1.0 High Level Overview

 

The purpose of Geniwrapper is to provide a Geni-like interface around the existing planetlab infrastructure. The existing infrastructure consists of two parts: planetlab central (PLC) and planetlab nodes. Geni defines three interfaces: Registry, Slice, and Component Management.  A part of the wrapper is co-located with PLC (it exports the Registry and Slice interfaces), and a part of the wrapper is co-located with each node (it exports the Slice and Management interfaces).

 

Geniwrapper is comprised of the following logical modules: utility classes, plc wrapper, component wrapper, and command line client. Client-server communication uses a variant of XML-RPC called the Geni protocol. Section 1 of this document presents a very brief overview of each module. In-depth discussion occurs later.

 

Much of this design adheres to the SFA, and as such this document avoids duplication of the information already presented in the SFA. For example, the description of privileges, which operations are allowed by a specific privileges, and how privileges are assigned to principals is described fully in the SFA and is therefore not duplicated here.

 

NOTE: API documentation is extracted from code comments automatically and is maintained in separate files, one documentation file corresponding to each python source file. An effort has been made to keep API documentation separate from this document, so that the API documentation may be self-maintaining as the code is updated.

 

Geniwrapper is checked into a subversion repository at http://svn.planetlab.org/geniwrapper. [TODO: verify link]

 

 

1.2 PLC wrapper

 

The plc wrapper is intended to be colocated with PLC. All communication between the plc wrapper and PLC uses the PLCAPI interface and as such, the plc wrapper can be run on a separate machine for ease of development. In addition to the Geni registry operations (register, update, ...), the plc wrapper also implements slice operations, such as GetTicket.

 

The plc wrapper is located in the plc subdirectory.

 

TODO: Most of the slice interface is yet to be implemented in plc wrapper.

 

1.3 The component wrapper

 

The component wrapper is located on planetlab nodes. It implements the slice interface, and the component management interface. Due to SFA engineering decisions, some slice operations (i.e. GetTicket) are not supported in the component wrapper.

 

The component wrapper is located in the component subdirectory.

 

1.4 Command line client

 

The command line client exports a client interface to Geni that may be used for testing and demonstration purposes. It allows easy invocation of Geni api functions and dumps the results in a human-readable format.

 

The command line client is located in the cmdline subdirectory

 

1.5 Geni Protocol

 

The Geni protocol is based on XML-RPC. It is implemented primarily in the geniserver.py and geniclient.py files located with the utility classes. Modifications to the XML-RPC protocol include the following:

 

 

Authentication:

 

Authentication of the client by the server is done by using Credentials/GIDs. Generally, each operation contains a credential as the first argument. This credential includes the GID of the caller, which in turn contains the public key of the caller. The server ensures that this public key matches the public key that is being used to decrypt the HTTPS connection, thus ensuring the caller must posess the private key that corresponds to the GID.

 

Authentication of the server by the client is left as an exercise for the client. It may be done easily by specifying the server's public key when the client create the HTTPS connection. This presumes the client knows the public key (or GID) of the server he is trying to connect to.

 
1.6 Extending Geniwrapper to other environments

The PLC Wrapper and Component Wrapper are implemented to work on top of the Planetlab environment, but Geniwrapper was designed specifically to be easy to port to other platforms or environments. The utility classes are generally planetlab-independent, and the planetlab specific code is located in the directories that house the PLC and Component wrappers. The utility classes implement most of the complexity of the Geni wrapper, allowing the PLC and Component wrappers to be relatively lightweight.

For example, looking at the code for the stop_slice function implemented in the component wrapper:

    def stop_slice(self, cred_str):
        self.decode_authentication(cred_str, "stopslice")
        slicename = hrn_to_pl_slicename(self.object_gid.get_hrn())
        print "stopslice:", slicename
        accounts.get(slicename).stop()

The hrn_to_pl_slicename() function and accounts() class are planetlab-specific and implement the actual stopping of the slice. The remaining code that implements the Geni protocol, decodes credentials and authentication, etc., is planetlab-independent, and could be easily used in a non-planetlab environment.

