Version 28 (modified by asydney@bbn.com, 10 years ago)

1.0 InstaGENI Rack Administration

This page describes how to access systems in an InstaGENI rack and how administrator accounts are created. Please note that InstaGENI racks do not allow password-based authentication, so administrators can only access rack hosts with SSH keys. Each InstaGENI rack is delivered with an initial site administrator account, referred to as the local administrator account throughout this page.

1.1 Administrative Access Overview

Administrators can access the following InstaGENI hosts via SSH key:

  • boss and ops hosts
  • control, flowvisor and foam hosts

To access any of the above hosts, simply add your domain name to the hostname listed above. For example, to access the GPO boss node:

$ ssh boss.instageni.gpolab.bbn.com
[lnevers@boss ~]$

NB. Please read through Subsections 1.1.1 and 1.1.2 to ensure your account exists before attempting the above. Also note that the InstaGENI racks have an administrative Web interface that can be accessed on the boss node. For example, the GPO InstaGENI Web UI can be accessed at https://boss.instageni.gpolab.bbn.com. If you do not know your domain, look for your site in the GENI Aggregate page.

Access to other hosts and devices in the rack is possible by first accessing the boss node and then using SSH on the boss node to get access to:

  • Experimenter nodes (pc1, pc2, pc3, pc4 and pc5)
  • Control and data plane switches

This page describes how to create new administrator accounts and how to give other administrators access to the above systems.

1.1.1 boss and ops hosts

The boss and ops hosts are VMs located on the control node. The local administrator must request an account via the InstaGENI web interface as described in section 1.2.1 below before they can SSH to these two VMs. This process is the same for subsequent administrator accounts.

1.1.2 control, flowvisor and foam hosts

The control host is a physical node, while the flowvisor and foam hosts are VMs. The initial local administrator must send the desired login ID and an SSH version 2 public key to the InstaGENI Utah team. The requested login ID and SSH keys will be part of the OS images that run on the control, foam and flowvisor hosts. Once the local administrator has access to these 3 hosts, he/she may grant access to subsequent administrators as described in section 1.2.3.

1.1.3 Experimenter nodes

Each InstaGENI rack has three VM servers to provide experiment VMs and two physical nodes running as dedicated hosts for experimenters (aka raw PCs). The VM servers can be accessed from the boss host with your account, because all active users' public keys are in place on the VM servers, thus allowing SSH access. The dedicated hosts (raw PCs) can also be accessed from the boss host, but only when they are up and running as part of an experiment, and only with the root account's SSH keys, by using "sudo ssh ...".

1.1.4 Control and data plane switches

The control switch is named procurve1 and the data plane switch is named procurve2. Both are accessible to administrative accounts via SSH from the boss host using the account manager, with a passphrase stored on the boss host at /usr/testbed/etc/switch.pswd.

1.1.5 Console access

InstaGENI racks include HP Integrated Lights-Out 3 (iLO 3), which provides ways to configure, update, and operate rack nodes remotely. To access the console of any node in the rack, you can issue the following on the boss node:

boss> sudo sshtb -mng -host pcX

If you are connecting remotely, then you must use the management IP address for the device and log in as "elabman" with the password specified at boss:/usr/testbed/etc/ilo.pswd.

Once you have accessed the iLO, you can view the console with the TEXTCONS command. User guide and other documents are available here.

1.2 Adding New Administrator accounts

Adding a new administrator account on a rack is a multi-step process. These are the actions that must take place to fully enable a new administrator account:

  1. User requests administrative account by joining "emulab-ops" group.
  2. Local administrator approves request and enables boss and ops administrative access.
  3. Local administrator installs requester public key on control, foam and flowvisor hosts.

1.2.1. User Requests Administrative Account

To become an administrator, a user must be part of the emulab-ops project. New administrators can go to the InstaGENI rack web interface, select the Request Account button, click on Join an Existing Project, and fill in the Apply for Project Membership page, entering emulab-ops in the Project Name field.

As the local administrator you will be the first user for your site to go through the administrative account request process. Once the request has been submitted, you will receive an email within a few minutes that includes a link to verify your email address. Follow the instructions in the email message to verify your email. An existing administrator will then complete the account request as described in section 1.2.2. You will receive another email when the account approval has been completed.

1.2.2. Local Administrator Approves Request and Enables Administrative Access

Approving an administrative account request results in two sets of changes:

  • New user can SSH to the boss and ops VMs, and
  • New user has access to administrative functions in the InstaGENI web interface.

Any request for an administrator account must be approved by an existing site administrator or by the InstaGENI Utah team. To approve a request for a new administrator account, log in to the InstaGENI web interface and do the following:

  1. Enable administrative functions by clicking on the green dot at the top of the page to the left of the Search Documentation box.
  2. Select the Experimentation pull-down and choose New User Approval.
  3. On the New User Approval page you will see a list of users needing approval.
  4. To approve a user, select approve and group_root and then click on submit. The new user will receive an email that the account has been approved, but you must still enable the administrative access for the account.
  5. To enable administrative access for the account, click on the Administration pull-down and select List Users. On the resulting page select the active link, find the user in the list and click on that user.
  6. On the Profile page shown, look for Administrator: No (Be very careful with this Toggle) and click on the "Toggle" link. This will enable the administrative function and the "No" will be replaced by a "Yes".

The user is now enabled as an administrator and also has SSH access to the boss and ops host using the keys that he/she uploaded in the original request in the InstaGENI web interface.

Note: A user must verify their email address before their request shows up in the New User Approval list.

1.2.3. Local Administrator Installs Keys on the control, foam and flowvisor hosts

The local administrator has an account on the control, foam, and flowvisor hosts, where he/she can use the mkadmin.pl script to add (or remove) other administrator accounts.

To add access for others, you must first get a copy of the SSH public key that will be used to authenticate the new administrator. The key can be found on the "boss" and "ops" hosts at "/users/$userid/.ssh/authorized_keys", or you can ask the new user for a copy of the SSH public key that they intend to use to authenticate.

Once you have the new administrator SSH public key, simply secure copy the SSH public key (or entire authorized keys file) to the control host and then run the following command on the control host:

$ scp user-ssh-key.pub control.your.rack.domain:<pathtopubkey>
$ ssh control.your.rack.domain
control-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

Repeat the procedure for the foam host:

$ scp user-ssh-key.pub foam.your.rack.domain:<pathtopubkey>
$ ssh foam.your.rack.domain
foam-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

And finally repeat the procedure for the flowvisor host:

$ scp user-ssh-key.pub flowvisor.your.rack.domain:<pathtopubkey>
$ ssh flowvisor.your.rack.domain
flowvisor-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

The new administrator account now has SSH access to the control, foam and flowvisor hosts with the keys provided.

1.3 Using Administrator Accounts

1.3.1 InstaGENI Web Interface

The InstaGENI rack has a web interface, also known as Emulab. The web interface provides device, user and experiment resource administrative functions. To access administrative functions, log in to the web interface, where you can encounter 3 possible administrative states, indicated by a dot at the top of the page to the left of the Search Documentation box:

State | What does it mean? | What can be done?
There is no dot | You are not an administrator | Administrative features were not enabled, see section 1.2.2 for details.
There is a green dot | You are an administrator but administrative functions are disabled | To enable, click on the green dot, which will become red.
There is a red dot | You are an administrator and administrative functions are enabled | To disable, click on the red dot, which will become green.

1.3.2 SSH Access

InstaGENI does not permit password-based login. Users must upload their SSH public keys via the InstaGENI web interface to enable SSH access to the boss and ops hosts. To upload SSH keys via the InstaGENI web interface, click on the Experimentation pull-down and select the My Emulab option, which brings up the user Profile. You can now click on Edit SSH Keys in the left side menu and upload SSH public keys.

Administrator accounts can use sudo without typing a password, so please be careful! Most InstaGENI programs reside in the /usr/testbed directory. To take advantage of these programs you should set your search path to include these directories:

  • /usr/testbed/bin
  • /usr/testbed/sbin

1.4 Removing Administrator accounts

To remove an administrator account two steps must be taken:

  1. Delete the user web account for the rack
  2. Remove the user SSH Keys for the control, foam, and flowvisor hosts.

1.4.1 Delete Web Interface Administrator Account

To delete web access for any user account, an administrator must log in to the InstaGENI web interface and do the following:

  1. Enable administrative functions by clicking on the green dot at the top of the page to the left of the Search Documentation box.
  2. Click on the Administration pull-down and select List Users. On the resulting page select the active link, find the user in the list and click on that user.
  3. In the user detail page, select Delete User in the "Admin Options" box. You will be asked to "confirm" your selection twice. Once confirmed, the user is deleted.

The deleted user account is now part of the inactive users list and will no longer be able to access the InstaGENI web interface and will no longer be able to SSH to boss and ops hosts.

1.4.2 Remove SSH Keys

To remove access for any accounts, an administrator must execute the mkadmin.pl script on the control, foam, and flowvisor hosts as follows:

$ ssh control.your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>

Repeat the procedure for the foam host:

$ ssh foam.your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>

And finally, repeat the procedure for the flowvisor host:

$ ssh flowvisor.your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>
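
The per-host steps in sections 1.2.3 and 1.4.2 are easy to get partly wrong (a host skipped, a private key copied by mistake), so the following added example, which is not part of the original page or of the InstaGENI tooling, checks the inputs and prints the commands for all three hosts without executing them. The function names, the login-ID rule, the accepted key types and the remote file name are assumptions; the mkadmin.pl invocations are the ones shown on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks and a dry-run plan; prints, never executes.
LC_ALL=C; export LC_ALL
HOSTS="control foam flowvisor"        # hosts from sections 1.2.3 and 1.4.2
MKADMIN=/usr/local/bin/mkadmin.pl     # path as given on this page

# Assumed login-ID policy: lowercase letters, digits, "_" and "-", not starting
# with "-" or a digit, so a value like "-r" or "a;id" never reaches mkadmin.pl.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Every non-blank, non-comment line must be "<key-type> <base64> [comment]".
# Rejects private keys and entries that carry authorized_keys options.
valid_pubkey_file() {
    [ -r "$1" ] || return 1
    count=0
    while read -r ktype blob _rest || [ -n "$ktype" ]; do
        case "$ktype" in
            ''|'#'*) continue ;;
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) return 1 ;;
        esac
        case "$blob" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
        count=$((count + 1))
    done < "$1"
    [ "$count" -gt 0 ]
}

# usage: rack_admin_plan add <user> <rack-domain> <pubkey-file>
#        rack_admin_plan remove <user> <rack-domain>
rack_admin_plan() {
    action=$1 user=$2 domain=$3 key=$4
    valid_username "$user" || { echo "rejected username" >&2; return 2; }
    case "$domain" in ''|*[!A-Za-z0-9.-]*) echo "rejected domain" >&2; return 2 ;; esac
    case "$action" in
        add) valid_pubkey_file "$key" || { echo "rejected key file" >&2; return 3; } ;;
        remove) ;;
        *) echo "unknown action" >&2; return 64 ;;
    esac
    for h in $HOSTS; do
        if [ "$action" = add ]; then
            # Relative remote path: the admin's own home, not a shared /tmp.
            echo "scp $key $h.$domain:$user.pub"
            echo "ssh -t $h.$domain sudo $MKADMIN $user $user.pub"
        else
            echo "ssh -t $h.$domain sudo $MKADMIN -r $user"
        fi
    done
}
if [ "$#" -gt 0 ]; then rack_admin_plan "$@"; fi
```

Review the printed plan, then run the lines by hand; an authorized_keys file copied from boss that carries options on any entry is rejected by this check and needs to be reduced to plain key lines first.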