Context Navigation

Changes between Version 12 and Version 13 of FeddAbout

Timestamp:: Mar 19, 2014 11:40:22 AM (11 years ago)
Author:: faber
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

FeddAbout

-                      v12
+                      v13
 = Experiments =
 A federated experiment combines resources from multiple independently administered testbeds into a cohesive environment for experimentation.  Earlier versions of fedd enforced a !Master/Slave relationship with one emulab project exporting its environment to others.  While this model remains viable, current fedd implementations allow compositions of the services and views of the facilities as well as their resources.
+A federated experiment combines resources from multiple independently administered testbeds into a cohesive environment for experimentation.  How much the independent testbeds preserve their internal configurations is a matter of policy and experiment controller requests.  Most of the existing access controllers will allow a master testbed to export user and filesystem information into all segments when that is consistent with policy.  Local access controllers can configure their resources as they noremally would as well.
 Currently experiments can be described in the same ns2 syntax that DETER
+and Emulab use, except that additional annotations for the testbed on
+which to place each node have been added.  (The extension is
+set-node-testbed, and described elsewhere.)  Most users will specify experiments in this format, initially. The testbed name here is a
+local string meaningful to the experimenter.  Each fedd knows some set
+of such strings, and experimenters can also inform fedd of the
+appropriate mapping between local testbed name and fedd address to
+contact.
+uses. Most users will specify experiments in this format, initially.
 Fedd also understands experiments expressed in the [FeddPluginArchitecture#TopologyDescriptionLanguage topdl] language that it uses to communicate with facilities.
+An experimenter creates an experiment by presenting it to a fedd that
+knows him or her - usually the fedd on their local testbed - along with
+the master testbed name, local Emulab project to export and local
+mappings.  That fedd will map the local user into the global (testbed,
+project, user) namespace and acquire and configure resources to create
+the experiment.  A fedd may try different mappings of the experimenter
+into the global namespace in order to acquire all the resources.  For
+example a local experimenter may be a member of several local Emulab
+projects that map into different global testbed-scoped projects.
+Once created the user can gather information on the resources allocated to the experiment and where to access them.  (Experiments are identified by
+fedids).  The local name is mnemonic and can be used locally to access
+information about the experiment and to terminate it.  The experimenter
+can suggest a name when requesting experiment creation.
+In order to create a fedid, a key pair is created.  The public and
+private keys for the fedid representing the experiment are returned in
+an encrypted channel from fedd to the requesting experimenter.  The
+experimenter can use this key pair as a capability to grant access to the
+experiment to other users.
+An experimenter creates an experiment by presenting it to an experiment controller that knows him or her - usually the DETER experiment contoller or one on their local testbed. That controller will map the local user into the global (testbed, project, user) namespace and acquire and configure resources to create the experiment.  An experiment controller may try different mappings of the experimenter into the global namespace in order to acquire all the resources.  For example a local experimenter may be a member of several local DETER projects that different access controllers will accept.
 While an experiment exists, experimenters can access the nodes directly
 using the credentials passed back and can acquire information about the
+experiment's topology from fedd.  Only the experimenter who created it
+or one given the capability to manipulate it can get this information.
+Finally, fedd will terminate an experiment on behalf of the experimenter
+who created it, or one who has been granted control of it.  Fedd is
+responsible for deallocating the running experiments and telling the
+testbeds that this experimenter is done with their access.
+The `fedd` installation includes a [FeddCommands#Fedd_client.py command line program] that allows users to create and delete federated experiments.  We are currently developing other interfaces, including a [http://seer.isi.deterlab.net SEER ] interface.
+experiment's topology from the experiment controller.
 === Experiment Descriptions ===
 An experiment description is currently given in a slightly extended version of the [https://users.emulab.net/trac/emulab/wiki/nscommands ns2 dialect that is used for an Emulab experiment description.] Specifically, the `tb-set-node-testbed` command has been added.  Its syntax is:
+An experiment description is currently given in a slightly extended version of the [https://users.emulab.net/trac/emulab/wiki/nscommands ns2 dialect that is used for an DETER experiment description.] Specifically, the `tb-set-node-testbed` command has been added.  Its syntax is:
 {{{
 …
 In addition, `fedd` understands the `tb-set-default-failure-action` command.  This sets the default failure action for nodes in the experiment to one of '''fatal''', '''nonfatal''', or '''ignore'''.  Those values have the same meaning as in standard Emulabs. Nodes that do not have their failure mode reset by the `tb-set-node-failure-action` command will user the explicit default.  If no default is set, '''fatal''' is used.
