From: Mark Huang Date: Fri, 21 Jul 2006 16:13:11 +0000 (+0000) Subject: - MyPLC 0.4 RC2 X-Git-Tag: myplc-0_4-rc2~7 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=106e14d7f661da956715e6898cbfeff512744b28;p=myplc.git - MyPLC 0.4 RC2 --- diff --git a/api-config b/api-config index 765da82..f58ab75 100755 --- a/api-config +++ b/api-config @@ -6,7 +6,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: api-config,v 1.12 2006/05/30 15:06:20 mlhuang Exp $ +# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $ # from plc_config import PLCConfiguration @@ -28,9 +28,11 @@ def main(): globals()[category_id] = dict(zip(variablelist.keys(), [variable['value'] for variable in variablelist.values()])) - # Get the issuer e-mail address of the root CA certificate + # Get the issuer e-mail address and public key from the root CA certificate root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \ - plc['root_ca_ssl_crt']) + plc_ma_sa['ca_ssl_crt']) + root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ca_ssl_crt']) # Verify API certificate if os.path.exists(plc_ma_sa['api_crt']): @@ -38,36 +40,35 @@ def main(): try: cert_xml = file(plc_ma_sa['api_crt']).read().strip() # Verify root CA signature - CertOps.authenticate_cert(cert_xml, - {root_ca_email: - file(plc['root_ca_ssl_key_pub']).read().strip()}) + CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub}) # Check if MA/SA e-mail address has changed dom = xml.dom.minidom.parseString(cert_xml) - for issuer in dom.getElementsByTagName('issuer'): - if issuer.getAttribute('email') != plc_mail['support_address']: + for subject in dom.getElementsByTagName('subject'): + if subject.getAttribute('email') != plc_mail['support_address']: raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \ - (issuer.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address']) + (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address']) except Exception, e: # Delete invalid API certificate print "Warning: ", e os.unlink(plc_ma_sa['api_crt']) - # Generate API certificate + # Generate self-signed API certificate if not os.path.exists(plc_ma_sa['api_crt']): print "Generating new API certificate" try: cert = Certificate.Certificate('ticket-cert-0') - ma_sa_ssl_key_pub = file(plc_ma_sa['ssl_key_pub']).read().strip() + ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ssl_crt']) cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address']) root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \ - plc['root_ca_ssl_crt']) + plc_ma_sa['ssl_crt']) m = re.search('/CN=([^/]*).*', root_ca_subject) if m is None: - root_ca_cn = plc['name'] + " Root CA" + root_ca_cn = plc['name'] + " Management and Slice Authority" else: root_ca_cn = m.group(1) cert.set_issuer(email = root_ca_email, cn = root_ca_cn) - cert_xml = cert.sign(plc['root_ca_ssl_key']) + cert_xml = cert.sign(plc_ma_sa['ssl_key']) ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w") ma_sa_api_crt.write(cert_xml) ma_sa_api_crt.close() @@ -82,6 +83,11 @@ def main(): os.symlink(plc['root_ssh_key_pub'], "/etc/planetlab/node_root_key") # Old variable names littered throughout the API + if plc_mail['enabled'] == "true": + plc_mail_enabled = "1" + else: + plc_mail_enabled = "0" + old_variables = {'PL_API_SERVER': plc_api['host'], 'PL_API_PATH': plc_api['path'], 'PL_API_PORT': plc_api['port'], @@ -93,10 +99,11 @@ def main(): 'WWW_BASE': plc_www['host'], 'BOOT_BASE': plc_boot['host'], + 'PLC_MAIL_ENABLED': plc_mail_enabled, 'MA_SA_NAMESPACE': plc_ma_sa['namespace'], 'SESSION_LENGTH_HOURS': "24", 'ROOT_CA_EMAIL': root_ca_email, - 'ROOT_CA_PUB_KEY': plc['root_ca_ssl_key_pub'], + 'ROOT_CA_PUB_KEY': plc_ma_sa['ca_ssl_key_pub'], 'API_CERT_PATH': plc_ma_sa['api_crt'], 'MA_SA_PRIVATE_KEY': plc_ma_sa['ssl_key'], 'PL_API_TICKET_KEY_FILE': plc_ma_sa['ssl_key']} diff --git a/build.functions b/build.functions index 8281801..a842d37 100644 --- a/build.functions +++ b/build.functions @@ -6,7 +6,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: functions,v 1.6 2006/07/10 21:05:37 mlhuang Exp $ +# $Id: build.functions,v 1.1 2006/07/17 21:31:31 mlhuang Exp $ # PATH=/sbin:/bin:/usr/sbin:/usr/bin diff --git a/build.sh b/build.sh index 6d3733b..8b3c731 100755 --- a/build.sh +++ b/build.sh @@ -1,160 +1,129 @@ #!/bin/bash # -# Builds a Fedora based PLC image. You should be able to run this -# script multiple times without a problem. +# Builds MyPLC, either inside the MyPLC development environment in +# devel/root (if PLC_DEVEL_BOOTSTRAP is true), or in the current host +# environment (may be itself a MyPLC development environment or a +# Fedora Core 4 environment with the appropriate development packages +# installed). +# +# root.img (loopback image) +# root/ (mount point) +# data/ (various data files) +# data/etc/planetlab/ (configuration files) # # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id$ +# $Id: build.sh,v 1.26 2006/07/18 20:06:51 mlhuang Exp $ # -PATH=/sbin:/bin:/usr/sbin:/usr/bin - -# In both a normal CVS environment and a PlanetLab RPM -# build environment, all of our dependencies are checked out into -# directories at the same level as us. -if [ -d ../build ] ; then - PATH=$PATH:../build - srcdir=.. -else - echo "Error: Could not find $(cd .. && pwd -P)/build/" - exit 1 -fi - -export PATH - -# PLC configuration file -config=plc_config.xml +. build.functions -# Release and architecture to install -releasever=4 -basearch=i386 - -# Initial size of the image -size=1000000000 +# +# Build myplc inside myplc-devel. Infinite recursion is avoided only +# if PLC_DEVEL_BOOTSTRAP is false in the default configuration file. +# -usage() -{ - echo "Usage: build.sh [OPTION]..." - echo " -c file PLC configuration file (default: $config)" - echo " -r release Fedora release number (default: $releasever)" - echo " -a arch Fedora architecture (default: $basearch)" - echo " -s size Approximate size of the installation (default: $size)" - echo " -h This message" - exit 1 -} +if [ "$PLC_DEVEL_BOOTSTRAP" = "true" ] ; then + # So that we don't pollute the actual myplc-devel image, we use + # the directory that was used to build the image instead of the + # image itself, and mount everything by hand. + mount -o bind,rw devel/data devel/root/data + mount -t proc none devel/root/proc + + # If we used a local mirror, bind mount it into the chroot so that + # we can use it again. + if [ "${PLC_DEVEL_FEDORA_URL:0:7}" = "file://" ] ; then + mkdir -p devel/root/usr/share/mirrors/fedora + mount -o bind,ro ${PLC_DEVEL_FEDORA_URL#file://} devel/root/usr/share/mirrors/fedora + fi -# Get options -while getopts "c:r:a:s:h" opt ; do - case $opt in - c) - config=$OPTARG - ;; - r) - releasever=$OPTARG - ;; - a) - basearch=$OPTARG - ;; - s) - size=$OPTARG - ;; - h|*) - usage - ;; - esac -done + # Clean up before exiting if anything goes wrong + trap "umount $PWD/devel/root/data; + umount $PWD/devel/root/proc; + umount $PWD/devel/root/usr/share/mirrors/fedora" ERR INT + + # Build myplc inside myplc-devel. Make sure PLC_DEVEL_BOOTSTRAP is + # false to avoid infinite recursion. + chroot devel/root su - < target: - print (df.f_blocks - (df.f_bavail - target)) * df.f_bsize / 1024 -EOF -) - -umount $root -trap - ERR - -if [ -n "$kb" ] ; then - # Setup loopback association. Newer versions of losetup have a -f - # option which finds an unused loopback device, but we must - # support FC2 for now. - # dev_loop=$(losetup -f) - for i in `seq 1 7` ; do - if ! grep -q "^/dev/loop$i" /proc/mounts ; then - dev_loop="/dev/loop$i" - break - fi - done - losetup $dev_loop $root.img - trap "losetup -d $dev_loop" ERR - - # Resize the filesystem - echo "* Checking filesystem" - e2fsck -a -f $dev_loop - echo "* Shrinking filesystem" - resize2fs $dev_loop ${kb}K - - # Tear down loopback association - losetup -d $dev_loop - trap - ERR - - # Truncate the image file - perl -e "truncate '$root.img', $kb*1024" -fi - -# Write sysconfig -cat >plc.sysconfig <100MB but only take a -# couple of seconds to generate at first boot. -rm -f $data/var/www/html/download/*.{iso,usb} - -./host.init stop -RETVAL=$(($RETVAL+$?)) +install -D -m 644 ../build/groups/v3_yumgroups.xml \ + data/var/www/html/install-rpms/planetlab/yumgroups.xml -# Restore default configuration -rm -f $data/etc/planetlab/configs/bootstrap.xml -install -D -m 444 $config $data/etc/planetlab/plc_config.xml +# Make image out of directory +echo "* myplc: Building loopback image" +make_image root root.img -exit $RETVAL +exit 0 diff --git a/build_devel.sh b/build_devel.sh index 77893b3..ff27981 100755 --- a/build_devel.sh +++ b/build_devel.sh @@ -14,7 +14,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id$ +# $Id: build_devel.sh,v 1.1 2006/07/17 21:31:31 mlhuang Exp $ # . build.functions diff --git a/doc/Makefile b/doc/Makefile index 14a62ed..f1cb444 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -4,18 +4,18 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: Makefile,v 1.3 2006/04/24 22:14:56 mlhuang Exp $ +# $Id: Makefile,v 1.5 2006/07/18 22:41:44 mlhuang Exp $ # vpath GenDoc.xsl ../../plc_www/doc -vpath plc_config.xml .. +vpath %_config.xml .. all: myplc.pdf myplc.php # Dependencies -.myplc.xml.valid: architecture.eps architecture.png variables.xml +.myplc.xml.valid: architecture.eps architecture.png plc_variables.xml plc_devel_variables.xml -variables.xml: variables.xsl plc_config.xml +%_variables.xml: variables.xsl %_config.xml xsltproc $(XSLFLAGS) --output $@ $^ # Validate the XML diff --git a/doc/myplc.pdf b/doc/myplc.pdf index d9f9814..5937bd9 100644 Binary files a/doc/myplc.pdf and b/doc/myplc.pdf differ diff --git a/doc/myplc.php b/doc/myplc.php index 720182a..d70807b 100644 --- a/doc/myplc.php +++ b/doc/myplc.php @@ -22,9 +22,13 @@ April 7, 2006 MLH - -

Initial draft.

