| 1 | GEMINI Topics, Issues and Tasks |
| 2 | |
| 3 | Notes and tasks from 3/22/12 GEMINI status call: |
| 4 | Additions and corrections after call on 3/27/12 with Martin: |
| 5 | Additions and corrections after team call on 3/29/12, and call on 3/30/12 with Jim: |
| 6 | Additions and changes after call with Martin and Jim on 4/4/12: |
| 7 | |
| 8 | |
| 9 | 1) Discussion of authentication and authorization: multiple actor options: |
| 10 | |
| 11 | a) tool (outside slice) to AggMgr srvc; AM API; XML-RPC + ssl [protoGENI cert + GENI credential]
| 12 | |
| 13 | b) tool (outside slice) to host (Slice A); ssh, scp [private/public keys] |
| 14 | |
| 15 | c) tool (outside slice) to I&M srvc (Slice A); http(s) [in LAMP, browser to GUI, https with protoGENI cert] [can private/public keys be used for access to a GUI?] [in OMF, signed messages using private/public keys; more details?] |
| 16 | |
| 17 | d) I&M srvc (Slice A) to I&M srvc (Slice A); http(s) [in LAMP, service to service, https with LAMP cert, from LAMP CA] [in GIMI/OML, not using http; what is done there?] |
| 18 | |
| 19 | e) I&M srvc (Slice A) to I&M srvc (Slice B); http(s) [in European perfSONAR, SOAP interface with security tokens] [can delegated GENI credentials be used?] [can credentials based on ABAC be used?]
| 20 | |
| 21 | f) I&M srvc (Slice A) to UNIS srvc; http(s) [in LAMP, service to UNIS, https with protoGENI cert] |
| 22 | |
| 23 | g) tool (outside slice) to iRODS archive srvc; what is interface to iRODS? ftp(s)? can it be http(s)? how is authentication/authorization handled? [need info from Shu] |
| 24 | |
| 25 | h) option: I&M srvc (Slice A) to iRODS archive srvc; is there any way to move data from MC direct to iRODS? perhaps mount iRODS on node with MC? [need info from Shu] |
| 26 | |
| 27 | |
| 28 | |
| 29 | |
| 30 | 2) Discussion of authentication and authorization: multiple methods: |
| 31 | |
| 32 | a) [for ssh, ssl, etc.] private/public keys |
| 33 | |
| 34 | a') [in OMF] signed messages using private/public keys |
| 35 | |
| 36 | b) user certificates |
| 37 | |
| 38 | c) GENI credentials (user and slice) |
| 39 | |
| 40 | c') [in IMF, GENI credentials included with XML messages, for authorization? how? reuse?] |
| 41 | |
| 42 | d) ABAC [Harry: GPO believes that ABAC may eventually be used for resource assignment, but not soon] [What code is available from ISI? Jim is checking with Ted Faber; waiting for a response]
| 43 | |
| 44 | ABAC references: |
| 45 | Deter web site: http://abac.deterlab.net/ |
| 46 | Authorization storyboard from Jeff Chase: http://groups.geni.net/geni/wiki/AuthStoryBoard |
| 47 | Slides on credential store from Jeff Chase: http://groups.geni.net/geni/attachment/wiki/AuthStoryBoard/certstore.ppt |
| 48 | Slides on future of authorization in GENI from Tom Mitchell: http://groups.geni.net/geni/attachment/wiki/GEC13Agenda/Authorization/AuthFuture.pdf [note options without and with credential store] |
| 49 | Summary of GENI authorization discussion at GEC13 (and before): http://groups.geni.net/geni/wiki/GeniAuthorization |
| 50 | |
| 51 | |
| 52 | |
| 53 | 3) Discussion of target protoGENI environments: |
| 54 | |
| 55 | a) servers: relatively few; public IP available |
| 56 | |
| 57 | b) VMs: OpenVZ; expect move to LXC; internal to an aggregate, private host name, private IP addresses, need more details |
| 58 | |
| 59 | c) To date, all LAMP/periscope has been on servers |
| 60 | |
| 61 | c') Task: try to run all LAMP nodes (or just common node) on VMs (Matt Jaffe) |
| 62 | |
| 63 | d) To date, all INSTOOLS has been with MC on server, and MPs on VMs |
| 64 | |
| 65 | e) Task: Try to run INSTOOLS MC in a VM; Nasir on 3/30: still runs, although might need some small code changes; but would need to open http port, perhaps with extension to rspec; need to discuss with protoGENI (Jonathan Duerig) about adding to mapping agent; Jim had discussed with Jonathan and Rob earlier, quite doable, but would have to restart mapping agent; perhaps could "piggyback" on opening ssh port?
| 66 | |
| 67 | f) Task: can ssh into public host name (or public IP), with special 5+ digit port number (from manifest) from port map
| 68 | |
| 69 | g) Task: (see e) above) how to access http interface? tunnel through ssh? port map, like ssh? perhaps could "piggyback" on opening ssh port? setup a separate proxy? |
| 70 | |
| 71 | g') New task: **Review possible tunnel through ssh (or use of ssh to forward http port), to reuse available ssh port mapping. (who?)
| 72 | |
| 73 | g'') New task: ** Review port mapping for http, like ssh, with protoGENI, to see how it might be done (Nasir/Jim) |
| 74 | |
| 75 | g''') New task: **Review need within GENI/GPO to open ports, and implications for rspec (Harry) |
| 76 | |
| 77 | h) Task: what about vnc tunnels? how were they done in INSTOOLS? which port on host? (who?) |
| 78 | |
| 79 | i) Task: what happens when VMs are on multiple aggregates? (who?) |
| 80 | |
| 81 | j) Task: consider separate host for managing communications? VM? server? centralized? include pub/sub? is this GENI Event Messaging Service? (who?) |
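As an added example (not code from this page or from the GEMINI/protoGENI projects) of the idea in f), g) and g') above: reuse the ssh port already mapped in the manifest to reach a VM's http interface, instead of opening a new port in the rspec. The manifest fragment is constructed, and the shape of its `<login>` element is assumed from the GENI RSpec v3 manifest format; the command only forwards the http port to the local loopback and opens no remote shell.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest: two nodes, only "mc" has a key-based ssh login
# with a 5+ digit mapped port. Element names are assumed from GENI RSpec v3.
SAMPLE_MANIFEST = """<rspec type="manifest" xmlns="http://www.geni.net/resources/rspec/3">
  <node client_id="mc">
    <services>
      <login authentication="ssh-keys" hostname="pc1.example.net" port="30010" username="alice"/>
    </services>
  </node>
  <node client_id="mp1">
    <services>
      <login authentication="password" hostname="pc1.example.net" port="30011" username="alice"/>
    </services>
  </node>
</rspec>
"""

NS = {"r": "http://www.geni.net/resources/rspec/3"}


def find_ssh_login(manifest_xml, client_id):
    """Return (hostname, mapped_port, username) for the node's ssh-keys login, else None."""
    root = ET.fromstring(manifest_xml)
    for node in root.findall("r:node", NS):
        if node.get("client_id") != client_id:
            continue
        for login in node.findall("r:services/r:login", NS):
            if login.get("authentication") != "ssh-keys":
                continue  # only key-based logins are acceptable here
            port = int(login.get("port", "22"))
            if not 1 <= port <= 65535:
                raise ValueError("bad port in manifest: %r" % login.get("port"))
            return login.get("hostname"), port, login.get("username")
    return None


def ssh_forward_command(manifest_xml, client_id, remote_port=80, local_port=8080):
    """argv for an ssh session that only forwards the VM's http port to 127.0.0.1."""
    login = find_ssh_login(manifest_xml, client_id)
    if login is None:
        raise LookupError("no ssh-keys login for node %s" % client_id)
    host, port, user = login
    return ["ssh", "-N",                       # no remote shell, forwarding only
            "-o", "ExitOnForwardFailure=yes",  # fail loudly instead of sitting idle
            "-p", str(port),                   # the mapped port from the manifest
            "-L", "127.0.0.1:%d:127.0.0.1:%d" % (local_port, remote_port),
            "%s@%s" % (user, host)]
```

The GUI is then reached at http://127.0.0.1:8080/ on the tool host while the ssh session runs, authenticated by the same ssh keys as the shell login.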
| 82 | |
| 83 | |
| 84 | |
| 85 | |
| 86 | |
| 87 | 4) LAMP/Periscope questions: |
| 88 | Per call with Martin on 3/27/12: |
| 89 | |
| 90 | a) Question: Is there a local UNIS, or not? (Martin) Not yet; needs to be, with push from local UNIS to global UNIS.
| 91 | |
| 92 | b) How does UNIS authenticate/authorize when receiving data? (Martin) [in LAMP, service to UNIS, https with protoGENI cert] |
| 93 | |
| 94 | c) Question: Use web interface on common node to configure services, tests; how does this push config to UNIS? What authentication/authorization steps are included? |
| 95 | |
| 96 | d) How is data transfer from service to service, in a single slice, authorized? what keys/certificates/credentials are used? what is held by each service? (Martin) [in LAMP, service to service, https with LAMP cert, from LAMP CA] |
| 97 | |
| 98 | |
| 99 | |
| 100 | 5) Discussion of user workspace service: |
| 101 | |
| 102 | Current view: (Harry) |
| 103 | |
| 104 | a) Persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user; could also have rspec store, etc. |
| 105 | |
| 106 | b) Place for tools, e.g., Gush and OMNI, and scripts; can easily call one another; not in slice; could deal with multiple slices |
| 107 | |
| 108 | c) Place for "portals"; but what are they? (see below) |
| 109 | |
| 110 | d) Task: Setup user workspace using server (or VM) in BBN Cambridge lab; begin to include tools, etc. (Jeanne)
| 111 | On 3/30/12: Done on VM in BBN Cambridge lab, Ubuntu 10.04, internal to BBN.
| 112 | **Next: external to BBN |
| 113 | |
| 114 | e) Task: Consider VM to distribute user workspace (Matt); e.g., Ubuntu on VirtualBox [similar to what has been done at GEC tutorials]
| 115 | |
| 116 | f) Task: What is required to secure keys/certificates/credentials? passphrase? other? [Per Tom Mitchell, OMNI does not require passphrase, but FLACK does currently require passphrase] [Per Jim protoGENI cert does require passphrase] [Vic to check with Steve Schwab; need to balance security and ability to use scripts.]
| 117 | |
| 118 | g) Start with CNRI: Directory Archive (DA) service, which can push data to DOA service, using OI service |
| 119 | Then replace DOA with iRODS |
| 120 | [Have iRODS at IU for NetKarma; Jim and Wesley talking with Ilia and Shu] |
| 121 | |
| 122 | h) Include MDOD creator/editor (CNRI, GPO) |
| 123 | |
| 124 | i) Task: Need help with final formulation of MDOD (Ezra?) |
| 125 | |
| 126 | j) Task: Define view of user workspace service (Jeannie, Matt, Harry, Jim, Martin, Niky) |
| 127 | [Jeanne to add security policy into view] |
| 128 | |
| 129 | |
| 130 | 6) Discussion of portals: |
| 131 | |
| 132 | a) Option 1: "portal to UIs". [Is this close to Jim's proposal?] |
| 133 | |
| 134 | b) Option 2: a more complete tool for managing I&M services, as is implied in the SOW, so that it can view, orchestrate, edit MDOD, manage archiving, etc. [Is this close to Max's proposal?]
| 135 | |
| 136 | c) Task: understand options for authentication and authorization at a web interface. (who?) |
| 137 | |
| 138 | d) Task: provide a more complete view of GEMINI portal service (Harry, Jim and Charles)
| 139 | |
| 140 | Task: Jim and Charles plan to provide in a week or two. |
| 141 | |
| 142 | Task: Charles needs to find a name for the service |
| 143 | |
| 144 | After discussion on 3/31/12 with Jim, Harry feels that this is very close to Option 1: "portal to UIs". |
| 145 | |
| 146 | Jim expects User to have a capable browser, e.g., one that runs HTML5
| 147 | |
| 148 | Jim expects portal to manage windowing to various GUIs. |
| 149 | |
| 150 | Jim expects all interactions to be via browser, so there are window(s) to login to shell(s), etc.
| 151 | |
| 152 | Jim does not specify whether browser is looking at GUI in slice, or a tool; tools are not in a specified place. |
| 153 | |
| 154 | Harry feels that portal and other tools are in a "user workspace", in a persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user; could also have rspec store, etc.; then, all tools have ready access to required info, and can readily call one another.
| 155 | |
| 156 | Harry thinks of "persistent Linux environment" on infrastructure, e.g., a server under your desk or in the lab; not your laptop; Jim agrees, and has thought portal would be hosted on infrastructure at Kentucky |
| 157 | |
| 158 | Harry feels that this is just a structure, that there is much more work to define tools, interfaces, etc.; Jim agrees, was concerned it was the final configuration.
| 159 | |
| 160 | Task: Harry will modify drawing to reflect discussion with Jim, and then two perspectives can be compared. |
| 161 | Done on 4/4; agree that portal can be in user workspace, or somewhere else.
| 162 | See updated drawing. |
| 163 | |
| 164 | |
| 165 | e) Task: Understand NICTA's iREEL portal service; is this a more complete tool for managing I&M services? |
| 166 | |
| 167 | Get login, and survey (Jeanne) |
| 168 | |
| 169 | Provide more info (NICTA, e.g., Christoph) |
| 170 | |
| 171 | |
| 172 | |
| 173 | 7) Discussion of configuration to gather host metrics: |
| 174 | |
| 175 | a) Use BLiPP to gather host metrics (Guilherme) |
| 176 | |
| 177 | via libvirt? |
| 178 | |
| 179 | via Shinken? |
| 180 | |
| 181 | Talking to Dan about use cases for gathering host metrics. |
| 182 | |
| 183 | Could still use SNMP daemon from INSTOOLS (Jim) |
| 184 | |
| 185 | b) BLiPP pushes to Measurement Store (MS) |
| 186 | |
| 187 | Use http? POST to port? what about authentication and authorization? |
| 188 | |
| 189 | Use XSP, for streaming? |
| 190 | |
| 191 | c) Need to realize MS |
| 192 | |
| 193 | How many options? |
| 194 | |
| 195 | One per Aggregate? |
| 196 | |
| 197 | d) Need to realize MAP service |
| 198 | |
| 199 | Based on Periscope? |
| 200 | |
| 201 | Include Drupal from INSTOOLS?
| 202 | |
| 203 | How is this integrated with MS? |
| 204 | |
| 205 | e) Uses UNIS (new version) |
| 206 | |
| 207 | Uses RESTful interface, replaces older UNIS with SOAP interface |
| 208 | |
| 209 | Allows drawing topology |
| 210 | |
| 211 | Used to configure services? |
| 212 | |
| 213 | Prototype underway (Ahmed) |
| 214 | |
| 215 | **Concern: incompatible with earlier UNIS, which will still be required (see 9) below. |
| 216 | |
| 217 | e') Later: Extend to gathering data from an application
| 218 | |
| 219 | f) Task: Prototype soon (Guilherme) |
| 220 | |
| 221 | Need baseline configuration ASAP |
| 222 | |
| 223 | |
| 224 | |
| 225 | |
| 226 | 8) Steps towards GEMINI tutorial at GEC14 |
| 227 | |
| 228 | a) Which aggregates, servers, hosts, etc.? |
| 229 | |
| 230 | b) Start with protoGENI tutorial? LAMP tutorial? INSTOOLS tutorial? |
| 231 | |
| 232 | c) Arrange user workspace (GPO, Jeannie) |
| 233 | |
| 234 | d) What is first configuration of tools (see below) ? LAMP on VMs? (who provides?) test scripts? (Jeannie) |
| 235 | |
| 236 | e) What is second configuration of tools (see below)? BLiPP to measurement store, with presentation? (Guilherme?) when? test scripts? (Jeannie) |
| 237 | |
| 238 | |
| 239 | |
| 240 | 9) First configuration, follows p15 Operator A slice, to collect network measurements, like LAMP project: |
| 241 | |
| 242 | a) Start: each node on a server, with an available public IP address (single aggregate or multiple aggregates) |
| 243 | |
| 244 | a') Second: all nodes on VMs, or all nodes on VMs except common node on server |
| 245 | |
| 246 | b) One common node (e.g., node n+1) to: configure measurements, collect data, present data |
| 247 | |
| 248 | c) Multiple measurement nodes (e.g., nodes 1, 2, ..., n) |
| 249 | |
| 250 | d) Start: one slice, classic pS interface, with data pulled from measurement node, authorized with GENI credential or ? |
| 251 | |
| 252 | e) Global UNIS as shown; include local UNIS on common node |
| 253 | |
| 254 | f) Load software onto common node with image; as option, use wget |
| 255 | |
| 256 | g) Load software onto measurement node with image; as option, load after app with wget |
| 257 | |
| 258 | h) Use web interface on common node to configure services, tests, like LAMP; how does this push config to UNIS? How do we let only user do this with keys, etc.?
| 259 | |
| 260 | i) Use web interface on common node to present/observe data, like LAMP. How do we let only user do this with keys, etc.?
| 261 | |
| 262 | j) Demo all of the perfSONAR network performance tools, tests, as was done in LAMP project |
| 263 | |
| 264 | k) Extension: pull data from one slice to another, as shown in p15 from Operator A to Operator B; authorize using GENI credentials |
| 265 | |
| 266 | k') Provide regression tests of various configurations, features, etc., driven by scripts
| 267 | |
| 268 | l) Provide tutorial for users at GEC14. |
| 269 | |
| 270 | |
| 271 | |
| 272 | 10) Second configuration to support basic host monitoring using BLiPP, like p15 Experimenter C slice. What this means: no SNMP daemon
| 273 | |
| 274 | **Concern: Per 7) above, still defining initial configuration; need firm plan to meet GEC14 goals; or do we start with earlier INSTOOLS code?
| 275 | |
| 276 | a) Introduces push of data to common node; what protocol? http? XSP? (is this GENI Event Messaging Service?) |
| 277 | |
| 278 | b) Need to organize presentation of data at a web interface; like INSTOOLS? Introduce Drupal into periscope? (plan Dec 2012)
| 279 | |
| 280 | c) Extend: gather data from user's application (like OML client) |
| 281 | |
| 282 | d) Provide regression tests of various configurations, features, etc., driven by scripts |
| 283 | |
| 284 | e) Provide tutorial for users at GEC14. |
| 285 | |
| 286 | |
| 287 | 11) GEMINI project documentation |
| 288 | |
| 289 | a) Code on IU github |
| 290 | |
| 291 | Good: all relevant code appears to be here, including Kentucky code
| 292 | |
| 293 | b) Jira |
| 294 | |
| 295 | Good: being used by IU to track project |
| 296 | |
| 297 | **Concern: Kentucky effort not reflected here |
| 298 | |
| 299 | c) GENI trac for GEMINI |
| 300 | |
| 301 | Include TopicsTasksIssues |
| 302 | |
| 303 | Include drawings |