-=== Federated Experiment Creation ===
-TO give an intuition for how `fedd` works, we present a sample experiment description and show how it would be turned into a federated experiment.  The experiment description is:
-{{{
-# simple DETER topology for playing with SEER
-set ns [new Simulator]
-source tb_compat.tcl
-set a [$ns node]
-set b [$ns node]
-set c [$ns node]
-set d [$ns node]
-set e [$ns node]
-set deter_os "FC6-STD"
-set deter_hw "pc"
-set ucb_os "FC6-SMB"
-set ucb_hw "bvx2200"
-tb-set-node-os $a $deter_os
-tb-set-node-testbed $a "deter"
-tb-set-hardware $a $deter_hw
-tb-set-node-os $b $deter_os
-tb-set-node-testbed $b "deter"
-tb-set-hardware $b $deter_hw
-tb-set-node-os $c $ucb_os
-tb-set-node-testbed $c "ucb"
-tb-set-hardware $c $ucb_hw
-tb-set-node-os $d $ucb_os
-tb-set-node-testbed $d "ucb"
-tb-set-hardware $d $ucb_hw
-tb-set-node-os $e $ucb_os
-tb-set-node-testbed $e "ucb"
-tb-set-hardware $e $ucb_hw
-set link0 [ $ns duplex-link $a $b 100Mb 0ms DropTail]
-set link1 [ $ns duplex-link $c $b 100Mb 0ms DropTail]
-set lan0 [ $ns make-lan "$c $d $e" 100Mb 0ms ]
-$ns rtproto Static
-$ns run
-}}}
-That experiment file generates the following topology:
-[[Image(example_topology.png)]]
-Each of the boxes is a node and the circle is a shared network.  Considering the values of the `set-node-testbed` calls, the experiment will be split up like this:
-[[Image(testbeds.png)]]
-The assignment of nodes to testbeds implicitly creates links (or networks) that must be connected across the wide area, and one of the key jobs of `fedd` is to create these connections.  Fedd splits the experiment description into two descriptions (one for each testbed), adds extra nodes and startcmds to create the shared experiment, and swaps them in.  The sub-experiments look something like these:
-{{{
-set ns [new Simulator]
-source tb_compat.tcl
-set a [$ns node]
-tb-set-hardware $a pc
-tb-set-node-os $a FC6-STD
-tb-set-node-tarfiles $a /usr /proj/emulab-ops//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $a "deter"
-tb-set-node-startcmd $a "sudo -H /usr/local/federation/bin/make_hosts /proj/emulab-ops/exp/bwfed/tmp//hosts >& /tmp/federate \$USER"
-tb-set-node-failure-action $a "fatal"
-set b [$ns node]
-tb-set-hardware $b pc
-tb-set-node-os $b FC6-STD
-tb-set-node-tarfiles $b /usr /proj/emulab-ops//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $b "deter"
-tb-set-node-startcmd $b "sudo -H /usr/local/federation/bin/make_hosts /proj/emulab-ops/exp/bwfed/tmp//hosts >& /tmp/federate \$USER"
-set control [$ns node]
-tb-set-hardware $control pc
-tb-set-node-os $control FC6-STD
-tb-set-node-tarfiles $control /usr /proj/emulab-ops//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $control "deter"
-tb-set-node-startcmd $control "sudo -H /usr/local/federation/bin/make_hosts /proj/emulab-ops/exp/bwfed/tmp//hosts >& /tmp/federate \$USER "
-tb-set-node-failure-action $control "fatal"
-# Link establishment and parameter setting
-set link0 [$ns duplex-link $a $b 100000kb 0.0ms DropTail]
-tb-set-ip-link $a $link0 10.1.1.2
-tb-set-ip-link $b $link0 10.1.1.3
-# federation gateway
-set ucbtunnel0 [$ns node ]
-tb-set-hardware $ucbtunnel0 pc3000_tunnel
-tb-set-node-os $ucbtunnel0 FBSD7-TVF
-tb-set-node-startcmd $ucbtunnel0 "sudo -H /usr/local/federation/bin/fed-tun.pl -f /proj/emulab-ops/exp/bwfed/tmp/`hostname`.gw.conf >& /tmp/bridge.log"
-tb-set-node-tarfiles $ucbtunnel0 /usr/ /proj/emulab-ops//tarfiles/bwfed/fedkit.tgz
-# Link establishment and parameter setting
-set link1 [$ns duplex-link $ucbtunnel0 $b 100000kb 0.0ms DropTail]
-tb-set-ip-link $ucbtunnel0 $link1 10.1.3.2
-tb-set-ip-link $b $link1 10.1.3.3
-$ns rtproto Session
-$ns run
-}}}
-{{{
-set ns [new Simulator]
-source tb_compat.tcl
-set c [$ns node]
-tb-set-hardware $c pc
-tb-set-node-os $c FC6-SMB