2.0 Utility Classes

 

2.1 Certificates and Keys (cert.py)

 

Geniwrapper uses two crypto libraries: pyOpenSSL and M2Crypto to implement the necessary crypto functionality. Ideally just one of these libraries would be used, but unfortunately each of these libraries is independently lacking. The pyOpenSSL library is missing many necessary functions, and the M2Crypto library has crashed inside of some of the functions. The design decision is to use pyOpenSSL whenever possible as it seems more stable, and only use M2Crypto for those functions that are not possible in pyOpenSSL.

 

2.1.1 Keys

 

Public-private key pairs are implemented by the Keypair class. A Keypair object may represent both a public and private key pair, or it may represent only a public key (this usage is consistent with OpenSSL).

2.1.2 Certificates

 

The certificate class implements a general purpose X509 certificate, making use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds several addition features, such as the ability to maintain a chain of parent certificates, and storage of application-specific data.

 

Certificates include the ability to maintain a chain of parents. Each certificate includes a pointer to it's parent certificate. When loaded from a file or a string, the parent chain will be automatically loaded. When saving a certificate to a file or a string, the caller can choose whether to save the parent certificates as well.

 

Example creation of a certificate:

 

      # create a key for an issuer
      issuerKey = Keypair(create=True)
      issuerSubject = "testissuer"

 

      # create a key for the certificate

      userKey = KeyPair(create=True)

 

      # create the certificate, set the issuer, and sign it

      cert = Certificate(subject="test")
      cert.set_issuer(issuerKey, issuerSubject)

      cert.set_pubkey(userKey)
      cert.sign()

 

2.1.3 Certificate Verification

 

Verification examines a chain of certificates to ensure that each parent signs the child, and that some certificate in the chain is signed by a trusted certificate. Verification is a basic recursion:

    if this_certificate was signed by trusted_certs:
        return
    else
        return verify_chain(parent, trusted_certs)

At each recursion, the parent is tested to ensure that it did sign the child. If a parent did not sign a child, then an exception is thrown. If the bottom of the recursion is reached and the certificate does not match a trusted root, then an exception is thrown.

     
2.2 GIDS (gid.py)

 

GIDs are a derivative class of certificates and as such the GID class inherits all the methods of the certificate class. A GID includes a tuple of the following fields: 

 

   (uuid, hrn, public_key)

 

UUID is a unique identifier and is created by the python uuid module (or the utility function create_uuid() in gid.py).

 

HRN is a human readable name. It is a dotted form similar to a backward domain name. For example, planetlab.us.arizona.bakers.

 

PUBLIC_KEY is the public key of the principal identified by the UUID/HRN. It is a Keypair object as defined in the cert.py module.

 

It is expected that there is a one-to-one pairing between UUIDs and HRN, but it is uncertain how this would be inforced or if it needs to be enforced.

 

2.2.1 Encoding and Decoding

 

The 5 fields of the GID tuple are stored in the subject-alt-name field of the X509 certificate. Two routines are included to package and unpackage these fields: Encode() and Decode(). Encode should be called prior to signing the GID. Decode is automatically called on demand by the various get_*() functions.

 

2.2.2 Verification of GIDs

 

 

2.3 Credentials (credential.py)

 

Credentials are a derivative class of certificates and as such the credential class inherits all the methods of the certificate class. A credential includes a tuple of the following fields:

 

    (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)

 

GIDCaller identifies the holder of the credential. When a credential is presented to a component, the security layer ensures that the client matches the public key that is contained in GIDCaller.

 

GIDObject identifies the object of the credential. This object depends upon the type of the credential. For example, the credential for a user likely has GIDObject == GIDCaller. Credentials for slices would include the GID of the slice in the GIDObject field. Credentials for authorities include the GID of the authority in the GIDObject field.

 

LifeTime is the lifetime of the credential. Currently not implemented; expect to implement it as an expiration date, and refuse credentials beyond that date.

