Changes between Version 27 and Version 28 of FeddDownload


Ignore:
Timestamp:
Jun 10, 2014 3:32:53 PM (5 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • FeddDownload

    v27 v28  
     1[[TOC()]]
    12
    23= Downloading and Installing fedd =
     
    4849
    4950{{{
    50 $ tar xzf -C /tmp fedd-3.50b.tar.gz
    51 $ cd /tmp/fedd-3.50b
     51$ tar xzf -C /tmp fedd-4.00b.tar.gz
     52$ cd /tmp/fedd-4.00b
    5253$ sudo python ./setup.py install
    5354$ cd
    54 $ sudo rm -rf /tmp/fedd-3.50b
     55$ sudo rm -rf /tmp/fedd-4.00b
    5556}}}
    5657
     
    5859scripts:
    5960 `/usr/local/bin/access_to_abac.py`::
    60   [wiki:FeddABAC#access_to_abac.py converts] existing access controller DBs to ABAC.
     61  [wiki:FeddABAC#access_to_abac.py converts] access controller authorization databases to ABAC.
    6162 `/usr/local/bin/cert_to_fedid.py`::
    6263  create a self-signed certificate from an existing hierarchical X.509 certificate and key.
    63  `/usr/local/bin/confirm_sshkey.py`::
    64   used in certain static project installs, see [FeddConfig configuring]
    6564 `/usr/local/bin/creddy_split.py`::
    6665  Split a combination X.509 certificate and key file into two separate files, useful for working with the [http://abac.deterlab.net libabac]  [http://abac.deterlab.net/wiki/Creddy creddy] utility
     
    9796 `/usr/local/bin/fedid.py`::
    9897  command line tool for getting fedids from X509 certificates
    99  `/usr/local/bin/user_to_project.py`::
    100   used in dynamic project installs, see [FeddConfig configuring]
    10198
    10299These scripts are documented in more detail on the [FeddCommands commands page].
     
