1. 09 May, 2013 1 commit
  2. 08 May, 2013 1 commit
    • Mike Hibler's avatar
      First round of client-side support for node-local storage "slices". · c1d21b9a
      Mike Hibler authored
      Supports the three coarse-grained placements we decided on:
      
        "SYSVOL" is special. You can declare a single blockstore with this
             placement and it will create a "native" (ufs/ext) filesystem on
             the 4th partition of the boot disk. This is how you create an
             extra storage partition that can be captured in a custom image.
             We don't use a volume manager here because imagezip doesn't
             recognize any of them (lvm, zfs, vinum).
      
        "ANY" coalesces all "available" storage from all disks into a logical
              volume manager pool and dishes out storage from that for
              individual blockstores. Typically this would include, the 4th
          partition of the boot disk (if not in use) and the second hard
          drive. If the machine has more than 2 drives, it will include
          all the extra drives.
      
        "NONSYSVOL" coalesces all "available" storage that is NOT on the
             boot disk into a logical volume manager pool and dishes out
             storage from that for individual blockstores. This case is if
             you want to avoid interfere with the system disk.
      
      Only implemented on FreeBSD 8/9 with "vinum" right now. It only creates
      "concat" (JBOD) volumes right now.
      
      This stuff will probably get split out into its own perl module(s) at
      some point, as it is getting large.
      
      Next up is LVM on Linux and then maybe ZFS on Freebsd.
      c1d21b9a
  3. 02 Apr, 2013 2 commits
  4. 01 Apr, 2013 1 commit
  5. 04 Feb, 2013 1 commit
  6. 28 Jan, 2013 1 commit
  7. 25 Jan, 2013 1 commit
  8. 27 Nov, 2012 1 commit
  9. 19 Nov, 2012 2 commits
  10. 09 Nov, 2012 2 commits
  11. 05 Nov, 2012 1 commit
  12. 30 Oct, 2012 1 commit
    • Mike Hibler's avatar
      Remaining infrastructure for control network "ARP lockdown". · 4b5e17b0
      Mike Hibler authored
      It works like this. Certain nodes that are on the node control net
      (right now just subbosses, but ops coming soon) can set static ARP entries
      for the nodes they serve. This raises the bar for (but does not eliminate
      the possibility of) nodes spoofing servers. Currently this is only for
      FreeBSD.
      
      When such a server boots, it will early on run /etc/rc.d/arplock.sh
      which will in turn run /usr/local/etc/emulab/fixarpinfo. fixarpinfo
      asks boss via an SSL tmcc call for "arpinfo" (using SSL ensures that the
      info coming back is really from boss). Tmcd on boss returns such arpinfo
      as appropriate for the node (subboss, ops, fs, etc.) along with the type
      of lockdown being done. The script uses this info to update the ARP
      cache on the machine, adding, removing, or making permanent entries
      as appropriate.
      
      fixarpinfo is intended to be called not just at boot, but also whenever
      we might need to update the ARP info on a server. The only other use right
      now is in subboss_dhcpd_makeconf which is called whenever DHCP info may
      need to be changed on a subboss (we hook this because a call to this script
      might also indicate a change in the set of nodes served by the subboss).
      In the future, fixarpinfo might be called from the newnode path (for ops/fs,
      when a node is added to the testbed), the deletenode path, or maybe from
      the watchdog (if we started locking down arp entries on experiment nodes)
      
      The type of the lockdown is controlled by a sitevar on boss,
      general/arplockdown, which can be set to 'none', 'static' or 'staticonly'.
      'none' means do nothing, 'static' means just create static arp entries
      for the given nodes but continue to dynamically arp for others, and
      'staticonly' means use only this set of static arp entries and disable
      dynamic arp on the control net interface. The last implies that the server
      will only be able to talk to the set of nodes for which it got ARP info.
      
      As mentioned, tmcd is responsible for returning the correct set of arp
      info for a given request. The logic currently is:
      
       * Only return ARP info to nodes which are on the CONTROL_NETWORK.
         If the requester is elsewhere (e.g., Utah's boss and ops are currently
         segregated on different IP subnets) then this whole infrastructure
         does not apply and nothing is returned.
      
       * If the requester is a subboss, return info for all other servers that
         are on the node control network as well as for the set of nodes
         which the subboss serves.
      
       * If the requester is an ops or fs node, again return info for all
         other servers and info for all testnodes or virtnodes whose control
         net IP is on the node control net.
      