 

Privileges is a Rights object that describes the rights that are granted to the holder of the credential.

 

Delegate is a True/False bit that indicates whether or not a credential can be delegated to a different caller.

 

2.3.1 Encoding and Decoding

 

The 5 fields of the credential tuple are stored in the subject-alt-name field of the X509 certificate. Two routines are included to package and unpackage these fields: Encode() and Decode(). Encode should be called prior to signing the credential. Decode is automatically called on demand by the various get_*() functions.

 

2.3.2 Verification of Credentials

 

In addition to the checks for ordinary certificates, verification of credentials also ensures that the delegate bit was set by each parent in the chain. If a delegate bit was not set, then an exception is thrown. Each credential must also contain a subset of the rights of the parent credential (i.e. a user credential cannot delegate authority rights).

2.4 Rights (rights.py)

Rights are implemented by two classes:

Right - represents a single right
RightList - represents a list of rights A right may allow several different operations.

For example, the "info" right allows "listslices", "listcomponentresources", etc.

2.5 Records (record.py)

 

The GeniRecord class implements a Geni Record. The GeniRecord class implements an abstract interface for the record, so that a client may use records without having to understant the underlying implementation details, such as whether the record is realized in the registry database, a local cache, or has been transmitted over the wire by an interface. A GeniRecord is a tuple (Name, GID, Type, Info).

 

  Name specifies the HRN of the object GID is the GID of the object

 

  Type is user | sa | ma | slice | component Info is comprised of the following sub-fields

 

  Pointer is a pointer to the record in the PL database

 

  pl_info is planetlab-specific info (when talking to client)

 

  geni_info = geni-specific info (when talking to client)

 

The pointer is interpreted depending on the type of the record. For example, if the type=="user", then pointer is assumed to be a person_id that indexes into the persons table.

 

A given HRN may have more than one record, provided that the records are of different types. For example, planetlab.us.arizona may have both an SA and a MA record, but cannot have two SA records.

 

2.6 Tickets (geniticket.py)

 

Similar to GIDs and Credentials, tickets also leverage the certificate object.

 

A Ticket is tuple:
   (gidCaller, gidObject, attributes, rspec, delegate)

    gidCaller = GID of the caller performing the operation
    gidObject = GID of the slice
    attributes = slice attributes (keys, vref, instantiation, etc)
    rspec = resources

 

Tickets are created by invoking GetTicket() on the plc wrapper. The slice attributes and rspec are taken from the planetlab slice database and represent the current state of the slice. As of yet, tickets do not include any concept of time -- a ticket represents the state of the slice at the current time only.

 

Tickets are redeemed by invoking RedeemTicket() on the slice interface. The attributes and spec are combined back into a planetlab slice record and handed off to the node manager.

 

Tickets are signed by an authority and include parentage information that traces the chain of authorities back to a trusted root.

 

2.6.1 rspecs

 

The rspec is currently a dictionary of {name: value} pairs. These pairs are taken verbatim from the planetlab slice database.

 

The general rule that is used is that things in the slice record that do not specifically imply a tangible resource (initscripts, keys, etc) are treated as attributes and things that do specify a tangible resource (disk, network, etc) are treated as the rspec.

 

TODO: The definition of an rspec is evolving. It remains to reconcile the eclipse schema with Geniwrapper. Gacks is also using another rspec format, which may be need to be reconciled with the eclipse schema and/or geniwrapper.

 

 

The default behavior is that all authorities contained in the hierarchy will be located together in a single physical registry. However, this is not strictly necessary. The *.DBINFO files contain the database information for an authority and can easily be configured to point to other machines. How an authority would cause the DBINFO files to be installed in the correct places is left as a separate exercise, possibly via an out-of-band management interface or a web page.

2.8 Configuration Information (config.py)

This module holds configuration parameters for geniwrapper. There are two main pieces of information that are used: the database connection and the PLCAPI connection.

