Commit 5446760e authored by Mike Hibler's avatar Mike Hibler

Support "no NFS mount" experiments.

We have had the mechanism implemented in the client for some time and
available at the site-level or, in special cases, at the node level.
New NS command:

    tb-set-nonfs 1

will ensure that no nodes in the experiment attempt to mount shared
filesystems from ops (aka, "fs"). In this case, a minimal homedir is
created on each node with basic dotfiles and your .ssh keys. There will
also be empty /proj, /share, etc. directories created.

One additional mechanism that we have now is that we do not export filesystems
from ops to those nodes. Previously, it was all client-side and you could
mount the shared FSes if you wanted to. By prohibiting the export of these
filesystems, the mechanism is more suitable for "security" experiments.
parent acb151cc
#!/usr/bin/perl -wT
#
# Copyright (c) 2009-2012 University of Utah and the Flux Group.
# Copyright (c) 2009-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -135,7 +135,8 @@ my $debug = 0;
"elabinelab_singlenet" => 1,
"security_level" => 1,
"delay_capacity" => 1,
"dpdb" => 1);
"dpdb" => 1,
"nonfsmounts" => 1);
#
# Grab the virtual topo for an experiment.
......
......@@ -953,6 +953,7 @@ REPLACE INTO table_regex VALUES ('experiments','use_ipassign','int','redirect','
REPLACE INTO table_regex VALUES ('experiments','ipassign_args','text','regex','^[\\w\\s-]*$',0,255,NULL);
REPLACE INTO table_regex VALUES ('experiments','expt_name','text','redirect','default:fulltext',1,255,NULL);
REPLACE INTO table_regex VALUES ('experiments','dpdb','int','redirect','default:tinyint',0,1,NULL);
REPLACE INTO table_regex VALUES ('experiments','nonfsmounts','int','redirect','default:tinyint',0,1,NULL);
REPLACE INTO table_regex VALUES ('experiments','description','text','redirect','default:fulltext',1,256,NULL);
REPLACE INTO table_regex VALUES ('experiments','idle_ignore','int','redirect','default:boolean',0,0,NULL);
......
#
# Add regex for experiments.nonfsmounts
#
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBQueryFatal("REPLACE INTO table_regex VALUES ".
" ('experiments','nonfsmounts','int','redirect',".
"'default:tinyint',0,1,NULL)");
return 0;
}
# Local Variables:
# mode:perl
# End:
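Review bot: This update only inserts the table_regex row for experiments.nonfsmounts; nothing visible in this commit adds the experiments.nonfsmounts column itself, yet exports_setup and tmcd.c now select `e.nonfsmounts`, so the column must already exist (or be created by a separate schema update) before those queries run under DBQueryFatal. If it comes from another update, state the dependency in the header comment, e.g. `# Requires the experiments.nonfsmounts column (added by the corresponding schema update)`. The regex bounds (min 0, max 1) are what keep the flag a strict boolean on input, which is worth one more line since tmcd treats any non-zero value as set.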
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -197,19 +197,20 @@ if ($WINSUPPORT) {
# avoid extra db queries (see lastpid/lastgid/lastadmin).
#
$nodes_result =
DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,i.IP,u.admin, ".
" r.sharing_mode,r.erole,nt.isvirtnode ".
DBQueryFatal("select r.node_id,r.pid,r.eid,e.gid,".
" e.nonfsmounts as enonfs,n.nonfsmounts as nnonfs,".
" i.IP,u.admin,r.sharing_mode,r.erole,nt.isvirtnode ".
"from reserved as r ".
"left join experiments as e on r.pid=e.pid and r.eid=e.eid ".
"left join nodes on r.node_id=nodes.node_id ".
"left join node_types as nt on nt.type=nodes.type ".
"left join nodes as n on r.node_id=n.node_id ".
"left join node_types as nt on nt.type=n.type ".
"left join interfaces as i on r.node_id=i.node_id ".
"left join users as u on e.swapper_idx=u.uid_idx ".
" where i.IP!='NULL' and ".
" i.role='" . TBDB_IFACEROLE_CONTROL() . "' ".
" and (nodes.role='testnode' or nodes.role='virtnode')".
" and (n.role='testnode' or n.role='virtnode')".
" and nt.isremotenode=0 ".
"order by r.pid,e.gid,r.eid,u.admin,nodes.priority");
"order by r.pid,e.gid,r.eid,u.admin,n.priority");
my %ipgroups = ();
my %globalsmbshares = ();
......@@ -240,6 +241,8 @@ while ($row = $nodes_result->fetchrow_hashref) {
my $isvirt = $row->{'isvirtnode'};
my $shared = (defined($row->{'sharing_mode'}) ? 1 : 0);
my $erole = $row->{'erole'};
my $enonfs = $row->{'enonfs'};
my $nnonfs = $row->{'nnonfs'};
my %fslist = ();
my @dirlist = ();
my @smbshares = ();
......@@ -253,6 +256,10 @@ while ($row = $nodes_result->fetchrow_hashref) {
next;
}
# Skip nodes that belong to a "no nfs" experiment or are marked "no nfs".
next
if ($enonfs || $nnonfs);
# Skip non-shared virtnode nodes; NFS mounts are handled differently.
next
if ($isvirt && !$shared);
......
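Review bot: The `next if ($enonfs || $nnonfs)` skip is the server-side enforcement the commit message describes, so its comment should say that rather than just "skip": `# Server-side enforcement of "no NFS": this node's control IP never enters an export group, so ops refuses the mount even if the client-side setting is bypassed.` Both values come from LEFT JOINs and may be undef, which `||` treats as "mounts allowed" — the intended default, but not obvious from the query alone. The while loop this hunk sits in starts and ends outside the hunk, so I cannot confirm that nothing earlier in the loop body has already recorded the node (e.g. in %ipgroups) before this check is reached.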
# -*- tcl -*-
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -121,6 +121,7 @@ proc tb-set-node-lan-backfill {node lan bw} {}
proc tb-set-lan-simplex-backfill {lan node tobw frombw} {}
proc tb-set-node-plab-role {node role} {}
proc tb-set-node-plab-plcnet {node lanlink} {}
proc tb-set-nonfs {onoff} {}
proc tb-set-dpdb {onoff} {}
proc tb-fix-interface {vnode lanlink iface} {}
proc tb-set-node-usesharednode {node weight} {}
......
#!/usr/local/bin/otclsh
#
# Copyright (c) 2000-2006, 2010 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -283,6 +283,10 @@ namespace eval GLOBALS {
variable elabinelab_eid {}
variable elabinelab_cvstag {}
variable elabinelab_singlenet 0
variable elabinelab_fw_type "ipfw2-vlan"
# Disable NFS mounts for experiment?
variable nonfs 0
# Does user want a per-experiment DB?
variable dpdb 0
......
# -*- tcl -*-
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -528,6 +528,7 @@ Simulator instproc run {} {
var_import ::GLOBALS::optarray_order
var_import ::GLOBALS::optarray_count
var_import ::GLOBALS::dpdb
var_import ::GLOBALS::nonfs
#for oml begin
var_import ::TBCOMPAT::oml_use_control
......@@ -802,6 +803,11 @@ Simulator instproc run {} {
lappend values $security_level
}
if {$nonfs} {
lappend fields "nonfsmounts"
lappend values $nonfs
}
if {$dpdb} {
lappend fields "dpdb"
lappend values $dpdb
......
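Review bot: `nonfsmounts` is appended to fields only when `$nonfs` is true, mirroring the dpdb block beneath it; if this fields/values list is ever used to update an existing experiments row (swap-modify) rather than insert a new one, clearing the flag with `tb-set-nonfs 0` would leave a stale 1 in the database. That direction is fail-safe (the experiment stays NFS-less), so it is not a security regression, but a comment would prevent surprise: `# Only written when set; a stale 1 on modify keeps the experiment NFS-less (fail-safe).` I cannot see from this hunk how fields/values are consumed, so confirm against the code that issues the query. The run method continues outside the hunk.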
# -*- tcl -*-
#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# Copyright (c) 2000-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -2026,6 +2026,19 @@ proc tb-elab-in-elab {onoff} {
}
}
#
# Mark this experiment as not needing/wanting/allowed NFS mounts.
#
proc tb-set-nonfs {onoff} {
var_import ::GLOBALS::nonfs
if {$onoff} {
set nonfs 1
} else {
set nonfs 0
}
}
#
# Mark this experiment as needing a per-experiment DB on ops.
#
......
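Review bot: The header comment on tb-set-nonfs says "not needing/wanting/allowed" but not what the flag actually does, which matters because this is the user-facing switch for the "security experiment" mode the commit describes. I would replace it with a comment stating that, when set, nodes skip mounting the shared filesystems from ops (a minimal home directory with dotfiles and .ssh keys is created instead) and that ops will not export those filesystems to the experiment's nodes at all, so the restriction is enforced server-side rather than by the client alone. It is also worth noting that the value is normalised to 0/1 here, so any value Tcl's `if` accepts as a boolean is fine on input.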
......@@ -3095,13 +3095,14 @@ COMMAND_PROTOTYPE(doaccounts)
goto skipkeys;
/*
* Locally, everything is NFS mounted so no point in
* sending back pubkey stuff; it's never used except on CygWin.
* Add an argument of "pubkeys" to get the PUBKEY data.
* An "windows" argument also returns a user's Windows Password.
* Skip pubkeys locally unless the node/experiment has
* no shared mounts (nonfsmounts), is a GENI sliver
* (genisliver_idx), is running Windows ("windows" arg),
* or explicitly asks for them ("pubkeys" arg).
*/
#ifndef NOSHAREDFS
if (reqp->islocal &&
! reqp->nonfsmounts &&
! reqp->genisliver_idx &&
! reqp->sharing_mode[0] &&
! (strncmp(rdata, "pubkeys", 7) == 0
......@@ -6794,7 +6795,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" AS isdedicated_wa, "
" r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,n.uuid, "
" n.nonfsmounts "
" n.nonfsmounts,e.nonfsmounts AS enonfs "
"FROM nodes AS n "
"LEFT JOIN reserved AS r ON "
" r.node_id=n.node_id "
......@@ -6823,7 +6824,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" (SELECT node_id FROM widearea_nodeinfo "
" WHERE privkey='%s') "
" AND notmcdinfo_types.attrvalue IS NULL",
36, nodekey);
37, nodekey);
}
else if (reqp->isvnode) {
char clause[BUFSIZ];
......@@ -6859,7 +6860,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" u.admin,null, "
" r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,nv.uuid, "
" nv.nonfsmounts "
" nv.nonfsmounts,e.nonfsmounts AS enonfs "
"from nodes as nv "
"left join nodes as np on "
" np.node_id=nv.phys_nodeid "
......@@ -6880,7 +6881,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
"left join users as u on "
" u.uid_idx=e.swapper_idx "
"where nv.node_id='%s' and (%s)",
36, reqp->vnodeid, clause);
37, reqp->vnodeid, clause);
}
else {
char clause[BUFSIZ];
......@@ -6909,7 +6910,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" as isdedicated_wa, "
" r.genisliver_idx,r.tmcd_redirect, "
" r.sharing_mode,e.geniflags,n.uuid, "
" n.nonfsmounts "
" n.nonfsmounts,e.nonfsmounts AS enonfs "
"from interfaces as i "
"left join nodes as n on n.node_id=i.node_id "
"left join reserved as r on "
......@@ -6937,7 +6938,7 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
" on n.type=dedicated_wa_types.type "
"where (%s) "
" and notmcdinfo_types.attrvalue is NULL",
36, clause);
37, clause);
}
if (!res) {
......@@ -7060,8 +7061,10 @@ iptonodeid(struct in_addr ipaddr, tmcdreq_t *reqp, char* nodekey)
reqp->iscontrol = (! strcasecmp(row[10], "ctrlnode") ? 1 : 0);
/* nonfsmounts */
if (row[35])
/* nonfsmounts - per-experiment disable overrides per-node setting */
if (row[36] && atoi(row[36]) != 0)
reqp->nonfsmounts = atoi(row[36]);
else if (row[35])
reqp->nonfsmounts = atoi(row[35]);
else
reqp->nonfsmounts = 0;
......
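Review bot: The precedence at `if (row[36] && atoi(row[36]) != 0)` is asymmetric: the experiment flag can only turn nonfsmounts on, and a per-node nonfsmounts=1 still wins when the experiment value is 0 or NULL, which is the fail-safe direction but not what "overrides" in the new comment suggests. Make the comment precise, e.g. `/* nonfsmounts: set if either the experiment (row[36], NULL for unreserved nodes) or the node (row[35]) asks for it; an experiment value of 0 does not clear a per-node 1 */`. All three queries append `e.nonfsmounts AS enonfs` as the 37th column and the counts were bumped to 37, so row[36] is consistent across them; the repeated `atoi(row[36])` could reuse the value from the test, but that is cosmetic. iptonodeid continues beyond the hunk.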