Changes between Version 5 and Version 6 of FeddConfigExamples


Timestamp: Jun 5, 2010 2:59:54 PM (14 years ago)
Author: faber
Comment: --
  • FeddConfigExamples

    v5 v6  
    33This page gives several `fedd` layouts and the configuration files that support them.  You can take them either as starting points from which to create your own configuration or as demonstrations of how the parameters in the [FeddConfig configuration files] and [FeddDatabases databases] work together.
    44
    5 == Static Access Only on Users ==
     5== Emulab Configurations ==
     6
     7=== Static Access Only on Users ===
    68
    79This is the simplest configuration of `fedd`, used to allow users of other testbeds to use resources from yours using pre-configured projects.  The layout assumes that for each [FeddAbout#GlobalIdentifiers:Three-levelName three-level name] you are willing to allow to use your testbed, you have set up a project that already has proper keys installed.  Because no local projects or local users need to be modified, `fedd` does not need access to boss.
     
    1618[globals]
    1719# Identify this fedd by the fedid encoded as a certificate file (user file protections to protect it)
    18  These types of node are not accessible by everyone
    19 restricted: rpc_30cert_file: /usr/local/etc/fedd/fedd.pem
     20cert_file: /usr/local/etc/fedd/fedd.pem
    2021# Provide service on port 23235
    2122services: 23235
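Review bot: the removed v5 line 19 (`restricted: rpc_30cert_file: /usr/local/etc/fedd/fedd.pem`) was two settings run together, and the removed v5 line 18 ("These types of node are not accessible by everyone") had no leading `#`, so neither would have parsed as intended; the replacement `cert_file:` line at v6 line 20 is the right fix. Since the comment at v6 line 19 says the certificate file carries the fedd's identity, it is worth stating explicitly that the file must be readable only by the fedd user, not merely "use file protections".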
     
    2728
    2829# Parameters for remote fedds to instantiate experiments
    29 boss: boss
    30 ops: users
    3130domain: .isi.deterlab.net
    32 fileserver: fs
    33 eventserver: event-server
    34 
    35 # This machine's URI to discriminate proxy requests
    36 testbed: https://users.isi.deterlab.net:23235
     31
    3732
    3833# The database that maps requester to local access projects (shown below)
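Review bot: after dropping `boss:`, `ops:`, `fileserver:`, `eventserver:` and `testbed:`, the comment at v6 line 29 ("Parameters for remote fedds to instantiate experiments") now heads only `domain: .isi.deterlab.net`; either reword it for the single remaining key or add a line saying where the boss/ops/fileserver/eventserver names now come from (defaults, or derived from `domain`). The removed v5 line 35 explained that `testbed:` was used "to discriminate proxy requests"; a sentence on how proxy requests are told apart without it would keep the example self-explanatory.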
     
    4944
    5045{{{
    51 # Overrides for the connector image and type
    52 attribute: connectorImage value: FBSD7-TVF
    53 attribute: connectorType value: pc3000_tunnel
    5446
    5547# map users from the given testbed in the Deter group into the local Federation project.  Experiments will
    5648# be created by the local user "fedd" and accessable by users with the same name as requesters.  This
    5749# will require coordination.
    58 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (Federation, fedd, <same>)
    59 }}}
    60 
    61 == Dynamic Keying only on Boss ==
     50(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> access, (Federation, fedd, <same>)
     51}}}
     52
     53=== Dynamic Keying only on Boss ===
    6254
    6355In this case there is still one running `fedd`, but it runs on `boss`, where it can add keys to user accounts and change project permissions.  While projects and users need to be kept in sync, the user keys need not.  The changes here are largely in the allocation section of the global configuration.
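Review bot: the mapping at v6 line 50 introduces the `-> access, (Federation, fedd, <same>)` form, but the comment block at v6 lines 47-49 still describes only the project/user part of the target; add one comment line saying what the `access` token selects so readers who copy this row know why it is there. Minor: "accessable" at v6 line 48 should be "accessible", and "This will require coordination" would be clearer if it said what has to be coordinated (matching user names on both testbeds).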
     
    8274
    8375# Parameters for remote fedds to instantiate experiments
    84 boss: boss
    85 ops: users
    8676domain: .isi.deterlab.net
    87 fileserver: fs
    88 eventserver: event-server
    89 
    90 # This machine's URI to discriminate proxy requests (NB: this runs on boss)
    91 testbed: https://boss.isi.deterlab.net:23235
    9277
    9378# The database that maps requester to local access projects (shown below)
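Review bot: the same comment/key mismatch as in the users configuration: v6 line 75 ("Parameters for remote fedds to instantiate experiments") now introduces only `domain:`. Also, the removed v5 line 90 ("NB: this runs on boss") was the only place inside the configuration that recorded which host this `fedd` runs on; since the prose at v6 line 55 still relies on that fact, consider keeping a one-line comment to that effect in the [access] section.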
     
    10994
    11095{{{
    111 # Overrides for the connector image and type
    112 attribute: connectorImage value: FBSD7-TVF
    113 attribute: connectorType value: pc3000_tunnel
    114 
    115 # Nodes of this type are not generally accessible
    116 restricted: rpc_3000
    117 
    11896# Additional keys may be added to these groups.  Note that when a user with emulab-ops as the project in their
    119 # three-level name accesses the testbed, the fedd project will be given access to the restricted node type
    120 # rpc_3000.  Requesters with Deter as the project will be unable to successfully request access to such nodes.
    121 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (Federation, fedd, <same>)
    122 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, emulab-ops, <any>) -> (Federation, fedd:rpc_3000, <same>)
    123 
    124 }}}
    125 
    126 == Dynamic Keying with Distributed Operation on Users and Boss ==
     97# three-level name accesses the testbed, the fedd project will be used.
     98(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> access, (Federation, fedd, <same>)
     99(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, emulab-ops, <any>) -> access, (Federation, fedd, <same>)
     100
     101}}}
     102
     103=== Dynamic Keying with Distributed Operation on Users and Boss ===
    127104
    128105In this case two `fedd`s are running.  The one on users accepts and evaluates access requests but calls out to the `fedd` on boss to do the manipulation of local testbed state.  Boss may choose to firewall all other hosts (except users) away from the fedd port, though the    `fedd` access controls will also protect access.  The situation looks like this:
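Review bot: at v6 lines 98-99 the Deter and emulab-ops rows now map to the identical target `(Federation, fedd, <same>)`, so the two rows no longer express any difference in access, while the comment at v6 lines 96-97 still starts with "Note that when a user with emulab-ops as the project ... accesses the testbed", which reads as if something special happens for that project. Either collapse the two rows into one with `<any>` as the project, or say in the comment why they are kept separate (for example, to restrict one of them later). "Additional keys may be added to these groups" at v6 line 96 would also benefit from naming which groups are meant.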
     
    145122
    146123# Parameters for remote fedds to instantiate experiments
    147 boss: boss
    148 ops: users
    149124domain: .isi.deterlab.net
    150 fileserver: fs
    151 eventserver: event-server
    152 
    153 # This machine's URI to discriminate proxy requests (NB: this runs on users)
    154 testbed: https://users.isi.deterlab.net:23235
    155125
    156126# The database that maps requester to local access projects (shown below)
     
    166136
    167137{{{
    168 # Overrides for the connector image and type
    169 attribute: connectorImage value: FBSD7-TVF
    170 attribute: connectorType value: pc3000_tunnel
    171 
    172 # Nodes of this type are not generally accessible
    173 restricted: rpc_3000
    174138
    175139# Additional keys may be added to these groups.  Note that when a user with emulab-ops as the project in their
    176 # three-level name accesses the testbed, the fedd project will be given access to the restricted node type
    177 # rpc_3000.  Requesters with Deter as the project will be unable to successfully request access to such nodes.
     140# three-level name accesses the testbed, the fedd project will be used.
    178141(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (Federation, fedd, <same>)
    179 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, emulab-ops, <any>) -> (Federation, fedd:rpc_3000, <same>)
     142(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, emulab-ops, <any>) -> (Federation, fedd, <same>)
    180143
    181144}}}
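Review bot: the rows at v6 lines 141-142 keep the old `-> (Federation, fedd, <same>)` form, whereas the corresponding rows at v6 lines 50 and 98-99 were changed to `-> access, (Federation, fedd, <same>)`; one of the two forms is presumably wrong for this version of the access DB, so make all three databases consistent. As in the boss database, both rows here map to the same target, and the comment at v6 line 139 ("the fedd project will be used") could note whether `<same>` requires the requester's user name to exist locally.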
     
    223186where that fedid is the one that the `users` `fedd` is identified by.
    224187
    225 == Dynamic Keying with Distributed Operation on Users and Boss and Experiment Control on Users ==
    226 
    227 Extending the previous configuration to also provide facilities for creating and managing federated experiments as well as allowing others to use this testbed's resources requires expanding the main configuration on users and adding a couple more databases.
    228 
    229 Specifically the `users` configuration becomes:
    230 
    231 {{{
    232 [globals]
    233 # Identify this fedd by the fedid encoded as a certificate file (user file protections to protect it)
    234 cert_file: /usr/local/etc/fedd/fedd.pem
    235 # Provide service on port 23235
    236 services: 23235
    237 
    238 [access]
    239 # Keep access state (which experiments are live) in this file
    240 # Be sure it is writeable by the fedd user
    241 access_state: /var/db/fedd/deter_access.state
    242 
    243 # Parameters for remote fedds to instantiate experiments
    244 boss: boss
    245 ops: users
    246 domain: .isi.deterlab.net
    247 fileserver: fs
    248 eventserver: event-server
    249 
    250 # This machine's URI to discriminate proxy requests (NB: this runs on users)
    251 testbed: https://users.isi.deterlab.net:23235
    252 
    253 # The database that maps requester to local access projects (shown below)
    254 accessdb: /usr/local/etc/fedd/deter_access
    255 
    256 [allocate]
    257 # Contact boss for allocations
    258 uri: https://boss.ucb.deterlab.net:23235
    259 
    260 [experiment_control]
    261 # Keys used to access the experiment creation testbed user account (may be installed
    262 # by that testbed's fedd)
    263 ssh_pubkey_file: /usr/local/etc/fedd/fedd_rsa.pub
    264 ssh_privkey_file: /usr/local/etc/fedd/fedd_rsa
    265 
    266 # Save experiment control state in case of loss of the process or machine
    267 experiment_state_file: ./deter.state
    268 
    269 # Which users can create experiments (see below)
    270 accessdb: /users/faber/fedd/exp_access_db
    271 
    272 # How users name testbeds
    273 mapdb: /users/faber/fedd/exp_map_db
    274 
    275 # Standard experiment instantiation software
    276 fedkit: /usr/local/etc/fedd/fedkit.tgz
    277 
    278 }}}
    279 
    280 The [FeddDatabases#ExperimentControlComponentAccessDB experiment control accessDB] in `/users/faber/fedd/exp_access_db` would look like:
    281 
    282 {{{
    283 # bwilson
    284 fedid:5bf3384e2cefca6ba8718958e488fe8bcbf1da2c->bwilson
    285 fedid:5bf3384e2cefca6ba8718958e488fe8bcbf1da2c->(ddos,bwilson)
    286 # jhickey
    287 fedid:29f0436dac012086ca50fe31afb7d746268aefce->jhickey
    288 fedid:29f0436dac012086ca50fe31afb7d746268aefce->(emulab-ops,jhickey)
    289 fedid:29f0436dac012086ca50fe31afb7d746268aefce->(routing,jhickey)
    290 fedid:29f0436dac012086ca50fe31afb7d746268aefce->(worm,jhickey)
    291 }}}
    292 
    293 and the [FeddDatabases#ExperimentNameMappingDB name mapping DB] in `/users/faber/fedd/exp_map_db` would look like:
    294 
    295 {{{
    296 deter:https://users.isi.deterlab.net:23235
    297 ucb:https://users.ucb.deterlab.net:23235
    298 }}}
    299 
    300 Other files on `users` and all files on `boss` would be unchanged from the previous configuration.
    301 
    302188There are other possible layouts, but hopefully these have highlighted the use of the various [FeddConfig configuration parameters] and their related  [FeddDatabases databases].
     189
     190== ProtoGENI Configuration ==
     191
     192
     193Basic ProtoGENI configuration
     194
     195{{{
     196[DEFAULT]
     197base: /usr/local/etc/fedd
     198
     199[access]
     200project_priority: false
     201log_level: debug
     202access_state: %(base)s/protoGENI_access.state
     203accessdb: %(base)s/protoGENI_access
     204certdir: %(base)s/certs
     205userconfdir: %(base)s/userconf
     206
     207domain: .emulab.net
     208renewal: 10080
     209
     210# Stage files on ops.emulab.net in a geni directory
     211staging_dir: /proj/geni/tarfiles
     212staging_host: ops.emulab.net
     213
     214# Some custom ssh settings, the one in use when this file was written was too old to support federation
     215sshd: /proj/geni/tarfiles/TIED/sshd
     216sshd_config: /proj/geni/tarfiles/TIED/sshd_config
     217ssh_port: 20200
     218
     219# The standard start commands
     220portal_startcommand: sudo -H /usr/bin/perl -I/usr/local/federation/lib /usr/local/federation/bin/combo.pl --use_file >& /tmp/bridge.log
     221node_startcommand: sudo -H /usr/bin/perl -I/usr/local/federation/lib /usr/local/federation/bin/federate.pl --install_samba >& /tmp/federate
     222smbshare: FS
     223
     224ch_url: https://www.emulab.net:443/protogeni/xmlrpc/ch
     225sa_url: https://www.emulab.net:443/protogeni/xmlrpc/sa
     226cm_url: https://www.emulab.net:443/protogeni/xmlrpc/cm/1.0
     227
     228
     229federation_software: /usr %(base)s/fedkit.tgz rpm %(base)s/python2.4-2.4-1pydotorg.i586.rpm
     230portal_software: /usr/local %(base)s/seer-all-current.tgz
     231
     232[allocate]
     233debug: true
     234log_level: debug
     235allocation_level: none
     236
     237[globals]
     238cert_file: %(base)s/fedd.pem
     239cert_pwd: alkdfh
     240services: 13234
     241
     242access_type: protogeni
     243
     244}}}
     245
     246Simple access database maps [FeddAbout#GlobalIdentifiers:Three-levelNames three names] to a certificate, username, ssh key, and ssh password.
     247{{{
     248(fedid:b55205ac843c40ce9c9feb3b358bff782ed337fd, TIED, <any> ) -> access, (/users/faber/fedd-config/protoGENI/ProtoGENI.pem, faber, /users/faber/fedd-config/protoGENI/fedd_rsa, aldkfh)
     249}}}
     250
     251== DRAGON configuration ==
     252
     253Here is a pretty standard dragon configuration:
     254
     255{{{
     256[DEFAULT]
     257base: /usr/local/etc/fedd
     258[access]
     259
     260project_priority: false
     261log_level: debug
     262access_state: %(base)s/dragon_access.state
     263accessdb: %(base)s/dragon_access
     264certdir: %(base)s/certs
     265userconfdir: %(base)s/userconf
     266type: dragon
     267
     268# Here is where the OSCARS software and support have been installed
     269cli_dir: %(base)s/OSCARS-client-api/examples/
     270axis2_home: %(base)s/axis2-1.4.1
     271
     272#The IDC where the certificate below is valid.
     273idc: https://idc.dragon.maxgigapop.net:8443/axis2/services/OSCARS
     274
     275
     276[allocate]
     277debug: true
     278log_level: debug
     279allocation_level: none
     280
     281[globals]
     282cert_file: %(base)s/fedd.pem
     283cert_pwd: lkajdgl
     284services: 23229
     285
     286access_type: dragon
     287}}}
     288
     289This access DB maps to a single repo directory that contains appropriate certificates (see the OSCARS documentation)
     290
     291{{{
     292(fedid:b55205ac843c40ce9c9feb3b358bff782ed337fd, <any>, mcgeer) -> access, (repo)
     293(fedid:b55205ac843c40ce9c9feb3b358bff782ed337fd, TIED, <any>) -> access, (repo)
     294}}}
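Review bot: the ProtoGENI and DRAGON examples at v6 lines 239 and 283 ship literal certificate passwords (`cert_pwd: alkdfh`, `cert_pwd: lkajdgl`), and the access row at v6 line 248 carries an ssh password (`aldkfh`) in clear text; even if these are throwaway values, replace them with obvious placeholders such as `<cert-password>` so nobody copies them verbatim, and add a sentence that the access DB file therefore needs the same restrictive permissions as `fedd.pem` and the ssh private key it points at. Two smaller points: the DRAGON configuration sets both `type: dragon` in [access] (v6 line 266) and `access_type: dragon` in [globals] (v6 line 286) while the ProtoGENI configuration sets only `access_type: protogeni` (v6 line 242), so say which key is authoritative or make the two examples agree; and `debug: true` / `log_level: debug` (v6 lines 233-234, 277-278) belong in an example but should be flagged as settings to turn off in production. The heading capitalisation also differs ("ProtoGENI Configuration" vs "DRAGON configuration"), and the removed experiment control section leaves the closing sentence at v6 line 188 claiming the examples cover "the various configuration parameters" although the [experiment_control] section is no longer shown anywhere on the page.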