- +

Initial draft.

+ +Revision 1.1 +July 19, 2006 +MLH + +

Add development environment.

MyPLC is a complete PlanetLab Central (PLC) portable installation contained within a chroot jail. The default installation consists of a web server, an @@ -80,28 +92,30 @@

-2. Installation

+2. Installation

Though internally composed of commodity software subpackages, MyPLC should be treated as a monolithic software application. MyPLC is distributed as single RPM package that has no external dependencies, allowing it to be installed on practically any Linux 2.6 based distribution:

-

Example 1. Installing MyPLC.

+

Example 1. Installing MyPLC.

# If your distribution supports RPM
-rpm -U myplc-0.3-1.planetlab.i386.rpm
+rpm -U http://build.planet-lab.org/build/myplc-0_4-rc1/RPMS/i386/myplc-0.4-1.planetlab.i386.rpm
 
 # If your distribution does not support RPM
+cd /tmp
+wget http://build.planet-lab.org/build/myplc-0_4-rc1/RPMS/i386/myplc-0.4-1.planetlab.i386.rpm
 cd /
-rpm2cpio myplc-0.3-1.planetlab.i386.rpm | cpio -diu
+rpm2cpio /tmp/myplc-0.4-1.planetlab.i386.rpm | cpio -diu

MyPLC installs the following files and directories:

  • /plc/root.img: The main root filesystem of the MyPLC application. This file is an uncompressed ext3 filesystem that is loopback mounted on - /plc/root when MyPLC starts. The - filesystem, even when mounted, should be treated an opaque + /plc/root when MyPLC starts. This + filesystem, even when mounted, should be treated as an opaque binary that can and will be replaced in its entirety by any upgrade of MyPLC.

  • /plc/root: The mount point @@ -112,13 +126,14 @@ rpm2cpio myplc-0.3-1.planetlab.i386.rpm | cpio -diu

  • /plc/data: The directory where user data and generated files are stored. This directory is bind - mounted into the chroot jail on - /data. Files in this directory are marked - with %config(noreplace) in the RPM. That - is, during an upgrade of MyPLC, if a file has not changed - since the last installation or upgrade of MyPLC, it is subject - to upgrade and replacement. If the file has chanegd, the new - version of the file will be created with a + mounted onto /plc/root/data so that it is + accessible as /data from within the + chroot jail. Files in this directory are + marked with %config(noreplace) in the + RPM. That is, during an upgrade of MyPLC, if a file has not + changed since the last installation or upgrade of MyPLC, it is + subject to upgrade and replacement. If the file has changed, + the new version of the file will be created with a .rpmnew extension. Symlinks within the MyPLC root filesystem ensure that the following directories (relative to /plc/root) are stored @@ -183,7 +198,7 @@ service plc stop the chkconfig command on a Red Hat or Fedora host system:

    -

    Example 3. Disabling automatic startup of MyPLC.

    +

    Example 3. Disabling automatic startup of MyPLC.

    # Disable automatic startup
 chkconfig plc off
 
@@ -208,13 +223,13 @@ chkconfig plc on

    -3. Quickstart

    +3. Quickstart

Once installed, start MyPLC (see Example 2, “Starting and stopping MyPLC.”). MyPLC must be started as root. Observe the output of this command for any failures. If no failures occur, you should see output similar to the following:

-

Example 4. A successful MyPLC startup.

+

Example 4. A successful MyPLC startup.

Mounting PLC:                                              [  OK  ]
 PLC: Generating network files:                             [  OK  ]
 PLC: Starting system logger:                               [  OK  ]
@@ -245,10 +260,12 @@ PLC: Signing node packages:                                [  OK  ]
       mounts, or your kernel may not support loopback mounting, bind
       mounting, or the ext3 filesystem. Try freeing at least one
       loopback device, or re-compiling your kernel to support loopback
-      mounting, bind mounting, and the ext3 filesystem. SELinux may
-      also be enabled. If you install MyPLC on Fedora Core 4 or 5, use
-      the Security Level Configuration
-      utility to configure SELinux to be
+      mounting, bind mounting, and the ext3 filesystem. If you see an
+      error similar to Permission denied while trying to open
+      /plc/root.img, then SELinux may be enabled. If you
+      installed MyPLC on Fedora Core 4 or 5, use the
+      Security Level Configuration utility
+      to configure SELinux to be
       Permissive.

 
  • Starting database server: If
       this step fails, check
@@ -343,7 +360,7 @@ PLC: Signing node packages:                                [  OK  ]

    • -3.2. Installing nodes

    +3.2. Installing nodes

    Install your first node by clicking Add Node under the Nodes tab. Fill in all the appropriate details, then click @@ -367,12 +384,12 @@ PLC: Signing node packages: [ OK ]

    -3.3. Administering nodes

    +3.3. Administering nodes

    You may administer nodes as root by using the SSH key stored in /etc/planetlab/root_ssh_key.rsa.

    -

    Example 5. Accessing nodes via SSH. Replace +

    Example 5. Accessing nodes via SSH. Replace node with the hostname of the node.

    ssh -i /etc/planetlab/root_ssh_key.rsa root@node
    @@ -395,7 +412,7 @@ PLC: Signing node packages: [ OK ]

    -3.4. Creating a slice

    +3.4. Creating a slice

    Create a slice by clicking Create Slice under the Slices tab. Fill in all the appropriate details, then click Create. Add @@ -410,7 +427,7 @@ PLC: Signing node packages: [ OK ] to determine if it needs to create or delete any slices. You may accelerate this process manually if desired.

    -

    Example 6. Forcing slice creation on a node.

    +

    Example 6. Forcing slice creation on a node.

    # Update slices.xml immediately
 service plc start crond
 
@@ -420,9 +437,242 @@ vserver pl_conf exec service pl_conf restart
    +
    +

    +4. Rebuilding and customizing MyPLC

    +

    The MyPLC package, though distributed as an RPM, is not a + traditional package that can be easily rebuilt from SRPM. The + requisite build environment is quite extensive and numerous + assumptions are made throughout the PlanetLab source code base, + that the build environment is based on Fedora Core 4 and that + access to a complete Fedora Core 4 mirror is available.

    +

    For this reason, it is recommended that you only rebuild + MyPLC (or any of its components) from within the MyPLC development + environment. The MyPLC development environment is similar to MyPLC + itself in that it is a portable filesystem contained within a + chroot jail. The filesystem contains all the + necessary tools required to rebuild MyPLC, as well as a snapshot + of the PlanetLab source code base in the form of a local CVS + repository.

    +
    +

    +4.1. Installation

    +

    Install the MyPLC development environment similarly to how + you would install MyPLC. You may install both packages on the same + host system if you wish. As with MyPLC, the MyPLC development + environment should be treated as a monolithic software + application, and any files present in the + chroot jail should not be modified directly, as + they are subject to upgrade.

    +
    +

    Example 7. Installing the MyPLC development environment.

    +
    # If your distribution supports RPM
+rpm -U http://build.planet-lab.org/build/myplc-0_4-rc2/RPMS/i386/myplc-devel-0.4-2.planetlab.i386.rpm
+
+# If your distribution does not support RPM
+cd /tmp
+wget http://build.planet-lab.org/build/myplc-0_4-rc2/RPMS/i386/myplc-devel-0.4-2.planetlab.i386.rpm
+cd /
+rpm2cpio /tmp/myplc-devel-0.4-2.planetlab.i386.rpm | cpio -diu
    +
    +

    The MyPLC development environment installs the following + files and directories:

    +
      +

    • /plc/devel/root.img: The + main root filesystem of the MyPLC development environment. This + file is an uncompressed ext3 filesystem that is loopback mounted + on /plc/devel/root when the MyPLC + development environment is initialized. This filesystem, even + when mounted, should be treated as an opaque binary that can and + will be replaced in its entirety by any upgrade of the MyPLC + development environment.

      • +

    • /plc/devel/root: The mount + point for + /plc/devel/root.img.

      • +
    • +

      /plc/devel/data: The directory + where user data and generated files are stored. This directory + is bind mounted onto /plc/devel/root/data + so that it is accessible as /data from + within the chroot jail. Files in this + directory are marked with + %config(noreplace) in the RPM. Symlinks + ensure that the following directories (relative to + /plc/devel/root) are stored outside the + root filesystem image:

      +
        +

      • /etc/planetlab: This + directory contains the configuration files that define your + MyPLC development environment.

        • +

      • /cvs: A + snapshot of the PlanetLab source code is stored as a CVS + repository in this directory. Files in this directory will + not be updated by an upgrade of + myplc-devel. See Section 4.4, “Updating CVS” for more information about updating + PlanetLab source code.

        • +

      • /build: + Builds are stored in this directory. This directory is bind + mounted onto /plc/devel/root/build so that + it is accessible as /build from within the + chroot jail. The build scripts in this + directory are themselves source controlled; see Section 4.3, “Building MyPLC” for more information about executing + builds.

        • +
      +
      • +

    • /etc/init.d/plc-devel: This file is + a System V init script installed on your host filesystem, that + allows you to start up and shut down the MyPLC development + environment with a single command.

      • +
    +
    +
    +

    +4.2. Fedora Core 4 mirror requirement

    +

    The MyPLC development environment requires access to a + complete Fedora Core 4 i386 RPM repository, because several + different filesystems based upon Fedora Core 4 are constructed + during the process of building MyPLC. You may configure the + location of this repository via the + PLC_DEVEL_FEDORA_URL variable in + /plc/devel/data/etc/planetlab/plc_config.xml. The + value of the variable should be a URL that points to the top + level of a Fedora mirror that provides the + base, updates, and + extras repositories, e.g.,

    +
      +

    • file:///data/fedora

      • +

    • http://coblitz.planet-lab.org/pub/fedora

      • +

    • ftp://mirror.cs.princeton.edu/pub/mirrors/fedora

      • +

    • ftp://mirror.stanford.edu/pub/mirrors/fedora

      • +

    • http://rpmfind.net/linux/fedora

      • +
    +

    As implied by the list, the repository may be located on + the local filesystem, or it may be located on a remote FTP or + HTTP server. URLs beginning with file:// + should exist at the specified location relative to the root of + the chroot jail. For optimum performance and + reproducibility, specify + PLC_DEVEL_FEDORA_URL=file:///data/fedora and + download all Fedora Core 4 RPMS into + /plc/devel/data/fedora on the host system + after installing myplc-devel. Use a tool + such as wget or rsync to + download the RPMS from a public mirror:

    +
    +

    Example 8. Setting up a local Fedora Core 4 repository.

