Changes between Version 27 and Version 28 of FeddDownload

Timestamp:

Jun 10, 2014 3:32:53 PM (10 years ago)

Author:

faber

Comment:

--

FeddDownload

@@ +1 @@
+[[TOC()]]
 
 = Downloading and Installing fedd =
@@ -48 +49 @@
 
 {{{
-$ tar xzf -C /tmp fedd-3.50b.tar.gz
-$ cd /tmp/fedd-3.50b
+$ tar xzf -C /tmp fedd-4.00b.tar.gz
+$ cd /tmp/fedd-4.00b
 $ sudo python ./setup.py install
 $ cd 
-$ sudo rm -rf /tmp/fedd-3.50b
+$ sudo rm -rf /tmp/fedd-4.00b
 }}}
 
@@ -58 +59 @@
 scripts:
  `/usr/local/bin/access_to_abac.py`::
-  [wiki:FeddABAC#access_to_abac.py converts] existing access controller DBs to ABAC. 
+  [wiki:FeddABAC#access_to_abac.py converts] access controller authorization databases to ABAC. 
  `/usr/local/bin/cert_to_fedid.py`::
   create a self-signed certificate from an existing hierarchical X.509 certificate and key.
- `/usr/local/bin/confirm_sshkey.py`::
-  used in certain static project installs, see [FeddConfig configuring]
  `/usr/local/bin/creddy_split.py`::
   Split a combination X.509 certificate and key file into two separate files, useful for working with the [http://abac.deterlab.net libabac]  [http://abac.deterlab.net/wiki/Creddy creddy] utility
@@ -97 +96 @@
  `/usr/local/bin/fedid.py`::
   command line tool for getting fedids from X509 certificates
- `/usr/local/bin/user_to_project.py`::
-  used in dynamic project installs, see [FeddConfig configuring]
 
 These scripts are documented in more detail on the [FeddCommands commands page].
@@ -107 +104 @@
 
 
-== Additional scripts ==
 
-If you intend to use dynamic project manipulation, you will need to
-install patched versions of the addpubkey and grantnodetype scripts on
-boss.  These patches extend those commands to revoke access/keys or
-confirm the presence of access or keys. 
+== The Federation Kit (fedkit) ==
 
-The patches are here:
- * [attachment:addpubkey.patch addpubkey]
- * [attachment:grantnodetype.patch grantnodetype]
+The federation kit is the software used by `fedd` to connect testbeds and tunnel services from the master to the other testbeds. Currently we have a single [attachment:fedkit.tgz fedkit] that provides SSH tunnels to connect experimental testbeds at the ethernet layer, tunnels the DETER/Emulab event system and provides shared file service via [http://en.wikipedia.org/wiki/Server_Message_Block SMB].  That fedkit runs on any FreeBSD or Linux image that provides the SMB file system.
 
-To avoid inadvertently interfering with testbed operation, we suggest
-making modified shadow commands on boss called taddpubkey and
-tgrantnodetype.  Note the leading 't' on the shadow commands.  You can
-do this by doing the following on boss (where the patch files come from
-wherever you saved them):
+By splitting this function out, we intend to allow different installations of `fedd` to provide different interconnection and service tunneling function.  Currently the DETER fedkit is the only federation kit in use, and `fedd` defaults its startcmd options for use with it.
 
-{{{
-$ cd /tmp
-$ cp /usr/testbed/sbin/addpubkey .
-$ patch < addpubkey.patch
-$ sudo mv addpubkey /usr/testbed/sbin/taddpubkey
-$ sudo chown root:wheel /usr/testbed/sbin/taddpubkey
-$ sudo chmod 4755 /usr/testbed/sbin/taddpubkey
-}}}
+To install fedd, the administrator must download a copy and put it where fedd can read it, usually `/usr/local/etc/fedd` and set the '''fedkit''' parameter in the [experiment_control] section of the [FeddConfig#ExperimentControlOptions config file] to be the pathname of the tar file.
 