Geniwrapper uses a MYSQL database to store records. This database may be co-located with the PLC database, or it may be a separate database. The following parameters define the connection to the database. Note that Geniwrapper does not access any of the PLC databases directly via a mysql connection; All PLC databases are accessed via PLCAPI.

2.8.1 Database Configuration

 

Below is an example database configuration from config.py:

 

def get_default_dbinfo():
    dbinfo={}
    dbinfo['dbname'] = 'planetlab4'
    dbinfo['address'] = 'localhost'
    dbinfo['port'] = 5432
    dbinfo['user'] = 'pgsqluser'
    dbinfo['password'] = '4c77b272-c892-4bdf-a833-dddeeee1a2ed'

    return dbinfo

 

This identifies several important pieces of the database configuration. The name specifies the database name as used by pgsql. The address is the hostname (or ip-address) of the machine that is hosting the database. It is most likely the local machine. Port specifies the socket port where the pgsql is listening. The user and password authenticate Geniwrapper to the pgsql database. In this example, an existing PLC database was used. This is not strictly necessary as only Geni-specific information is stored in this database. A separate database could be used, on a separate machine than PLC if desired.

 

2.8.2 PLCAPI Configuration

 

Blow is an example PLCAPI configuration from config.py:

 

def get_pl_auth():
    pl_auth = {'Username': 'root@198.0.0.132',
    'AuthMethod': 'password',
    'AuthString':  'root',
    "Url": "https://localhost:443/PLCAPI/"
    }

    return pl_auth

 

The PLCAPI configuration tells Geniwrapper how to connect to PLC. There are two options: a local connection or a remote connection. If the Url field is defined, then a remote connection is assumed, and Geniwrapper will attempt to connect via XMLRPC to a remote PLCAPI server. If the Url field is not defined, then Geniwrapper will assume that PYTHONPATH includes the relevant PLCAPI classes to use PLCAPI directly.

 

Username specifies the name of the PLCAPI user. It is suggested that a user with full administrative authority be allowed. Otherwise, Geniwrapper will be unable to lookup public keys and other information that PLC does not make available publicly. Administrative permission is also required to create PLC sites, users, etc. Authmethod and AuthString specify the password require to use this account.

 

2.9 GeniServer and GeniClient

 

Two files, geniserver.py and geniclient.py implement a basic Geni server and client.

 

Geniserver forms the basis of any server that exports a Geni interface. Examples include the PLC and Component wrappers. The Geniserver class itself does not export any useful API functions other than a "noop" function that can be used to test the server interface. Descendant classes register additional API functions by overriding the register_function() member of the geniserver object.

 

Geniserver provides a function, decode_authentication, that decodes credentials. Credentials are supplied as the first parameter to many registry and slice interface API functions. This function converts the credential string supplied by the user into a credential object, checks to see that the key the caller is using to encrypt the SSL connection matches the public key in the caller GID of the credential, checks to see that the credential allows the operation the caller is attempting to do, and finally verifies that the parentage of the credential traces back to a trusted root.

 

Geniclient provides a variety of client-side stubs for invoking operations on Geni interfaces. These stubs convert objects into strings that may be encoded by XMLRPC, call the associated XMLRPC function, and convert the results back into objects. Use of the Geniclient class is optional, but it makes a convenient mechanism to execute API calls.

 

3.0 The PLC Wrapper

 

This wrapper implements the Registry and Slice interfaces. According to the SFA, the basic functionality of a registry is to map HRNs into records. However, because of the interactions between Geniwrapper and PLC, the registry does more than act as a simple database. The registry performs API calls on PLC that create slices, sites, users, etc., and as such may indirectly cause slices to be instantiated on components, because components are also linked to PLC.

 

The mapping of Geni objects to planetlab objects is relatively straightforward:

 

    slice = slice

    user = person

    component = node

    sa = site

    ma = site

 

The one part that is slightly counterintuitive is SA and MA, which both map to the planetlab site object. In a unified registry (a registry that serves as both slice and component registry), these will map to the same site record in the PLC database. However, there are two distinct Geni records, one for the SA and one for the MA. 