    +
    mkdir -p /plc/devel/data/fedora
+cd /plc/devel/data/fedora
+
+for repo in core/4/i386/os core/updates/4/i386 extras/4/i386 ; do
+    wget -m -nH --cut-dirs=3 http://coblitz.planet-lab.org/pub/fedora/linux/$repo
+done
    +
    +

    Change the repository URI and --cut-dirs + level as needed to produce a hierarchy that resembles:

    +
    /plc/devel/data/fedora/core/4/i386/os
+/plc/devel/data/fedora/core/updates/4/i386
+/plc/devel/data/fedora/extras/4/i386
    +

    A list of additional Fedora Core 4 mirrors is available at + http://fedora.redhat.com/Download/mirrors.html.

    +
    +
    +

    +4.3. Building MyPLC

    +

    All PlanetLab source code modules are built and installed + as RPMS. A set of build scripts, checked into the + build/ directory of the PlanetLab CVS + repository, eases the task of rebuilding PlanetLab source + code.

    +

    To build MyPLC, or any PlanetLab source code module, from + within the MyPLC development environment, execute the following + commands as root:

    +
    +

    Example 9. Building MyPLC.

    +
    # Initialize MyPLC development environment
+service plc-devel start
+
+# Enter development environment
+chroot /plc/devel/root su -
+
+# Check out build scripts into a directory named after the current
+# date. This is simply a convention, it need not be followed
+# exactly. See build/build.sh for an example of a build script that
+# names build directories after CVS tags.
+DATE=$(date +%Y.%m.%d)
+cd /build
+cvs -d /cvs checkout -d $DATE build
+
+# Build everything
+make -C $DATE
    +
    +

    If the build succeeds, a set of binary RPMS will be + installed under + /plc/devel/data/build/$DATE/RPMS/ that you + may copy to the + /var/www/html/install-rpms/planetlab + directory of your MyPLC installation (see Section 2, “Installation”).

    +
    +
    +

    +4.4. Updating CVS

    +

    A complete snapshot of the PlanetLab source code is included + with the MyPLC development environment as a CVS repository in + /plc/devel/data/cvs. This CVS repository may + be accessed like any other CVS repository. It may be accessed + using an interface such as CVSweb, + and file permissions may be altered to allow for fine-grained + access control. Although the files are included with the + myplc-devel RPM, they are not subject to upgrade once installed. New + versions of the myplc-devel RPM will install + updated snapshot repositories in + /plc/devel/data/cvs-%{version}-%{release}, + where %{version}-%{release} is replaced with + the version number of the RPM.

    +

    Because the CVS repository is not automatically upgraded, + if you wish to keep your local repository synchronized with the + public PlanetLab repository, it is highly recommended that you + use CVS's support for vendor + branches to track changes. Vendor branches ease the task + of merging upstream changes with your local modifications. To + import a new snapshot into your local repository (for example, + if you have just upgraded from + myplc-devel-0.4-2 to + myplc-devel-0.4-3 and you notice the new + repository in /plc/devel/data/cvs-0.4-3), + execute the following commands as root from within the MyPLC + development environment:

    +
    +

    Example 10. Updating /data/cvs from /data/cvs-0.4-3.

    +

    Warning: This may cause + severe, irreversible changes to be made to your local + repository. Always tag your local repository before + importing.

    +
    # Initialize MyPLC development environment
+service plc-devel start
+
+# Enter development environment
+chroot /plc/devel/root su -
+
+# Tag current state
+cvs -d /cvs rtag before-myplc-0_4-3-merge
+
+# Export snapshot
+TMP=$(mktemp -d /data/export.XXXXXX)
+pushd $TMP
+cvs -d /data/cvs-0.4-3 export -r HEAD .
+cvs -d /cvs import -m "PlanetLab sources from myplc-0.4-3" -ko -I ! . planetlab myplc-0_4-3
+popd
+rm -rf $TMP
    +
    +

    If there any merge conflicts, use the command suggested by + CVS to help the merge. Explaining how to fix merge conflicts is + beyond the scope of this document; consult the CVS documentation + for more information on how to use CVS.

    +
    +

    -A. Configuration variables

    +A. Configuration variables

    Listed below is the set of standard configuration variables and their default values, defined in the template /etc/planetlab/default_config.xml. Additional @@ -527,33 +777,6 @@ vserver pl_conf exec service pl_conf restart

    The SSH private key used to access the root account on your nodes.

    -
    PLC_ROOT_CA_SSL_KEY
    -
    -

    - Type: file

    -

    - Default: /etc/planetlab/root_ca_ssl.key

    -

    The SSL private key used for signing all other - generated certificates. If non-existent, one will be - generated.

    -
    -
    PLC_ROOT_CA_SSL_KEY_PUB
    -
    -

    - Type: file

    -

    - Default: /etc/planetlab/root_ca_ssl.pub

    -

    The corresponding SSL public key.

    -
    -
    PLC_ROOT_CA_SSL_CRT
    -
    -

    - Type: file

    -

    - Default: /etc/planetlab/root_ca_ssl.crt

    -

    The corresponding SSL public - certificate.

    -
    PLC_MA_SA_NAMESPACE

    @@ -574,22 +797,36 @@ vserver pl_conf exec service pl_conf restart with the signature of your MA/SA. If non-existent, one will be generated.

    -
    PLC_MA_SA_SSL_KEY_PUB
    +
    PLC_MA_SA_SSL_CRT

    Type: file

    - Default: /etc/planetlab/ma_sa_ssl.pub

    -

    The corresponding SSL public key.

    + Default: /etc/planetlab/ma_sa_ssl.crt

    +

    The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by the PLC root + CA.

    -
    PLC_MA_SA_SSL_CRT
    +
    PLC_MA_SA_CA_SSL_CRT

    Type: file

    - Default: /etc/planetlab/ma_sa_ssl.crt

    -

    The corresponding SSL public certificate, - signed by the root CA.

    + Default: /etc/planetlab/ma_sa_ca_ssl.crt

    +

    If applicable, the certificate of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA certificate.

    +
    +
    PLC_MA_SA_CA_SSL_KEY_PUB
    +
    +

    + Type: file

    +

    + Default: /etc/planetlab/ma_sa_ca_ssl.pub

    +

    If applicable, the public key of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA public key.

    PLC_MA_SA_API_CRT
    @@ -597,11 +834,11 @@ vserver pl_conf exec service pl_conf restart Type: file

    Default: /etc/planetlab/ma_sa_api.xml

    -

    The API Certificate for your MA/SA is the SSL - public key for your MA/SA embedded in an XML document and - signed by the root CA SSL private key. The API Certificate - can be used by any PlanetLab node managed by any MA, to - verify that your MA/SA public key is valid.

    +

    The API Certificate is your MA/SA public key + embedded in a digitally signed XML document. By default, + this document is self-signed. You may replace this + certificate later with one signed by the PLC root + CA.

    PLC_NET_DNS1
    @@ -849,8 +1086,21 @@ vserver pl_conf exec service pl_conf restart Type: file

    Default: /etc/planetlab/api_ssl.crt

    -

    The corresponding SSL public certificate, - signed by the root CA.

    +

    The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by a root + CA.

    +
    +
    PLC_API_CA_SSL_CRT
    +
    +

    + Type: file

    +

    + Default: /etc/planetlab/api_ca_ssl.crt

    +

    The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate.

    PLC_WWW_ENABLED
    @@ -923,8 +1173,21 @@ vserver pl_conf exec service pl_conf restart Type: file

    Default: /etc/planetlab/www_ssl.crt

    -

    The corresponding SSL public certificate, - signed by the root CA.

    +

    The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA.

    +
    +
    PLC_WWW_CA_SSL_CRT
    +
    +

    + Type: file

    +

    + Default: /etc/planetlab/www_ca_ssl.crt

    +

    The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate.

    PLC_BOOT_ENABLED
    @@ -980,8 +1243,7 @@ vserver pl_conf exec service pl_conf restart

    Default: /etc/planetlab/boot_ssl.key

    The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated.

    + traffic.

    PLC_BOOT_SSL_CRT
    @@ -989,14 +1251,79 @@ vserver pl_conf exec service pl_conf restart Type: file

    Default: /etc/planetlab/boot_ssl.crt

    -

    The corresponding SSL public certificate, - signed by the root CA.

    +

    The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA.

    +
    +
    PLC_BOOT_CA_SSL_CRT
    +
    +

    + Type: file

    +

    + Default: /etc/planetlab/boot_ca_ssl.crt

    +

    The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate.

    +
    +
    + +
    +

    +B. Development environment configuration variables

    +
    +
    PLC_DEVEL_FEDORA_RELEASE
    +
    +

    + Type: string

    +

    + Default: 4

    +

    Version number of Fedora Core upon which to + base the build environment. Warning: Currently, only Fedora + Core 4 is supported.

    +
    +
    PLC_DEVEL_FEDORA_ARCH
    +
    +

    + Type: string

    +

    + Default: i386

    +

    Base architecture of the build + environment. Warning: Currently, only i386 is + supported.

    +
    +
    PLC_DEVEL_FEDORA_URL
    +
    +

    + Type: string

    +

    + Default: file:///usr/share/mirrors/fedora

    +

    Fedora Core mirror from which to install + filesystems.

    +
    +
    PLC_DEVEL_CVSROOT
    +
    +

    + Type: string

    +

    + Default: /cvs

    +

    CVSROOT to use when checking out code.

    +
    +
    PLC_DEVEL_BOOTSTRAP
    +
    +

    + Type: boolean

    +

    + Default: false

    +

    Controls whether MyPLC should be built inside + of its own development environment.

