1. 27 Aug, 2013 1 commit
  2. 22 Aug, 2013 1 commit
  3. 20 Aug, 2013 1 commit
  4. 19 Aug, 2013 2 commits
  5. 15 Aug, 2013 3 commits
    • Leigh B Stoller's avatar
      f3078723
    • Leigh B Stoller's avatar
      Minor bug fix. · 5b15bc8b
      Leigh B Stoller authored
      5b15bc8b
    • Leigh B Stoller's avatar
      Changes to idle handling in ProtoGeni slivers · ec076c05
      Leigh B Stoller authored
      When a new sliver is created, they are given a relatively short
      lifetime. This is the value of protogeni/initial_sliver_lifetime and
      defaults to six hours.
      
      A user may renew a sliver for up to the number of days in
      protogeni/max_sliver_lifetime (defaults to 90 days), except in Utah
      where it is 5 days (Emulab, Utah Rack, Utah DDC Rack).
      
      The CM daemon idle code looks for idle slivers. An idle sliver is one
      in which 50% of the physical nodes have been idle for three hours.
      (protogeni/idlecheck_threshold). At this point an email message is
      sent to the sliver creator.
      
      If the sitevar protogeni/idlecheck_norenew is set, then the email
      threatens to mark the sliver as unrenewable if it stays idle. Then, at
      2 * protogeni/idlecheck_threshold, if the sliver is still idle, the
      sliver is marked as unrenewable. No matter what the user does at this
      point, he will not be able to renew the sliver and it will expire out
      normally.
      
      If protogeni/idlecheck_norenew is no set, behaviour remains as it is
      now; a followup message is sent every 24 hours.
      
      There is a new backend script called "setexpiration" that allows an
      aggregate admin person to override the settings on a per-slice basis
      so that users who have a need for a long running sliver do not have to
      continually renew and/or bypas the max_sliver_lifetime setting. For
      example:
      
      boss> wap setexpiration -e YYYY-MM-DD mysliceurn
      
      will extend the termination date to the given date. To restore the
      default behavour:
      
      boss> wap setexpiration -E mysliceurn
      
      Note that idle checks are still made. To turn off idle checks for
      a slice:
      
      boss> wap setexpiration -i mysliceurn
      
      To turn then back on:
      
      boss> wap setexpiration -I mysliceurn
      ec076c05
  6. 09 Aug, 2013 3 commits
    • Leigh B Stoller's avatar
    • Leigh B Stoller's avatar
      Remove code that extends slice lifetime, and fix underlying bug. · 60a34cdf
      Leigh B Stoller authored
      We currrently have a few cases where a slice record exists, but
      no sliver, and so Renew was failing. Since we store all of the
      expiration in the slice record, we do not actually need to have
      an aggregate, so remove the check.
      60a34cdf
    • Leigh B Stoller's avatar
      I added two new actions to PerformOperationalAction, which appear to · cfd1974a
      Leigh B Stoller authored
      work fine when the nodes are behaving themselves.
      
      1) geni_update_users: Takes a slice credential and a keys argument. Can
        only be invoked when the sliver is in the started/geni_ready state.
        Moves the slice to the geni_updating_users state until all of the
        nodes have completed the update, at which time the sliver moves back
        to started/geni_ready.
      
      2) geni_updating_users_cancel: We can assume that some nodes will be whacky
        and will not perform the update when told to. This cancels the
        update and moves the sliver back to started/geni_ready.
      
      A couple of notes:
      
      * The current emulab node update time is about three minutes; the
        sliver is in this new state for that time and cannot be restarted or
        stopped. It can of course be deleted.
      
      * Should we allow restart while in the updating phase? We could, but
        then I need more bookkeeping.
      
      * Some nodes might not be running the watch dog, or might not even be
        an emulab image, so the operation will never end, not until
        canceled. I could add a timeout, but that will require a monitor or
        adding DB state to store the start time.
      cfd1974a
  7. 08 Aug, 2013 1 commit
  8. 23 Jul, 2013 2 commits
    • Leigh B Stoller's avatar
      Minor bug fix. · a1207790
      Leigh B Stoller authored
      a1207790
    • Leigh B Stoller's avatar
      ABAC Speaksfor credential support. · 60274694
      Leigh B Stoller authored
      The CM can now receive either an ABAC or a non-ABAC speaksfor
      credential in the list of credentials. Thanks to Gary for getting
      libabac built on boss so that I could use it! The AM probably needs a
      little bit more work since it has a few V3 places where it does not
      invoke CMV2 directly, but that should be easy to fix; all of the AMV2
      functions will work tough.
      
      Caveat; I don't bother to look at the speaksfor option; if we get a
      speaksfor credential, I figure it was cause the user wants to use it!
      
