Commit 5446760e authored by Mike Hibler's avatar Mike Hibler

Support "no NFS mount" experiments.

We have had the mechanism implemented in the client for some time and
available at the site-level or, in special cases, at the node level.
New NS command:

    tb-set-nonfs 1

will ensure that no nodes in the experiment attempt to mount shared
filesystems from ops (aka, "fs"). In this case, a minimal homedir is
created on each node with basic dotfiles and your .ssh keys. There will
also be empty /proj, /share, etc. directories created.

One additional mechanism that we have now is that we do not export filesystems
from ops to those nodes. Previously, it was all client-side and you could
mount the shared FSes if you wanted to. By prohibiting the export of these
filesystems, the mechanism is more suitable for "security" experiments.
parent acb151cc
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2009-2012 University of Utah and the Flux Group. # Copyright (c) 2009-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -135,7 +135,8 @@ my $debug = 0; ...@@ -135,7 +135,8 @@ my $debug = 0;
"elabinelab_singlenet" => 1, "elabinelab_singlenet" => 1,
"security_level" => 1, "security_level" => 1,
"delay_capacity" => 1, "delay_capacity" => 1,
"dpdb" => 1); "dpdb" => 1,
"nonfsmounts" => 1);
# #
# Grab the virtual topo for an experiment. # Grab the virtual topo for an experiment.
......
...@@ -953,6 +953,7 @@ REPLACE INTO table_regex VALUES ('experiments','use_ipassign','int','redirect',' ...@@ -953,6 +953,7 @@ REPLACE INTO table_regex VALUES ('experiments','use_ipassign','int','redirect','
REPLACE INTO table_regex VALUES ('experiments','ipassign_args','text','regex','^[\\w\\s-]*$',0,255,NULL); REPLACE INTO table_regex VALUES ('experiments','ipassign_args','text','regex','^[\\w\\s-]*$',0,255,NULL);
REPLACE INTO table_regex VALUES ('experiments','expt_name','text','redirect','default:fulltext',1,255,NULL); REPLACE INTO table_regex VALUES ('experiments','expt_name','text','redirect','default:fulltext',1,255,NULL);
REPLACE INTO table_regex VALUES ('experiments','dpdb','int','redirect','default:tinyint',0,1,NULL); REPLACE INTO table_regex VALUES ('experiments','dpdb','int','redirect','default:tinyint',0,1,NULL);
REPLACE INTO table_regex VALUES ('experiments','nonfsmounts','int','redirect','default:tinyint',0,1,NULL);
REPLACE INTO table_regex VALUES ('experiments','description','text','redirect','default:fulltext',1,256,NULL); REPLACE INTO table_regex VALUES ('experiments','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiments','idle_ignore','int','redirect','default:boolean',0,0,NULL); REPLACE INTO table_regex VALUES ('experiments','idle_ignore','int','redirect','default:boolean',0,0,NULL);
......
#
# Add regex for experiments.nonfsmounts
#
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBQueryFatal("REPLACE INTO table_regex VALUES ".
" ('experiments','nonfsmounts','int','redirect',".
"'default:tinyint',0,1,NULL)");
return 0;
}
# Local Variables:
# mode:perl
# End:
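Review bot: DoUpdate adds only the table_regex validation row for experiments.nonfsmounts; no ALTER TABLE on experiments and no database-create.sql change is visible on this page, yet sim.tcl inserts the field and both exports_setup and tmcd select `e.nonfsmounts`. If the column does not already exist, this update script is the place to create it, guarded by the same column-existence check the project's other update scripts use so the script stays idempotent like the REPLACE it already issues. If the column was added by an earlier update, a one-line comment in the header such as `# experiments.nonfsmounts itself already exists; this only adds its input regex` would spare the next reader the search.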
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2000-2012 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -197,19 +197,20 @@ if ($WINSUPPORT) { ...@@ -197,19 +197,20 @@ if ($WINSUPPORT) {
# avoid extra db queries (see lastpid/lastgid/lastadmin). # avoid extra db queries (see lastpid/lastgid/lastadmin).
# #
$nodes_result = $nodes_result =
DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,i.IP,u.admin, ". DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,".
" r.sharing_mode,r.erole,nt.isvirtnode ". " e.nonfsmounts as enonfs,n.nonfsmounts as nnonfs,".
" i.IP,u.admin,r.sharing_mode,r.erole,nt.isvirtnode ".
"from reserved as r ". "from reserved as r ".
"left join experiments as e on r.pid=e.pid and r.eid=e.eid ". "left join experiments as e on r.pid=e.pid and r.eid=e.eid ".
"left join nodes on r.node_id=nodes.node_id ". "left join nodes as n on r.node_id=n.node_id ".
"left join node_types as nt on nt.type=nodes.type ". "left join node_types as nt on nt.type=n.type ".
"left join interfaces as i on r.node_id=i.node_id ". "left join interfaces as i on r.node_id=i.node_id ".
"left join users as u on e.swapper_idx=u.uid_idx ". "left join users as u on e.swapper_idx=u.uid_idx ".
" where i.IP!='NULL' and ". " where i.IP!='NULL' and ".
" i.role='" . TBDB_IFACEROLE_CONTROL() . "' ". " i.role='" . TBDB_IFACEROLE_CONTROL() . "' ".
" and (nodes.role='testnode' or nodes.role='virtnode')". " and (n.role='testnode' or n.role='virtnode')".
" and nt.isremotenode=0 ". " and nt.isremotenode=0 ".
"order by r.pid,e.gid,r.eid,u.admin,nodes.priority"); "order by r.pid,e.gid,r.eid,u.admin,n.priority");
my %ipgroups = (); my %ipgroups = ();
my %globalsmbshares = (); my %globalsmbshares = ();
...@@ -240,6 +241,8 @@ while ($row = $nodes_result->fetchrow_hashref) { ...@@ -240,6 +241,8 @@ while ($row = $nodes_result->fetchrow_hashref) {
my $isvirt = $row->{'isvirtnode'}; my $isvirt = $row->{'isvirtnode'};
my $shared = (defined($row->{'sharing_mode'}) ? 1 : 0); my $shared = (defined($row->{'sharing_mode'}) ? 1 : 0);
my $erole = $row->{'erole'}; my $erole = $row->{'erole'};
my $enonfs = $row->{'enonfs'};
my $nnonfs = $row->{'nnonfs'};
my %fslist = (); my %fslist = ();
my @dirlist = (); my @dirlist = ();
my @smbshares = (); my @smbshares = ();
...@@ -253,6 +256,10 @@ while ($row = $nodes_result->fetchrow_hashref) { ...@@ -253,6 +256,10 @@ while ($row = $nodes_result->fetchrow_hashref) {
next; next;
} }
# Skip nodes that belong to a "no nfs" experiment or are marked "no nfs".
next
if ($enonfs || $nnonfs);
# Skip non-shared virtnode nodes; NFS mounts are handled differently. # Skip non-shared virtnode nodes; NFS mounts are handled differently.
next next
if ($isvirt && !$shared); if ($isvirt && !$shared);
......
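Review bot: The new skip at the top of the @@ -253 hunk leaves the loop before anything is added for the node, so a node in a nonfs experiment (or flagged nonfs itself) gets no NFS export lines and, since the per-node `@smbshares` list declared just above is never filled either, presumably no Samba share lines as well; if SMB access is meant to survive nonfs, the skip should be narrowed to the NFS part, and if not, the comment should say so, e.g. `# Skip nodes that belong to a "no nfs" experiment or are marked "no nfs"; they get no NFS exports and no SMB shares.` Because this is now the server-side enforcement point the commit message relies on for security experiments, logging the skipped node when the script runs in a debug/verbose mode, if it has one, would make the resulting exports file auditable. Note that `$enonfs || $nnonfs` treats a NULL from the left join on experiments as "exports allowed", which matches tmcd's handling of the same columns. The enclosing while loop starts and ends outside the hunk.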
# -*- tcl -*- # -*- tcl -*-
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -121,6 +121,7 @@ proc tb-set-node-lan-backfill {node lan bw} {} ...@@ -121,6 +121,7 @@ proc tb-set-node-lan-backfill {node lan bw} {}
proc tb-set-lan-simplex-backfill {lan node tobw frombw} {} proc tb-set-lan-simplex-backfill {lan node tobw frombw} {}
proc tb-set-node-plab-role {node role} {} proc tb-set-node-plab-role {node role} {}
proc tb-set-node-plab-plcnet {node lanlink} {} proc tb-set-node-plab-plcnet {node lanlink} {}
proc tb-set-nonfs {onoff} {}
proc tb-set-dpdb {onoff} {} proc tb-set-dpdb {onoff} {}
proc tb-fix-interface {vnode lanlink iface} {} proc tb-fix-interface {vnode lanlink iface} {}
proc tb-set-node-usesharednode {node weight} {} proc tb-set-node-usesharednode {node weight} {}
......
#!/usr/local/bin/otclsh #!/usr/local/bin/otclsh
# #
# Copyright (c) 2000-2006, 2010 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -283,6 +283,10 @@ namespace eval GLOBALS { ...@@ -283,6 +283,10 @@ namespace eval GLOBALS {
variable elabinelab_eid {} variable elabinelab_eid {}
variable elabinelab_cvstag {} variable elabinelab_cvstag {}
variable elabinelab_singlenet 0 variable elabinelab_singlenet 0
variable elabinelab_fw_type "ipfw2-vlan"
# Disable NFS mounts for experiment?
variable nonfs 0
# Does user want a per-experiment DB? # Does user want a per-experiment DB?
variable dpdb 0 variable dpdb 0
......
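Review bot: `variable elabinelab_fw_type "ipfw2-vlan"` appears only on the new side of this hunk, has nothing to do with nonfs, and is not mentioned in the commit message; if it is intentional it deserves a sentence in the description or its own commit, otherwise it looks like a stray change. Unlike its neighbours `nonfs` and `dpdb` it also lacks a one-line comment; something like `# Firewall type for elab-in-elab experiments (presumably; confirm)` would bring it in line with the surrounding declarations.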
# -*- tcl -*- # -*- tcl -*-
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -528,6 +528,7 @@ Simulator instproc run {} { ...@@ -528,6 +528,7 @@ Simulator instproc run {} {
var_import ::GLOBALS::optarray_order var_import ::GLOBALS::optarray_order
var_import ::GLOBALS::optarray_count var_import ::GLOBALS::optarray_count
var_import ::GLOBALS::dpdb var_import ::GLOBALS::dpdb
var_import ::GLOBALS::nonfs
#for oml begin #for oml begin
var_import ::TBCOMPAT::oml_use_control var_import ::TBCOMPAT::oml_use_control
...@@ -802,6 +803,11 @@ Simulator instproc run {} { ...@@ -802,6 +803,11 @@ Simulator instproc run {} {
lappend values $security_level lappend values $security_level
} }
if {$nonfs} {
lappend fields "nonfsmounts"
lappend values $nonfs
}
if {$dpdb} { if {$dpdb} {
lappend fields "dpdb" lappend fields "dpdb"
lappend values $dpdb lappend values $dpdb
......
# -*- tcl -*- # -*- tcl -*-
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -2026,6 +2026,19 @@ proc tb-elab-in-elab {onoff} { ...@@ -2026,6 +2026,19 @@ proc tb-elab-in-elab {onoff} {
} }
} }
#
# Mark this experiment as not needing/wanting/allowed NFS mounts.
#
proc tb-set-nonfs {onoff} {
var_import ::GLOBALS::nonfs
if {$onoff} {
set nonfs 1
} else {
set nonfs 0
}
}
# #
# Mark this experiment as needing a per-experiment DB on ops. # Mark this experiment as needing a per-experiment DB on ops.
# #
......
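Review bot: The header comment on tb-set-nonfs says what the flag means but not what it does; since this is the user-facing switch, `# Mark this experiment as not needing/wanting/allowed NFS mounts: ops will not export the shared filesystems to its nodes and each node gets a minimal local homedir instead.` would document the contract the commit message describes. Separately, `if {$onoff}` relies on Tcl's boolean parsing, so a non-boolean argument (say `tb-set-nonfs maybe`, a constructed example) raises a raw Tcl error from inside the proc rather than a parse-time message naming the command; the neighbouring tb-set-dpdb appears to share this, so it is a pre-existing pattern rather than a regression.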
...@@ -3095,13 +3095,14 @@ COMMAND_PROTOTYPE(doaccounts) ...@@ -3095,13 +3095,14 @@ COMMAND_PROTOTYPE(doaccounts)
goto skipkeys; goto skipkeys;
/* /*
* Locally, everything is NFS mounted so no point in * Skip pubkeys locally unless the node/experiment has
* sending back pubkey stuff; it's never used except on CygWin. * no shared mounts (nonfsmounts), is a GENI sliver
* Add an argument of "pubkeys" to get the PUBKEY data. * (genisliver_idx), is running Windows ("windows" arg),
* An "windows" argument also returns a user's Windows Password. * or explicitly asks for them ("pubkeys" arg).
*/ */
#ifndef NOSHAREDFS #ifndef NOSHAREDFS
if (reqp->islocal && if (reqp->islocal &&
! reqp->nonfsmounts &&
! reqp->genisliver_idx && ! reqp->genisliver_idx &&
! reqp->sharing_mode[0] && ! reqp->sharing_mode[0] &&
! (strncmp(rdata, "pubkeys", 7) == 0 ! (strncmp(rdata, "pubkeys", 7) == 0
...@@ -6794,7 +6795,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6794,7 +6795,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" AS isdedicated_wa, " " AS isdedicated_wa, "
" r.genisliver_idx,r.tmcd_redirect, " " r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,n.uuid, " " r.sharing_mode,e.geniflags,n.uuid, "
" n.nonfsmounts " " n.nonfsmounts,e.nonfsmounts AS enonfs "
"FROM nodes AS n " "FROM nodes AS n "
"LEFT JOIN reserved AS r ON " "LEFT JOIN reserved AS r ON "
" r.node_id=n.node_id " " r.node_id=n.node_id "
...@@ -6823,7 +6824,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6823,7 +6824,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" (SELECT node_id FROM widearea_nodeinfo " " (SELECT node_id FROM widearea_nodeinfo "
" WHERE privkey='%s') " " WHERE privkey='%s') "
" AND notmcdinfo_types.attrvalue IS NULL", " AND notmcdinfo_types.attrvalue IS NULL",
36, nodekey); 37, nodekey);
} }
else if (reqp->isvnode) { else if (reqp->isvnode) {
char clause[BUFSIZ]; char clause[BUFSIZ];
...@@ -6859,7 +6860,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6859,7 +6860,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" u.admin,null, " " u.admin,null, "
" r.genisliver_idx,r.tmcd_redirect, " " r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,nv.uuid, " " r.sharing_mode,e.geniflags,nv.uuid, "
" nv.nonfsmounts " " nv.nonfsmounts,e.nonfsmounts AS enonfs "
"from nodes as nv " "from nodes as nv "
"left join nodes as np on " "left join nodes as np on "
" np.node_id=nv.phys_nodeid " " np.node_id=nv.phys_nodeid "
...@@ -6880,7 +6881,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6880,7 +6881,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
"left join users as u on " "left join users as u on "
" u.uid_idx=e.swapper_idx " " u.uid_idx=e.swapper_idx "
"where nv.node_id='%s' and (%s)", "where nv.node_id='%s' and (%s)",
36, reqp->vnodeid, clause); 37, reqp->vnodeid, clause);
} }
else { else {
char clause[BUFSIZ]; char clause[BUFSIZ];
...@@ -6909,7 +6910,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6909,7 +6910,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" as isdedicated_wa, " " as isdedicated_wa, "
" r.genisliver_idx,r.tmcd_redirect, " " r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,n.uuid, " " r.sharing_mode,e.geniflags,n.uuid, "
" n.nonfsmounts " " n.nonfsmounts,e.nonfsmounts AS enonfs "
"from interfaces as i " "from interfaces as i "
"left join nodes as n on n.node_id=i.node_id " "left join nodes as n on n.node_id=i.node_id "
"left join reserved as r on " "left join reserved as r on "
...@@ -6937,7 +6938,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -6937,7 +6938,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" on n.type=dedicated_wa_types.type " " on n.type=dedicated_wa_types.type "
"where (%s) " "where (%s) "
" and notmcdinfo_types.attrvalue is NULL", " and notmcdinfo_types.attrvalue is NULL",
36, clause); 37, clause);
} }
if (!res) { if (!res) {
...@@ -7060,8 +7061,10 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey) ...@@ -7060,8 +7061,10 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
reqp->iscontrol = (! strcasecmp(row[10], "ctrlnode") ? 1 : 0); reqp->iscontrol = (! strcasecmp(row[10], "ctrlnode") ? 1 : 0);
/* nonfsmounts */ /* nonfsmounts - per-experiment disable overrides per-node setting */
if (row[35]) if (row[36] && atoi(row[36]) != 0)
reqp->nonfsmounts = atoi(row[36]);
else if (row[35])
reqp->nonfsmounts = atoi(row[35]); reqp->nonfsmounts = atoi(row[35]);
else else
reqp->nonfsmounts = 0; reqp->nonfsmounts = 0;
......
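Review bot: The column position of the new `e.nonfsmounts AS enonfs` field is encoded by hand in four places — the literal 37 passed after each of the three iptonodeid queries and the `row[35]`/`row[36]` indices in the @@ -7060 hunk — so a column later added to one query but not the others would silently shift which field is read as nonfsmounts, which is a security-relevant flag here. A short comment on each column line, e.g. `" n.nonfsmounts,e.nonfsmounts AS enonfs " /* row[35], row[36] */`, would keep the four in sync. iptonodeid starts and ends outside these hunks, as does the doaccounts function containing the first hunk.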