       * Otherwise, return nothing.
      
      One final note is that the ARP info for servers such as boss/ops/fs or
      the gateway router is not readily available in most Emulab instances
      since those machines are not in the DB nodes or interfaces tables.
      Eventually we will fix that, but for now the info must come from new
      site variables. To help initially populate those variables, I added
      the utils/update_sitevars script which attempts to determine which
      servers are on the node control net and gathers the appropriate IP and
      MAC info from them.
      4b5e17b0
  13. 29 Oct, 2012 1 commit
  14. 25 Oct, 2012 1 commit
  15. 24 Sep, 2012 1 commit
    • Eric Eide's avatar
      Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to makes the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
      6df609a9
  16. 02 Jul, 2012 1 commit
  17. 26 Jan, 2012 1 commit
  18. 12 Jan, 2012 1 commit
    • Ryan Jackson's avatar
      Initial client code and rules for Linux firewalls · 2690be45
      Ryan Jackson authored
      Made the following changes to the clientside code to support Linux
      firewalls:
      
      - Made os_fwconfig_line() actually do something.
      - getfwconfig() adds an 'IPS' hash to the fwinfo hash.  This contains
        the IP address for each host, much like how the 'MACS' hash contains
        the MAC address for each host.  This is needed because ebtables (which
        is needed for ARP proxying) doesn't resolve hostnames.
      
      Rules are stored in firewall/iptables-fw-rules.  Syntax is similar to
      fw-rules, but without the rule number (since iptables doesn't use rule
      numbers).  These should be equivalent to our ipfw-based rules, but I
      haven't tested every case yet to confirm this.  I'm sure some changes
      will be necessary.
      2690be45
  19. 21 Jul, 2011 1 commit
  20. 29 Jun, 2011 1 commit
    • Mike Hibler's avatar
      Allow for more flexible setup of pxe_boot_path. · 2abf13da
      Mike Hibler authored
      If nodes.pxe_boot_path is set to '/tftpboot/pxelinux/<something>', then
      dhcpd_makeconf will set the (pxeboot) filename to /tftpboot/pxelinux.0
      and symlink the node's config file (/tftpboot/pxelinux.cfg/<mac>) to
      /tftpboot/pxelinux.cfg/<something>.
      
      In other words, we can customize pxelinux to some small degree, using one
      of some small number of pre-existing configurations. We were using pxelinux
      before for plab-in-elab and we will also need it for loading WinPE for
      configuring Windows7 images. For the latter we will set the pxe_boot_path
      to /tftpboot/pxelinux/winpe.
      
      Anyway, ideally we would allow the user to specify a pxelinux config file
      through the NS file, but need to think about the implications of that some
      more. Small steps...
      2abf13da
  21. 27 Apr, 2011 1 commit
    • David Johnson's avatar
      Better handling of media and speeds with ethtool for linux. · edc59d42
      David Johnson authored
      Allow tmcd to specify speeds of 0 with a warning, and then use
      autonegotiation to select media and speed.  Also, if the speed was Gb,
      turn on autonegotiation first, then force speed/duplex settings.  This
      has to be done because you cannot run at Gb without enabling
      autonegotiation -- it's part of the protocol.
      edc59d42
  22. 20 Oct, 2010 1 commit
    • Mike Hibler's avatar
      Support for no shared filesystem (unsupport for shared filesystem?) and · c1c1bce2
      Mike Hibler authored
      (eventual) support for NFS servers without race conditions!
      
      This means no NFS between nodes and ops/fs. There are still NFS mounts of
      ops on boss however.
      
      Added new defs-* variable NOSHAREDFS, which when set non-zero will disable
      the export of NFS filesystems to nodes.  Involved lots of little changes:
      
       * /users, /proj, and /share filesystems are not exported to nodes.
      
       * Returned mount info now includes an FSTYPE key which will be set to "LOCAL"
         if NOSHAREDFS is in effect (by default it is set to "NFS-RACY"; more on
         this later).  In the case where it is set to LOCAL, the other mount lines
         no longer contain REMOTE=foo settings.  Because of this change,
         THE TMCD VERSION NUMBER HAS BEEN BUMPED TO 32.
      
       * The client rc.mounts script will now create local versions of /users/*,
         /proj/<pid>, and /share when FSTYPE=LOCAL.  It first runs mkextrafs to
         create a large partition for these, since someday we will likely want
         to pre-populate these with a non-trivial amount of data.  Right now,
         the only thing that is put in the user's homedir is the standard dotfiles
         for the OS and the Emulab authorized_keys file (so you can login).
      
