13 Mar, 2013 1 commit
  13. 25 Feb, 2013 1 commit
  14. 14 Feb, 2013 1 commit
  15. 07 Feb, 2013 1 commit
    • Fix for "orphaned certificate" warnings we got this week. · f405eb2d
      Leigh B Stoller authored
      So this happened twice this week. Two Utah Emulab users, starting a
      sliver at the Utah Emulab CM. Basically, while Flack was starting up a
      sliver for the user, they decided to log into the web interface and
      recreate their encrypted certificates. So they register a slice, and
      Flack gets the slice certificate. Then the user changes their
      certificate on Emulab. The CM notices that the certificate in the
      slice credential and the certificate the user presented are
      different. For a nonlocal user we want to update our record (dubious
      on its own), but for a local user we really do not want to do
      Users do wacky things.
  16. 30 Jan, 2013 1 commit
  17. 29 Jan, 2013 2 commits
    • Add a "monitor" process to start/restart sliver to watch nodes. · 0c749af4
      Leigh B Stoller authored
      This is very similar to what Emulab does on the swapin path for
      normal experiments; wait and watch the nodes to see which ones
      fail or otherwise timeout. Up till now, we did not do this on the
      PG path, and so failed nodes were never signaled, and the slice
      was left in a changing state forever. This also allows us to capture
      the node bootlogs and convert them to logfiles that we can associate
      with the slice on the showslice web page.
      Details: start/restart forks a child (WrapperFork()) and allows
      the parent to return to the client. The slice is unlocked so that
      the client can call SliverStatus(), etc. But the client cannot
      do anything that actually changes the sliver (update, stop, etc)
      until the monitor finishes (or times out on its own). The lone
      exception is Deleteslice(), which will asynchronously kill the
      monitor and then terminate the slice. Ditto the command line
      script "cleanupslice".
      We will probably need to add another way to allow the client to
      terminate the monitor early, but have not decided where yet.
    • Set the publicid for new slices; this allows for unauthenticated · 66fac993
      Leigh B Stoller authored
      viewing of the basic slice info and logs by unauthenticated web
  18. 24 Jan, 2013 1 commit
  19. 22 Jan, 2013 1 commit
  20. 18 Jan, 2013 1 commit
  21. 02 Jan, 2013 1 commit
  22. 20 Dec, 2012 1 commit
  23. 18 Dec, 2012 1 commit
  24. 17 Dec, 2012 1 commit
  25. 29 Nov, 2012 3 commits
  26. 07 Nov, 2012 1 commit
  27. 15 Oct, 2012 1 commit
  28. 08 Oct, 2012 2 commits
  29. 04 Oct, 2012 1 commit
  30. 26 Sep, 2012 1 commit
    • Various fixes for AM API v3. · c49a1df9
      Jonathon Duerig authored
      All incoming rspecs are now validated with rspeclint.
      Multiple Create calls are now permitted.
      Slivers now have URNs at allocation time.
      Delete now returns a list of ex-slivers.
      Advertisement now specifies an operational state machine.
      Other minor fixes.
  31. 24 Sep, 2012 1 commit
    • Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to make the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      This commit is intended to clear up that confusion.
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
  32. 19 Sep, 2012 1 commit
  33. 18 Sep, 2012 1 commit
  34. 04 Sep, 2012 1 commit