-{{{
-$ cd /tmp
-$ cp /usr/testbed/sbin/grantnodetype .
-$ patch < grantnodetype.patch
-$ sudo mv grantnodetype /usr/testbed/sbin/tgrantnodetype
-$ sudo chown root:wheel /usr/testbed/sbin/tgrantnodetype
-}}}
+=== Fedkit Functions and Configuration ===
 
-Note that taddpubkey will be setuid root (just like addpubkey is) and
-that grantnodetype will not.  The permissions need to match those of the
-original command.  They will fail with different ones.
+In standard operation, the fedkit is configured and invoked by fedd.  This section provides some details on the inner workings of the kit that may be helpful in debugging.
 
-Once the scripts exist, make sure you configure the [allocate] section
-of the configuration file to use them, e.g.:
+The federation kit has 2 roles
 
-{{{
-[allocate]
-addpubkey: /usr/testbed/sbin/taddpubkey
-grantnodetype: /usr/testbed/sbin/tgrantnodetype
-}}}
+ * Configuring experiment nodes to use [FeddAbout#ExperimentServices services], such as shared file systems.
+ * Configuring portal nodes to connect experiments
 
-See the [FeddConfig configuration section] for more detail.
+==== Fedkit on Experiment Nodes ====
 
-== Federation Kit ==
+On experiment nodes, the fedkit starts dynamic routing, and optionally configures user accounts and samba filesystems if they are in use.  The system expects the following software to be available:
 
-The federation kit includes the software that provides the shared environment in the federated experiment.  It is described in more detail in the [FeddAbout#TheFederationKit overview of the system.]  The version we primarily use is available for [attachment:fedkit.tgz download].  Download it, put it somewhere that `fedd` can read it, like `/usr/local/etc/fedd` and set the '''fedkit''' parameter in the [experiment_control] section of the [FeddConfig#ExperimentControlOptions config file] to be the pathname of the tar file.
+ * quagga routing system (an old gated installation will also work)
+ * samba-client
+ * smbfs
+ 
+Those are the linux package names; equivalent FreeBSD packages will also work.  For software to be available is for it to be either installed or accessible using {{{yum}}} or {{{apt-get}}}.  DETER nodes have a local repository for that purpose.
+
+The fedkit is installed in {{{/usr/local/federation}}} and when run places a log in {{{/tmp/federate}}}.
+
+Services are initialized based on the contents of {{{/usr/local/federation/etc/client.conf}}}.  Possible values include:
+
+ '''!ControlGateway'''::
+  The DNS name (or IP address) of the node that will forward services
+ '''Hide''':
+  Do nat add this node to the node's view of the experiment.  Used for [FeddMulti multi-party experiments].
+ '''!PortalAlias'''::
+  A name that will be mapped to the same IP address as the control gateway.  SEER in particular expects nodes with certain functions to have certain names.
+ '''!ProjectUser'''::
+  The local user under which to mount shared project directories
+ '''!ProjectName'''::
+  Project name to derive shared project directories from
+ '''Service'''::
+  a string naming the [FeddAbout#ExperimentServices services] to initialize.
+ '''SMBShare'''::
+  The name of the share to mount
+
+
+
+==== Fedkit on Portal Nodes ====
+
+On portal nodes the fedkit uses ssh to interconnect the segments and bridges traffic at layer 2.  If the portal node is a Linux image it needs to have the {{{bridge-tools}}} package available.  Like the fedkit on experiment nodes, it will attempt to load that software from repositories if it is not present.
+
+The fedkit configures the portal based on the contents of a configuration file containing the following parameters:
+
+ '''active'''::
+  a boolean.  If true this portal will initiate ssh connections to its peer.
+ '''nat_partner'''::
+  a boolean.  If true the fedkit's peer is behind a network address translator.  Not used yet.
+ '''tunnelip'''::
+  a boolean.  If true use the DETER system for binding external addresses.
+ '''peer'''::
+  a string.  A list of DNS names or IP addresses.  Usually this is one value, the DNS name of the peer, but passive ends of NATted portals may use a list of addresses to establish routing.
+ '''ssh_pubkey'''::
+  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
+ '''ssh_privkey'''::
+  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
+
+The passive portal node establishes routing connectivity to the active end, reconfigures the local sshd to allow link layer forwarding and to allow the active end to remotely configure it, and waits.  The active end connects through ssh, establishes a link layer forwarding tunnel and bridges that to the experimental interface.  It also forwards ports to connect experiment services.
+
 
 == Git access ==