-tb-set-node-tarfiles $c /usr /proj/Deter//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $c "ucb"
-tb-set-node-startcmd $c "sudo -H /bin/sh /usr/local/federation/bin/federate.sh >& /tmp/startup \$USER "
-tb-set-node-failure-action $c "fatal"
-set d [$ns node]
-tb-set-hardware $d pc
-tb-set-node-os $d FC6-SMB
-tb-set-node-tarfiles $d /usr /proj/Deter//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $d "ucb"
-tb-set-node-startcmd $d "sudo -H /bin/sh /usr/local/federation/bin/federate.sh >& /tmp/startup \$USER "
-tb-set-node-failure-action $d "fatal"
-set e [$ns node]
-tb-set-hardware $e pc
-tb-set-node-os $e FC6-SMB
-tb-set-node-tarfiles $e /usr /proj/Deter//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $e "ucb"
-tb-set-node-startcmd $e "sudo -H /bin/sh /usr/local/federation/bin/federate.sh >& /tmp/startup \$USER"
-tb-set-node-failure-action $e "fatal"
-set f [$ns node]
-tb-set-hardware $f pc
-tb-set-node-os $f FC6-SMB
-tb-set-node-tarfiles $f /usr /proj/Deter//tarfiles/bwfed/fedkit.tgz
-# tb-set-node-testbed $f "ucb"
-tb-set-node-startcmd $f "sudo -H /bin/sh /usr/local/federation/bin/federate.sh >& /tmp/startup \$USER"
-tb-set-node-failure-action $f "fatal"
-# Create LAN
-set lan0 [$ns make-lan "$c $d $e " 100000kb 0.0ms ]
-# Set LAN/Node parameters
-tb-set-ip-lan $c $lan0 10.1.2.2
-tb-set-lan-simplex-params $lan0 $c 0.0ms 100000kb 0 0.0ms 100000kb 0
-# Set LAN/Node parameters
-tb-set-ip-lan $d $lan0 10.1.2.3
-tb-set-lan-simplex-params $lan0 $d 0.0ms 100000kb 0 0.0ms 100000kb 0
-# Set LAN/Node parameters
-tb-set-ip-lan $e $lan0 10.1.2.4
-tb-set-lan-simplex-params $lan0 $e 0.0ms 100000kb 0 0.0ms 100000kb 0
-# federation gateway
-set detertunnel0 [$ns node ]
-tb-set-hardware $detertunnel0 pc3000_tunnel
-tb-set-node-os $detertunnel0 FBSD7-TVF
-tb-set-node-startcmd $detertunnel0 "sudo -H /usr/local/federation/bin/fed-tun.pl -f /proj/Deter/exp/bwfed/tmp/`hostname`.gw.conf >& /tmp/bridge.log"
-tb-set-node-tarfiles $detertunnel0 /usr/ /proj/Deter//tarfiles/bwfed/fedkit.tgz
-# Link establishment and parameter setting
-set link1 [$ns duplex-link $c $detertunnel0 100000kb 0.0ms DropTail]
-tb-set-ip-link $c $link1 10.1.3.2
-tb-set-ip-link $detertunnel0 $link1 10.1.3.3
-$ns rtproto Session
-$ns run
-}}}
-The resulting topology across two testbeds looks like this:
-[[Image(federated_testbeds.png)]]
-The red nodes are the connector nodes inserted by `fedd`.  They both transfer experimental traffic verbatim and tunnel services, like a shared filesystem.  Exactly what gets tunneled and how the connections are made is a function of the federation kit, the topic of the next section.
-= Experiment Services =
-An important part of the cohesive experiment framework created by the DFA is the web of services interconnecting the sub experiments.  A service, in this context, is fairly liberally defined; it is any one of several pre-defined ways of sharing information statically or dynamically between sub-experiments.  Static information includes the accounts to create on various machines or the hostnames to export to sub-experiments.  Dynamic information includes mounting filesystems or connecting user experiment tools, like [http://seer.isi.deterlab.net SEER].
-Each service has an ''exporter'' the testbed that provides the service, and zero or more ''importers'', testbeds that use the information.  In addition, services can have attribute/value pairs as parameters.
-The specific services currently supported by fedd are:
- '''hide_hosts'''::
- By default, all hosts in the topology are visible across the experiment.  This allows some hosts to be completely local.  The hosts chosen are given by the hosts attribute.
- '''local_seer_control'''::
- Adds a local seer control node to sub-experiments in the exporting testbed.