 

Registry and slice operations generally authenticate the caller by credential. There are a few exceptions, and the registry API documents should note those exceptions. 

 

3.1 PLC Wrapper Tools

 

The registry include several additional tools that are used to manage it. These include:

 

import.py - imports existing PLC records into the registry

 

nuke.py - deletes all Geni records

 

3.1 Bootstrapping the PLC Wrapper

 

There are several items that need to be done before starting the plc wrapper.

 

1) Update util/config.py to match the parameters of your PLC installation.

 

2) Import the existing planetlab database, creating the appropriate geni records. This is done by running the "import.py" tool.

 

3) Create a "trusted_roots" directory and place the certificate of the root authority in that directory. Given the defaults in import.py, this certificate would be named "planetlab.gid". For example, mkdir trusted_roots; cp authorities/planetlab.gid trusted_roots/

 

4.0 The Component Wrapper

The Geni Component Wrapper implements the Geni Slice and Component Management interfaces. It includes functions for redeeming tickets, starting/stopping/resetting/deleting slices, and management such as rebooting the component.

 

The design of the component differs from the plc wrapper in the respect that the component wrapper must be run in the same domain (VM) as the NM for the node it is responsible for. That is, the component wrapper directly calls the local node manager.

 

4.1 Component Authentication of Credentials

 

The component authenticates credentials the same way that the plc wrapper does. Specifically, there is a directory of trusted_root certificates (or GIDs) on the component. Any credential presented to the component must include in it's parentage some certificate in the set of trusted roots. Otherwise, and exception is thrown.

 

4.2 The Ticket interface

 

Mainpulating tickets is split between the PLC wrapper and the Component wrapper. Specifically, the authoritative copy of planetlab state is stored on PLC and only cached on the components. Thus, GetTicket() is implemented by the plc wrapper, and RedeemTicket() is implemented by the component wrapper. Attempting to call GetTicket() on a component will fail.

InstantiateSlice is not implemented, as that operation is a combination of GetTicket/RedeemTicket and would therefore span the PLC and Component wrappers.

 

4.3 Sliver Credentials

 

A recent Geni Architecture call mentioned the need for sliver credentials. A sliver credential would be identical to a slice credential, but would 1) only be redeemable on a particular component, and 2) would resolve to a trusted_root unique to that component (likely the component's GID certificate). Sliver credentials would be returned by the RedeemTicket call and would give the caller the permission required to start and stop the sliver, etc.

 

Sliver credentials are not yet implemented, but their implementation would be straightforward.

 

4.4 Bootstrapping the Component Wrapper

 

The first step is to install some required libraries on the component. These include the m2crypto and pyopenssl libraries. Installing the actual RPMs for these libaries on a running component proved difficult due to additional support packages that require installation (python-devel, etc). For development purposes, it was sufficient to copy the installed/compiled version of the libraries from the development machine to the component.

 

The second step is to copy the files required by the component wrapper to the node manager. They are copied to the /usr/share/Nodemanager directory. A list of the files is contained in the copynode.sh script in the component subdirectory.

 

The third step is to copy the trusted root certificates to the component. They are stored in /usr/share/Nodemanager/trusted_roots. This should include the certificate for the registry.

 

The fourth step is to start the component manager. This is done by connecting to the component via SSH and running /usr/share/Nodemanager/component.py.

In a production environment, all of these steps would be integrated into the DVD boot image for the planetlab node.

 

5.0 Command-Line Interface

 

A command-line interface is provided that allows a user to interact with the Geni Registry and Component. This command line interface is located in the cmdline directory and can be invoked by running genicli.py. Specifying "genicli.py help" will display a list of available commands.

 

5.1 Examples

 

Several examples of using the CLI are presented in the form of shell scripts in the cmdline directory. These scripts demonstrate creating slices, authorities, users, nodes, and getting tickets and redeeming tickets. Rather than duplicating all of those examples here, a few short examples are presented below.

