| | 1 | GEMINI Topics, Issues and Tasks |
| | 2 | |
| | 3 | Notes and tasks from 3/22/12 GEMINI status call: |
| | 4 | Additions and corrections after call on 3/27/12 with Martin: |
| | 5 | Additions and corrections after team call on 3/29/12, and call on 3/30/12 with Jim: |
| | 6 | Additions and changes after call with Martin and Jim on 4/4/12: |
| | 7 | |
| | 8 | |
| | 9 | 1) Discussion of authentication and authorization: multiple actor options: |
| | 10 | |
| | 11 | a) tool (outside slice) to AggMgr srvc; AM API; XMl-RPC + ssl [protoGENI cert + GENI credential] |
| | 12 | |
| | 13 | b) tool (outside slice) to host (Slice A); ssh, scp [private/public keys] |
| | 14 | |
| | 15 | c) tool (outside slice) to I&M srvc (Slice A); http(s) [in LAMP, browser to GUI, https with protoGENI cert] [can private/public keys be used for access to a GUI?] [in OMF, signed messages using private/public keys; more details?] |
| | 16 | |
| | 17 | d) I&M srvc (Slice A) to I&M srvc (Slice A); http(s) [in LAMP, service to service, https with LAMP cert, from LAMP CA] [in GIMI/OML, not using http; what is done there?] |
| | 18 | |
| | 19 | e) I&M srvc (Slice A) to I&M srvc (Slice B); http(s) [in European perfSONAR, SOAP interface with security tokens] [can delegated GENI credentials be used?] {can credentials based on ABAC be used?] |
| | 20 | |
| | 21 | f) I&M srvc (Slice A) to UNIS srvc; http(s) [in LAMP, service to UNIS, https with protoGENI cert] |
| | 22 | |
| | 23 | g) tool (outside slice) to iRODS archive srvc; what is interface to iRODS? ftp(s)? can it be http(s)? how is authentication/authorization handled? [need info from Shu] |
| | 24 | |
| | 25 | h) option: I&M srvc (Slice A) to iRODS archive srvc; is there any way to move data from MC direct to iRODS? perhaps mount iRODS on node with MC? [need info from Shu] |
| | 26 | |
| | 27 | |
| | 28 | |
| | 29 | |
| | 30 | 2) Discussion of authentication and authorization: multiple methods: |
| | 31 | |
| | 32 | a) [for ssh, ssl, etc.] private/public keys |
| | 33 | |
| | 34 | a') [in OMF] signed messages using private/public keys |
| | 35 | |
| | 36 | b) user certificates |
| | 37 | |
| | 38 | c) GENI credentials (user and slice) |
| | 39 | |
| | 40 | c') [in IMF, GENI credentials included with XML messages, for authorization? how? reuse?] |
| | 41 | |
| | 42 | d) ABAC [Harry: GPO believes that ABAC may eventually be used for resource assignment, but not soon] [What code is available from ISI? Jim is checking with Teb Faber; waiting for a response] |
| | 43 | |
| | 44 | ABAC references: |
| | 45 | Deter web site: http://abac.deterlab.net/ |
| | 46 | Authorization storyboard from Jeff Chase: http://groups.geni.net/geni/wiki/AuthStoryBoard |
| | 47 | Slides on credential store from Jeff Chase: http://groups.geni.net/geni/attachment/wiki/AuthStoryBoard/certstore.ppt |
| | 48 | Slides on future of authorization in GENI from Tom Mitchell: http://groups.geni.net/geni/attachment/wiki/GEC13Agenda/Authorization/AuthFuture.pdf [note options without and with credential store] |
| | 49 | Summary of GENI authorization discussion at GEC13 (and before): http://groups.geni.net/geni/wiki/GeniAuthorization |
| | 50 | |
| | 51 | |
| | 52 | |
| | 53 | 3) Discussion of target protoGENI environments: |
| | 54 | |
| | 55 | a) servers: relatively few; public IP available |
| | 56 | |
| | 57 | b) VMs: OpenVZ; expect move to LXC; internal to an aggregate, private host name, private IP addresses, need more details |
| | 58 | |
| | 59 | c) To date, all LAMP/periscope has been on servers |
| | 60 | |
| | 61 | c') Task: try to run all LAMP nodes (or just common node) on VMs (Matt Jaffe) |
| | 62 | |
| | 63 | d) To date, all INSTOOLS has been with MC on server, and MPs on VMs |
| | 64 | |
