1. 21 Jun, 2018 1 commit
  2. 30 Oct, 2017 1 commit
  3. 12 Oct, 2017 1 commit
  4. 21 Aug, 2017 2 commits
    • Improve logging of m2crypto exceptions. · 97d9ad15
      David Johnson authored
      m2crypto's default SSLServer.handle_error function was just printing to
      stdout; that is an easy fix.  However, what is hard is associating the
      Exception with a client_address due to the
      socket/M2Crypto.SSL.Connection abstraction abuse.  Lots of stuff
      happens in Connection.accept(), and if an Exception is raised in there,
      no client_address is returned to the caller (i.e. handle_request()).
      m2crypto does a real disservice by overlaying the socket API and thus
      masking so many customization points that any real user would want to use.
      97d9ad15
    • Adjust client SSL timeout and default again. · fd4dedfe
      David Johnson authored
      Bump the SSL accept phase to 3 seconds to be a tad more gracious to
      legitimately-slow clients.  Also restore the default SSL timeout to None
      (i.e. whatever the underlying default timeout is).
      fd4dedfe
  5. 19 Aug, 2017 1 commit
  6. 18 Aug, 2017 1 commit
  7. 01 Jun, 2017 1 commit
    • Another mysql 5.7 fix for this one: · c09b81f3
      Leigh Stoller authored
      'Expression #1 of ORDER BY clause is not in SELECT list, references
       column 'tbdb.m.date_approved' which is not in SELECT list; this is
       incompatible with DISTINCT'
      c09b81f3
  8. 17 Apr, 2017 1 commit
  9. 03 Feb, 2016 1 commit
  10. 17 Aug, 2015 1 commit
  11. 29 Jul, 2015 1 commit
  12. 24 Jun, 2015 1 commit
    • Updates for new FreeBSD 10.1 based servers. · 480fdc70
      Mike Hibler authored
      Big changes a comin' to try to get us back on the supported path.
      
       * perl 5.14 -> 5.20
       * mysql 5.1 -> 5.5
       * php 5.4   -> 5.6
       * tcl 8.4   -> 8.6
       * number of vim patches up to 683.
      
      Not everything tested yet, but getting there.
      
      Specific changes:
      
       * New install/ports directory. New packages for FreeBSD 10.1 are version
         6.1. Cleaned up the ports' Makefiles getting rid of conditionals for
         all older versions. Also got rid of ports we don't use. Old ports tree
         is now install/oports.
      
       * Install script changes. Make sure /usr/bin/perl and /usr/local/bin/python
         links exist. Ports no longer make these but we use them in '#!'. Changes
         to mysql install and startup script--mysql has changed a LOT since we did
         the support in 4.x. Create syslog entry for named.log. Make sure php.conf
         loads the legacy "mysql" module rather than using "mysqli".
      
       * Elabinelab support. Reflect new packages, remove all old packages
         (except perl) before installing new versions, install "extras" package,
         make sure sendmail cert gets regenerated, make sure /usr/bin/perl link
         exists, make sure /usr/local/bin/python link exists.
      
       * Custom ports. otcl and xerces-c2 have both been removed from the ports
         tree as of Q2 2015. ipmitool-devel is a port for the latest version of
         ipmitool. The FreeBSD port is still a rev behind here. We need the
         newer version as it appears to make our SOL consoles more stable.
      
       * Random. Fixed prerender as neato output has changed again. Tweak to
         sslxmlrpc_server to reflect change in an underlying library. Tweak to
         db/libdb.py.in to turn on autocommit which matters now as mysql 5.5 will
         hang on a metadata lock otherwise. Remade eventsys perl/python stubs
         with SWIG 2.0. SWIG 1.3 did not produce working stubs for perl 5.20.
      
      Specific un-changes:
      
       * Apache is still at 2.2. I lack the guts and skilz to upgrade to 2.4.
      
       * Xerces library is still at (now unsupported) 2.8. Assign will need
         changes before we can move to 3.x.
      
       * Python is still 2.7.
      
      Thanks to Keith Sklower for all the work he did converting ports!
      480fdc70
  13. 14 Nov, 2012 1 commit
  14. 24 Sep, 2012 1 commit
    • Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to make the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
      6df609a9
  15. 21 Jun, 2012 2 commits
    • Fix to previous revision. · 2f4ba4e1
      Leigh Stoller authored
      2f4ba4e1
    • Horrible kludge for 16 group limit. · 03a4da39
      Leigh Stoller authored
      The geniuser is now over 16 groups, so try to figure out what project
      the action is going to take place, and use just those groups. This is
      temporary cause Mike says FreeBSD8 8 pushes the limit up to 1024.
      Yippie! When we upgrade, just revert this crap.
      03a4da39
  16. 23 Sep, 2010 1 commit
  17. 17 May, 2010 1 commit
  18. 22 Mar, 2010 1 commit
    • Finish up user deletion. The big visible change is that when a user is · 2965922b
      Leigh Stoller authored
      deleted, they still remain in the user table with a status of
      "archived", but since all the queries in the system now use uid_idx
      instead of uid, it is safe to reuse a uid since they are no longer
      ambiguous. 
      
      The reason for not deleting users from the users table is so that the
      stats records can refer to the original record (who was that person
      named "mike"). This is very handy and worth the additional effort it
      has taken.
      
      There is no way to resurrect a user, but it would not be hard to add.
      2965922b
  19. 17 Nov, 2008 1 commit
  20. 01 Oct, 2008 1 commit
  21. 15 Aug, 2008 1 commit
  22. 26 Jun, 2008 1 commit
  23. 21 Sep, 2007 1 commit
  24. 16 May, 2005 1 commit
  25. 15 Nov, 2004 2 commits
    • Catch and ignore OSError thrown by os.listdir() when adding dev trees · 643384a2
      Timothy Stack authored
      to the list of ALLOWED_PATHS.
      643384a2
    • ElabinElab changes: · 956b1d0d
      Leigh Stoller authored
      * sslxmlrpc_server.py: A rather gross hack that needs more thought;
        pass the client IP address to the emulabserver class instantiation,
        which is passed along to the new elabinelab module ...
      
      * emulabserver.py: A new class called elabinelab which exports some methods
        that are to be used by an inner elab. At present, the IP address of the
        client is passed along and a bunch of checks are made that restrict the
        client to the inner emulab boss node, with the credentials of the
        creator of the inner emulab. In other words, the ssl certificate of the
        elabinelab creator is placed on the inner boss, and all proxy
        operations are invoked with this certificate (as the creator) and
        only from the inner boss node.
      
        The elabinelab class currently exports two methods; a power method
        to power cycle an inner node; the command is handed off to the power
        command, which does the permission checks. Of course, the inner boss
        does its permission checks, but ultimately, the outer boss will
        allow the power cycle only if the client is allowed to power cycle the
        node.
      
        The other method exported is a vlans command to setup and destroy a
        set of vlans for an inner experiment. Permissions checks are modeled as
        above, with everything passed out to new snmpit.proxy script, which
        then invokes plain snmpit.
      956b1d0d
  26. 08 Nov, 2004 2 commits
  27. 07 Nov, 2004 2 commits
    • Remove debugging prints. · 3e1986a5
      Timothy Stack authored
      3e1986a5
    • Change to the SSL version of the event scheduler. · f95e336d
      Timothy Stack authored
      
        * db/libdb.py.in, xmlrpc/emulabserver.py.in: Only add the testbed
          library path to sys.path if it is not already there.
      
        * event/sched/GNUmakefile.in: Make the SSL version of the scheduler
          the default instead of the SSH version and statically link the
          executable.
      
        * event/sched/event-sched.c: Pass the default SSL port number (3069)
          to RPC_init.
      
        * event/sched/rpc.cc: Bring the SSL code up to date: read the cert
          from the user's home directory, make the connection persistent,
          and use TBROOT as the request path, so the development version of
          the XML-RPC library is used when appropriate.
      
        * xmlrpc/sslxmlrpc_server.py.in: Updated to let the user select from
          a set of allowed library paths where the 'emulabserver' module
          should be imported from.  Import the 'emulabserver' module after the
          fork so we always get the latest version of the module.  Twiddled
          the necessary bits to turn on persistent connection support.
      f95e336d
  28. 02 Sep, 2004 1 commit
  29. 01 Sep, 2004 3 commits
    • e2f62c8e
    • Reorder syslog statements slightly. · 37a19abb
      Leigh Stoller authored
      37a19abb
    • SSL version of the XMLRPC server. · a9c1045e
      Leigh Stoller authored
      * SSL based server (sslxmlrpc_server.py) that wraps the existing Python
        classes (what we export via the existing ssh XMLRPC server). I also have a
        demo client that is analogous to the ssh demo client (sslxmlrpc_client.py).
        This client looks for an ssl cert in the user's .ssl directory, or you can
        specify one on the command line. The demo client is installed on ops, and
        is in the downloads directory with the rest of the xmlrpc stuff we export
        to users. The server runs as root, forking a child for each connection and
        logs connections to /usr/testbed/log/sslxmlrpc.log via syslog.
      
      * New script (mkusercert) generates SSL certs for users. Two modes of
        operation; when called from the account creation path, generates an
        unencrypted private key and certificate for use on Emulab nodes (this is
        analogous to the unencrypted SSH key we generate for users). The other mode
        of operation is used to generate an encrypted private key so that the user
        can drag a certificate to their home/desktop machine.
      
      * New webpage (gensslcert.php3) linked in from the My Emulab page that
        allows users to create a certificate. The user is prompted for a pass
        phrase to encrypt the private key, as well as the user's current Emulab
        login password. mkusercert is called to generate the certificate, and the
        result is stored in the user's ~/.ssl directory, and spit back to the user
        as a text file that can be downloaded and placed in the user's homedir on
        their local machine.
      
      * The server needs to associate a certificate with a user so that it can
        flip to that user in the child after it forks. To do that, I have stored
        the uid of the user in the certificate. When a connection comes in, I grab
        the uid out of the certificate and check it against the DB. If there is a
        match (see below) the child does the usual setgid,setgroups,setuid to the
        user, instantiates the Emulab server class, and dispatches the method. At
        the moment, only one request per connection is dispatched. I'm not sure
        how to do a persistent connection on the SSL path, but probably not a big
        deal right now.
      
      * New DB table user_sslcerts that stores the PEM formatted certificates and
        private keys, as well as the serial number of the certificate, for each
        user. I also mark if the private key is encrypted or not, although not
        making any use of this data. At the moment, each user is allowed to get
        one unencrypted cert/key pair and one encrypted cert/key pair. No real
        reason except that I do not want to spend too much time on this until we
        see how/if it gets used. Anyway, the serial number is used as a crude form
        of certificate revocation. When the connection is made, I suck the serial
        number and uid out of the certificate, and look for a match in the table.
        If cert serial number does not match, the connection is rejected. In other
        words, revoking a certificate just means removing its entry from the DB
        for that user. I could also compare the certificate itself, but I am not
        sure what purpose that would serve since that is what the SSL handshake is
        supposed to take care of, right?
      
      * Updated the documentation for the XMLRPC server to mention the existence
        of the SSL server and client, with a pointer into the downloads directory
        where users can pick up the client.
      a9c1045e
  30. 27 Aug, 2004 1 commit
    • Guts of the new ssl server implemented. The server operates more or less · 5a025f36
      Leigh Stoller authored
      like this:
      
      * Listen for connections on port 3069. The server requires client
        authentication, and will fail if a certificate is not provided by
        the client.
      
      * Once the certificate is accepted, the server forks a new child.
      
      * The child looks inside the certificate to get the CN field of the
        Distinguished Name (subject). The CN field must hold the uid of the
        user, which is checked against the DB for a matching user. We get
        the groupslist from the DB, and do a setgid,setgroups,setuid to flip
        to the user in the child.
      
      * An instance of the emulabserver class is created, and the request is
        dispatched.
      
      I added an sslxmlrpc_client.py script that mirrors the ssh version of
      the client script. I could probably roll these into one, but decided
      not to, to avoid confusing people who might download it.
      5a025f36
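
The certificate-to-account flow described in commits a9c1045e and 5a025f36 above (uid taken from the CN, serial number checked against the DB as revocation, then setgid, setgroups, setuid in the forked child), as an added example that is not the project's own code. It assumes the TLS library has already verified the client chain and hands back the subject as attribute/value pairs; the two dictionaries are constructed stand-ins for the DB tables, and `authorize` and `drop_privileges` are hypothetical names.

```python
import os

# Constructed stand-in for the user_sslcerts table: uid -> serials still on file.
USER_SSLCERTS = {"alice": {0x1A2B, 0x1A2C}, "bob": {0x2001}}
# Constructed stand-in for the users table: uid -> (unix uid, gid, group list).
USERS = {"alice": (10001, 6000, [6000, 6010]), "bob": (10002, 6001, [6001])}


class AuthError(Exception):
    """Raised when a verified certificate does not map to an allowed account."""


def subject_cn(subject):
    """Return the CN from a parsed subject given as (attribute, value) pairs."""
    cns = [value for attr, value in subject if attr == "CN"]
    # Refuse ambiguous subjects rather than guessing which CN names the user.
    if len(cns) != 1 or not cns[0]:
        raise AuthError("subject must carry exactly one non-empty CN")
    return cns[0]


def authorize(subject, serial, certs=USER_SSLCERTS, users=USERS):
    """Map a certificate to (unix uid, gid, groups), or raise AuthError."""
    uid = subject_cn(subject)
    if uid not in users:
        raise AuthError("no such user")
    # Revocation by deletion: a serial that is no longer on file for this uid
    # is rejected even though the certificate still passes the TLS handshake.
    if serial not in certs.get(uid, ()):
        raise AuthError("serial not on file for this user")
    return users[uid]


def drop_privileges(unix_uid, gid, groups, _os=os):
    """Flip the forked child to the user before any request is dispatched.

    setuid goes last: once the process is no longer root, setgid and
    setgroups would be refused and the child would keep root's groups.
    """
    _os.setgid(gid)
    _os.setgroups(groups)
    _os.setuid(unix_uid)
    # Check that the flip took effect; a child that is still root must not
    # go on to instantiate the server class.
    if _os.getuid() != unix_uid or _os.geteuid() != unix_uid:
        raise AuthError("privilege drop did not take effect")
```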
  31. 23 Aug, 2004 1 commit
  32. 18 Aug, 2004 1 commit
    • Some rather crude privilege level hacks to allow admin people (real · c2a4acd4
      Leigh Stoller authored
      shells on boss) to use the rpc server without an agent running.
      Using the no-passphrase key, these changes allow us to use the server
      from ops in a very restricted manner. This change is temporary, until
      I have something better in place. In the meantime, admin people change
      their auth keys files on *boss* as such:
      
      command="/usr/testbed/sbin/sshxmlrpc_server.py -ro",from="ops.emulab.net" ... rest of emulab generated key ...
      
      Note the -ro argument; very important!
      c2a4acd4
  33. 03 Aug, 2004 1 commit
    • A couple more minor changes before I turn the new stuff loose. · 8fddf3ce
      Leigh Stoller authored
      * Added a wrapper class so that you can invoke methods as
        experiment.swapexp or node.reboot. So instead of invoking as
        /XMLRPC/experiment and calling swapexp, you can call the server as
        /XMLRPC and call experiment.swapexp. This allows you to use a single
        connection to talk to different parts of the API. Note this is standard
        (or is it de facto) syntax in XMLRPC.
      
      * Changed the demonstration client to talk the server this way.
      
      * Changed paperbag to allow this as well; the xmlrpc server is invoked with
        no args, which tells it to export the wrapper interface instead of a
        specific module interface.
      
      * A few more cleanups in the server, more permission checks, etc.
      8fddf3ce