Skip to content
Snippets Groups Projects

Bring back console access and node reboot to experimental nodes

    • Open Issue created by Leigh Stoller @stoller

    This came up in a discussion between me and @hibler and a user recently, the ability to directly power cycle and access the tipline directly. This used to be possible cause everyone had accounts on ops, so users were able to run the xmlrpc (old emulab server) to do things like power cycle and get the acls for the tipline. We used to install this stuff on nodes too, but we stopped doing that a long time ago when I split all the clientside stuff into its own subdir. tip and xmlrpc did not come along with it.

    In addition, users must have access to their Emulab user certificate on the node, which Cloudlab users no longer see cause we do not do NFS mounts of homedirs. As it turns out, we can just return these with tmcd when all of the users in the project (who get accounts on the nodes) are at least local_root, since local_root users have sudo and they can read anyone's .ssl directory anyway!

    So the task list:

    • Move tip to the clientside build and install console.bin and the console wrapper (which gets the acls via xmlrpc).
    • Move xmlrpc to the clientside build and install so console.bin can get the acls
    • Add tmcc/tmcd support sending across the ssl certificates.
    • SSl proxy to run on ops; experimental nodes cannot talk to boss, which is where IPMI based captures run, so need a proxy on ops.

    But the ssl certificate dos have some trickiness to deal with; the user set at remote clusters comes from the ssh key set in the request. The only user in the ssh list we can feasibly match to a local user account is the creator of the experiment. Which is probably just fine for what this is intended to do.

    Writing all this down for now while I think about it some more.

    3 of 4 checklist items completed · Edited

    Designs

      Child items ...

      2. Activity

      • Leigh Stoller changed the description

        changed the description

      • Leigh Stoller mentioned in commit 33b207d3

        mentioned in commit 33b207d3

      • Leigh Stoller marked the checklist item Move tip to the clientside build and install console.bin and the console wrapper (which gets the acls via xmlrpc). as completed

        marked the checklist item Move tip to the clientside build and install console.bin and the console wrapper (which gets the acls via xmlrpc). as completed

      • Leigh Stoller marked the checklist item Move xmlrpc to the clientside build and install so console.bin can get the acls as completed

        marked the checklist item Move xmlrpc to the clientside build and install so console.bin can get the acls as completed

      • Leigh Stoller marked the checklist item Add tmcc/tmcd support sending across the ssl certificates. as completed

        marked the checklist item Add tmcc/tmcd support sending across the ssl certificates. as completed

      • Leigh Stoller
        Leigh Stoller @stoller ·
        Author Maintainer

        By completing 3 above, we now support node_reboot since.

      • Leigh Stoller
        Leigh Stoller @stoller ·
        Author Maintainer

        For @kwebb, here is what you can do today on the recent images:

        mkdir ~/.ssl
geni-get rpccert > ~/.ssl/emulab.pem
node_reboot pcXXX

        The certificate is for the creator of the experiment, any user on the node can get it, there is no access restrictions on it (tmcd/tmcc does not really allow for that). So it gives the creator (user) permission to do whatever the classic XMLRPC server allows the creator to do.

      Please register or sign in to reply