| | 65 | e) Task: Try to run INSTOOLS MC in a VM; Nasir on 3/30: still runs, although might need some small code changes; but would need to open http port, perhaps with extension to rspec; need to discuss with protoGENI (Jonathan Deurig) about adding to mapping agent; Jim had discussed with Jonathan and Rob earlier, quite doable, but would have to restart mapping agent; perhaps could "piggyback" on opening ssh port? |
| | 66 | |
| | 67 | f) Task: can ssh into public host name (or public IP) , with special 5+ digit port number (from manifest) from port map |
| | 68 | |
| | 69 | g) Task: (see e) above) how to access http interface? tunnel through ssh? port map, like ssh? perhaps could "piggyback" on opening ssh port? setup a separate proxy? |
| | 70 | |
| | 71 | g') New task: **Review possible tunnel through ssh (or use fo ssh to forward http port), to reuse available ssh port mapping. (who?) |
| | 72 | |
| | 73 | g'') New task: ** Review port mapping for http, like ssh, with protoGENI, to see how it might be done (Nasir/Jim) |
| | 74 | |
| | 75 | g''') New task: **Review need within GENI/GPO to open ports, and implications for rspec (Harry) |
| | 76 | |
| | 77 | h) Task: what about vnc tunnels? how were they done in INSTOOLS? which port on host? (who?) |
| | 78 | |
| | 79 | i) Task: what happens when VMs are on multiple aggregates? (who?) |
| | 80 | |
| | 81 | j) Task: consider separate host for managing communications? VM? server? centralized? include pub/sub? is this GENI Event Messaging Service? (who?) |
| | 82 | |
| | 83 | |
| | 84 | |
| | 85 | |
| | 86 | |
| | 87 | 4) LAMP/Periscope questions: |
| | 88 | Per call with Martin on 3/27/12: |
| | 89 | |
| | 90 | a) Question: Is there a local UNIS, or not?? (Martin) Not yet; needs to be, with push from local UNIS to global UNIS. |
| | 91 | |
| | 92 | b) How does UNIS authenticate/authorize when receiving data? (Martin) [in LAMP, service to UNIS, https with protoGENI cert] |
| | 93 | |
| | 94 | c) Question: Use web interface on common node to configure services, tests; how does this push config to UNIS? What authentication/authorization steps are included? |
| | 95 | |
| | 96 | d) How is data transfer from service to service, in a single slice, authorized? what keys/certificates/credentials are used? what is held by each service? (Martin) [in LAMP, service to service, https with LAMP cert, from LAMP CA] |
| | 97 | |
| | 98 | |
| | 99 | |
| | 100 | 5) Discussion of user workspace service: |
| | 101 | |
| | 102 | Current view: (Harry) |
| | 103 | |
| | 104 | a) Persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user; could also have rspec store, etc. |
| | 105 | |
| | 106 | b) Place for tools, e.g., Gush and OMNI, and scripts; can easily call one another; not in slice; could deal with multiple slices |
| | 107 | |
| | 108 | c) Place for "portals"; but what are they? (see below) |
| | 109 | |
| | 110 | d) Task: Setup user workspace using server (or VM) in BBN Cambridge lab; begin to include tools, etc . (Jeanne) |
| | 111 | On 3/30/12: Done on VM in BBN Cambridge lab, ubuntu 10.04, internal to BBN. |
| | 112 | **Next: external to BBN |
| | 113 | |
| | 114 | e) Task: Consider VM to distribute user workspace (Matt); e.g, ubuntu on virtual box [similar to what has been done at GEC tutorials] |
| | 115 | |
| | 116 | f) Task: What is required to secure keys/certificates/credentials? passphrase? other? [Per Tom Mitchell, OMNI does not require passphrase, but FLACK does currently require passpharase] [Per Jim protoGENI cert does require passphrase] [Vic to check with Steve Schwab; need to balance security and ability ot use scripts.] |
| | 117 | |
| | 118 | g) Start with CNRI: Directory Archive (DA) service, which can push data to DOA service, using OI service |
| | 119 | Then replace DOA with iRODS |
| | 120 | [Have iRODS at IU for NetKarma; Jim and Wesley talking with Ilia and Shu] |
| | 121 | |
| | 122 | h) Include MDOD creator/editor (CNRI, GPO) |
| | 123 | |
| | 124 | i) Task: Need help with final formulation of MDOD (Ezra?) |
| | 125 | |
| | 126 | j) Task: Define view of user workspace service (Jeannie, Matt, Harry, Jim, Martin, Niky) |
