1. 02 Jan, 2014 1 commit
    • Attempt to auto-configure NTP for server machines at install time. · cd4a03a5
      Mike Hibler authored
      The template configurations in the new ntpd subdir also address the
      recent NTP amplification attacks that have been going on recently.
      
      NTP configuration is controlled by a few defs-* variables:
      
      NTPSERVER: boss|ops|fs|<external-server-name-or-IP>
        Default: "ops"
        Normally, one of boss, ops, or fs is designated as a local NTP server
        but this can be set to a fully qualified name of some other machine.
        If NTPSERVER is set to an external server, then boss/ops/fs are made
        clients of that server just as any testbed node is.
      
      EXTERNAL_NTPSERVER[1-4]: <external-server-name-or-IP>
        Default: "[0-3].pool.ntp.org"
        If NTPSERVER is one of boss/ops/fs, then these values are used as the
        upstream servers for the local server. These can be changed to four of
        your favorite NTP servers.
      
      NTPDRIFTFILE: <path>
        Default: "/var/db/ntp.drift"
        If NTPSERVER is one of boss/ops/fs, then this is the name of the drift
        file for the local server.
  2. 12 Oct, 2013 1 commit
  3. 20 Dec, 2012 1 commit
  4. 06 Dec, 2012 1 commit
    • Support FreeBSD 8.3 for boss/ops install. · d6196ab5
      Mike Hibler authored
      Uses the "5.0" package set (like FBSD 9.0, but unlike FBSD 8.2) which
      includes perl 5.12, python 2.7 and apache 2.22. This is what will be
      installed on our boss and ops later this month.
      
      Some additional updates to the meta ports as well to make them "work better".
  5. 30 Nov, 2012 1 commit
    • More ARP lockdown related changes. · f4871f4a
      Mike Hibler authored
      Make sure sitevars get initialized on initial installation of an Emulab.
      Fixes to the update_sitevars script, mostly in case we someday want to
      run it on every testbed software install (which we do not do right now).
      
      For ops and fs there is a race with boss that prevents us from locking
      down ARP entries early. For now, we do the lock down later in the boot.
      If someone spoofs boss or the gateway before then, we will detect it
      when we request the ARP info via SSL-enabled tmcc.
  6. 28 Nov, 2012 1 commit
    • Another checkpoint of the firewall code. At this point, you can swapin · bd01da19
      Leigh Stoller authored
      a XEN based ElabInElab with boss and ops running firewall rules based
      on the ruleset we use on Utah's firewall. To turn this on, add this to
      your NS file:
      
      tb-set-elabinelab-attribute CONFIG_FIREWALL_BOSS "yep"
      tb-set-elabinelab-attribute CONFIG_FIREWALL_OPS  "yep"
      
      You do not have to define both.
  7. 24 Sep, 2012 1 commit
    • Replace license symbols with {{{ }}}-enclosed license blocks. · 6df609a9
      Eric Eide authored
      This commit is intended to make the license status of Emulab and
      ProtoGENI source files more clear.  It replaces license symbols like
      "EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
      blocks that contain actual license statements.
      
      This change was driven by the fact that today, most people acquire and
      track Emulab and ProtoGENI sources via git.
      
      Before the Emulab source code was kept in git, the Flux Research Group
      at the University of Utah would roll distributions by making tar
      files.  As part of that process, the Flux Group would replace the
      license symbols in the source files with actual license statements.
      
      When the Flux Group moved to git, people outside of the group started
      to see the source files with the "unexpanded" symbols.  This meant
      that people acquired source files without actual license statements in
      them.  All the relevant files had Utah *copyright* statements in them,
      but without the expanded *license* statements, the licensing status of
      the source files was unclear.
      
      This commit is intended to clear up that confusion.
      
      Most Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the Affero GNU General Public License, version 3
      (AGPLv3).
      
      Most Utah-copyrighted files related to ProtoGENI are distributed under
      the terms of the GENI Public License, which is a BSD-like open-source
      license.
      
      Some Utah-copyrighted files in the Emulab source tree are distributed
      under the terms of the GNU Lesser General Public License, version 2.1
      (LGPL).
  8. 01 Aug, 2012 1 commit
    • Support 64-bit FreeBSD on the server side. · 9036d314
      Mike Hibler authored
      NOTE: currently only for FreeBSD 7.3 installs because that is the only
      set of boss/ops/fs packages I have built so far!
      
      This mostly involved minor changes to event agents. Too often we were
      passing a pointer to a "long" to *get_int32, which on a 64-bit x86 OS would
      fill the wrong half of a 64-bit variable. There was also one instance of
      TCL code that had to be tweaked to account for 32- vs 64-bit.
      
      These changes also required regeneration of SWIG stubs and an ugly change
      to the SWIG generated code to use va_copy rather than direct assignment in
      a couple of places.
      
      Also related to SWIG is ensuring that the components that go into the
      perl/python stub .so files are built with PIC. The amd64 linker requires
      this.
      
      The meta-ports had to be changed to reflect that linuxthreads and
      ulsshxmlrpcpp don't work on amd64. The former had little effect as we
      had mostly eliminated uses of linuxthreads already. The one thing that
      did change was that we do not build nfstrace on amd64 (and we don't
      currently use this anyway). Removing ulsshxmlrpcpp required switching
      to the new event scheduler (event/new_sched) that Ryan did awhile back.
      Note that it is only "new" in the sense that it uses a standard XMLRPC
      package, there should be no functional differences. However, to be safe
      we only use new_sched as the standard scheduler on 64-bit server installs.
      
      Finally, added support to elabinelab setup to do a 64-bit server install.
      Just specify FBSD73-64-STD as the boss/ops/fs osid and rc.mkelab should
      do the rest.
      
      That is pretty much it other than some random nits here and there.
  9. 19 Jun, 2012 1 commit
    • Make frisbee more directly IGMP (v2) aware. · 66e07584
      Mike Hibler authored
      Add "-Q <interval>" option to the master server to allow it to act as an
      IGMP V2 querier in environments where there is otherwise not one. It does
      essentially what the perl-based querier (code.google.com/p/perl-igmp-querier/)
      does, sending out a v2 membership query at the specified interval.
      
      This eliminates the need to run mrouted in some environments (e.g., elabinelab)
      just to issue IGMP queries. As a result, all the boss-install and elabinelab
      setup related to using mrouted to perform this function has been removed.
      The elabinelab CONFIG_MROUTED option has been changed to CONFIG_QUERIER
      (the former is still recognized and mapped to the latter). The undocumented
      defs-* variable NEEDMROUTED has been changed to NEEDMCQUERIER (the former
      still exists in install/installvars.pm.in but is always set to 0) to more
      accurately reflect the variable's purpose. If NEEDMCQUERIER is set, then
      the mfrisbeed startup script is modified to add the "-Q 30" option.
      
      The implementation of the client and server "-K <interval>" keep-alive option
      has been changed to directly send IGMP v2 membership reports containing the
      associated MC address.
      
      Note that the -K options have always been a hack to work-around assorted
      IGMP-related misconfigurations and incompatibilities, and really should
      only be used as a last resort. As implemented, they could cause the host
      machine to be pruned out of other MC groups at the nearest switch since
      they only report membership in the frisbee MC group. With the master server
      acting as an IGMP querier, instances of the frisbee server on that host
      should no longer need to do keep alives. We still have one case where it
      is needed on the client-side: a FreeBSD 8.x or later host connected to an
      IGMPv2-only switch. It appears that the IGMPv3 implementation added in
      FreeBSD 8.x always sends v3 reports, even when the default is configured
      (via sysctl or even recompiling the kernel) as v2.
  10. 01 Jun, 2012 1 commit
  11. 30 Apr, 2012 1 commit
    • First cut at FreeBSD 9.0 support. · 1f83c9c6
      Mike Hibler authored
      Upgrade to perl 5.12 means no more "suidperl" (setuid perl scripts).
      So we now have yet another little wrapper (security/runsuid.c) which
      runs suid and whose sole function is to exec the perl script of the
      same name in the /usr/testbed/suidbin directory. So a formerly setuid
      perl script install now goes like:
        create /usr/testbed/sbin/mkproj as a symlink to /usr/testbed/libexec/runsuid
        install real mkproj perl script in /usr/testbed/suidbin/mkproj
      When the setuid-wrapper is invoked under the name "mkproj" it execs
      /usr/testbed/suidbin/mkproj. We could almost use sudo for this purpose
      instead (see security/sudoers.in) but sudo loses one of the groups in
      the group list.
      
      /usr/include/utmp.h is gone in FreeBSD 9.0. In most places we never
      needed it, but in the one case that did (tg source), it just used a
      couple of the constants exposed (UT_*) and not the struct, so I just
      hardwired values for the constants.
      
      The usual tweakage to the install stuff to reflect yet another set of
      packages!
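
The wrapper scheme described in the commit message above, sketched as an added example (this is not the project's security/runsuid.c, which the page does not show). The `/usr/testbed/suidbin` directory and the `runsuid` name come from the commit message; the name checks, the character whitelist and the fixed minimal environment are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SUIDBIN "/usr/testbed/suidbin"   /* directory named in the commit message */

/*
 * Map the name we were invoked under to the script in SUIDBIN.
 * Returns 0 and fills `out` on success, -1 if the name is unusable.
 * Only the basename of argv[0] is used, so the caller cannot steer
 * the wrapper to a path outside SUIDBIN.
 */
int resolve_target(const char *argv0, char *out, size_t outlen)
{
    const char *name, *p;

    if (argv0 == NULL)
        return -1;
    name = strrchr(argv0, '/');
    name = name ? name + 1 : argv0;

    if (*name == '\0' || *name == '.')      /* empty, ".", "..", dotfiles */
        return -1;
    if (strcmp(name, "runsuid") == 0)       /* run directly, not via a symlink */
        return -1;
    for (p = name; *p; p++)                 /* conservative character set (assumption) */
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.'))
            return -1;
    if ((size_t)snprintf(out, outlen, "%s/%s", SUIDBIN, name) >= outlen)
        return -1;                          /* truncated path: refuse */
    return 0;
}

int main(int argc, char **argv)
{
    char path[1024];
    /* Constructed minimal environment (assumption): nothing inherited from the caller. */
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };

    if (argc < 1 || resolve_target(argv[0], path, sizeof(path)) != 0) {
        fprintf(stderr, "runsuid: refusing to run under this name\n");
        return 1;
    }
    argv[0] = path;
    execve(path, argv, envp);
    perror(path);                           /* only reached if exec failed */
    return 1;
}
```
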
  12. 02 Apr, 2012 1 commit
  13. 27 Mar, 2012 1 commit
  14. 16 Mar, 2012 1 commit
  15. 15 Mar, 2012 2 commits
  16. 08 Mar, 2012 2 commits
  17. 07 Mar, 2012 1 commit
    • Add a NODECONSOLE defs* variable. · 2b46ad88
      Mike Hibler authored
      This is not as general or as useful as you might think.
      Right now it simply controls what device gets used as console when
      customizing the MFSes. "sio" is the default. Other choices correspond
      to pxeboot variants: sio2, vga, null. Choosing vga also sets the magic
      VGAONLY setting in the frisbee MFS ensuring that any customized (via slicefix)
      FreeBSD image doesn't try to use the serial port as console.
      
      A real solution for choosing node consoles would not be per-testbed.
      It would be per-node-type and per-node. Right now the console type is
      selected in that fashion via a combination of the pxe_boot_path and
      frisbee/admin MFS OSIDs. At some point we should make the console setting
      explicit.
  18. 06 Mar, 2012 2 commits
  19. 17 Feb, 2012 1 commit
    • BIG reorganization of the install code. · 82e1d812
      Leigh Stoller authored
      * Split up boss/ops/fs install into individual modules; generally, what
        was a toplevel phase in the original files is now a file. This
        allowed for better code/variable reuse. No longer monolithic, which
        makes it easy to test and rerun parts.
      
      * Incorporate "update" into the install process. Certain phase files
        can be used in update mode, as when the IP/subnet/domain changes.
      
      * Moved the MFS setup from rc.mkelab into the normal install process.
        Users no longer have to do this themselves. Good thing.
      
      * installvars.pm is a new library that has the merged set of the
        zillion variables that were at the top of boss/fs/ops install.