    -Bibliography

    +Bibliography

    [1] Mark Huang. PlanetLab Technical Contact's Guide.

    diff --git a/doc/myplc.xml b/doc/myplc.xml index 98e8bc2..fa35162 100644 --- a/doc/myplc.xml +++ b/doc/myplc.xml @@ -1,7 +1,8 @@ + + ]>
    @@ -27,14 +28,15 @@ 1.0 - April 7, 2006 - MLH - - - Initial draft. - + Initial draft. + + + 1.1 + July 19, 2006 + MLH + Add development environment. @@ -76,7 +78,7 @@ -
    +
    Installation Though internally composed of commodity software @@ -88,12 +90,14 @@ Installing MyPLC. - +rpm2cpio /tmp/myplc-0.4-1.planetlab.i386.rpm | cpio -diu]]> MyPLC installs the following files and directories: @@ -103,8 +107,8 @@ rpm2cpio myplc-0.3-1.planetlab.i386.rpm | cpio -diu]]> /plc/root.img: The main root filesystem of the MyPLC application. This file is an uncompressed ext3 filesystem that is loopback mounted on - /plc/root when MyPLC starts. The - filesystem, even when mounted, should be treated an opaque + /plc/root when MyPLC starts. This + filesystem, even when mounted, should be treated as an opaque binary that can and will be replaced in its entirety by any upgrade of MyPLC. @@ -117,13 +121,14 @@ rpm2cpio myplc-0.3-1.planetlab.i386.rpm | cpio -diu]]> /plc/data: The directory where user data and generated files are stored. This directory is bind - mounted into the chroot jail on - /data. Files in this directory are marked - with %config(noreplace) in the RPM. That - is, during an upgrade of MyPLC, if a file has not changed - since the last installation or upgrade of MyPLC, it is subject - to upgrade and replacement. If the file has chanegd, the new - version of the file will be created with a + mounted onto /plc/root/data so that it is + accessible as /data from within the + chroot jail. Files in this directory are + marked with %config(noreplace) in the + RPM. That is, during an upgrade of MyPLC, if a file has not + changed since the last installation or upgrade of MyPLC, it is + subject to upgrade and replacement. If the file has changed, + the new version of the file will be created with a .rpmnew extension. Symlinks within the MyPLC root filesystem ensure that the following directories (relative to /plc/root) are stored @@ -271,10 +276,12 @@ PLC: Signing node packages: [ OK ] mounts, or your kernel may not support loopback mounting, bind mounting, or the ext3 filesystem. Try freeing at least one loopback device, or re-compiling your kernel to support loopback - mounting, bind mounting, and the ext3 filesystem. SELinux may - also be enabled. If you install MyPLC on Fedora Core 4 or 5, use - the Security Level Configuration - utility to configure SELinux to be + mounting, bind mounting, and the ext3 filesystem. If you see an + error similar to Permission denied while trying to open + /plc/root.img, then SELinux may be enabled. If you + installed MyPLC on Fedora Core 4 or 5, use the + Security Level Configuration utility + to configure SELinux to be Permissive. Starting database server: If @@ -476,6 +483,279 @@ vserver pl_conf exec service pl_conf restart]]>
    +
    + Rebuilding and customizing MyPLC + + The MyPLC package, though distributed as an RPM, is not a + traditional package that can be easily rebuilt from SRPM. The + requisite build environment is quite extensive and numerous + assumptions are made throughout the PlanetLab source code base, + that the build environment is based on Fedora Core 4 and that + access to a complete Fedora Core 4 mirror is available. + + For this reason, it is recommended that you only rebuild + MyPLC (or any of its components) from within the MyPLC development + environment. The MyPLC development environment is similar to MyPLC + itself in that it is a portable filesystem contained within a + chroot jail. The filesystem contains all the + necessary tools required to rebuild MyPLC, as well as a snapshot + of the PlanetLab source code base in the form of a local CVS + repository. + +
    + Installation + + Install the MyPLC development environment similarly to how + you would install MyPLC. You may install both packages on the same + host system if you wish. As with MyPLC, the MyPLC development + environment should be treated as a monolithic software + application, and any files present in the + chroot jail should not be modified directly, as + they are subject to upgrade. + + + Installing the MyPLC development environment. + + + + + The MyPLC development environment installs the following + files and directories: + + + /plc/devel/root.img: The + main root filesystem of the MyPLC development environment. This + file is an uncompressed ext3 filesystem that is loopback mounted + on /plc/devel/root when the MyPLC + development environment is initialized. This filesystem, even + when mounted, should be treated as an opaque binary that can and + will be replaced in its entirety by any upgrade of the MyPLC + development environment. + + /plc/devel/root: The mount + point for + /plc/devel/root.img. + + + /plc/devel/data: The directory + where user data and generated files are stored. This directory + is bind mounted onto /plc/devel/root/data + so that it is accessible as /data from + within the chroot jail. Files in this + directory are marked with + %config(noreplace) in the RPM. Symlinks + ensure that the following directories (relative to + /plc/devel/root) are stored outside the + root filesystem image: + + + /etc/planetlab: This + directory contains the configuration files that define your + MyPLC development environment. + + /cvs: A + snapshot of the PlanetLab source code is stored as a CVS + repository in this directory. Files in this directory will + not be updated by an upgrade of + myplc-devel. See for more information about updating + PlanetLab source code. + + /build: + Builds are stored in this directory. This directory is bind + mounted onto /plc/devel/root/build so that + it is accessible as /build from within the + chroot jail. The build scripts in this + directory are themselves source controlled; see for more information about executing + builds. + + + + + /etc/init.d/plc-devel: This file is + a System V init script installed on your host filesystem, that + allows you to start up and shut down the MyPLC development + environment with a single command. + + +
    + +
    + Fedora Core 4 mirror requirement + + The MyPLC development environment requires access to a + complete Fedora Core 4 i386 RPM repository, because several + different filesystems based upon Fedora Core 4 are constructed + during the process of building MyPLC. You may configure the + location of this repository via the + PLC_DEVEL_FEDORA_URL variable in + /plc/devel/data/etc/planetlab/plc_config.xml. The + value of the variable should be a URL that points to the top + level of a Fedora mirror that provides the + base, updates, and + extras repositories, e.g., + + + file:///data/fedora + http://coblitz.planet-lab.org/pub/fedora + ftp://mirror.cs.princeton.edu/pub/mirrors/fedora + ftp://mirror.stanford.edu/pub/mirrors/fedora + http://rpmfind.net/linux/fedora + + + As implied by the list, the repository may be located on + the local filesystem, or it may be located on a remote FTP or + HTTP server. URLs beginning with file:// + should exist at the specified location relative to the root of + the chroot jail. For optimum performance and + reproducibility, specify + PLC_DEVEL_FEDORA_URL=file:///data/fedora and + download all Fedora Core 4 RPMS into + /plc/devel/data/fedora on the host system + after installing myplc-devel. Use a tool + such as wget or rsync to + download the RPMS from a public mirror: + + + Setting up a local Fedora Core 4 repository. + + + + + Change the repository URI and --cut-dirs + level as needed to produce a hierarchy that resembles: + + + + A list of additional Fedora Core 4 mirrors is available at + http://fedora.redhat.com/Download/mirrors.html. +
    + +
    + Building MyPLC + + All PlanetLab source code modules are built and installed + as RPMS. A set of build scripts, checked into the + build/ directory of the PlanetLab CVS + repository, eases the task of rebuilding PlanetLab source + code. + + To build MyPLC, or any PlanetLab source code module, from + within the MyPLC development environment, execute the following + commands as root: + + + Building MyPLC. + + + + + If the build succeeds, a set of binary RPMS will be + installed under + /plc/devel/data/build/$DATE/RPMS/ that you + may copy to the + /var/www/html/install-rpms/planetlab + directory of your MyPLC installation (see ). +
    + +
    + Updating CVS + + A complete snapshot of the PlanetLab source code is included + with the MyPLC development environment as a CVS repository in + /plc/devel/data/cvs. This CVS repository may + be accessed like any other CVS repository. It may be accessed + using an interface such as CVSweb, + and file permissions may be altered to allow for fine-grained + access control. Although the files are included with the + myplc-devel RPM, they are not subject to upgrade once installed. New + versions of the myplc-devel RPM will install + updated snapshot repositories in + /plc/devel/data/cvs-%{version}-%{release}, + where %{version}-%{release} is replaced with + the version number of the RPM. + + Because the CVS repository is not automatically upgraded, + if you wish to keep your local repository synchronized with the + public PlanetLab repository, it is highly recommended that you + use CVS's support for vendor + branches to track changes. Vendor branches ease the task + of merging upstream changes with your local modifications. To + import a new snapshot into your local repository (for example, + if you have just upgraded from + myplc-devel-0.4-2 to + myplc-devel-0.4-3 and you notice the new + repository in /plc/devel/data/cvs-0.4-3), + execute the following commands as root from within the MyPLC + development environment: + + + Updating /data/cvs from /data/cvs-0.4-3. + + Warning: This may cause + severe, irreversible changes to be made to your local + repository. Always tag your local repository before + importing. + + + + + If there any merge conflicts, use the command suggested by + CVS to help the merge. Explaining how to fix merge conflicts is + beyond the scope of this document; consult the CVS documentation + for more information on how to use CVS. +