       * Linktest had to be modified to fetch the various results files (via
         loghole) rather than just assuming they were in /proj.  And also changed
         to invoke tevc with the local copy of the event key so it won't try to
         read it over NFS.
      
       * create_image was modified to ssh to the node and run the imagezip
         command, capturing the output of ssh.  This is controlled via the "-s"
         option which defaults to on for a NOSHAREDFS system, but can also be
         used on a normal system.
      
       * elabinelab's can be configured with/without a shared FS via the
         CONFIG_SHAREDFS attribute (note polarity change) which defaults to 1.
      
      Another new defs-* variable, NFSRACY, will some day allow you to specify
      (by setting to 0) that your NFS server does NOT have the nefarious mountd
      race condition when changing /etc/exports.  Currently, this defaults to 1
      since all versions of FreeBSD supported as an "fs" node have this "feature."
      Rumor has it that FreeBSD 8 does not have this problem nor, presumably,
      would a Linux NFS server.
      
      The only use of this variable right now is to set the FSTYPE returned by the
      tmcd "mounts" call, which in turn is used by one client script, rc.topomap
      (via a libsetup function) to determine whether it should try copying
      the topo file multiple times.
      
      Random: add python2.6 to list of python's checked for in configure.
      Random: resync defs-example-privatecnet with defs-example.
      Random: did a little code-pissin here and there.
      c1c1bce2
  23. 15 Jul, 2010 1 commit
    • David Johnson's avatar
      Do not automatically merge updates to passwd/group/shadow files. · ed074826
      David Johnson authored
      Now, if experimenters add users or groups to their nodes, and take
      an image, they must explicitly tell prepare to overwrite the master
      passwd/group/shadow files in /etc/emulab.  For Linux,
      os_account_cleanup tried to update the masters automatically, but
      this is not fullproof and can result in the masters getting passwd
      hashes from shadow.  Now, a diff of the non-shadow files is printed
      from prepare so that at least people can see that the masters need
      to be manually updated.
      ed074826
  24. 28 Jun, 2010 1 commit
  25. 03 May, 2010 1 commit
  26. 15 Apr, 2010 1 commit
    • Ryan Jackson's avatar
      Various subboss-related bits · 3d95a752
      Ryan Jackson authored
      - Add support for new tmcd dhcpdconf command to watchdog
      - Fix dhcpd.conf template so that ddns-update-style is set to none
      - Pull some utility functions from boss's libtestbed.pm into the client
        libtestbed.pm for use by subboss_dhcpd_makeconf and daemon_wrapper.
      - Add stuff to simplify getting control interface IP address.
      3d95a752
  27. 03 Mar, 2010 1 commit
  28. 25 Jan, 2010 1 commit
    • Mike Hibler's avatar
      Fixes for Fedora 10. · 9e9c658b
      Mike Hibler authored
      Fix obvious typo in liblocsetup.pm which was getting perl5.10 all cranky.
      Stop statically linking a couple of proxy pieces.  In general, it is/was
      a bad idea, and Fedora 10 doesn't have a static libz anyway.
      9e9c658b
  29. 05 Jan, 2010 1 commit
  30. 13 Nov, 2009 1 commit
  31. 27 Oct, 2009 1 commit
  32. 23 Oct, 2009 2 commits
    • David Johnson's avatar
      Whoops, change undef to 0644 in dbmopen. · a38134ac
      David Johnson authored
      a38134ac
    • David Johnson's avatar
      Don't just splat the master passwd/group files into place from $ETCDIR. · 7adf2f53
      David Johnson authored
      Instead, grab the current Emulab uids/gids, grab the current group/passwd
      files and their shadow counterparts, remove any emulab u/gids from the
      loaded instance of the current files, then push any new/changed uid/gids
      into the master files in $ETCDIR.  Also, we remove accounts from the
      master files if they no longer appear in the current files.  Finally, we
      strip deleted uids from any groups they might appear in (!).
      
      Note that this also rearranges the order in which os_account_cleanup is
      called by rc.accounts; now it comes before the passwd and group dbs in
      /var/emulab/db are wiped.
      7adf2f53
  33. 08 Sep, 2009 1 commit
  34. 03 Aug, 2009 1 commit
  35. 15 Jun, 2009 1 commit
  36. 11 Jun, 2009 1 commit