1. 28 Jun, 2013 2 commits
  2. 24 Jun, 2013 3 commits
  3. 20 Jun, 2013 1 commit
    • Add XEN knobs: · a76fc359
      Leigh B Stoller authored
          <sliver_type name="emulab-xen">
            <emulab:xen cores="1" ram="512" disk="8"/>
      We currently ignore cores ... Ram in MB, disk in GB.
  4. 19 Jun, 2013 3 commits
  5. 11 Jun, 2013 1 commit
  6. 08 Jun, 2013 1 commit
  7. 05 Jun, 2013 1 commit
  8. 04 Jun, 2013 2 commits
  9. 28 May, 2013 2 commits
    • Reorg the credential checking code, and add Geni chain checks. · dd5c6601
      Leigh B Stoller authored
      From: Leigh Stoller <lbstoller@gmail.com>
      Date: Wed, 22 May 2013 13:49:33 -0700
      Cc: instageni-design@geni.net
      So far we have been pretty loose about checking to make sure the
      certificate chains obey the Geni rules. These rules include checking to
      make sure that only approved entities can sign particular kinds of
      credentials. For example, only something known to be a Slice Authority
      should be allowed to create a slice and return a slice credential.
      The other check we have been lax about is verifying that the URN namespace
      is consistent along the chain from CA to the target. For example, a chain
      that starts in Utah:
      should not be able to sign anything outside its namespace. That is, Utah
      should not be able to sign a user or slice credential like:
      This is made more complicated when we introduce subsa certs along the way,
      where Utah signs its SA cert and that signs a project slice. In this case
      the chain would look something like:
      There are also scoping rules. A subsa like:
      should not be able to sign:
      The entire cert chain is required to verify this. The CA roots are in the
      bundle, and the intermediate certs should be enclosed in the signature
      section of the XML document.
      We have to make the same check against the user certificate after apache
      verifies the chain. For apache (or any SSL server) you have to load the
      chain, and as I mentioned in an earlier email, this is easy with perl and
      python based clients.
      With all that said, we do not plan to start rigorous enforcement of the
      first check above, and for the second class of checks, we just want to
      enforce a simple prefix check until we get our subsa house in order (since
      we don't even conform properly yet!).
    • Some fixes for pcvm restart; let's not reload them unless we need to, · 6a7e03f1
      Leigh B Stoller authored
      and if it really is running, we have to kill it with vnode_setup -k.
  10. 23 May, 2013 1 commit
  11. 22 May, 2013 2 commits
  12. 20 May, 2013 1 commit
  13. 17 May, 2013 1 commit
  14. 15 May, 2013 4 commits
  15. 14 May, 2013 1 commit
  16. 06 May, 2013 1 commit
  17. 03 May, 2013 3 commits
  18. 02 May, 2013 2 commits
  19. 26 Apr, 2013 1 commit
  20. 23 Apr, 2013 5 commits
  21. 07 Apr, 2013 2 commits