    +
    + Configuration variables @@ -489,6 +769,12 @@ vserver pl_conf exec service pl_conf restart]]> &Variables; + + Development environment configuration variables + + &DevelVariables; + + Bibliography diff --git a/doc/variables.xml b/doc/variables.xml deleted file mode 100644 index 87a58e2..0000000 --- a/doc/variables.xml +++ /dev/null @@ -1,682 +0,0 @@ - - - PLC_NAME - - - Type: string - - Default: PlanetLab Test - The name of this PLC installation. It is used in - the name of the default system site (e.g., PlanetLab Central) - and in the names of various administrative entities (e.g., - PlanetLab Support). - - - - PLC_SLICE_PREFIX - - - Type: string - - Default: pl - The abbreviated name of this PLC - installation. It is used as the prefix for system slices - (e.g., pl_conf). Warning: Currently, this variable should - not be changed. - - - - PLC_ROOT_USER - - - Type: email - - Default: root@localhost.localdomain - The name of the initial administrative - account. We recommend that this account be used only to create - additional accounts associated with real - administrators, then disabled. - - - - PLC_ROOT_PASSWORD - - - Type: password - - Default: root - The password of the initial administrative - account. Also the password of the root account on the Boot - CD. - - - - PLC_ROOT_SSH_KEY_PUB - - - Type: file - - Default: /etc/planetlab/root_ssh_key.pub - The SSH public key used to access the root - account on your nodes. - - - - PLC_ROOT_SSH_KEY - - - Type: file - - Default: /etc/planetlab/root_ssh_key.rsa - The SSH private key used to access the root - account on your nodes. - - - - PLC_DEBUG_SSH_KEY_PUB - - - Type: file - - Default: /etc/planetlab/debug_ssh_key.pub - The SSH public key used to access the root - account on your nodes when they are in Debug mode. - - - - PLC_DEBUG_SSH_KEY - - - Type: file - - Default: /etc/planetlab/debug_ssh_key.rsa - The SSH private key used to access the root - account on your nodes when they are in Debug mode. - - - - PLC_ROOT_GPG_KEY_PUB - - - Type: file - - Default: /etc/planetlab/pubring.gpg - The GPG public keyring used to sign the Boot - Manager and all node packages. - - - - PLC_ROOT_GPG_KEY - - - Type: file - - Default: /etc/planetlab/secring.gpg - The SSH private key used to access the root - account on your nodes. - - - - PLC_ROOT_CA_SSL_KEY - - - Type: file - - Default: /etc/planetlab/root_ca_ssl.key - The SSL private key used for signing all other - generated certificates. If non-existent, one will be - generated. - - - - PLC_ROOT_CA_SSL_KEY_PUB - - - Type: file - - Default: /etc/planetlab/root_ca_ssl.pub - The corresponding SSL public key. - - - - PLC_ROOT_CA_SSL_CRT - - - Type: file - - Default: /etc/planetlab/root_ca_ssl.crt - The corresponding SSL public - certificate. - - - - PLC_MA_SA_NAMESPACE - - - Type: ip - - Default: test - The namespace of your MA/SA. This should be a - globally unique value assigned by PlanetLab - Central. - - - - PLC_MA_SA_SSL_KEY - - - Type: file - - Default: /etc/planetlab/ma_sa_ssl.key - The SSL private key used for signing documents - with the signature of your MA/SA. If non-existent, one will - be generated. - - - - PLC_MA_SA_SSL_KEY_PUB - - - Type: file - - Default: /etc/planetlab/ma_sa_ssl.pub - The corresponding SSL public key. - - - - PLC_MA_SA_SSL_CRT - - - Type: file - - Default: /etc/planetlab/ma_sa_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. - - - - PLC_MA_SA_API_CRT - - - Type: file - - Default: /etc/planetlab/ma_sa_api.xml - The API Certificate for your MA/SA is the SSL - public key for your MA/SA embedded in an XML document and - signed by the root CA SSL private key. The API Certificate - can be used by any PlanetLab node managed by any MA, to - verify that your MA/SA public key is valid. - - - - PLC_NET_DNS1 - - - Type: ip - - Default: 127.0.0.1 - Primary DNS server address. - - - - PLC_NET_DNS2 - - - Type: ip - - Default: - Secondary DNS server address. - - - - PLC_DNS_ENABLED - - - Type: boolean - - Default: true - Enable the internal DNS server. The server does - not provide reverse resolution and is not a production - quality or scalable DNS solution. Use the internal DNS - server only for small deployments or for - testing. - - - - PLC_MAIL_ENABLED - - - Type: boolean - - Default: false - Set to false to suppress all e-mail notifications - and warnings. - - - - PLC_MAIL_SUPPORT_ADDRESS - - - Type: email - - Default: root+support@localhost.localdomain - This address is used for support - requests. Support requests may include traffic complaints, - security incident reporting, web site malfunctions, and - general requests for information. We recommend that the - address be aliased to a ticketing system such as Request - Tracker. - - - - PLC_MAIL_BOOT_ADDRESS - - - Type: email - - Default: root+install-msgs@localhost.localdomain - The API will notify this address when a problem - occurs during node installation or boot. - - - - PLC_MAIL_SLICE_ADDRESS - - - Type: email - - Default: root+SLICE@localhost.localdomain - This address template is used for sending - e-mail notifications to slices. SLICE will be replaced with - the name of the slice. - - - - PLC_DB_ENABLED - - - Type: boolean - - Default: true - Enable the database server on this - machine. - - - - PLC_DB_TYPE - - - Type: string - - Default: postgresql - The type of database server. Currently, only - postgresql is supported. - - - - PLC_DB_HOST - - - Type: hostname - - Default: localhost.localdomain - The fully qualified hostname of the database - server. - - - - PLC_DB_IP - - - Type: ip - - Default: 127.0.0.1 - The IP address of the database server, if not - resolvable by the configured DNS servers. - - - - PLC_DB_PORT - - - Type: int - - Default: 5432 - The TCP port number through which the database - server should be accessed. - - - - PLC_DB_NAME - - - Type: string - - Default: planetlab3 - The name of the database to access. - - - - PLC_DB_USER - - - Type: string - - Default: pgsqluser - The username to use when accessing the - database. - - - - PLC_DB_PASSWORD - - - Type: password - - Default: - The password to use when accessing the - database. If left blank, one will be - generated. - - - - PLC_API_ENABLED - - - Type: boolean - - Default: true - Enable the API server on this - machine. - - - - PLC_API_DEBUG - - - Type: boolean - - Default: false - Enable verbose API debugging. Do not enable on - a production system! - - - - PLC_API_HOST - - - Type: hostname - - Default: localhost.localdomain - The fully qualified hostname of the API - server. - - - - PLC_API_IP - - - Type: ip - - Default: 127.0.0.1 - The IP address of the API server, if not - resolvable by the configured DNS servers. - - - - PLC_API_PORT - - - Type: int - - Default: 80 - The TCP port number through which the API - should be accessed. Warning: SSL (port 443) access is not - fully supported by the website code yet. We recommend that - port 80 be used for now and that the API server either run - on the same machine as the web server, or that they both be - on a secure wired network. - - - - PLC_API_PATH - - - Type: string - - Default: /PLCAPI/ - The base path of the API URL. - - - - PLC_API_MAINTENANCE_USER - - - Type: string - - Default: maint@localhost.localdomain - The username of the maintenance account. This - account is used by local scripts that perform automated - tasks, and cannot be used for normal logins. - - - - PLC_API_MAINTENANCE_PASSWORD - - - Type: password - - Default: - The password of the maintenance account. If - left blank, one will be generated. We recommend that the - password be changed periodically. - - - - PLC_API_MAINTENANCE_SOURCES - - - Type: hostname - - Default: - A space-separated list of IP addresses allowed - to access the API through the maintenance account. The value - of this variable is set automatically to allow only the API, - web, and boot servers, and should not be - changed. - - - - PLC_API_SSL_KEY - - - Type: file - - Default: /etc/planetlab/api_ssl.key - The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated. - - - - PLC_API_SSL_CRT - - - Type: file - - Default: /etc/planetlab/api_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. - - - - PLC_WWW_ENABLED - - - Type: boolean - - Default: true - Enable the web server on this - machine. - - - - PLC_WWW_DEBUG - - - Type: boolean - - Default: false - Enable debugging output on web pages. Do not - enable on a production system! - - - - PLC_WWW_HOST - - - Type: hostname - - Default: localhost.localdomain - The fully qualified hostname of the web - server. - - - - PLC_WWW_IP - - - Type: ip - - Default: 127.0.0.1 - The IP address of the web server, if not - resolvable by the configured DNS servers. - - - - PLC_WWW_PORT - - - Type: int - - Default: 80 - The TCP port number through which the - unprotected portions of the web site should be - accessed. - - - - PLC_WWW_SSL_PORT - - - Type: int - - Default: 443 - The TCP port number through which the protected - portions of the web site should be accessed. - - - - PLC_WWW_SSL_KEY - - - Type: file - - Default: /etc/planetlab/www_ssl.key - The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated. - - - - PLC_WWW_SSL_CRT - - - Type: file - - Default: /etc/planetlab/www_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. - - - - PLC_BOOT_ENABLED - - - Type: boolean - - Default: true - Enable the boot server on this - machine. - - - - PLC_BOOT_HOST - - - Type: hostname - - Default: localhost.localdomain - The fully qualified hostname of the boot - server. - - - - PLC_BOOT_IP - - - Type: ip - - Default: 127.0.0.1 - The IP address of the boot server, if not - resolvable by the configured DNS servers. - - - - PLC_BOOT_PORT - - - Type: int - - Default: 80 - The TCP port number through which the - unprotected portions of the boot server should be - accessed. - - - - PLC_BOOT_SSL_PORT - - - Type: int - - Default: 443 - The TCP port number through which the protected - portions of the boot server should be - accessed. - - - - PLC_BOOT_SSL_KEY - - - Type: file - - Default: /etc/planetlab/boot_ssl.key - The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated. - - - - PLC_BOOT_SSL_CRT - - - Type: file - - Default: /etc/planetlab/boot_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. - - - diff --git a/guest.init b/guest.init index b287ef7..5d14608 100755 --- a/guest.init +++ b/guest.init @@ -6,7 +6,7 @@ # # description: Manages all PLC services on this machine # -# $Id: guest.init,v 1.17 2006/04/27 21:50:00 mlhuang Exp $ +# $Id: guest.init,v 1.19 2006/07/10 21:10:21 mlhuang Exp $ # # Source function library and configuration @@ -35,79 +35,34 @@ reload () { # Regenerate the main configuration file from default values # overlaid with site-specific and current values. - tmp=$(mktemp /tmp/plc_config.xml.XXXXXX) - plc-config --xml \ - /etc/planetlab/default_config.xml \ - /etc/planetlab/configs/* \ - /etc/planetlab/plc_config.xml \ - >$tmp - if [ $? -eq 0 ] ; then - mv $tmp /etc/planetlab/plc_config.xml - chmod 644 /etc/planetlab/plc_config.xml - else - echo "PLC: Warning: Invalid configuration file(s) detected" - rm -f $tmp - fi - - # Shell constants - plc-config --shell >/etc/planetlab/plc_config - . /etc/planetlab/plc_config + files=( + /etc/planetlab/default_config.xml + /etc/planetlab/configs/* + /etc/planetlab/plc_config.xml + ) + for file in "${files[@]}" ; do + if [ $file -nt /etc/planetlab/plc_config.xml ] ; then + tmp=$(mktemp /tmp/plc_config.xml.XXXXXX) + plc-config --xml "${files[@]}" >$tmp + if [ $? -eq 0 ] ; then + mv $tmp /etc/planetlab/plc_config.xml + chmod 644 /etc/planetlab/plc_config.xml + else + echo "PLC: Warning: Invalid configuration file(s) detected" + rm -f $tmp + fi + break + fi + done - # Generate various defaults - if [ -z "$PLC_DB_PASSWORD" ] ; then - PLC_DB_PASSWORD=$(uuidgen) - plc-config --category=plc_db --variable=password --value="$PLC_DB_PASSWORD" --save + # Convert configuration to various formats + if [ /etc/planetlab/plc_config.xml -nt /etc/planetlab/plc_config ] ; then + plc-config --shell >/etc/planetlab/plc_config fi - - if [ -z "$PLC_API_MAINTENANCE_PASSWORD" ] ; then - PLC_API_MAINTENANCE_PASSWORD=$(uuidgen) - plc-config --category=plc_api --variable=maintenance_password --value="$PLC_API_MAINTENANCE_PASSWORD" --save + if [ /etc/planetlab/plc_config.xml -nt /etc/planetlab/php/plc_config.php ] ; then + mkdir -p /etc/planetlab/php + plc-config --php >/etc/planetlab/php/plc_config.php fi - - # Need to configure network before resolving hostnames - /etc/plc.d/network start 3>/dev/null 4>/dev/null - - PLC_API_MAINTENANCE_SOURCES=$( - for server in API BOOT WWW ; do - hostname=PLC_${server}_HOST - gethostbyname ${!hostname} - done | sort -u - ) - plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save - - # Save configuration - mkdir -p /etc/planetlab/php - plc-config --php >/etc/planetlab/php/plc_config.php - plc-config --shell >/etc/planetlab/plc_config - - # For backward compatibility, until we can convert all code to use - # the now standardized variable names. - - # DB constants are all named the same - ln -sf plc_config /etc/planetlab/plc_db - - # PHP constants - cat >/etc/planetlab/php/site_constants.php <<"EOF" -'); -define('PLANETLAB_SUPPORT_EMAIL_ONLY', PLC_MAIL_SUPPORT_ADDRESS); -?> -EOF - - # API constants are written in plc.d/api } usage() @@ -176,6 +131,8 @@ start () for step in "${steps[@]}" ; do if [ -x /etc/plc.d/$step ] ; then /etc/plc.d/$step start + # Steps may alter the configuration, may need to regenerate + reload else echo "PLC: $step: unrecognized step" >&4 exit 1 @@ -189,6 +146,8 @@ stop () step=${steps[$(($nsteps - $i))]} if [ -x /etc/plc.d/$step ] ; then /etc/plc.d/$step stop + # Steps may alter the configuration, may need to regenerate + reload else echo "PLC: $step: unrecognized step" >&4 exit 1 diff --git a/host.init b/host.init index 62aeed4..0c2a914 100755 --- a/host.init +++ b/host.init @@ -6,7 +6,7 @@ # # description: Manages all PLC services on this machine # -# $Id: host.init,v 1.8 2006/07/06 17:43:52 mlhuang Exp $ +# $Id: host.init,v 1.9 2006/07/17 21:30:33 mlhuang Exp $ # PATH=/sbin:/bin:/usr/bin:/usr/sbin @@ -29,8 +29,12 @@ if ! type -type success >/dev/null || ! type -type failure >/dev/null ; then fi # Source configuration -if [ -f /etc/sysconfig/plc -a -z "${PLC_ROOT}${PLC_DATA}" ] ; then - . /etc/sysconfig/plc +SERVICE=$(basename $0) +if [ ! -f /etc/sysconfig/$SERVICE ] ; then + SERVICE=plc +fi +if [ -f /etc/sysconfig/$SERVICE -a -z "${PLC_ROOT}${PLC_DATA}" ] ; then + . /etc/sysconfig/$SERVICE fi # Total number of errors @@ -141,12 +145,16 @@ case "$command" in start $* ;; + reload) + chroot $PLC_ROOT /sbin/service plc $PLC_OPTIONS reload $* + ;; + mount|umount|mountstatus) ${command}_plc $* ;; *) - echo "Usage: $0 {start|stop|restart|mount|umount|mountstatus}" + echo "Usage: $0 {start|stop|restart|reload|mount|umount|mountstatus}" RETVAL=1 ;; esac diff --git a/myplc.spec b/myplc.spec index 7e25982..1616004 100644 --- a/myplc.spec +++ b/myplc.spec @@ -6,7 +6,7 @@ URL: http://cvs.planet-lab.org/cvs/myplc Summary: PlanetLab Central (PLC) Portable Installation Name: myplc Version: 0.4 -Release: 1%{?pldistro:.%{pldistro}}%{?date:.%{date}} +Release: 2%{?pldistro:.%{pldistro}}%{?date:.%{date}} License: PlanetLab Group: Applications/Systems Source0: %{name}-%{version}.tar.gz @@ -23,11 +23,23 @@ through a graphical interface. All PLC services are started up and shut down through a single System V init script installed in the host system. +%package devel +Summary: PlanetLab Central (PLC) Development Environment +Group: Development/Tools +AutoReqProv: no + +%description devel +This package install a complete PlanetLab development environment +contained within a chroot jail. The default installation consists of a +local CVS repository bootstrapped with a snapshot of all PlanetLab +source code, and all the tools necessary to compile it. + %prep %setup -q %build pushd myplc +./build_devel.sh ./build.sh popd @@ -36,6 +48,10 @@ rm -rf $RPM_BUILD_ROOT pushd myplc +# +# myplc +# + # Install host startup script and configuration file install -D -m 755 host.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/plc install -D -m 644 plc.sysconfig $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/plc @@ -51,6 +67,25 @@ install -D -m 644 root.img $RPM_BUILD_ROOT/plc/root.img # Install data directory find data | cpio -p -d -u $RPM_BUILD_ROOT/plc/ +# +# myplc-devel +# + +# Install host startup script and configuration file +install -D -m 755 host.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/plc-devel +install -D -m 644 plc-devel.sysconfig $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/plc-devel + +# Install root filesystem +install -d -m 755 $RPM_BUILD_ROOT/plc/devel/root +install -D -m 644 devel/root.img $RPM_BUILD_ROOT/plc/devel/root.img + +# Install data directory +find devel/data | cpio -p -d -u $RPM_BUILD_ROOT/plc/ + +# Make sure /cvs is never upgraded once installed by giving it a +# unique name. A hard-linked copy is made in %post. +mv $RPM_BUILD_ROOT/plc/devel/data/{cvs,cvs-%{version}-%{release}} + popd %clean @@ -69,7 +104,36 @@ fi %pre if [ -x %{_sysconfdir}/init.d/plc ] ; then - service plc stop + %{_sysconfdir}/init.d/plc stop +fi + +# Old versions of myplc used to ship with a bootstrapped database and +# /etc/planetlab directory. Including generated files in the manifest +# was dangerous; if /plc/data/var/lib/pgsql/data/base/1/16676 changed +# names from one RPM build to another, it would be rpmsaved and thus +# effectively deleted. Now we do not include these files in the +# manifest. However, to avoid deleting these files in the process of +# upgrading from one of these old versions of myplc, we must back up +# the database and /etc/planetlab and restore them after the old +# version has been uninstalled in %triggerpostun. +# +# This code can be removed once all myplc-0.4-1 installations have +# been upgraded to at least myplc-0.4-2. + +# 0 = install, 1 = upgrade +if [ $1 -gt 0 ] ; then + for dir in /var/lib/pgsql/data /etc/planetlab ; do + if [ -d /plc/data/$dir ] ; then + echo "Preserving /plc/data/$dir" + mv /plc/data/$dir /plc/data/$dir.rpmsave + fi + done + + # Except for the default configuration file and DTD, which really + # should be considered for upgrade. + mkdir -m 755 -p /plc/data/etc/planetlab + mv /plc/data/etc/planetlab.rpmsave/{default_config.xml,plc_config.dtd} \ + /plc/data/etc/planetlab/ || : fi %post @@ -78,6 +142,23 @@ if [ -x /sbin/chkconfig ] ; then /sbin/chkconfig plc on fi +# Force a regeneration to take into account new variables +touch /plc/data/etc/planetlab/default_config.xml + +%triggerpostun -- %{name} +# 0 = erase, 1 = upgrade +if [ $1 -gt 0 ] ; then + for dir in /var/lib/pgsql/data /etc/planetlab ; do + if [ -d /plc/data/$dir.rpmsave -a -d /plc/data/$dir ] ; then + echo "Merging /plc/data/$dir" + if tar -C /plc/data/$dir.rpmsave -cpf - . | \ + tar -C /plc/data/$dir -xpf - ; then + rm -rf /plc/data/$dir.rpmsave + fi + fi + done +fi + %preun # 0 = erase, 1 = upgrade if [ $1 -eq 0 ] ; then @@ -88,6 +169,33 @@ if [ $1 -eq 0 ] ; then fi fi +%pre devel +if [ -x %{_sysconfdir}/init.d/plc-devel ] ; then + %{_sysconfdir}/init.d/plc-devel stop +fi + +%post devel +if [ -x /sbin/chkconfig ] ; then + /sbin/chkconfig --add plc-devel + /sbin/chkconfig plc-devel on +fi + +# If /cvs does not already exist, make a hard-linked copy of this +# version's /cvs repository. +if [ ! -d /plc/devel/data/cvs ] ; then + cp -rl /plc/devel/data/{cvs-%{version}-%{release},cvs} +fi + +%preun devel +# 0 = erase, 1 = upgrade +if [ $1 -eq 0 ] ; then + %{_sysconfdir}/init.d/plc-devel stop + if [ -x /sbin/chkconfig ] ; then + /sbin/chkconfig plc-devel off + /sbin/chkconfig --del plc-devel + fi +fi + %files %defattr(-,root,root,-) # Host startup script and configuration file @@ -105,7 +213,51 @@ fi %dir /plc/data %config(noreplace) /plc/data/* +%files devel +%defattr(-,root,root,-) +# Host startup script and configuration file +%{_sysconfdir}/init.d/plc-devel +%{_sysconfdir}/sysconfig/plc-devel + +# Root filesystem +/plc/devel/root.img +/plc/devel/root + +# Data directory +%dir /plc/devel/data +%config(noreplace) /plc/devel/data/* + %changelog +* Thu Jul 13 2006 Mark Huang - 0.4-2, 0.5-2 +- MyPLC 0.4 RC2. +- Fix many spec files (License replaces Copyright). +- Fix kernel build under gcc32 (module verification bug). +- Fix vnet build under gcc32 +- Fix PlanetFlow. MySQL RPM postinstall script no longer starts the + server. Also, get hostnames list from PLC_WWW_HOST, not + www.planet-lab.org. +- Fix pl_mom/bwmon to use cached values if NM is unresponsive +- Fix pl_mom/swapmon reset logic to avoid endless loops +- Remove ksymoops, add kernel-smp to standard PlanetLab package group +- Add kernel-smp boot support to bootmanager +- Add badblock search support to bootmanager +- Build development environment (myplc-devel). Add support for + building myplc itself inside myplc-devel. +- Move step-specific initialization to appropriate plc.d scripts +- Fix postgresql startup failure when bootstrapping +- Allow CA to be configured for each SSL certificate set. Stop doing + root CA stuff, this is outside the scope of MyPLC. MyPLC now only + generates self-signed certificates, but supports replacement of the + self-signed certificates with real certifcates signed by another CA, + as long as the CA is specified. +- Self-sign the MA/SA SSL certificate (and by extension, the MA/SA API + certificate). +- pl_mom: Workarounds for when NM queries time out. +- plc_api: Honor PLC_MAIL_ENABLED. + +* Wed Jul 6 2006 Mark Huang - 0.4-1, 0.5-1 +- First stable release of MyPLC 0.4 RC1. + * Wed Apr 5 2006 Mark Huang - 0.2-1 - Basic functionality complete. Consolidate into a single package installed in /plc. diff --git a/openssl.cnf b/openssl.cnf deleted file mode 100644 index 198c30c..0000000 --- a/openssl.cnf +++ /dev/null @@ -1,260 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -RANDFILE = /etc/planetlab/ssl/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = /etc/planetlab/ssl/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = /etc/planetlab/ssl # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -#crlnumber = $dir/crlnumber # the current crl number must be - # commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/cakey.pem # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! -# we use PrintableString+UTF8String mask so if pure ASCII texts are used -# the resulting certificates are compatible with Netscape -string_mask = MASK:0x2002 - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = GB -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Berkshire - -localityName = Locality Name (eg, city) -localityName_default = Newbury - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = My Company Ltd - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/plc-config b/plc-config index 840ee46..ac5e7b9 100755 --- a/plc-config +++ b/plc-config @@ -6,7 +6,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id$ +# $Id: plc-config,v 1.2 2006/07/17 21:29:21 mlhuang Exp $ # import sys @@ -71,6 +71,7 @@ def main(): "xml", "variables", "packages", + "groups", "comps", "category=", "variable=", "value=", "group=", "package=", "type=", @@ -96,6 +97,8 @@ def main(): output = plc.output_variables elif opt == "--packages": output = plc.output_packages + elif opt == "--groups": + output = plc.output_groups elif opt == "--comps": output = plc.output_comps elif opt == "--category": diff --git a/plc.d/api b/plc.d/api index 7f90de6..d015bc6 100755 --- a/plc.d/api +++ b/plc.d/api @@ -8,7 +8,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: api,v 1.3 2006/04/25 21:18:19 mlhuang Exp $ +# $Id: api,v 1.5 2006/07/10 21:08:06 mlhuang Exp $ # # Source function library and configuration @@ -27,6 +27,27 @@ case "$1" in MESSAGE=$"Configuring the API" dialog "$MESSAGE" + # Generate old DB configuration file + ln -sf plc_config /etc/planetlab/plc_db + + # Make sure that the API maintenance account is protected by a + # password. + if [ -z "$PLC_API_MAINTENANCE_PASSWORD" ] ; then + PLC_API_MAINTENANCE_PASSWORD=$(uuidgen) + plc-config --category=plc_api --variable=maintenance_password --value="$PLC_API_MAINTENANCE_PASSWORD" --save + fi + + # Make sure that all PLC servers are allowed to access the API + # through the maintenance account. + PLC_API_MAINTENANCE_SOURCES=$( + for server in API BOOT WWW ; do + hostname=PLC_${server}_HOST + gethostbyname ${!hostname} + done | sort -u + ) + plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save + + # Generate old API configuration file api-config check diff --git a/plc.d/functions b/plc.d/functions index e07788c..4437dd3 100644 --- a/plc.d/functions +++ b/plc.d/functions @@ -5,7 +5,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: functions,v 1.4 2006/04/25 21:18:19 mlhuang Exp $ +# $Id: functions,v 1.6 2006/07/10 21:05:37 mlhuang Exp $ # export PATH=/sbin:/bin:/usr/bin:/usr/sbin @@ -72,20 +72,6 @@ gethostbyname () perl -MSocket -e '($a,$b,$c,$d,@addrs) = gethostbyname($ARGV[0]); print inet_ntoa($addrs[0]) . "\n";' $1 2>/dev/null } -# Print the CNAME of an SSL certificate -ssl_cname () -{ - openssl x509 -noout -in $1 -subject | \ - sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' -} - -# Print the emailAddress of an SSL certificate -ssl_email () -{ - openssl x509 -noout -in $1 -subject | \ - sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p' -} - # Forcefully make a symlink symlink () { diff --git a/plc.d/httpd b/plc.d/httpd index 9741e82..013fcc7 100755 --- a/plc.d/httpd +++ b/plc.d/httpd @@ -7,7 +7,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: httpd,v 1.2 2006/04/25 21:18:19 mlhuang Exp $ +# $Id: httpd,v 1.4 2006/07/10 21:08:46 mlhuang Exp $ # # Source function library and configuration @@ -130,6 +130,28 @@ EOF # Make alpina-logs directory writable for bootmanager log upload chown apache:apache $DocumentRoot/alpina-logs/nodes + # Old style PHP constants + mkdir -p /etc/planetlab/php + cat >/etc/planetlab/php/site_constants.php <<"EOF" +'); +define('PLANETLAB_SUPPORT_EMAIL_ONLY', PLC_MAIL_SUPPORT_ADDRESS); +?> +EOF + plc_daemon httpd check diff --git a/plc.d/packages b/plc.d/packages index a19422f..b85c9a7 100755 --- a/plc.d/packages +++ b/plc.d/packages @@ -7,7 +7,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: packages,v 1.2 2006/05/18 22:58:20 mlhuang Exp $ +# $Id: packages,v 1.4 2006/07/19 14:15:15 mlhuang Exp $ # # Source function library and configuration @@ -40,9 +40,9 @@ case "$1" in check fi - # Update yum metadata. createrepo sometimes leaves behind - # an .olddata file accidentally. - rm -rf $repository/.olddata + # Update yum metadata. yum-arch createrepo sometimes leaves behind + # .oldheaders and .olddata directories accidentally. + rm -rf $repository/{.oldheaders,.olddata} yum-arch $repository check createrepo -g yumgroups.xml $repository diff --git a/plc.d/postgresql b/plc.d/postgresql index f777a55..362cb5f 100755 --- a/plc.d/postgresql +++ b/plc.d/postgresql @@ -7,7 +7,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: postgresql,v 1.3 2006/05/02 23:52:50 mlhuang Exp $ +# $Id: postgresql,v 1.5 2006/07/10 21:09:24 mlhuang Exp $ # # Source function library and configuration @@ -35,7 +35,9 @@ postgresql_start () if status postmaster && [ -f /var/lock/subsys/postgresql ] ; then # The only way we can be sure is if we can access it for i in $(seq 1 10) ; do - psql -U postgres -c "" template1 && return 0 + # Must do this as the postgres user initially (before we + # fix pg_hba.conf to passwordless localhost access). + su -c 'psql -U postgres -c "" template1' postgres && return 0 sleep 1 done fi @@ -104,6 +106,10 @@ case "$1" in check # Create/update the unprivileged database user and password + if [ -z "$PLC_DB_PASSWORD" ] ; then + PLC_DB_PASSWORD=$(uuidgen) + plc-config --category=plc_db --variable=password --value="$PLC_DB_PASSWORD" --save + fi if ! psql -U $PLC_DB_USER -c "" template1 >/dev/null 2>&1 ; then psql -U postgres -c "CREATE USER $PLC_DB_USER PASSWORD '$PLC_DB_PASSWORD'" template1 else diff --git a/plc.d/ssl b/plc.d/ssl index d8da402..29435f5 100755 --- a/plc.d/ssl +++ b/plc.d/ssl @@ -7,7 +7,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: ssl,v 1.6 2006/06/28 20:44:17 alk Exp $ +# $Id: ssl,v 1.9 2006/07/17 21:28:55 mlhuang Exp $ # # Source function library and configuration @@ -17,112 +17,100 @@ # Be verbose set -x -mkcert () +# Print the CNAME of an SSL certificate +ssl_cname () { - CN=$1 - KEY=$2 - CRT=$3 - - # Generate a temporary CSR. We could save the CSR, but it's not - # worth the trouble. - csr=$(mktemp /tmp/csr.XXXXXX) - - mkdir -p $(dirname $KEY) - openssl req -config /etc/planetlab/ssl/openssl.cnf \ - -new -extensions v3_req -days 3650 -set_serial $RANDOM \ - -batch -subj "/CN=$CN" \ - -nodes -keyout $KEY -out $csr - check - chmod 600 $KEY - - # Generate and sign certificate from CSR - serial=$(cat /etc/planetlab/ssl/serial) - - openssl ca -config /etc/planetlab/ssl/openssl.cnf \ - -keyfile $PLC_ROOT_CA_SSL_KEY \ - -cert $PLC_ROOT_CA_SSL_CRT \ - -batch -infiles $csr - check - - mv /etc/planetlab/ssl/$serial.pem $CRT - chmod 644 $CRT - - # Delete CSR - rm -f $csr + openssl x509 -noout -in $1 -subject | \ + sed -n -e 's@.*/CN=\([^/]*\).*@\1@p' } -case "$1" in - start) - MESSAGE=$"Generating SSL certificates" - dialog "$MESSAGE" +# Print the emailAddress of an SSL certificate +ssl_email () +{ + openssl x509 -noout -in $1 -subject | \ + sed -n -e 's@.*/emailAddress=\([^/]*\).