      I added a hacky script called genspeaksfor to create a proper speaks
      for credential that allows me to speak for another user. For example:
      
      	genspeaksfor -a urn:publicid:IDN+emulab.net+user+leebee \
      	         urn:publicid:IDN+emulab.net+user+stoller
      
      which generates an ABAC speaks for credential that allows me to spead
      for leebee. To use the PG test scripts with this credential:
      
      	createsliver.py* -S speaksfor.cred -s slice.cred
      
      Where slice.cred is a plain slice credential issued to leebee and then
      given to me via an out of band mechanism (:-).
      60274694
  9. 22 Jul, 2013 2 commits
  10. 11 Jul, 2013 2 commits
    • Leigh B Stoller's avatar
      Implement speaksfor (non-abac) support. · 8d53b3fd
      Leigh B Stoller authored
      CM V2 (and thus the AM) now accept a type=speaksfor credential along
      with regular credentials. When supplied, the speaksfor caller must be
      equal to the owner of the speaksfor credential and the target must be
      equal to the owner of the regular credential(s). All operations take
      place in the context of the spokenfor user.
      
      Added speaksfor slots to geni_slices,geni_aggregates and geni_tickets.
      Also to the history table. But these are just the most recent data.
      Each transaction is logged as normal, and the metadata now includes
      the speaksfor data and the log always includes all of the credentials.
      
      For testing, there is a new script in the scripts directory to
      generate a speaksfor credential. Not installed since it is really
      a hack. But to create one:
      
        perl genspeaksfor urn:publicid:IDN+emulab.net+user+leebee \
      	urn:publicid:IDN+emulab.net+user+stoller
      
      which generates a speaksfor credential that says stoller is speaking
      for leebee.
      
      Given a slice credential issued to leebee, the test scripts can be
      invoked as follows (by stoller):
      
        createsliver.py -S speaksfor.cred -s slice.cred -c leebee.cred
      
      A copy of leebee's self credential is needed simply cause of the test
      script's desire to talk to the SA (which does not support speaksfor).
      Not otherwise needed.
      
      Oh, not tested on the AM interface yet.
      8d53b3fd
    • Leigh B Stoller's avatar
      Minor changes to Tunnel functions. · f4c339ec
      Leigh B Stoller authored
      f4c339ec
  11. 08 Jul, 2013 1 commit
  12. 04 Jul, 2013 1 commit
  13. 02 Jul, 2013 1 commit
  14. 01 Jul, 2013 3 commits
  15. 28 Jun, 2013 3 commits
  16. 24 Jun, 2013 3 commits
  17. 20 Jun, 2013 1 commit
    • Leigh B Stoller's avatar
      Add XEN knobs: · a76fc359
      Leigh B Stoller authored
          <sliver_type name="emulab-xen">
            <emulab:xen cores="1" ram="512" disk="8"/>
          </sliver_type>
      
      We currently ignore cores ... Ram in MB, disk in GB.
      a76fc359
  18. 19 Jun, 2013 3 commits
  19. 11 Jun, 2013 1 commit
  20. 08 Jun, 2013 1 commit
  21. 05 Jun, 2013 1 commit
  22. 04 Jun, 2013 2 commits
  23. 28 May, 2013 1 commit
    • Leigh B Stoller's avatar
      Reorg the credential checking code, and add Geni chain checks. · dd5c6601
      Leigh B Stoller authored
      From: Leigh Stoller <lbstoller@gmail.com>
      Date: Wed, 22 May 2013 13:49:33 -0700
      Cc: instageni-design@geni.net
      
      So far we have been pretty loose about checking to make sure the
      certificate chains obey the Geni rules. These rules include checking to
      make sure that only approved entities can sign particular kinds of
      credentials. For example; only something known to be a Slice Authority
      should be allowed to create a slice and return a slice credential.
      
      The other check we have been lax about, is verifying that the URN namespace
      is consistent along the chain from CA to the target. For example, a chain
      that starts in Utah:
      
      	URI:urn:publicid:IDN+emulab.net+authority+root
      
      should not be able to sign anything outside its namespace. That is, Utah
      should not be able to sign a user or slice credential like:
      
      	urn:publicid:IDN+panther+user+shufeng
      
      This is made more complicated when we introduce subsa certs along the way,
      where Utah signs its SA cert and that signs a project slice. In this case
      the chain would look something like:
      
      	URI:urn:publicid:IDN+emulab.net+authority+root
      	URI:urn:publicid:IDN+emulab.net+authority+sa
              URI:urn:publicid:IDN+emulab.net:testbed+authority+sa
              URI:urn:publicid:IDN+emulab.net:testbed+slice+myslice
      
      There are also scoping rules; A subsa like:
      
              URI:urn:publicid:IDN+emulab.net:testbed+authority+sa
      
      should not be able to sign:
      
              URI:urn:publicid:IDN+emulab.net:someotherproject+slice+myslice
      
      The entire cert chain is require to verify this. The CA roots are in the
      bundle, and the intermediate certs should be enclosed in the signature
      section of the XML document.
      
      We have to make the same check against the user certificate after apache
      verifies the chain. For apache (or any SSL server) you have to load the
      chain, and as I mentioned in earlier email, this is easy with perl and
      python based clients.
      
      With all that said, we do not plan to start rigorous enforcement of the
      first check above, and for the second class of checks, we just want to
      enforce a simple prefix check until we get our subsa house in order (since
      we don't even conform properly yet!).
      dd5c6601