Changes between Version 2 and Version 3 of GENIRacksHome/InstageniRacks/AcceptanceTestStatus/IG-ADM-2

Timestamp:

05/12/12 09:05:43 (12 years ago)

Author:

chaos@bbn.com

Comment:

--

GENIRacksHome/InstageniRacks/AcceptanceTestStatus/IG-ADM-2

@@ -5 +5 @@
 ''This page is GPO's working page for performing IG-ADM-2.  It is public for informational purposes, but it is not an official status report.  See [wiki:GENIRacksHome/InstageniRacks/AcceptanceTestStatus] for the current status of InstaGENI acceptance tests.''
 
-''Last substantive edit of this page: 2012-05-08''
+''Last substantive edit of this page: 2012-05-12''
 
 == Page format ==
@@ -35 +35 @@
 || 3B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 3A ||
 || 3C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 3A ||
-|| 4A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to infrastructure VM server ||
+|| 4A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to FlowVisor VM ||
 || 4B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 4A ||
 || 4C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 4A ||
-|| 5A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on sudo access to boss; allocation of OpenVZ node || 
+|| 5A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to infrastructure VM server ||
 || 5B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 5A ||
 || 5C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 5A ||
-|| 6A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to switches   ||
-|| 6B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 6A                        ||
-|| 6C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 6A                        ||
-|| 6D         || [[Color(orange,Blocked)]] ||                      ||               || blocked on serial access to switches ||
+|| 6A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on sudo access to boss; allocation of OpenVZ node || 
+|| 6B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 6A ||
+|| 6C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 6A ||
 || 7A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to switches   ||
 || 7B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 7A                        ||
 || 7C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 7A                        ||
 || 7D         || [[Color(orange,Blocked)]] ||                      ||               || blocked on serial access to switches ||
-|| 8          || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to rack iLO ||
+|| 8A         || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to switches   ||
+|| 8B         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 8A                        ||
+|| 8C         || [[Color(orange,Blocked)]] ||                      ||               || blocked on 8A                        ||
+|| 8D         || [[Color(orange,Blocked)]] ||                      ||               || blocked on serial access to switches ||
+|| 9          || [[Color(orange,Blocked)]] ||                      ||               || blocked on access to rack iLO ||
 
 == High-level description from test plan ==
@@ -178 +181 @@
  * The command which was run should be recorded in a log
 
-== Step 4: verify access to rack infrastructure VM server host ==
-
-=== Step 4A: verify that SSH to foam succeeds and allows public keys only ===
+== Step 4: verify access to rack FlowVisor node ==
+
+=== Step 4A: verify that SSH to FlowVisor succeeds and allows public keys only ===
+
+'''Using:'''
+ * SSH to `chaos@flowvisor.instageni.gpolab.bbn.com` from outside of the rack using public-key SSH
+ * SSH to `chaos@flowvisor.instageni.gpolab.bbn.com` from outside of the rack using password-based SSH
+
+'''Verify:'''
+ * Public-key SSH succeeds
+ * Password-based SSH does not succeed
+
+=== Step 3B: verify the absence of common unencrypted login protocols ===
+
+'''Using:'''
+ * Use netstat to enumerate the network-listening processes running on foam
+ * Identify each process and determine whether it is a common unencrypted login protocol
+ * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible
+
+'''Verify:'''
+ * No unencrypted login protocols are listening on accessible networks
+ * Login does not succeed via any unencrypted login protocol
+
+=== Step 4C: verify sudo and sudo logging ===
+
+'''Using:'''
+ * On flowvisor, run: `sudo whoami`
+ * Look for a syslog file containing a record of the sudo command which was run
+
+'''Verify:'''
+ * The sudo command should succeed
+ * The command which was run should be recorded in a log
+
+== Step 5: verify access to rack infrastructure VM server host ==
+
+=== Step 5A: verify that SSH to foam succeeds and allows public keys only ===
 
 '''Using:'''
@@ -190 +226 @@
  * Password-based SSH does not succeed
 
-=== Step 4B: verify the absence of common unencrypted login protocols ===
+=== Step 5B: verify the absence of common unencrypted login protocols ===
 
 '''Using:'''
@@ -201 +237 @@
  * Login does not succeed via any unencrypted login protocol
 
-=== Step 4C: verify sudo and sudo logging ===
+=== Step 5C: verify sudo and sudo logging ===
 
 '''Using:'''
@@ -211 +247 @@
  * The command which was run should be recorded in a log
 
-== Step 5: verify access to experimental OpenVZ node ==
-
-=== Step 5A: verify that SSH to experimental OpenVZ node succeeds and allows public keys only on public IPs ===
+== Step 6: verify access to experimental OpenVZ node ==
+
+=== Step 6A: verify that SSH to experimental OpenVZ node succeeds and allows public keys only on public IPs ===
 
 '''Using:'''
@@ -223 +259 @@
  * Password-based SSH does not succeed from outside of the rack
 
-=== Step 5B: verify the absence of common unencrypted login protocols ===
+=== Step 6B: verify the absence of common unencrypted login protocols ===
 
 '''Using:'''
@@ -234 +270 @@
  * Login does not succeed via any unencrypted login protocol
 
-=== Step 5C: verify sudo and sudo logging ===
+=== Step 6C: verify sudo and sudo logging ===
 
 '''Using:'''
@@ -244 +280 @@
  * The command which was run should be recorded in a log
 
-== Step 6: verify access to control network switch ==
-
-=== Step 6A: verify SSH access ===
+== Step 7: verify access to control network switch ==
+
+=== Step 7A: verify SSH access ===
 
 '''Using:'''
@@ -254 +290 @@
  * SSH login succeeds
 
-=== Step 6B: verify privileged access to the control network switch ===
+=== Step 7B: verify privileged access to the control network switch ===
 
 '''Using:'''
@@ -266 +302 @@
  * Viewing the MAC address table should succeed
 
-=== Step 6C: verify absence of unencrypted login access ===
+=== Step 7C: verify absence of unencrypted login access ===
 
 '''Using:'''
@@ -280 +316 @@
  * No other services appear to allow remote unencrypted authentication
 
-=== Step 6D: verify serial console access to the device ===
+=== Step 7D: verify serial console access to the device ===
 
 '''Using:'''
@@ -293 +329 @@
  * It should be possible to view the running configuration via the serial console
 
-== Step 7: verify access to dataplane switch ==
-
-=== Step 7A: verify SSH access ===
+== Step 8: verify access to dataplane switch ==
+
+=== Step 8A: verify SSH access ===
 
 '''Using:'''
@@ -303 +339 @@
  * SSH login succeeds
 
-=== Step 7B: verify privileged access to the dataplane switch ===
+=== Step 8B: verify privileged access to the dataplane switch ===
 
 '''Using:'''
@@ -315 +351 @@
  * Viewing the MAC address table should succeed
 
-=== Step 7C: verify absence of unencrypted login access ===
+=== Step 8C: verify absence of unencrypted login access ===
 
 '''Using:'''
@@ -329 +365 @@
  * No other services appear to allow remote unencrypted authentication
 
-=== Step 7D: verify serial console access to the device ===
+=== Step 8D: verify serial console access to the device ===
 
 '''Using:'''
@@ -342 +378 @@
  * It should be possible to view the running configuration via the serial console
 
-== Step 8: verify that iLO is not accessible via unencrypted protocols ==
+== Step 9: verify that iLO is not accessible via unencrypted protocols ==
 
 '''Using:'''