1. 16 Jan, 2018 1 commit
  2. 22 Nov, 2017 3 commits
  3. 19 Nov, 2017 1 commit
  4. 09 Nov, 2017 1 commit
    • Introduce a "failed" state for resource allocation. · 7e13f79b
      Mike Hibler authored
      If a background resource allocation fails, we put the lease in the "failed"
      state instead of destroying it. There were some ripple effects, specifically,
      the lease_daemon now checks for "failed" leases and sends messages to us at
      the same frequency as for "unapproved" leases. The correct response here is
      almost certainly to destroy the lease, though you can put it back in the
      "unapproved" state (via modlease) and try to approve it to see what happened.
      
      Also add background mode to approvelease since it can do time consuming
      resource allocation.
      
      Nit: cleanup logfiles used in background operation.
      7e13f79b
  5. 12 Sep, 2017 1 commit
  6. 06 Sep, 2017 1 commit
    • Implement slightly different policy for root keypair distribution. · 9a4eb5dc
      Mike Hibler authored
      If the site default is "distribute both keys to all nodes" (1), but the user
      specifies at least one explicit key distribution in an experiment, then
      default all the unspecified distributions for that experiment to "do not
      distribute." This avoids unexpected trust relationships with the unspecified
      nodes.
      9a4eb5dc
  7. 05 Sep, 2017 1 commit
  8. 30 Aug, 2017 1 commit
  9. 18 Aug, 2017 1 commit
  10. 27 Jul, 2017 1 commit
  11. 26 Jul, 2017 1 commit
    • Support for per-experiment root keypairs (Round 1). See issue #302. · c6150425
      Mike Hibler authored
      Provide automated setup of an ssh keypair enabling root to login without
      a password between nodes. The biggest challenge here is to get the private
      key onto nodes in such a way that a non-root user on those nodes cannot
      obtain it. Otherwise that user would be able to ssh as root to any node.
      This precludes simple distribution of the private key using tmcd/tmcc as
      any user can do a tmcc (tmcd authentication is based on the node, not the
      user).
      
      This version does a post-imaging "push" of the private key from boss using
      ssh. The key is pushed from tbswap after nodes are imaged but before the
      event system, and thus any user startup scripts, are started. We actually
      use "pssh" (really "pscp") to scale a bit better, so YOU MUST HAVE THE
      PSSH PACKAGE INSTALLED. So be sure to do a:
      
          pkg install -r Emulab pssh
      
      on your boss node. See the new utils/pushrootkeys.in script for more.
      
      The public key is distributed via the "tmcc localization" command which
      was already designed to handle adding multiple public keys to root's
      authorized_keys file on a node.
      
      This approach should be backward compatible with old images. I BUMPED THE
      VERSION NUMBER OF TMCD so that newer clients can also get back (via
      rc.localize) a list of keys and the names of the files they should be stashed
      in. This is used to allow us to pass along the SSL and SSH versions of the
      public key so that they can be placed in /root/.ssl/<node>.pub and
      /root/.ssh/id_rsa.pub respectively. Note that this step is not necessary for
      inter-node ssh to work.
      
      Also passed along is an indication of whether the returned key is encrypted.
      This might be used in Round 2 if we securely implant a shared secret on every
      node at imaging time and then use that to encrypt the ssh private key such
      that we can return it via rc.localize. But the client side script currently
      does not implement any decryption, so the client side would need to be changed
      again in this future.
      
      The per experiment root keypair mechanism has been exposed to the user via
      old school NS experiments right now by adding a node "rootkey" method. To
      export the private key to "nodeA" and the public key to "nodeB" do:
      
          $nodeA rootkey private 1
          $nodeB rootkey public 1
      
      This enables an asymmetric relationship such that "nodeA" can ssh into
      "nodeB" as root but not vice-versa. For a symmetric relationship you would do:
      
          $nodeA rootkey private 1
          $nodeB rootkey private 1
          $nodeA rootkey public 1
          $nodeB rootkey public 1
      
      These user specifications will be overridden by hardwired Emulab restrictions.
      The current restrictions are that we do *not* distribute a root pubkey to
      tainted nodes (as it opens a path to root on a node where no one should be
      root) or any keys to firewall nodes, virtnode hosts, delay nodes, subbosses,
      storagehosts, etc. which are not really part of the user topology.
      
      For more on how we got here and what might happen in Round 2, see:
      
          #302
      c6150425
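The key-distribution rules stated in commits 9a4eb5dc and c6150425, modelled as an added example (not Emulab code and not written by the commit author) that computes which root ssh paths result from a set of `rootkey` settings. The node dictionary layout, the role labels and the function names are assumptions made for this illustration, and only a site default of "both keys" versus "none" is modelled.

```python
# Added illustration, not Emulab code. Data layout, role labels and function
# names are hypothetical; the rules come from the two commit messages.

# Assumed labels for nodes that are not really part of the user topology.
INFRA_ROLES = {"firewall", "virthost", "delay", "subboss", "storagehost"}


def effective_distribution(nodes, site_default_both=True):
    """Return {node: {"private": bool, "public": bool}} after policy is applied.

    nodes maps a name to a dict with optional keys "private" and "public"
    (True/False when the user set them, absent when unspecified), plus
    "tainted" and "role".
    """
    any_explicit = any(
        n.get("private") is not None or n.get("public") is not None
        for n in nodes.values()
    )
    # 9a4eb5dc: one explicit setting turns every unspecified one into "none".
    fallback = site_default_both and not any_explicit
    result = {}
    for name, n in nodes.items():
        priv = fallback if n.get("private") is None else bool(n["private"])
        pub = fallback if n.get("public") is None else bool(n["public"])
        if n.get("role", "node") in INFRA_ROLES:
            priv = pub = False      # c6150425: no keys at all to these nodes
        if n.get("tainted"):
            pub = False             # c6150425: no root pubkey on tainted nodes
        result[name] = {"private": priv, "public": pub}
    return result


def root_ssh_paths(dist):
    """List (source, target) pairs where root on source can ssh to target."""
    return sorted(
        (a, b) for a in dist for b in dist
        if a != b and dist[a]["private"] and dist[b]["public"]
    )


# Constructed sample: the asymmetric case from the commit message plus one
# node the user said nothing about.
SAMPLE = {"nodeA": {"private": True}, "nodeB": {"public": True}, "nodeC": {}}

if __name__ == "__main__":
    print(root_ssh_paths(effective_distribution(SAMPLE)))
```

Listing the resulting paths before swap-in is a quick way to confirm that an unspecified node such as `nodeC` ends up with no root trust relationship.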
  12. 31 May, 2017 1 commit
  13. 22 May, 2017 1 commit
  14. 01 Feb, 2017 1 commit
  15. 12 Oct, 2016 1 commit
  16. 06 Oct, 2016 1 commit
  17. 12 Sep, 2016 1 commit
  18. 10 Jun, 2016 1 commit
  19. 06 May, 2016 1 commit
    • Add a node/node_type "cyclewhenoff" attribute. · c29cc790
      Mike Hibler authored
      This will be used by the power command to tell it to try to power on a
      machine that fails to "cycle". ipmitool (or IPMI) seems to fail by default
      if you try to cycle a powered-off node.
      c29cc790
  20. 25 Apr, 2016 1 commit
  21. 04 Apr, 2016 2 commits
  22. 28 Mar, 2016 1 commit
  23. 22 Feb, 2016 1 commit
  24. 05 Feb, 2016 3 commits
  25. 04 Feb, 2016 1 commit
    • Fix Node::HaveRoutableIPs. · f2e7e6f3
      Gary Wong authored
      It was checking the count of database rows (which would always have
      been 1), not the count of free addresses.
      f2e7e6f3
  26. 03 Feb, 2016 1 commit
    • Add support for multiple pre-reservations per project: · 103e0385
      Leigh Stoller authored
      When creating a pre-reserve, new -n option to specify a name for the
      reservation, defaults to "default". All other operations require an
      -n option to avoid messing with the wrong reservation. You are not allowed
      to reuse a reservation name in a project, of course. Priorities are
      probably more important now, we might want to change the default from 0 to
      something higher, and change all the current priorities.
      
      For bookkeeping, the nodes table now has a reservation_name slot that is
      set with the reserved_pid. This allows us to revoke the nodes associated
      with a specific reservation. Bonus feature is that when setting the
      reserved_pid via the web interface, we leave the reservation_name null, so
      those won't ever be revoked by the prereserve command line tool.
      
      New feature; when revoking a pre-reserve, we now look to see if nodes being
      revoked are free and can be assigned to other pre-reserves. We used to not
      do anything, and so had to wait until that node was allocated and released
      later, to see if it could move into a pre-reserve.
      
      Also a change required by node specific reservations; when we free a node,
      need to make sure we actually use that node, so have to cycle through all
      reservations in priority order until it can be used. We did not need to do
      this before.
      103e0385
  27. 01 Feb, 2016 1 commit
  28. 29 Jan, 2016 1 commit
    • New syntax for pre-reserving specific nodes: · 6be50741
      Leigh Stoller authored
      	boss> wap perl prereserve lbsbox pcxxx pcyyy ...
      
      Overall pre-reserve handling is unchanged; if there is another higher
      priority type pre-reserve, it will be filled first. Moral, be sure to think
      about the priority argument, which you had to do anyway.
      6be50741
  29. 28 Jan, 2016 1 commit
  30. 27 Jan, 2016 1 commit
  31. 16 Dec, 2015 1 commit
  32. 16 Nov, 2015 1 commit
  33. 10 Nov, 2015 1 commit
  34. 27 Aug, 2015 1 commit
  35. 29 Jul, 2015 1 commit