Version 2 (modified by lnevers@bbn.com, 10 years ago)

OG-ADM-2: Rack Administrator Access Test

This page captures status for the test case OG-ADM-2. For additional information see the Acceptance Test Status - May 2013 page for overall status, or the OpenGENI Acceptance Test Plan for details about the planned evaluation.

Last Update: 2013/05/14

Step     State   Notes                                Tickets
Step 1   Pass
Step 2   Pass
Step 3   Fail    IPKVM powered off and disconnected   #65


State                 Legend Description
Pass                  Test completed and met all criteria.
Pass: most criteria   Test completed and met most criteria. Exceptions documented.
Fail                  Test completed and failed to meet criteria.
Complete              Test completed but will require re-execution due to expected changes.
Blocked               Blocked by ticketed issue(s).
In Progress           Currently under test.
Not Planned           This area is not part of the initial evaluation.

Test Plan Steps

Step 1: For each type of rack infrastructure node verify features

For each type of rack infrastructure node, including VM server hosts and any VMs running infrastructure support services, use a site administrator account to test:

  • Login to the node using public-key SSH.
  • Verify that you cannot login to the node using password-based SSH, nor via any unencrypted login protocol.
  • When logged in, run a command via sudo to verify root privileges.

Control Node

Requested an administrative account and provided SSH public keys. Once the account was created, logged in and verified sudo access:

$ ssh 128.89.91.170
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

*** System restart required ***
Last login: Tue May 14 09:01:27 2013 from dhcp89-073-116.bbn.com
lnevers@boscontroller:~$ sudo whoami
root
lnevers@boscontroller:~$ 

Compute Nodes VM servers

Logged in to each of the 3 VM servers and verified access. Compute Node 1:

$ ssh 128.89.91.171
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

1 package can be updated.
0 updates are security updates.

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute1:~$ sudo whoami
root
lnevers@boscompute1:~$ 

Compute Node 2:

$ ssh 128.89.91.172
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

1 package can be updated.
0 updates are security updates.

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute2:~$ sudo whoami
root
lnevers@boscompute2:~$ 

Compute Node 3:

$ ssh 128.89.91.174
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute4:~$ sudo whoami
root
lnevers@boscompute4:~$ 
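The three Step 1 criteria (public-key login works, password login is refused, no cleartext login protocol is listening) can be checked offline from a captured sshd_config and a captured `ss -tln` listing rather than by trial logins alone. The script below is an added example and is not part of this test record or of the OpenGENI rack software; the sshd_config text and socket listing it reads are constructed samples, and the function names `parse_sshd_config`, `check_sshd_config` and `check_listeners` are chosen here. It relies on one OpenSSH rule that trips up manual review: for a repeated keyword in sshd_config the first occurrence wins, so a late `PasswordAuthentication no` does not override an earlier `yes`.

```python
"""Offline checks for the Step 1 criteria: key-only SSH and no cleartext
login services. All inputs are constructed samples, not data from the rack."""
import re

# Constructed sshd_config with a weak setting a tester should catch:
# the first PasswordAuthentication line wins, so the later "no" is inert.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
"""

# Constructed hardened counterpart: same file with password paths closed.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed sample of `ss -tln` output (listening TCP sockets).
SAMPLE_LISTENERS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:23          0.0.0.0:*
LISTEN  0      128    127.0.0.1:25        0.0.0.0:*
"""

# Well-known ports of unencrypted login protocols (IANA assignments).
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec",
                         513: "rlogin", 514: "rsh"}


def parse_sshd_config(text):
    """Return the effective global value of each keyword.

    First occurrence wins, comments and blank lines are ignored, keywords are
    compared case-insensitively, and parsing stops at the first Match block
    (conditional settings are deliberately not treated as global ones)."""
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_sshd_config(text):
    """Findings against the Step 1 SSH criteria (empty list means pass).
    Defaults used when a keyword is absent are OpenSSH's own defaults."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not set to no")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not set to no "
                        "(keyboard-interactive password prompts remain possible)")
    return findings


def check_listeners(text):
    """Findings for sockets listening on cleartext login ports."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        if port in CLEARTEXT_LOGIN_PORTS:
            findings.append(f"{CLEARTEXT_LOGIN_PORTS[port]} listening on {fields[3]}")
    return findings


if __name__ == "__main__":
    for f in check_sshd_config(WEAK_SSHD_CONFIG) + check_listeners(SAMPLE_LISTENERS):
        print("FAIL:", f)
    print("hardened config findings:", check_sshd_config(HARDENED_SSHD_CONFIG))
```

Run on a real host, the two inputs would come from `/etc/ssh/sshd_config` and `ss -tln` on each node; the parser only reports global settings, so a `Match` block that re-enables password authentication for some users still needs a manual look.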

Step 2: For each rack infrastructure device verify features

For each rack infrastructure device (switches, remote PDUs if any), use a site administrator account to test:

  • Login via SSH.
  • Login via a serial console (if the device has one).
  • Verify that you cannot login to the device via an unencrypted login protocol.
  • Use the "enable" command or equivalent to verify privileged access.

First connected to host desktop.gpolab.bbn.com which has access to console ports for routers:

LNM:~$ ssh desktop.gpolab.bbn.com
Last login: Tue May 14 10:44:21 2013 from dhcp89-073-116.bbn.com
Welcome to coruscant.gpolab.bbn.com.

This host is managed by GENI GPO Ops.

This host's configuration files are maintained using the Puppet
automated configuration utility.  Manual system-level changes may
be overwritten.  Please make all system-level changes using Puppet.

For configuration requests, contact gpo-infra@geni.net.
[lnevers@coruscant ~]$ 

Then connected to the router console port for the Control Network: first log in to desktop.gpolab.bbn.com, then connect to the console via screen.

Note: A cable must be connected to the console port to get access to the Control Router console via screen.

$ ssh desktop.gpolab.bbn.com
[lnevers@coruscant ~]$  screen /dev/ttyS4
<...>
Username: gpo
Password:
bos-router1>
bos-router1#show running-config 
Building configuration...

Current configuration : 6950 bytes
!
! Last configuration change at 19:02:21 UTC Tue Apr 9 2013 by gpo
! NVRAM config last updated at 19:02:27 UTC Tue Apr 9 2013 by gpo
! NVRAM config last updated at 19:02:27 UTC Tue Apr 9 2013 by gpo
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname bos-router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name cities.gpolab.bbn.com
ip name-server 128.89.91.10
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1265093406
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1265093406
 revocation-check none
 rsakeypair TP-self-signed-1265093406
!
crypto pki
<.....>
vtp mode transparent
username xxx XXXX
!
vlan 820
 name IP:rack-bos-ctrl
!
vlan 824
 name IP:rack-bos-data
!
vlan 2005
 name VLAN2006
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!         
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 128.89.91.150 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 ip broadcast-address 128.89.91.191
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/1
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/2
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/1/3
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/1/4
 switchport mode trunk
 no ip address
!         
interface GigabitEthernet0/1/5
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/1/6
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/1/7
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/3/0
 switchport mode trunk
 no ip address
!         
interface GigabitEthernet0/3/1
 switchport mode trunk
 no ip address
!         
interface GigabitEthernet0/3/2
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/3/3
 switchport mode trunk
 no ip address
!         
interface GigabitEthernet0/3/4
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/3/5
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/3/6
 switchport access vlan 820
 no ip address
!         
interface GigabitEthernet0/3/7
 switchport access vlan 820
 no ip address
!         
interface Vlan1
 no ip address
 shutdown
!         
interface Vlan820
 ip address 128.89.91.162 255.255.255.224
!
interface Vlan824
 ip address 192.1.243.17 255.255.255.240
 shutdown 
!
ip default-gateway 128.89.91.149
ip forward-protocol nd
!         
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!         
ip route 0.0.0.0 0.0.0.0 192.1.249.1
ip route 0.0.0.0 0.0.0.0 128.89.91.149
!
logging 192.1.243.4
access-list 3 remark monitoring
access-list 3 permit 192.1.243.4
access-list 23 remark admin
access-list 23 permit 192.1.249.10
access-list 23 permit 192.1.243.4
!         
snmp-server community XXX RO 3
!

bos-router1#show vlan-switch 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    
820  IP:rack-bos-ctrl                 active    Gi0/1/0, Gi0/1/1, Gi0/1/2
                                                Gi0/1/3, Gi0/1/5, Gi0/1/6
                                                Gi0/1/7, Gi0/3/2, Gi0/3/4
                                                Gi0/3/5, Gi0/3/6, Gi0/3/7
824  IP:rack-bos-data                 active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
2005 VLAN2006                         active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
820  enet  100820     1500  -      -      -        -    -        0      0   
824  enet  100824     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0   
1005 trnet 101005     1500  -      -      1        ibm  -        0      0   
          
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2005 enet  102005     1500  -      -      -        -    -        0      0   

Then connected to router console ports for Dataplane Network:

$ ssh desktop.gpolab.bbn.com
[lnevers@coruscant ~]$  screen /dev/ttyS4
Username: 
Password: 

bosswitch> ena
bosswitch# show openflow version 

 Openflow Version

  HP-Labs Openflow Implementation for 5400zl/3500yl switches
    Version 2.02w
    Jean Tourrilhes & Praveen Yalagandula, HP-Labs
  Based on ProCurve firmware for 5400zl/3500yl switches
    Version K.14.83o
    (Don't ask ProCurve for support or help)
  Based on Open vSwitch Reference Source code
    Version 1.0.0

bosswitch# show running-config 
Running configuration:

; J9452A Configuration Editor; Created on release #K.14.83o

hostname "bosswitch" 
ip access-list standard "1" 
   10 remark "admin" 
   10 permit 192.1.249.10 0.0.0.0 
   20 permit 192.1.243.4 0.0.0.0 
   exit 
module 2 type J94yyA 
module 3 type J94zzA 
module 5 type J94wwA 
module 6 type J94wwA 
no stack 
interface 2 
   disable
exit
interface 3 
   disable
exit
interface 4 
   disable
exit
interface 5 
   disable
exit
interface 6 
   disable
exit
interface 7 
   disable
exit
interface 10 
   disable
exit
interface 11 
   disable
exit
interface 12 
   disable
exit
interface 13 
   disable
exit
interface 14 
   disable
exit
interface 15 
   disable
exit
interface 17 
   disable
exit
interface 18 
   disable
exit
interface 19 
   disable
exit
interface 20 
   disable
exit
interface 21 
   disable
exit
interface 22 
   disable
exit
interface 23 
   disable
exit
interface 25 
   disable
exit
interface 26 
   disable
exit
interface 27 
   disable
exit
interface 28 
   disable
exit
interface 29 
   disable
exit
interface 30 
   disable
exit
interface 31 
   disable
exit
interface 32 
   disable
exit
interface 33 
   disable
exit
interface 35 
   disable
exit
interface 37 
   disable
exit
interface 38 
   disable
exit
interface 39 
   disable
exit
interface 40 
   disable
exit
interface 41 
   disable
exit
interface 42 
   disable
exit
interface 43 
   disable
exit
interface 44 
   disable
exit
interface 45 
   disable
exit
interface 47 
   disable
exit
ip default-gateway 128.89.91.162 
vlan 1 
   name "DEFAULT_VLAN" 
   untagged 2-8,10-45,47,49-50,51-52 
   no untagged 1,9,46,48 
   no ip address 
   exit 
vlan 820 
   name "IP:rack-bos-ctrl" 
   untagged 48 
   ip address 128.89.91.161 255.255.255.224 
   exit 
vlan 1403 
   name "IP:exp-euca-bos-priv" 
   untagged 1,9,46 
   no ip address 
   exit 
vlan 1000 
   name "vlan1000" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1001 
   name "vlan1001" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1002 
   name "vlan1002" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1003 
   name "vlan1003" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1004 
   name "vlan1004" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1005 
   name "vlan1005" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1006 
   name "vlan1006" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1007 
   name "vlan1007" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1008 
   name "vlan1008" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1009 
   name "vlan1009" 
   tagged 8,16,24,34 
   no ip address 
   exit 
vlan 1010 
   name "vlan1010" 
   tagged 8,16,24,34 
   no ip address 
   exit 
logging 192.1.243.4
logging facility local7
   exit 
logging 192.1.243.4
logging facility local7
timesync sntp
sntp unicast
sntp server priority 1 192.1.243.4 3
no telnet-server
ip authorized-managers 192.1.249.10 255.255.255.255 access XXX access-method
 ssh
ip authorized-managers 192.1.243.4 255.255.255.255 access XXX access-method 
ssh
ip authorized-managers 192.1.243.4 255.255.255.255 access XXX access-method
 snmp
ip ssh filetransfer
snmp-server community "XXX" XXX
oobm
   ip address dhcp-bootp
   exit
no tftp client
no tftp server
no autorun
password XXX


bosswitch# show vlans 
 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                 | Status     Voice Jumbo
  ------- -------------------- + ---------- ----- -----
  1       DEFAULT_VLAN         | Port-based No    No
  820     IP:rack-bos-ctrl     | Port-based No    No
  1000    vlan1000             | Port-based No    No
  1001    vlan1001             | Port-based No    No
  1002    vlan1002             | Port-based No    No
  1003    vlan1003             | Port-based No    No
  1004    vlan1004             | Port-based No    No
  1005    vlan1005             | Port-based No    No
  1006    vlan1006             | Port-based No    No
  1007    vlan1007             | Port-based No    No
  1008    vlan1008             | Port-based No    No
  1009    vlan1009             | Port-based No    No
  1010    vlan1010             | Port-based No    No
  1403    IP:exp-euca-bos-priv | Port-based No    No


Step 3. Verify OpenGENI remote console solution

Verify that the OpenGENI remote console solution for rack hosts can be used to access the consoles of all server hosts and experimental hosts:

  • Login via SSH or other encrypted protocol.
  • Verify that you cannot login via an unencrypted login protocol.

There is Direct Console access to each node via a local KVM switch.