    107104
    108105
    109 == Additional scripts ==
    110106
    111 If you intend to use dynamic project manipulation, you will need to
    112 install patched versions of the addpubkey and grantnodetype scripts on
    113 boss.  These patches extend those commands to revoke access/keys or
    114 confirm the presence of access or keys.
     107== The Federation Kit (fedkit) ==
    115108
    116 The patches are here:
    117  * [attachment:addpubkey.patch addpubkey]
    118  * [attachment:grantnodetype.patch grantnodetype]
     109The federation kit is the software used by `fedd` to connect testbeds and tunnel services from the master to the other testbeds. Currently we have a single [attachment:fedkit.tgz fedkit] that provides SSH tunnels to connect experimental testbeds at the ethernet layer, tunnels the DETER/Emulab event system and provides shared file service via [http://en.wikipedia.org/wiki/Server_Message_Block SMB].  That fedkit runs on any FreeBSD or Linux image that provides the SMB file system.
    119110
    120 To avoid inadvertently interfering with testbed operation, we suggest
    121 making modified shadow commands on boss called taddpubkey and
    122 tgrantnodetype.  Note the leading 't' on the shadow commands.  You can
    123 do this by doing the following on boss (where the patch files come from
    124 wherever you saved them):
     111By splitting this function out, we intend to allow different installations of `fedd` to provide different interconnection and service tunneling function.  Currently the DETER fedkit is the only federation kit in use, and `fedd` defaults its startcmd options for use with it.
    125112
    126 {{{
    127 $ cd /tmp
    128 $ cp /usr/testbed/sbin/addpubkey .
    129 $ patch < addpubkey.patch
    130 $ sudo mv addpubkey /usr/testbed/sbin/taddpubkey
    131 $ sudo chown root:wheel /usr/testbed/sbin/taddpubkey
    132 $ sudo chmod 4755 /usr/testbed/sbin/taddpubkey
    133 }}}
     113To install fedd, the administrator must download a copy and put it where fedd can read it, usually `/usr/local/etc/fedd` and set the '''fedkit''' parameter in the [experiment_control] section of the [FeddConfig#ExperimentControlOptions config file] to be the pathname of the tar file.
    134114
    135 {{{
    136 $ cd /tmp
    137 $ cp /usr/testbed/sbin/grantnodetype .
    138 $ patch < grantnodetype.patch
    139 $ sudo mv grantnodetype /usr/testbed/sbin/tgrantnodetype
    140 $ sudo chown root:wheel /usr/testbed/sbin/tgrantnodetype
    141 }}}
     115=== Fedkit Functions and Configuration ===
    142116
    143 Note that taddpubkey will be setuid root (just like addpubkey is) and
    144 that grantnodetype will not.  The permissions need to match those of the
    145 original command.  They will fail with different ones.
     117In standard operation, the fedkit is configured and invoked by fedd.  This section provides some details on the inner workings of the kit that may be helpful in debugging.
    146118
    147 Once the scripts exist, make sure you configure the [allocate] section
    148 of the configuration file to use them, e.g.:
     119The federation kit has 2 roles
    149120
    150 {{{
    151 [allocate]
    152 addpubkey: /usr/testbed/sbin/taddpubkey
    153 grantnodetype: /usr/testbed/sbin/tgrantnodetype
    154 }}}
     121 * Configuring experiment nodes to use [FeddAbout#ExperimentServices services], such as shared file systems.
     122 * Configuring portal nodes to connect experiments
    155123
    156 See the [FeddConfig configuration section] for more detail.
     124==== Fedkit on Experiment Nodes ====
    157125
    158 == Federation Kit ==
     126On experiment nodes, the fedkit starts dynamic routing, and optionally configures user accounts and samba filesystems if they are in use.  The system expects the following software to be available:
    159127
    160 The federation kit includes the software that provides the shared environment in the federated experiment.  It is described in more detail in the [FeddAbout#TheFederationKit overview of the system.]  The version we primarily use is available for [attachment:fedkit.tgz download].  Download it, put it somewhere that `fedd` can read it, like `/usr/local/etc/fedd` and set the '''fedkit''' parameter in the [experiment_control] section of the [FeddConfig#ExperimentControlOptions config file] to be the pathname of the tar file.
     128 * quagga routing system (an old gated installation will also work)
     129 * samba-client
     130 * smbfs
     131 
     132Those are the linux package names; equivalent FreeBSD packages will also work.  For software to be available is for it to be either installed or accessible using {{{yum}}} or {{{apt-get}}}.  DETER nodes have a local repository for that purpose.
     133
     134The fedkit is installed in {{{/usr/local/federation}}} and when run places a log in {{{/tmp/federate}}}.
     135
     136Services are initialized based on the contents of {{{/usr/local/federation/etc/client.conf}}}.  Possible values include:
     137
     138 '''!ControlGateway'''::
     139  The DNS name (or IP address) of the node that will forward services
     140 '''Hide''':
     141  Do nat add this node to the node's view of the experiment.  Used for [FeddMulti multi-party experiments].
     142 '''!PortalAlias'''::
     143  A name that will be mapped to the same IP address as the control gateway.  SEER in particular expects nodes with certain functions to have certain names.
     144 '''!ProjectUser'''::
     145  The local user under which to mount shared project directories
     146 '''!ProjectName'''::
     147  Project name to derive shared project directories from
     148 '''Service'''::
     149  a string naming the [FeddAbout#ExperimentServices services] to initialize.
     150 '''SMBShare'''::
     151  The name of the share to mount
     152
     153
     154
     155==== Fedkit on Portal Nodes ====
     156
     157On portal nodes the fedkit uses ssh to interconnect the segments and bridges traffic at layer 2.  If the portal node is a Linux image it needs to have the {{{bridge-tools}}} package available.  Like the fedkit on experiment nodes, it will attempt to load that software from repositories if it is not present.
     158
     159The fedkit configures the portal based on the contents of a configuration file containing the following parameters:
     160
     161 '''active'''::
     162  a boolean.  If true this portal will initiate ssh connections to its peer.
     163 '''nat_partner'''::
     164  a boolean.  If true the fedkit's peer is behind a network address translator.  Not used yet.
     165 '''tunnelip'''::
     166  a boolean.  If true use the DETER system for binding external addresses.
     167 '''peer'''::
     168  a string.  A list of DNS names or IP addresses.  Usually this is one value, the DNS name of the peer, but passive ends of NATted portals may use a list of addresses to establish routing.
     169 '''ssh_pubkey'''::
     170  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
     171 '''ssh_privkey'''::
     172  a string.  A file in which the access controller has placed the ssh key shared by this portal and its peer.  These are nonce keys discarded after the experiment ends.
     173
     174The passive portal node establishes routing connectivity to the active end, reconfigures the local sshd to allow link layer forwarding and to allow the active end to remotely configure it, and waits.  The active end connects through ssh, establishes a link layer forwarding tunnel and bridges that to the experimental interface.  It also forwards ports to connect experiment services.
     175
    161176
    162177== Git access ==