*@\1@p' +} - # Check if root CA certificate is valid - if [ -f $PLC_ROOT_CA_SSL_CRT ] ; then - verify=$(openssl verify $PLC_ROOT_CA_SSL_CRT) - # If self signed, assume that we generated it - if grep -q "self signed certificate" <<<$verify ; then - # Delete if expired or PLC name or e-mail address has changed - if grep -q "expired" <<<$verify || \ - [ "$(ssl_cname $PLC_ROOT_CA_SSL_CRT)" != "$PLC_NAME Root CA" ] || \ - [ "$(ssl_email $PLC_ROOT_CA_SSL_CRT)" != "$PLC_MAIL_SUPPORT_ADDRESS" ] ; then - rm -f $PLC_ROOT_CA_SSL_CRT - fi - fi +# Verify a certificate. If invalid, generate a new self-signed +# certificate. +verify_or_generate_certificate() { + crt=$1 + key=$2 + ca=$3 + cname=$4 + email=$5 + + # If the CA certificate does not exist, assume that the + # certificate is self-signed. + if [ ! -f $ca ] ; then + cp -a $crt $ca + fi + + if [ -f $crt ] ; then + # Check if certificate is valid + verify=$(openssl verify -CAfile $ca $crt) + # Delete if invalid or if the subject has changed + if grep -q "error" <<<$verify || \ + [ "$(ssl_cname $crt)" != "$cname" ] || \ + [ "$(ssl_email $crt)" != "$email" ] ; then + rm -f $crt $ca fi + fi - # Generate root CA key pair and certificate - if [ ! -f $PLC_ROOT_CA_SSL_CRT ] ; then - mkdir -p $(dirname $PLC_ROOT_CA_SSL_CRT) - openssl req -config /etc/planetlab/ssl/openssl.cnf \ - -new -x509 -extensions v3_ca -days 3650 -set_serial $RANDOM \ - -batch -subj "/CN=$PLC_NAME Root CA/emailAddress=$PLC_MAIL_SUPPORT_ADDRESS" \ - -nodes -keyout $PLC_ROOT_CA_SSL_KEY -out $PLC_ROOT_CA_SSL_CRT - check - chmod 600 $PLC_ROOT_CA_SSL_KEY - chmod 644 $PLC_ROOT_CA_SSL_CRT - - # API certificate verification requires a public key - openssl rsa -pubout <$PLC_ROOT_CA_SSL_KEY >$PLC_ROOT_CA_SSL_KEY_PUB - check - chmod 644 $PLC_ROOT_CA_SSL_KEY_PUB - - # Reset DB - >/etc/planetlab/ssl/index.txt - echo "01" >/etc/planetlab/ssl/serial + if [ ! -f $crt ] ; then + # Set subject + subj= + if [ -n "$cname" ] ; then + subj="$subj/CN=$cname" fi - - # Check if MA/SA certificate is valid - if [ -f $PLC_MA_SA_SSL_CRT ] ; then - verify=$(openssl verify -CAfile $PLC_ROOT_CA_SSL_CRT $PLC_MA_SA_SSL_CRT) - # Delete if expired or not signed correctly - if grep -q "error" <<<$verify ; then - rm -f $PLC_MA_SA_SSL_CRT - fi + if [ -n "$email" ] ; then + subj="$subj/emailAddress=$email" fi - # Generate MA/SA key pair and certificate - if [ ! -f $PLC_MA_SA_SSL_CRT ] ; then - mkcert "$PLC_NAME Management and Slice Authority" \ - $PLC_MA_SA_SSL_KEY $PLC_MA_SA_SSL_CRT - - # Make readable by apache so that the API can sign certificates - chown apache $PLC_MA_SA_SSL_KEY - chmod 600 $PLC_MA_SA_SSL_KEY + # Generate new self-signed certificate + mkdir -p $(dirname $crt) + openssl req -new -x509 -days 3650 -set_serial $RANDOM \ + -batch -subj "$subj" \ + -nodes -keyout $key -out $crt + check + chmod 644 $crt + + # The certificate it self-signed, so it is its own CA + cp -a $crt $ca + fi +} - # API requires a public key for slice ticket verification - openssl rsa -pubout <$PLC_MA_SA_SSL_KEY >$PLC_MA_SA_SSL_KEY_PUB - check - chmod 644 $PLC_MA_SA_SSL_KEY_PUB - fi +case "$1" in + start) + MESSAGE=$"Generating SSL certificates" + dialog "$MESSAGE" - # Generate self-signed HTTPS certificate(s). These nice - # commands come from the mod_ssl spec file for Fedora Core - # 2. We generate a certificate for each enabled server - # with a different hostname. These self-signed - # certificates may be overridden later. + # Verify or generate MA/SA certificate if necessary. This + # self-signed certificate may be overridden later. + verify_or_generate_certificate \ + $PLC_MA_SA_SSL_CRT $PLC_MA_SA_SSL_KEY $PLC_MA_SA_CA_SSL_CRT \ + "$PLC_NAME Management and Slice Authority" \ + $PLC_MAIL_SUPPORT_ADDRESS + + # Make MA/SA key readable by apache so that the API can sign + # certificates + chown apache $PLC_MA_SA_SSL_KEY + chmod 600 $PLC_MA_SA_SSL_KEY + + # Extract the public key of the root CA (if any) that signed + # the MA/SA certificate. + openssl x509 -in $PLC_MA_SA_CA_SSL_CRT -noout -pubkey >$PLC_MA_SA_CA_SSL_KEY_PUB + check + chmod 644 $PLC_MA_SA_CA_SSL_KEY_PUB + + # Generate HTTPS certificates if necessary. We generate a + # certificate for each enabled server with a different + # hostname. These self-signed certificates may be overridden + # later. for server in WWW API BOOT ; do ssl_key=PLC_${server}_SSL_KEY ssl_crt=PLC_${server}_SSL_CRT + ca_ssl_crt=PLC_${server}_CA_SSL_CRT hostname=PLC_${server}_HOST # Check if we have already generated a certificate for @@ -133,38 +121,22 @@ case "$1" in fi previous_ssl_key=PLC_${previous_server}_SSL_KEY previous_ssl_crt=PLC_${previous_server}_SSL_CRT + previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT previous_hostname=PLC_${previous_server}_HOST if [ -f ${!previous_ssl_crt} ] && \ [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then cp -a ${!previous_ssl_key} ${!ssl_key} cp -a ${!previous_ssl_crt} ${!ssl_crt} + cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt} break fi done - # Check if self-signed certificate is valid - if [ -f ${!ssl_crt} ] ; then - verify=$(openssl verify ${!ssl_crt}) - # If self-signed - if grep -q "self signed certificate" <<<$verify ; then - # Delete if expired or hostname changed - if grep -q "expired" <<<$verify || \ - [ "$(ssl_cname ${!ssl_crt})" != "${!hostname}" ] ; then - rm -f ${!ssl_crt} - fi - fi - fi + verify_or_generate_certificate \ + ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \ + ${!hostname} $PLC_MAIL_SUPPORT_ADDRESS - # Generate new self-signed certificate - if [ ! -f ${!ssl_crt} ] ; then - mkdir -p $(dirname ${!ssl_crt}) - openssl req -new -x509 -days 3650 -set_serial $RANDOM \ - -batch -subj "/CN=${!hostname}" \ - -nodes -keyout ${!ssl_key} -out ${!ssl_crt} - check - chmod 644 ${!ssl_crt} - fi done # Install HTTPS certificates into both /etc/pki (Fedora Core diff --git a/plc_config.py b/plc_config.py index d1ab2b4..f908233 100644 --- a/plc_config.py +++ b/plc_config.py @@ -7,7 +7,7 @@ # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: plc_config.py,v 1.2 2006/04/04 22:09:25 mlhuang Exp $ +# $Id: plc_config.py,v 1.4 2006/07/17 21:29:15 mlhuang Exp $ # import xml.dom.minidom @@ -741,6 +741,19 @@ DO NOT EDIT. This file was automatically generated at return buf.getvalue() + def output_groups(self, encoding = "utf-8"): + """ + Return list of all package group names. + """ + + buf = codecs.lookup(encoding)[3](StringIO()) + + for (group, packages) in self._packages.values(): + buf.write(group['name'] + os.linesep) + + return buf.getvalue() + + def output_comps(self, encoding = "utf-8"): """ Return section of configuration. diff --git a/plc_config.xml b/plc_config.xml index dd5d7b1..5f17219 100644 --- a/plc_config.xml +++ b/plc_config.xml @@ -6,7 +6,7 @@ Default PLC configuration file Mark Huang Copyright (C) 2006 The Trustees of Princeton University -$Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ +$Id: plc_config.xml,v 1.15 2006/07/10 21:04:17 mlhuang Exp $ --> @@ -101,27 +101,6 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ The SSH private key used to access the root account on your nodes. - - - Root CA SSL Private Key - /etc/planetlab/root_ca_ssl.key - The SSL private key used for signing all other - generated certificates. If non-existent, one will be - generated. - - - - Root CA SSL Public Key - /etc/planetlab/root_ca_ssl.pub - The corresponding SSL public key. - - - - Root CA SSL Public Certificate - /etc/planetlab/root_ca_ssl.crt - The corresponding SSL public - certificate. - @@ -148,27 +127,39 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ be generated. - - SSL Public Key - /etc/planetlab/ma_sa_ssl.pub - The corresponding SSL public key. - - SSL Public Certificate /etc/planetlab/ma_sa_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by the PLC root + CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/ma_sa_ca_ssl.crt + If applicable, the certificate of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA certificate. + + + + Root CA SSL Public Key + /etc/planetlab/ma_sa_ca_ssl.pub + If applicable, the public key of the PLC root + CA. If your MA/SA certificate is self-signed, then this file + is the same as your MA/SA public key. API Certificate /etc/planetlab/ma_sa_api.xml - The API Certificate for your MA/SA is the SSL - public key for your MA/SA embedded in an XML document and - signed by the root CA SSL private key. The API Certificate - can be used by any PlanetLab node managed by any MA, to - verify that your MA/SA public key is valid. + The API Certificate is your MA/SA public key + embedded in a digitally signed XML document. By default, + this document is self-signed. You may replace this + certificate later with one signed by the PLC root + CA. @@ -412,8 +403,19 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Public Certificate /etc/planetlab/api_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate. By + default, this certificate is self-signed. You may replace + the certificate later with one signed by a root + CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/api_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate. @@ -482,8 +484,19 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Public Certificate /etc/planetlab/www_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/www_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate. @@ -543,15 +556,25 @@ $Id: plc_config.xml,v 1.13 2006/05/23 18:14:47 mlhuang Exp $ SSL Private Key /etc/planetlab/boot_ssl.key The SSL private key to use for encrypting HTTPS - traffic. If non-existent, one will be - generated. + traffic. SSL Public Certificate /etc/planetlab/boot_ssl.crt - The corresponding SSL public certificate, - signed by the root CA. + The corresponding SSL public certificate for + the HTTP server. By default, this certificate is + self-signed. You may replace the certificate later with one + signed by a root CA. + + + + Root CA SSL Public Certificate + /etc/planetlab/boot_ca_ssl.crt + The certificate of the root CA, if any, that + signed your server certificate. If your server certificate is + self-signed, then this file is the same as your server + certificate. diff --git a/plc_devel_config.xml b/plc_devel_config.xml index cb9e5b0..5c14e3a 100644 --- a/plc_devel_config.xml +++ b/plc_devel_config.xml @@ -6,7 +6,7 @@ Default PLC build environment configuration file Mark Huang Copyright (C) 2006 The Trustees of Princeton University -$Id: plc_devel_config.xml,v 1.1 2006/07/17 21:31:31 mlhuang Exp $ +$Id: plc_devel_config.xml,v 1.2 2006/07/18 17:37:53 mlhuang Exp $ -->