1. 08 Aug, 2017 9 commits
  2. 07 Aug, 2017 3 commits
    • Mike Hibler's avatar
    • Mike Hibler's avatar
      Stupid port ranges! Make per experiment range larger. · 484edfc0
      Mike Hibler authored
      We need to get rid of this!
      Since BSD jail days we have attempted to partition up the UDP/TCP port
      range among vnodes as jails and their host shared the same namespace.
      Originally we supported a range of 256 per experiment which wound up
      limiting the number of experiments we could instantiate. In order to get
      a class up and running where we expected a large number of single-vnode
      experiments, I reduced the range to 32 to allow more experiments, forgetting
      that we pick a unique port per-vnode from that range to use for sshd.
      So as a result I limited the number of vnodes per experiment to 32!
      Did I mention that we need to eviscerate this mechanism with extreme
    • Dan Reading's avatar
      Issue #316 emulab/emulab-devel · c5ce9d4c
      Dan Reading authored
      In checknode code for FreeBSD don't check the /dev/ad* device if it is a symlink.
      [I think the a error in the test command for -c]
  3. 04 Aug, 2017 2 commits
  4. 03 Aug, 2017 1 commit
  5. 01 Aug, 2017 2 commits
  6. 31 Jul, 2017 1 commit
  7. 27 Jul, 2017 9 commits
  8. 26 Jul, 2017 6 commits
    • Robert Ricci's avatar
      Fix spelling error · 3c99ed12
      Robert Ricci authored
      Closes #321
    • Leigh B Stoller's avatar
      Changes to apt_announcements table: · 4408843a
      Leigh B Stoller authored
      1. Add a unique uuid for a shared lookup token with the web UI.
      2. Add pid_idx for targeting announcements to projects (issue #258).
    • Mike Hibler's avatar
      Merge branch 'master' into root-keypair-r1 · f3f17806
      Mike Hibler authored
    • Mike Hibler's avatar
      Include the experiment name in all outputs. · 66781988
      Mike Hibler authored
    • Mike Hibler's avatar
      Deep six the "dd" command stderr output. · f2381b07
      Mike Hibler authored
    • Mike Hibler's avatar
      Support for per-experiment root keypairs (Round 1). See issue #302. · c6150425
      Mike Hibler authored
      Provide automated setup of an ssh keypair enabling root to login without
      a password between nodes. The biggest challenge here is to get the private
      key onto nodes in such a way that a non-root user on those nodes cannot
      obtain it. Otherwise that user would be able to ssh as root to any node.
      This precludes simple distribution of the private key using tmcd/tmcc as
      any user can do a tmcc (tmcd authentication is based on the node, not the
      This version does a post-imaging "push" of the private key from boss using
      ssh. The key is pushed from tbswap after nodes are imaged but before the
      event system, and thus any user startup scripts, are started. We actually
      use "pssh" (really "pscp") to scale a bit better, so YOU MUST HAVE THE
      PSSH PACKAGE INSTALLED. So be sure to do a:
          pkg install -r Emulab pssh
      on your boss node. See the new utils/pushrootkeys.in script for more.
      The public key is distributed via the "tmcc localization" command which
      was already designed to handle adding multiple public keys to root's
      authorized_keys file on a node.
      This approach should be backward compatible with old images. I BUMPED THE
      VERSION NUMBER OF TMCD so that newer clients can also get back (via
      rc.localize) a list of keys and the names of the files they should be stashed
      in. This is used to allow us to pass along the SSL and SSH versions of the
      public key so that they can be placed in /root/.ssl/<node>.pub and
      /root/.ssh/id_rsa.pub respectively. Note that this step is not necessary for
      inter-node ssh to work.
      Also passed along is an indication of whether the returned key is encrypted.
      This might be used in Round 2 if we securely implant a shared secret on every
      node at imaging time and then use that to encrypt the ssh private key such
      that we can return it via rc.localize. But the client side script currently
      does not implement any decryption, so the client side would need to be changed
      again in this future.
      The per experiment root keypair mechanism has been exposed to the user via
      old school NS experiments right now by adding a node "rootkey" method. To
      export the private key to "nodeA" and the public key to "nodeB" do:
          $nodeA rootkey private 1
          $nodeB rootkey public 1
      This enables an asymmetric relationship such that "nodeA" can ssh into
      "nodeB" as root but not vice-versa. For a symmetric relationship you would do:
          $nodeA rootkey private 1
          $nodeB rootkey private 1
          $nodeA rootkey public 1
          $nodeB rootkey public 1
      These user specifications will be overridden by hardwired Emulab restrictions.
      The current restrictions are that we do *not* distribute a root pubkey to
      tainted nodes (as it opens a path to root on a node where no one should be
      root) or any keys to firewall nodes, virtnode hosts, delay nodes, subbosses,
      storagehosts, etc. which are not really part of the user topology.
      For more on how we got here and what might happen in Round 2, see:
  9. 25 Jul, 2017 2 commits
  10. 24 Jul, 2017 2 commits
  11. 17 Jul, 2017 1 commit
  12. 14 Jul, 2017 2 commits