1. 09 Aug, 2013 6 commits
    • Leigh Stoller's avatar
    • Leigh Stoller's avatar
      Remove code that extends slice lifetime, and fix underlying bug. · 60a34cdf
      Leigh Stoller authored
      We currrently have a few cases where a slice record exists, but
      no sliver, and so Renew was failing. Since we store all of the
      expiration in the slice record, we do not actually need to have
      an aggregate, so remove the check.
      60a34cdf
    • Leigh Stoller's avatar
      Add setexpiration script. · 8b6d018c
      Leigh Stoller authored
      8b6d018c
    • Leigh Stoller's avatar
      New script to set geni_slice expiration_max,renew_limit, and idle. · 5c417cf4
      Leigh Stoller authored
      Usage: setexpiration [-f] [-m <time> | -M] [-e <datetime> | -E] [-i | -I] <slice>
      Options:
        -f      - Force operation even it makes no sense.
        -m      - Max increment time for a renew. In minutes.
                  Use zero to allow anything. Use "null" to clear.
                  Use "NN days" or "NN hours" also.
        -M      - Clear max increment time for a renew.
        -e      - Termination date; sliver may not be renewed past this
                  date. Use standard date format (YYYY-MM-DD HH:MM:SS)
        -E      - Clear max termination date.
        -i      - Set 'idle ignore'; no idle checks or email.
        -I      - Turn idle checks back on.
      5c417cf4
    • Leigh Stoller's avatar
      01eedf62
    • Leigh Stoller's avatar
      I added two new actions to PerformOperationalAction, which appear to · cfd1974a
      Leigh Stoller authored
      work fine when the nodes are behaving themselves.
      
      1) geni_update_users: Takes a slice credential and a keys argument. Can
        only be invoked when the sliver is in the started/geni_ready state.
        Moves the slice to the geni_updating_users state until all of the
        nodes have completed the update, at which time the sliver moves back
        to started/geni_ready.
      
      2) geni_updating_users_cancel: We can assume that some nodes will be whacky
        and will not perform the update when told to. This cancels the
        update and moves the sliver back to started/geni_ready.
      
      A couple of notes:
      
      * The current emulab node update time is about three minutes; the
        sliver is in this new state for that time and cannot be restarted or
        stopped. It can of course be deleted.
      
      * Should we allow restart while in the updating phase? We could, but
        then I need more bookkeeping.
      
      * Some nodes might not be running the watch dog, or might not even be
        an emulab image, so the operation will never end, not until
        canceled. I could add a timeout, but that will require a monitor or
        adding DB state to store the start time.
      cfd1974a
  2. 08 Aug, 2013 1 commit
  3. 23 Jul, 2013 2 commits
    • Leigh Stoller's avatar
      Minor bug fix. · a1207790
      Leigh Stoller authored
      a1207790
    • Leigh Stoller's avatar
      ABAC Speaksfor credential support. · 60274694
      Leigh Stoller authored
      The CM can now receive either an ABAC or a non-ABAC speaksfor
      credential in the list of credentials. Thanks to Gary for getting
      libabac built on boss so that I could use it! The AM probably needs a
      little bit more work since it has a few V3 places where it does not
      invoke CMV2 directly, but that should be easy to fix; all of the AMV2
      functions will work tough.
      
      Caveat; I don't bother to look at the speaksfor option; if we get a
      speaksfor credential, I figure it was cause the user wants to use it!
      
      I added a hacky script called genspeaksfor to create a proper speaks
      for credential that allows me to speak for another user. For example:
      
      	genspeaksfor -a urn:publicid:IDN+emulab.net+user+leebee \
      	         urn:publicid:IDN+emulab.net+user+stoller
      
      which generates an ABAC speaks for credential that allows me to spead
      for leebee. To use the PG test scripts with this credential:
      
      	createsliver.py* -S speaksfor.cred -s slice.cred
      
      Where slice.cred is a plain slice credential issued to leebee and then
      given to me via an out of band mechanism (:-).
      60274694
  4. 22 Jul, 2013 5 commits
  5. 19 Jul, 2013 1 commit
  6. 17 Jul, 2013 1 commit
  7. 11 Jul, 2013 7 commits
    • Leigh Stoller's avatar
      Implement speaksfor (non-abac) support. · 8d53b3fd
      Leigh Stoller authored
      CM V2 (and thus the AM) now accept a type=speaksfor credential along
      with regular credentials. When supplied, the speaksfor caller must be
      equal to the owner of the speaksfor credential and the target must be
      equal to the owner of the regular credential(s). All operations take
      place in the context of the spokenfor user.
      
      Added speaksfor slots to geni_slices,geni_aggregates and geni_tickets.
      Also to the history table. But these are just the most recent data.
      Each transaction is logged as normal, and the metadata now includes
      the speaksfor data and the log always includes all of the credentials.
      
      For testing, there is a new script in the scripts directory to
      generate a speaksfor credential. Not installed since it is really
      a hack. But to create one:
      
        perl genspeaksfor urn:publicid:IDN+emulab.net+user+leebee \
      	urn:publicid:IDN+emulab.net+user+stoller
      
      which generates a speaksfor credential that says stoller is speaking
      for leebee.
      
      Given a slice credential issued to leebee, the test scripts can be
      invoked as follows (by stoller):
      
        createsliver.py -S speaksfor.cred -s slice.cred -c leebee.cred
      
      A copy of leebee's self credential is needed simply cause of the test
      script's desire to talk to the SA (which does not support speaksfor).
      Not otherwise needed.
      
      Oh, not tested on the AM interface yet.
      8d53b3fd
    • Leigh Stoller's avatar
      Speaksfor changes; full logging of all destructive operations. · 748f2f66
      Leigh Stoller authored
      Also an upcall to add speaksfor metadata to logfile.
      748f2f66
    • Leigh Stoller's avatar
      Utility script to generate a speaksfor (non-abac) credential. · a625848e
      Leigh Stoller authored
      In this prototype, a speaksfor credential has type=speaksfor,
      owner=speaker/tool, target=user, and is signed by the user.
      a625848e
    • Leigh Stoller's avatar
      Minor changes to Tunnel functions. · f4c339ec
      Leigh Stoller authored
      f4c339ec
    • Leigh Stoller's avatar
      Add "speaksfor" to credential type array. · 261e469a
      Leigh Stoller authored
      261e469a
    • Leigh Stoller's avatar
      b726ffd2
    • Leigh Stoller's avatar
      Minor changes to support speaksfor (non-abac) operation. · 0b65e129
      Leigh Stoller authored
      Add -S option to supply a speaksfor credential.
      Other small changes to prevent superfluous calls to SA, which
      does not support speaksfor.
      0b65e129
  8. 08 Jul, 2013 2 commits
  9. 04 Jul, 2013 1 commit
  10. 02 Jul, 2013 1 commit
  11. 01 Jul, 2013 4 commits
  12. 28 Jun, 2013 3 commits
  13. 24 Jun, 2013 4 commits
  14. 20 Jun, 2013 2 commits
    • Leigh Stoller's avatar
      Add knobs. · 07aa0400
      Leigh Stoller authored
      07aa0400
    • Leigh Stoller's avatar
      Add XEN knobs: · a76fc359
      Leigh Stoller authored
          <sliver_type name="emulab-xen">
            <emulab:xen cores="1" ram="512" disk="8"/>
          </sliver_type>
      
      We currently ignore cores ... Ram in MB, disk in GB.
      a76fc359