| | 127 | [Jeanne to add security policy into view] |
| | 128 | |
| | 129 | |
| | 130 | 6) Discussion of portals: |
| | 131 | |
| | 132 | a) Option 1: "portal to UIs". [Is this close to Jim's proposal?] |
| | 133 | |
| | 134 | b) Option 2: a more complete tool for managing I&M services, as is implied in the SOW, so that it can view, orchestrate, edit MDOD, manage archiving, etc. [Is this close to Max's proposal] |
| | 135 | |
| | 136 | c) Task: understand options for authentication and authorization at a web interface. (who?) |
| | 137 | |
| | 138 | d) Task: provide a more complete view of GEMINI portal service (Harry, jim and Charles) |
| | 139 | |
| | 140 | Task: Jim and Charles plan to provide in a week or two. |
| | 141 | |
| | 142 | Task: Charles needs to find a name for the service |
| | 143 | |
| | 144 | After discussion on 3/31/12 with Jim, Harry feels that this is very close to Option 1: "portal to UIs". |
| | 145 | |
| | 146 | Jim expects User to have a capable browser, e.g., one that runs HTML-5 |
| | 147 | |
| | 148 | Jim expects portal to manage windowing to various GUIs. |
| | 149 | |
| | 150 | Jim expect all interactions to be via browser, so there are window(s) to login to shell(s), etc. |
| | 151 | |
| | 152 | Jim does not specify whether browser is looking at GUI in slice, or a tool; tools are not in a specified place. |
| | 153 | |
| | 154 | Harry feels that portal and other tools are in a "user workspace", in a persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user; could also have rspec store, etc. ; then, all tools have ready access to required info, and can readily call one another. |
| | 155 | |
| | 156 | Harry thinks of "persistent Linux environment" on infrastructure, e.g., a server under your desk or in the lab; not your laptop; Jim agrees, and has thought portal would be hosted on infrastructure at Kentucky |
| | 157 | |
| | 158 | Harry feels that this is just a strucutre, that there is much more work to define tools, interfaces, etc.; Jim agrees, was concerned it was the final configuration. |
| | 159 | |
| | 160 | Task: Harry will modify drawing to reflect discussion with Jim, and then two perspectives can be compared. |
| | 161 | Done on 4/4; agree thatprotal can be in user workspace, or somewhere else. |
| | 162 | See updated drawing. |
| | 163 | |
| | 164 | |
| | 165 | e) Task: Understand NICTA's iREEL portal service; is this a more complete tool for managing I&M services? |
| | 166 | |
| | 167 | Get login, and survey (Jeanne) |
| | 168 | |
| | 169 | Provide more info (NICTA, e.g., Christoph) |
| | 170 | |
| | 171 | |
| | 172 | |
| | 173 | 7) Discussion of configuration to gather host metrics: |
| | 174 | |
| | 175 | a) Use BLiPP to gather host metrics (Guilherme) |
| | 176 | |
| | 177 | via libvirt? |
| | 178 | |
| | 179 | via Shinken? |
| | 180 | |
| | 181 | Talking to Dan about use cases for gathering host metrics. |
| | 182 | |
| | 183 | Could still use SNMP daemon from INSTOOLS (Jim) |
| | 184 | |
| | 185 | b) BLiPP pushes to Measurement Store (MS) |
| | 186 | |
| | 187 | Use http? POST to port? what about authentication and authorization? |
| | 188 | |
| | 189 | Use XSP, for streaming? |
| | 190 | |
| | 191 | c) Need to realize MS |
| | 192 | |
| | 193 | How many options? |
| | 194 | |
| | 195 | One per Aggregate? |
| | 196 | |
| | 197 | d) Need to realize MAP service |
| | 198 | |
| | 199 | Based on Periscope? |
| | 200 | |
| | 201 | Include druple form INSTOOLS> |
| | 202 | |
| | 203 | How is this integrated with MS? |
| | 204 | |
| | 205 | e) Uses UNIS (new version) |
| | 206 | |
| | 207 | Uses RESTful interface, replaces older UNIS with SOAP interface |
| | 208 | |
| | 209 | Allows drawing topology |
| | 210 | |
| | 211 | Used to configure services? |
| | 212 | |
| | 213 | Prototype underway (Ahmed) |
| | 214 | |
| | 215 | **Concern: incompatible with earlier UNIS, which will still be required (see 9) below. |
| | 216 | |
| | 217 | e) Later: Extend to gathering data from an application |