 

5.1.1 Getting a Credential

 

python ./genicli.py --username root --credfile None --outfile test.cred getCredential user planetlab.us.pl.account_test

 

The credential for planetlab.us.pl.account_test is retrieved and stored in the local file test.cred. The private ket test.pkey is used when opening the XMLRPC connection and authenticates the client. test.pkey must match the public key that is in the GID for the user record for planetlab.us.pl.account_test.

 

Sample output: (in human-readable summary)

 

CREDENTIAL planetlab.us.pl.account_test
      privs: refresh,resolve,info
  gidCaller:
          hrn: planetlab.us.pl.account_test
         uuid: 276262316202422735940395896620385479122
  gidObject:
          hrn: planetlab.us.pl.account_test
         uuid: 276262316202422735940395896620385479122
   delegate: False

 

 

5.1.2 Resolving a record

 

python ./genicli.py --username test resolve planetlab.us.pl.account_test

 

The record for planetlab.us.pl.account_test is retrieved and printed to stdout. The credential used comes from the local file test.cred.

 

Sample output: (in human-readable summary)

 

RECORD planetlab.us.pl.account_test
        hrn: planetlab.us.pl.account_test
       type: user
        gid:
          hrn: planetlab.us.pl.account_test
         uuid: 276262316202422735940395896620385479122
    pointer: 6
  geni_info:
        email : test@test.com
    pl_info:
        bio : None
        first_name : test
        last_name : account
        last_updated : 1222497672
        uuid : None
        roles : ['user']
        title : None
        url : None
        key_ids : [1]
        enabled : True
        slice_ids : [24]
        phone : None
        peer_person_id : None
        role_ids : [30]
        person_id : 6
        date_created : 1219083140
        site_ids : [1]
        peer_id : None
        email : test@test.com

 

5.1.3 Updating a record

 

python ./genicli.py --username test update user planetlab.us.pl.account_test

 

The record for planetlab.us.pl.account_test is updated. The credential used comes from the local file test.cred. No changes are specified, so the only thing that should be updated is the expiration time.

 

5.1.4 Resolving an authority

 

An authority is an example of an HRN that might resolve to two different records, an SA and a MA record.

 

python ./genicli.py --username test resolve planetlab.us.pl

 

Sample Output: (in human readable summary)

 

RECORD planetlab.us.pl
        hrn: planetlab.us.pl
       type: sa
        gid:
          hrn: planetlab.us.pl
         uuid: 294786197975089072547582920862317666209
    pointer: 1
  geni_info:
        pi : ['planetlab.us.pl.Administrator_Default']
    pl_info:
        last_updated : 1224136003
        node_ids : [1]
        site_id : 1
        pcu_ids : []
        max_slices : 100
        ext_consortium_id : None
        peer_site_id : None
        abbreviated_name : plctest
        uuid : 230749975723590978208303655640765327534
        person_ids : [2, 4, 6]
        slice_ids : [24, 1, 2]
        latitude : None
        peer_id : None
        max_slivers : 1000
        is_public : False
        address_ids : []
        name : plctest Central
        url : http://198.0.0.132/
        enabled : True
        longitude : None
        login_base : pl
        date_created : 1209428329
RESULT:
RECORD planetlab.us.pl
        hrn: planetlab.us.pl
       type: ma
        gid:
          hrn: planetlab.us.pl
         uuid: 294786197975089072547582920862317666209
    pointer: 1
  geni_info:
        operator : []
        owner : ['planetlab.us.pl.Administrator_Default']
    pl_info:
        last_updated : 1224136003
        node_ids : [1]
        site_id : 1
        pcu_ids : []
        max_slices : 100
        ext_consortium_id : None
        peer_site_id : None
        abbreviated_name : plctest
        uuid : 230749975723590978208303655640765327534
        person_ids : [2, 4, 6]
        slice_ids : [24, 1, 2]
        latitude : None
        peer_id : None
        max_slivers : 1000
        is_public : False
        address_ids : []
        name : plctest Central
        url : http://198.0.0.132/
        enabled : True
        longitude : None
        login_base : pl
        date_created : 1209428329