
Version 3 (modified by lnevers@bbn.com, 10 years ago)

1.0 InstaGENI Rack Administration

This page describes how to access systems in an InstaGENI rack and how administrator accounts are created. Note that InstaGENI racks do not allow password-based authentication, so administrators can access rack hosts only with SSH keys. Each InstaGENI rack is delivered with an initial site administrator account, referred to as the local administrator account throughout this page.

1.1 Administrative Access Overview

Understanding access to the hosts and devices in the rack provides insight into what has to be done to create new administrator accounts. Following is an overview of access to hosts and devices in your InstaGENI rack.

1.1.1 boss and ops hosts

The boss and ops hosts are VMs located on the control node. The local administrator must request an account via the InstaGENI web interface as described in section 1.2.1 below before they can SSH to these two VMs. This process is the same for subsequent administrator accounts.

1.1.2 control, flowvisor and foam hosts

The control host is a physical node, while the flowvisor and foam hosts are VMs. The initial local administrator must send the desired login ID and an SSH version 2 public key to the InstaGENI Utah team. The requested login ID and SSH keys will be part of the OS images that run on the control, foam and flowvisor hosts. Once the local administrator has access to these 3 hosts, he/she may grant access to subsequent administrators as described in section 1.2.3.

1.1.3 Experimenter nodes

Each InstaGENI rack has three VM servers to provide experiment VMs and two physical nodes running as dedicated hosts for experimenters (aka raw PCs). The VM servers can be accessed from the boss host with your account, because all active users' public keys are in place on the VM servers, thus allowing SSH access. The dedicated hosts (aka raw PCs) can also be accessed from the boss host, but only when they are up and running as part of an experiment, and only with the root account's SSH keys, by using "sudo ssh ...".

1.1.4 Control and data plane switches

The control switch is named procurve1 and the data plane switch is named procurve2. Both are accessible to administrative accounts via SSH from the boss host using the account manager, with a passphrase stored on the boss host at /usr/testbed/etc/switch.pswd.

1.2 Adding New Administrator accounts

Adding a new administrator account on a rack is a multi-step process. These are the actions that must take place to fully enable a new administrator account:

  1. User requests administrative account by joining "emulab-ops" group.
  2. Local administrator approves request and enables boss and ops administrative access.
  3. Local administrator installs requester public key on control, foam and flowvisor hosts.

1.2.1. User Requests Administrative Account

To become an administrator, a user must be part of the emulab-ops project. New administrators can go to the InstaGENI rack web interface, select the Request Account button, click on Join an Existing Project, and fill in the Apply for Project Membership page, entering emulab-ops in the Project Name field.

As the local administrator you will be the first user for your site to go through the administrative account request process. Once the request has been submitted, you will receive, within a few minutes, an email that includes a link to verify your email address. Follow the instructions in the email message to verify your email; an existing administrator will then complete the account request as described in section 1.2.2. You will receive another email when the account approval has been completed.

1.2.2. Local Administrator Approves Request and Enables Administrative Access

Approving an administrative account request results in two sets of changes:

  • New user can SSH to the boss and ops VMs, and
  • New user has access to administrative functions in InstaGENI web interface.

Any request for an administrator account must be approved by an existing site administrator or by the InstaGENI Utah team. To approve a request for a new administrator account, log in to the InstaGENI web interface and do the following:

  1. Enable administrative functions by clicking on the green dot at the top of the page to the left of the Search Documentation box.
  2. Select the Experimentation pull-down and choose New User Approval.
  3. On the New User Approval page you will see a list of users needing approval.
  4. To approve a user, select approve and group_root and then click on submit. The new user will receive an email that the account has been approved, but you must still enable the administrative access for the account.
  5. To enable administrative access for the account, click on the Administration pull-down and select List Users. On the resulting page select the active link, find the user in the list and click on that user.
  6. On the Profile page shown, look for Administrator: No (Be very careful with this Toggle) and click on the "Toggle" link. This will enable the administrative function and the "No" will be replaced by a "Yes".

The user is now enabled as an administrator and also has SSH access to the boss and ops hosts using the keys that he/she uploaded in the original request in the InstaGENI web interface.

1.2.3. Local Administrator Installs Keys on the control, foam and flowvisor hosts

The local administrator has an account on the control, foam, and flowvisor hosts, where he can use the mkadmin.pl script to add (or remove) other administrator accounts. Simply secure copy the new administrator's SSH public key (or entire authorized keys file) to the control host and then run the following command on the control host:

$ scp user-ssh-key.pub control@your.rack.domain:<pathtopubkey>
$ ssh control@your.rack.domain
control-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

Repeat the procedure for the foam host:

$ scp user-ssh-key.pub foam@your.rack.domain:<pathtopubkey>
$ ssh foam@your.rack.domain
foam-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

And finally repeat the procedure for the flowvisor host:

$ scp user-ssh-key.pub flowvisor@your.rack.domain:<pathtopubkey>
$ ssh flowvisor@your.rack.domain
flowvisor-host> sudo /usr/local/bin/mkadmin.pl <username> <pathtopubkey>

The new administrator account now has SSH access to the control, foam and flowvisor hosts with the keys provided.

1.3 Using Administrator Accounts

1.3.1 InstaGENI Web Interface

The InstaGENI rack provides a web interface, which is also known as Emulab. To access administrative functions in the InstaGENI web interface, log in and look for a dot at the top of the page to the left of the Search Documentation box. You can encounter 3 possible states:

  • There is no dot shown: you are not an administrator. Administrative features were not enabled; see section 1.2.2 for details.
  • There is a green dot: you are an administrator but administrative functions are disabled. To enable them, click on the green dot, which will become red.
  • There is a red dot: you are an administrator and administrative functions are enabled. To disable them, click on the red dot, which will become green.

1.3.2 SSH Access

InstaGENI does not permit password-based login. Users must upload their SSH public keys via the InstaGENI web interface to enable SSH access to the boss and ops hosts. To upload SSH keys via the InstaGENI web interface, click on the Experimentation pull-down and select the My Emulab option, which brings up the user Profile. You can now click on Edit SSH Keys in the left side menu and upload SSH public keys.

Administrator accounts can use sudo without typing a password, so please be careful! Most InstaGENI programs reside in the /usr/testbed directory; to take advantage of these programs, you should set your search path to include these directories:

  • /usr/testbed/bin
  • /usr/testbed/sbin

1.4 Removing Administrator accounts

To remove an administrator account, two steps must be taken:

  1. Delete the user web account for the rack
  2. Remove the user SSH Keys for the control, foam, and flowvisor hosts.

1.4.1 Delete Web Interface Administrator Account

To delete web access for any user account, an administrator must log in to the InstaGENI web interface and do the following:

  1. Enable administrative functions by clicking on the green dot at the top of the page to the left of the Search Documentation box.
  2. Click on the Administration pull-down and select List Users. On the resulting page select the active link, find the user in the list and click on that user.
  3. In the user detail page, select Delete User in the "Admin Options" box. You will be asked to "confirm" your selection twice. Once confirmed, the user is deleted.

The deleted user account is now part of the inactive users list and will no longer be able to access the InstaGENI web interface and will no longer be able to SSH to boss and ops hosts.

1.4.2 Remove SSH Keys

To remove access for any account, an administrator must execute the mkadmin.pl script on the control, foam, and flowvisor hosts as follows:

$ ssh control@your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>

Repeat the procedure for the foam host:

$ ssh foam@your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>

And finally, repeat the procedure for the flowvisor host:

$ ssh flowvisor@your.rack.domain
$ sudo /usr/local/bin/mkadmin.pl -r <username>
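
A key check to run before the install in section 1.2.3 and after the removal in section 1.4.2, as an added example that is not part of the InstaGENI tooling. It assumes you can read the relevant authorized_keys file on each host (its location is not given on this page); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the InstaGENI tooling. File paths are caller-supplied.

# Print "type blob" for every key in an OpenSSH public key or authorized_keys
# file, skipping comment lines and any leading options field.
key_blobs() {
    awk '$1 ~ /^#/ { next }
    { for (i = 1; i < NF; i++)
        if ($i ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh[.]com)$" &&
            $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") { print $i, $(i + 1); next } }' "$1"
}

# Succeed only if the file holds public keys and nothing else: no private key
# material, and every non-comment line parses as a key.
pubkey_file_ok() {
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    lines=$(awk '$1 !~ /^#/ && NF { n++ } END { print n + 0 }' "$1")
    keys=$(key_blobs "$1" | awk 'END { print NR }')
    [ "$keys" -gt 0 ] && [ "$keys" -eq "$lines" ]
}

# Succeed if any key from public key file $1 is still listed in the
# authorized_keys file $2 (exact match on the key blob, comments ignored).
key_still_present() {
    { key_blobs "$1" | sed 's/^/W /'; key_blobs "$2" | sed 's/^/A /'; } |
        awk '$1 == "W" { want[$3] = 1 }
             $1 == "A" && ($3 in want) { found = 1 }
             END { exit !found }'
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForAlice alice@example' \
    > "$demo/alice.pub"
printf '%s\n' '# admins' \
    'from="10.0.0.0/8",command="/bin/true x" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForAlice alice' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedKeyForBob bob' > "$demo/authorized_keys"

if pubkey_file_ok "$demo/alice.pub"; then echo "alice.pub: public keys only"; fi
if key_still_present "$demo/alice.pub" "$demo/authorized_keys"; then
    echo "alice's key is still authorized"
fi
```

Because administrator accounts have passwordless sudo, a key left behind on any one of the control, foam or flowvisor hosts keeps full access alive, so run the presence check on each host after mkadmin.pl -r.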