- '''project_export'''::
- Exports the user configuration and filesystem named by the project attribute to the importing testbeds
- '''seer_master'''::
-  Adds a second seer controller to the exporting testbed that is capable of aggregating the inputs from several local seer masters.  To create a seer instance that sees several sub experiments, create a local_seer_control in each and export a seer_master to all.
- '''SMB'''::
-  Export a set of SMB/CIFS filesystems.
- '''userconfig'''::
-  Export the account information from a given project or group.  Currently accepts the project attribute for that purpose.
-Service advertisement, provision, and specification is an ongoing area of research in federation, and we expect these specifications to become more detailed and useful as that research progresses.
-= The Federation Kit =
-The federation kit is the software used by `fedd` to connect testbeds and tunnel services from the master to the other testbeds. Currently we have a single fedkit (available from the [FeddDownload download section]) that provides SSH tunnels to connect experimental testbeds at the ethernet layer, and that tunnels the emulab event system and provides shared file service via [http://en.wikipedia.org/wiki/Server_Message_Block SMB].  That fedkit runs on any FreeBSD or Linux image that provides the SMB file system.
-By splitting this function out, we intend to allow different installations of `fedd` to provide different interconnection and service tunneling function.  Currently the [FeddDownload DETER fedkit] is the only federation kit in use, and `fedd` defaults its startcmd options for use with it.
-The federation kit has 2 roles
- * Configuring experiment nodes to use [FeddAbout#ExperimentServices services], such as shared file systems.
- * Configuring portal nodes to connect experiments
-== Fedkit on Experiment Nodes ==
-On experiment nodes, the fedkit starts dynamic routing, and optionally configures user accounts and samba filesystems if they are in use.  The system expects the following software to be available:
- * quagga routing system (an old gated installation will also work)
- * samba-client
- * smbfs
-Those are the linux package names; equivalent FreeBSD packages will also work.  For software to be available is for it to be either installed or accessible using {{{yum}}} or {{{apt-get}}}.  DETER nodes have a local repository for that purpose.
-The fedkit is installed in {{{/usr/local/federation}}} and when run places a log in {{{/tmp/federate}}}.
-Services are initialized based on the contents of {{{/usr/local/federation/etc/client.conf}}}.  Possible values include:
- '''!ControlGateway'''::
-  The DNS name (or IP address) of the node that will forward services
- '''Hide''':
-  Do nat add this node to the node's view of the experiment.  Used for [FeddMulti multi-party experiments].
- '''!PortalAlias'''::
-  A name that will be mapped to the same IP address as the control gateway.  SEER in particular expects nodes with certain functions to have certain names.
- '''!ProjectUser'''::
-  The local user under which to mount shared project directories
- '''!ProjectName'''::
-  Project name to derive shared project directories from
- '''Service'''::
-  a string naming the [FeddAbout#ExperimentServices services] to initialize.
- '''SMBShare'''::
-  The name of the share to mount
-== Fedkit on Portal Nodes ==
-On portal nodes the fedkit uses ssh to interconnect the segments and bridges traffic at layer 2.  If the portal node is a Linux image it needs to have the {{{bridge-tools}}} package available.  Like the fedkit on experiment nodes, it will attempt to load that software from repositories if it is not present.
-The fedkit configures the portal based on the contents of a configuration file containing the following parameters:
- '''active'''::
-  a boolean.  If true this portal will initiate ssh connections to its peer.
- '''nat_partner'''::
-  a boolean.  If true the fedkit's peer is behind a network address translator.  Not used yet.
- '''tunnelip'''::
-  a boolean.  If true use the DETER system for binding external addresses.
- '''peer'''::
-  a string.  A list of DNS names or IP addresses.  Usually this is one value, the DNS name of the peer, but passive ends of NATted portals may use a list of addresses to establish routing.
- '''ssh_pubkey'''::
-  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
- '''ssh_privkey'''::
-  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
-The passive portal node establishes routing connectivity to the active end, reconfigures the local sshd to allow link layer forwarding and to allow the active end to remotely configure it, and waits.  The active end connects through ssh, establishes a link layer forwarding tunnel and bridges that to the experimental interface.  It also forwards ports to connect experiment services.
-= Interfaces to fedd =
-The fedd interfaces are completely specified in WDSL and SOAP bindings.
-For simplicity and backward compatibility, fedd can export the same
-interfaces over XMLRPC, where the message formats are trivial
-translations.
-All fedd accesses are through HTTP over SSL.  Fedd can support
-traditional SSL CA chaining for access control, but the intention is to
-use self-signed certificates representing fedids.  The fedid semantics
-are always enforced.
-There are also several internal interfaces also specified in WSDL/SOAP
-and accessible through XMLRPC used to simplify the distributed
-implementation of fedd.  You can read about those in the [FeddDevelop development section].