-<?xml version="1.0"?>
-<!DOCTYPE configuration PUBLIC "-//PlanetLab Central//DTD PLC configuration//EN" "configuration.dtd">
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+Default PLC configuration file
+
+Mark Huang <mlhuang@cs.princeton.edu>
+Copyright (C) 2006 The Trustees of Princeton University
+
+$Id: plc_config.xml,v 1.16 2006/10/27 20:26:49 mlhuang Exp $
+-->
+
+<!DOCTYPE configuration PUBLIC "-//PlanetLab Central//DTD PLC configuration//EN" "plc_config.dtd">
<configuration>
<variables>
<description>The abbreviated name of this PLC
installation. It is used as the prefix for system slices
(e.g., pl_conf). Warning: Currently, this variable should
- not be changed once set.</description>
+ not be changed.</description>
</variable>
- <variable id="root_user" type="password">
+ <variable id="root_user" type="email">
<name>Root Account</name>
- <value>root@test.planet-lab.org</value>
+ <value>root@localhost.localdomain</value>
<description>The name of the initial administrative
account. We recommend that this account be used only to create
additional accounts associated with real
</variablelist>
</category>
+ <category id="plc_ma_sa">
+ <name>Management and Slice Authority</name>
+ <description>These variables control how your site interacts
+ with other PlanetLab sites as a Management Authority (MA) and/or
+ Slice Authority (SA).</description>
+
+ <variablelist>
+ <variable id="namespace" type="ip">
+ <name>Namespace</name>
+ <value>test</value>
+ <description>The namespace of your MA/SA. This should be a
+ globally unique value assigned by PlanetLab
+ Central.</description>
+ </variable>
+
+ <variable id="ssl_key" type="file">
+ <name>SSL Private Key</name>
+ <value>/etc/planetlab/ma_sa_ssl.key</value>
+ <description>The SSL private key used for signing documents
+ with the signature of your MA/SA. If non-existent, one will
+ be generated.</description>
+ </variable>
+
+ <variable id="ssl_crt" type="file">
+ <name>SSL Public Certificate</name>
+ <value>/etc/planetlab/ma_sa_ssl.crt</value>
+ <description>The corresponding SSL public certificate. By
+ default, this certificate is self-signed. You may replace
+ the certificate later with one signed by the PLC root
+ CA.</description>
+ </variable>
+
+ <variable id="ca_ssl_crt" type="file">
+ <name>Root CA SSL Public Certificate</name>
+ <value>/etc/planetlab/ma_sa_ca_ssl.crt</value>
+ <description>If applicable, the certificate of the PLC root
+ CA. If your MA/SA certificate is self-signed, then this file
+ is the same as your MA/SA certificate.</description>
+ </variable>
+
+ <variable id="ca_ssl_key_pub" type="file">
+ <name>Root CA SSL Public Key</name>
+ <value>/etc/planetlab/ma_sa_ca_ssl.pub</value>
+ <description>If applicable, the public key of the PLC root
+ CA. If your MA/SA certificate is self-signed, then this file
+ is the same as your MA/SA public key.</description>
+ </variable>
+
+ <variable id="api_crt" type="file">
+ <name>API Certificate</name>
+ <value>/etc/planetlab/ma_sa_api.xml</value>
+ <description>The API Certificate is your MA/SA public key
+ embedded in a digitally signed XML document. By default,
+ this document is self-signed. You may replace this
+ certificate later with one signed by the PLC root
+ CA.</description>
+ </variable>
+ </variablelist>
+ </category>
+
<category id="plc_net">
<name>Network</name>
<description>Network environment.</description>
<variablelist>
<variable id="dns1" type="ip">
<name>Primary DNS Server</name>
- <value>128.112.136.10</value>
+ <value>127.0.0.1</value>
<description>Primary DNS server address.</description>
</variable>
<variable id="dns2" type="ip">
<name>Secondary DNS Server</name>
- <value>128.112.136.12</value>
+ <value></value>
<description>Secondary DNS server address.</description>
</variable>
</variablelist>
</category>
+ <category id="plc_dns">
+ <name>DNS</name>
+ <description>MyPLC can provide forward DNS resolution for itself
+ and for its nodes. To enable resolution for MyPLC itself, set
+ the Primary DNS Server address to 127.0.0.1 and provide external
+ IP addresses for the database, API, web, and boot servers
+ below. To enable resolution for nodes, use the external IP
+ address of this machine as the primary DNS server address for
+ each node.</description>
+
+ <variablelist>
+ <variable id="enabled" type="boolean">
+ <name>Enable DNS</name>
+ <value>true</value>
+ <description>Enable the internal DNS server. The server does
+ not provide reverse resolution and is not a production
+ quality or scalable DNS solution. Use the internal DNS
+ server only for small deployments or for
+ testing.</description>
+ </variable>
+ </variablelist>
+ </category>
+
<category id="plc_mail">
<name>Mail</name>
<description>Many maintenance scripts, as well as the API and
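Review bot: `namespace` is declared `type="ip"`, yet its default is `test` and the description calls it a globally unique value assigned by PlanetLab Central, so the type looks copied from the Network category. If values are validated by type (the validator is not visible here), either the shipped default fails or the IP check is loose enough to accept arbitrary strings; `<variable id="namespace" type="string">` fits what the description says. In the same hunk, `plc_dns` ships with `enabled` set to `true`, although its own description calls the server not production quality and tells operators to point nodes at this machine's external address. Defaulting to `<value>false</value>`, or stating that the resolver should answer only the node networks, would make a fresh install safer.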
and warnings.</description>
</variable>
- <variable id="support_address">
+ <variable id="support_address" type="email">
<name>Support Address</name>
- <value>root@localhost</value>
+ <value>root+support@localhost.localdomain</value>
<description>This address is used for support
requests. Support requests may include traffic complaints,
security incident reporting, web site malfunctions, and
Tracker.</description>
</variable>
- <variable id="boot_address">
+ <variable id="boot_address" type="email">
<name>Boot Messages Address</name>
- <value>root@localhost</value>
+ <value>root+install-msgs@localhost.localdomain</value>
<description>The API will notify this address when a problem
- occurs during node installation or boot. If a domain is not
- specified, the default system domain will be used
- name.</description>
+ occurs during node installation or boot.</description>
+ </variable>
+
+ <variable id="slice_address" type="email">
+ <name>Slice Address</name>
+ <value>root+SLICE@localhost.localdomain</value>
+ <description>This address template is used for sending
+ e-mail notifications to slices. SLICE will be replaced with
+ the name of the slice.</description>
</variable>
</variablelist>
</category>
<variable id="host" type="hostname">
<name>Hostname</name>
- <value>localhost</value>
- <description>The fully qualified hostname or IP address of
- the database server. This hostname must be resolvable and
- reachable by the rest of your installation.</description>
+ <value>localhost.localdomain</value>
+ <description>The fully qualified hostname of the database
+ server.</description>
+ </variable>
+
+ <variable id="ip" type="ip">
+ <name>IP Address</name>
+ <value>127.0.0.1</value>
+ <description>The IP address of the database server, if not
+ resolvable by the configured DNS servers.</description>
+ </variable>
+
+ <variable id="port" type="int">
+ <name>Port</name>
+ <value>5432</value>
+ <description>The TCP port number through which the database
+ server should be accessed.</description>
</variable>
<variable id="name" type="string">
<name>Database Name</name>
- <value>planetlab3</value>
+ <value>planetlab4</value>
<description>The name of the database to access.</description>
</variable>
<variable id="host" type="hostname">
<name>Hostname</name>
- <value>localhost</value>
- <description>The fully qualified hostname or IP address of
- the API server. This hostname must be resolvable and
- reachable by the rest of your installation, as well as your
- nodes.</description>
+ <value>localhost.localdomain</value>
+ <description>The fully qualified hostname of the API
+ server.</description>
</variable>
+ <variable id="ip" type="ip">
+ <name>IP Address</name>
+ <value>127.0.0.1</value>
+ <description>The IP address of the API server, if not
+ resolvable by the configured DNS servers.</description>
+ </variable>
+
<variable id="port" type="int">
<name>Port</name>
- <value>80</value>
+ <value>443</value>
<description>The TCP port number through which the API
- should be accessed. Warning: SSL (port 443) access is not
- fully supported by the website code yet. We recommend that
- port 80 be used for now and that the API server either run
- on the same machine as the web server, or that they both be
- on a secure wired network.</description>
+ should be accessed.</description>
</variable>
<variable id="path" type="string">
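Review bot: The new `port` description drops the old transport guidance along with the outdated SSL caveat, so nothing tells an operator what changing 443 back to 80 implies. The removed wording suggests plain-HTTP access was considered acceptable only on a shared host or a secure wired network. If that still holds, keep one sentence of it, e.g. `should be accessed. Use 443 (HTTPS) unless the API and web servers share a host or a trusted network.` Whether the port value alone selects HTTPS is not visible in this hunk and should be confirmed before it is documented.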
<variable id="maintenance_user" type="string">
<name>Maintenance User</name>
- <value>maint@test.planet-lab.org</value>
+ <value>maint@localhost.localdomain</value>
<description>The username of the maintenance account. This
account is used by local scripts that perform automated
tasks, and cannot be used for normal logins.</description>
<name>Authorized Hosts</name>
<value></value>
<description>A space-separated list of IP addresses allowed
- to access the API through the maintenance account. If left
- blank, the API, web, and boot servers are
- allowed.</description>
+ to access the API through the maintenance account. The value
+ of this variable is set automatically to allow only the API,
+ web, and boot servers, and should not be
+ changed.</description>
</variable>
<!-- The following are not actually meant to be configurable
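Review bot: The rewritten `Authorized Hosts` description no longer says what the empty default `<value></value>` means, and that meaning decides who may use the maintenance account. The old text defined blank as allowing the API, web, and boot servers. The new text says the value is set automatically, but if that step has not run or fails, a reader cannot tell whether blank admits no host or any host. I would add a sentence such as `If empty, no host may use the maintenance account.`, adjusted to whatever the API actually enforces (not visible here), so the fail-closed behaviour is documented. The enclosing `<variable>` element opens above this hunk.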
be downloaded, or its contents replaced by a file upload,
but the actual <value> shouldn't need to be changed. -->
- <variable id="ssl_crt" type="file">
- <name>SSL Certificate</name>
- <value>/etc/planetlab/api_ssl.crt</value>
- <description>The signed SSL certificate to use for HTTPS
- access. If not specified or non-existent, a self-signed
- certificate will be generated.</description>
- </variable>
-
<variable id="ssl_key" type="file">
- <name>SSL Key</name>
+ <name>SSL Private Key</name>
<value>/etc/planetlab/api_ssl.key</value>
- <description>The corresponding SSL private key. If not
- specified or non-existent, a self-signed certificate will be
+ <description>The SSL private key to use for encrypting HTTPS
+ traffic. If non-existent, one will be
generated.</description>
</variable>
- <variable id="ticket_key" type="file">
- <name>Slice Ticket Private Key</name>
- <value>/etc/planetlab/slice-ticket-key-nopass.pem</value>
- <description>The private PEM key file used to sign slice
- tickets.</description>
+ <variable id="ssl_crt" type="file">
+ <name>SSL Public Certificate</name>
+ <value>/etc/planetlab/api_ssl.crt</value>
+ <description>The corresponding SSL public certificate. By
+ default, this certificate is self-signed. You may replace
+ the certificate later with one signed by a root
+ CA.</description>
</variable>
- <variable id="ticket_key_pub" type="file">
- <name>Slice Ticket Public Key</name>
- <value>/etc/planetlab/slice-ticket-key-public.pem</value>
- <description>The public PEM key file used to verify signed
- slice tickets.</description>
+ <variable id="ca_ssl_crt" type="file">
+ <name>Root CA SSL Public Certificate</name>
+ <value>/etc/planetlab/api_ca_ssl.crt</value>
+ <description>The certificate of the root CA, if any, that
+ signed your server certificate. If your server certificate is
+ self-signed, then this file is the same as your server
+ certificate.</description>
</variable>
</variablelist>
</category>
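Review bot: `ssl_key` sits directly under the comment saying the web interface should allow these `type="file"` values to be downloaded or replaced by upload, which is not appropriate for a private key. The comment begins outside this hunk, so its exact scope is inferred, but as written it covers `/etc/planetlab/api_ssl.key` as well as the certificates. I would state the exception in the description, e.g. `generated. This file must never be offered for download.`, or mark key variables so the interface treats them as upload-only. The same applies to the `ssl_key` variables in the web server and boot server hunks further down.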
<variable id="host" type="hostname">
<name>Hostname</name>
- <value>localhost</value>
- <description>The fully qualified hostname or IP address of
- the web server. This hostname must be resolvable and
- reachable by the rest of your installation, as well as your
- nodes.</description>
+ <value>localhost.localdomain</value>
+ <description>The fully qualified hostname of the web
+ server.</description>
</variable>
+ <variable id="ip" type="ip">
+ <name>IP Address</name>
+ <value>127.0.0.1</value>
+ <description>The IP address of the web server, if not
+ resolvable by the configured DNS servers.</description>
+ </variable>
+
<variable id="port" type="int">
<name>Port</name>
<value>80</value>
be downloaded, or its contents replaced by a file upload,
but the actual <value> shouldn't need to be changed. -->
+ <variable id="ssl_key" type="file">
+ <name>SSL Private Key</name>
+ <value>/etc/planetlab/www_ssl.key</value>
+ <description>The SSL private key to use for encrypting HTTPS
+ traffic. If non-existent, one will be
+ generated.</description>
+ </variable>
+
<variable id="ssl_crt" type="file">
- <name>SSL Certificate</name>
+ <name>SSL Public Certificate</name>
<value>/etc/planetlab/www_ssl.crt</value>
- <description>The signed SSL certificate to use for HTTPS
- access. If not specified or non-existent, a self-signed
- certificate will be generated.</description>
+ <description>The corresponding SSL public certificate for
+ the HTTP server. By default, this certificate is
+ self-signed. You may replace the certificate later with one
+ signed by a root CA.</description>
</variable>
- <variable id="ssl_key" type="file">
- <name>SSL Key</name>
- <value>/etc/planetlab/www_ssl.key</value>
- <description>The corresponding SSL private key. If not
- specified or non-existent, a self-signed certificate will be
- generated.</description>
+ <variable id="ca_ssl_crt" type="file">
+ <name>Root CA SSL Public Certificate</name>
+ <value>/etc/planetlab/www_ca_ssl.crt</value>
+ <description>The certificate of the root CA, if any, that
+ signed your server certificate. If your server certificate is
+ self-signed, then this file is the same as your server
+ certificate.</description>
</variable>
</variablelist>
</category>
<variable id="host" type="hostname">
<name>Hostname</name>
- <value>localhost</value>
- <description>The fully qualified hostname or IP address of
- the boot server. This hostname must be resolvable and
- reachable by the rest of your installation, as well as your
- nodes.</description>
+ <value>localhost.localdomain</value>
+ <description>The fully qualified hostname of the boot
+ server.</description>
</variable>
+ <variable id="ip" type="ip">
+ <name>IP Address</name>
+ <value>127.0.0.1</value>
+ <description>The IP address of the boot server, if not
+ resolvable by the configured DNS servers.</description>
+ </variable>
+
<variable id="port" type="int">
<name>Port</name>
<value>80</value>
be downloaded, or its contents replaced by a file upload,
but the actual <value> shouldn't need to be changed. -->
- <variable id="ssl_crt" type="binary">
- <name>SSL Certificate</name>
+ <variable id="ssl_key" type="file">
+ <name>SSL Private Key</name>
+ <value>/etc/planetlab/boot_ssl.key</value>
+ <description>The SSL private key to use for encrypting HTTPS
+ traffic.</description>
+ </variable>
+
+ <variable id="ssl_crt" type="file">
+ <name>SSL Public Certificate</name>
<value>/etc/planetlab/boot_ssl.crt</value>
- <description>The signed SSL certificate to use for HTTPS
- access. If not specified, or non-existent a self-signed
- certificate will be generated.</description>
+ <description>The corresponding SSL public certificate for
+ the HTTP server. By default, this certificate is
+ self-signed. You may replace the certificate later with one
+ signed by a root CA.</description>
</variable>
- <variable id="ssl_key" type="binary">
- <name>SSL Key</name>
- <value>/etc/planetlab/boot_ssl.key</value>
- <description>The corresponding SSL private key. If not
- specified or non-existent, a self-signed certificate will be
- generated.</description>
+ <variable id="ca_ssl_crt" type="file">
+ <name>Root CA SSL Public Certificate</name>
+ <value>/etc/planetlab/boot_ca_ssl.crt</value>
+ <description>The certificate of the root CA, if any, that
+ signed your server certificate. If your server certificate is
+ self-signed, then this file is the same as your server
+ certificate.</description>
</variable>
</variablelist>
</category>
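Review bot: The boot server `ssl_key` description stops at `traffic.` and omits the `If non-existent, one will be generated.` sentence that the API and web server key descriptions carry, although the removed boot text did promise generation. An operator cannot tell from this whether a missing `/etc/planetlab/boot_ssl.key` is created automatically or is an error. If the boot key is generated like the others (not visible here), make the text match: `traffic. If non-existent, one will be generated.</description>`. If it is not, say so explicitly so the key is provisioned deliberately.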
<description>PlanetLab Central Packages</description>
<uservisible>true</uservisible>
<packagelist>
+ <!-- Basics -->
+ <packagereq type="mandatory">dev</packagereq>
+
+ <!-- kernel-vserver is intended for the vserver-reference, but
+ serves the same useful purpose for MyPLC, namely, to
+ Provide: kernel without actually installing anything. -->
+ <packagereq type="mandatory">kernel-vserver</packagereq>
+
<!-- Sending mail -->
<packagereq type="mandatory">sendmail</packagereq>
<packagereq type="mandatory">sendmail-cf</packagereq>
+ <!-- Caching DNS server -->
+ <packagereq type="mandatory">dnsmasq</packagereq>
+
<!-- (Optional) Synchronizing with PLC -->
<packagereq type="mandatory">rsync</packagereq>
<packagereq type="mandatory">cvs</packagereq>
<packagereq type="mandatory">curl</packagereq>
<packagereq type="mandatory">wget</packagereq>
+ <packagereq type="mandatory">less</packagereq>
+ <packagereq type="mandatory">gzip</packagereq>
+ <packagereq type="mandatory">bzip2</packagereq>
+ <packagereq type="mandatory">cpio</packagereq>
+ <packagereq type="mandatory">tar</packagereq>
+ <packagereq type="mandatory">diffutils</packagereq>
<!-- yum >=2.2 uses a new repository format -->
<packagereq type="mandatory">createrepo</packagereq>
+ <packagereq type="mandatory">yum</packagereq>
+ <packagereq type="mandatory">rpm</packagereq>
<!-- For mkpasswd -->
<packagereq type="mandatory">expect</packagereq>
+ <!-- For ssh-keygen -->
+ <packagereq type="mandatory">openssh</packagereq>
+
<!-- Almost all scripts are written in Python -->
<packagereq type="mandatory">python</packagereq>
- <!-- For various Python scripts that access the API -->
- <packagereq type="mandatory">plcapilib</packagereq>
-
<!-- Database server -->
<packagereq type="mandatory">postgresql</packagereq>
<packagereq type="mandatory">postgresql-server</packagereq>
access the DB directly. -->
<packagereq type="mandatory">php</packagereq>
<packagereq type="mandatory">php-pgsql</packagereq>
- <packagereq type="mandatory">php-xmlrpc</packagereq>
+ <!-- PLCAPI replaces php-xmlrpc -->
+ <!-- <packagereq type="mandatory">php-xmlrpc</packagereq> -->
<!-- Need GD for ImageCreate(), etc. -->
<packagereq type="mandatory">gd</packagereq>
<packagereq type="mandatory">mod_python</packagereq>
<!-- API server uses a few non-standard packages -->
+ <packagereq type="mandatory">PLCAPI</packagereq>
<packagereq type="mandatory">PyXML</packagereq>
+ <packagereq type="mandatory">PlanetLabAuth</packagereq>
<!-- API server uses SSL to sign tickets -->
<packagereq type="mandatory">xmlsec1</packagereq>
<packagereq type="mandatory">xmlsec1-openssl</packagereq>
<packagereq type="mandatory">openssl</packagereq>
- <!-- bootcd is generated using mkisofs -->
- <packagereq type="mandatory">mkisofs</packagereq>
-
- <!-- bootcd and bootmanager images are signed using GPG -->
- <packagereq type="mandatory">gnupg</packagereq>
-
- <!-- bootmanager requires uuencode -->
- <packagereq type="mandatory">sharutils</packagereq>
+ <!-- Customizable Boot CD and Boot Manager packages -->
+ <packagereq type="mandatory">bootcd</packagereq>
+ <packagereq type="mandatory">bootmanager</packagereq>
</packagelist>
</group>
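Review bot: Dropping the explicit `gnupg`, `mkisofs` and `sharutils` requirements leaves image signing dependent on the new `bootcd` and `bootmanager` packages pulling those tools in themselves. The removed comments say the bootcd and bootmanager images are signed using GPG, so if either package does not declare `gnupg` as a dependency (their spec files are not visible here), a fresh install loses the signing tool. I would confirm the package dependencies and record that in the comment, e.g. `<!-- Customizable Boot CD and Boot Manager packages (these pull in mkisofs, gnupg, sharutils) -->`, or keep `<packagereq type="mandatory">gnupg</packagereq>` listed explicitly.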