| | 218 | |
| | 219 | f) Task: Prototype soon (Guilherme) |
| | 220 | |
| | 221 | Need baseline configuration ASAP |
| | 222 | |
| | 223 | |
| | 224 | |
| | 225 | |
| | 226 | 8) Steps towards GEMINI tutorial at GEC14 |
| | 227 | |
| | 228 | a) Which aggregates, servers, hosts, etc.? |
| | 229 | |
| | 230 | b) Start with protoGENI tutorial? LAMP tutorial? INSTOOLS tutorial? |
| | 231 | |
| | 232 | c) Arrange user workspace (GPO, Jeannie) |
| | 233 | |
| | 234 | d) What is first configuration of tools (see below) ? LAMP on VMs? (who provides?) test scripts? (Jeannie) |
| | 235 | |
| | 236 | e) What is second configuration of tools (see below)? BLiPP to measurement store, with presentation? (Guilherme?) when? test scripts? (Jeannie) |
| | 237 | |
| | 238 | |
| | 239 | |
| | 240 | 9) First configuration, follows p15 Operator A slice, to collect network measurements, like LAMP project: |
| | 241 | |
| | 242 | a) Start: each node on a server, with an available public IP address (single aggregate or multiple aggregates) |
| | 243 | |
| | 244 | a') Second: all nodes on VMs, or all nodes on VMs except common node on server |
| | 245 | |
| | 246 | b) One common node (e.g., node n+1) to: configure measurements, collect data, present data |
| | 247 | |
| | 248 | c) Multiple measurement nodes (e.g., nodes 1, 2, ..., n) |
| | 249 | |
| | 250 | d) Start: one slice, classic pS interface, with data pulled from measurement node, authorized with GENI credential or ? |
| | 251 | |
| | 252 | e) Global UNIS as shown; include local UNIS on common node |
| | 253 | |
| | 254 | f) Load software onto common node with image; as option, use wget |
| | 255 | |
| | 256 | g) Load software onto measurement node with image; as option, load after app with wget |
| | 257 | |
| | 258 | h) Use web interface on common node to configure services, tests, like LAMP; how does this push config to UNIS?? How do we let only user do this with keys, etc. |
| | 259 | |
| | 260 | i) Use web interface on common node to present/observe data, like LAMP How do we let only user do this with keys, etc. |
| | 261 | |
| | 262 | j) Demo all of the perfSONAR network performance tools, tests, as was done in LAMP project |
| | 263 | |
| | 264 | k) Extension: pull data from one slice to another, as shown in p15 from Operator A to Operator B; authorize using GENI credentials |
| | 265 | |
| | 266 | k) Provide regression tests of various configurations, features, etc., driven by scripts |
| | 267 | |
| | 268 | l) Provide tutorial for users at GEC14. |
| | 269 | |
| | 270 | |
| | 271 | |
| | 272 | 10) Second configuration to support basic host monitoring using BLiPP, like p15 Experimenter C slice What this means: no SNMP daemon |
| | 273 | |
| | 274 | **Concern: Per 7) above, still defining intial configuration; need firm plan to meet GEC14 goals; or do we start with earlier INSTOOLS code? |
| | 275 | |
| | 276 | a) Introduces push of data to common node; what protocol? http? XSP? (is this GENI Event Messaging Service?) |
| | 277 | |
| | 278 | b) Need to organize presentation of data at a web interface; like INSTOOLS? Introduce DRUPLE into periscope? (plan Dec 2012) |
| | 279 | |
| | 280 | c) Extend: gather data from user's application (like OML client) |
| | 281 | |
| | 282 | d) Provide regression tests of various configurations, features, etc., driven by scripts |
| | 283 | |
| | 284 | e) Provide tutorial for users at GEC14. |
| | 285 | |
| | 286 | |
| | 287 | 11) GEMINI project documentation |
| | 288 | |
| | 289 | a) Code on IU github |
| | 290 | |
| | 291 | Good: all relevant code appears to be here, including Kentuck code |
| | 292 | |
| | 293 | b) Jira |
| | 294 | |
| | 295 | Good: being used by IU to track project |
| | 296 | |
| | 297 | **Concern: Kentucky effort not reflected here |
| | 298 | |
| | 299 | c) GENI trac for GEMINI |
| | 300 | |
| | 301 | Include TopicsTasksIssues |
| | 302 | |
| | 303 | Include drawings |
