= OG-ADM-2: Rack Administrator Access Test =

This page captures status for the test case OG-ADM-2. For additional information see the [wiki:GENIRacksHome/OpenGENIRacks/AcceptanceTestStatusMay2013 Acceptance Test Status - May 2013] page for overall status, or the [wiki:GENIRacksHome/AcceptanceTests/OpenGENIAcceptanceTestsPlan OpenGENI Acceptance Test Plan] for details about the planned evaluation.

''Last Update: 2013/05/14''

|| '''Step''' || '''State''' || '''Notes''' || '''Tickets''' ||
|| Step 1 || [[span(Pass, style=background-color: green )]] || || ||
|| Step 2 || [[span(Pass, style=background-color: green )]] || || ||
|| Step 3 || [[span(Fail, style=background-color: red)]] || IPKVM powered off and disconnected || #65 ||

[[BR]]

|| '''State Legend''' || '''Description''' ||
|| [[span(Pass, style=background-color: green )]] || Test completed and met all criteria ||
|| [[span(Pass: most criteria, style=background-color: #98FB98)]] || Test completed and met most criteria. Exceptions documented ||
|| [[span(Fail, style=background-color: red)]] || Test completed and failed to meet criteria. ||
|| [[span(Complete, style=background-color: yellow)]] || Test completed but will require re-execution due to expected changes ||
|| [[span(Blocked, style=background-color: orange)]] || Blocked by ticketed issue(s). ||
|| [[span(In Progress, style=background-color: #63B8FF)]] || Currently under test. ||
|| [[span(Not Planned)]] || This area is not part of initial evaluation ||

= Test Plan Steps =

== Step 1: For each type of rack infrastructure node verify features ==

For each type of rack infrastructure node, including VM server hosts and any VMs running infrastructure support services, use a site administrator account to test:

 * Login to the node using public-key SSH.
 * Verify that you cannot login to the node using password-based SSH, nor via any unencrypted login protocol.
 * When logged in, run a command via sudo to verify root privileges.
=== Control Node ===

Requested an administrative account and provided SSH public keys. Once the account was created, logged in and verified sudo access:

{{{
$ ssh 128.89.91.170
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

*** System restart required ***
Last login: Tue May 14 09:01:27 2013 from dhcp89-073-116.bbn.com
lnevers@boscontroller:~$ sudo whoami
root
lnevers@boscontroller:~$
}}}

=== Compute Nodes VM servers ===

Logged in to each of the 3 VM servers and verified access.

Compute Node 1:
{{{
$ ssh 128.89.91.171
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

1 package can be updated.
0 updates are security updates.

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute1:~$ sudo whoami
root
lnevers@boscompute1:~$
}}}

Compute Node 2:
{{{
$ ssh 128.89.91.172
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

1 package can be updated.
0 updates are security updates.

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute2:~$ sudo whoami
root
lnevers@boscompute2:~$
}}}

Compute Node 3:
{{{
$ ssh 128.89.91.174
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lnevers@boscompute4:~$ sudo whoami
root
lnevers@boscompute4:~$
}}}

== Step 2: For each rack infrastructure device verify features ==

For each rack infrastructure device (switches, remote PDUs if any), use a site administrator account to test:

 * Login via SSH.
 * Login via a serial console (if the device has one).
 * Verify that you cannot login to the device via an unencrypted login protocol.
 * Use the "enable" command or equivalent to verify privileged access.

First connected to host desktop.gpolab.bbn.com, which has access to the console ports for the routers:

{{{
LNM:~$ ssh desktop.gpolab.bbn.com
Last login: Tue May 14 10:44:21 2013 from dhcp89-073-116.bbn.com

Welcome to coruscant.gpolab.bbn.com.

This host is managed by GENI GPO Ops.

This host's configuration files are maintained using the Puppet
automated configuration utility.  Manual system-level changes may be
overwritten.  Please make all system-level changes using Puppet.

For configuration requests, contact gpo-infra@geni.net.

[lnevers@coruscant ~]$
}}}

Then connected to the router console ports for the Control Network. First login to desktop.gpolab.bbn.com and then connect to the console via screen.

''Note: A cable must be connected to the console port to get access to the Control Router console via screen.''

{{{
$ ssh desktop.gpolab.bbn.com
[lnevers@coruscant ~]$ screen /dev/ttyS4
<...>
Username: gpo
Password:
bos-router1>
bos-router1#show running-config
Building configuration...

Current configuration : 6950 bytes
!
!
! Last configuration change at 19:02:21 UTC Tue Apr 9 2013 by gpo
! NVRAM config last updated at 19:02:27 UTC Tue Apr 9 2013 by gpo
! NVRAM config last updated at 19:02:27 UTC Tue Apr 9 2013 by gpo
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname bos-router1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name cities.gpolab.bbn.com
ip name-server 128.89.91.10
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1265093406
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1265093406
 revocation-check none
 rsakeypair TP-self-signed-1265093406
!
crypto pki <.....>
vtp mode transparent
username xxx XXXX
!
vlan 820
 name IP:rack-bos-ctrl
!
vlan 824
 name IP:rack-bos-data
!
vlan 2005
 name VLAN2006
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 128.89.91.150 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 ip broadcast-address 128.89.91.191
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/1
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/2
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/3
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/4
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/5
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/6
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/1/7
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/3/0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/3/1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/3/2
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/3/3
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/3/4
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/3/5
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/3/6
 switchport access vlan 820
 no ip address
!
interface GigabitEthernet0/3/7
 switchport access vlan 820
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan820
 ip address 128.89.91.162 255.255.255.224
!
interface Vlan824
 ip address 192.1.243.17 255.255.255.240
 shutdown
!
ip default-gateway 128.89.91.149
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 192.1.249.1
ip route 0.0.0.0 0.0.0.0 128.89.91.149
!
logging 192.1.243.4
access-list 3 remark monitoring
access-list 3 permit 192.1.243.4
access-list 23 remark admin
access-list 23 permit 192.1.249.10
access-list 23 permit 192.1.243.4
!
snmp-server community XXX RO 3
!
bos-router1#show vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
820  IP:rack-bos-ctrl                 active    Gi0/1/0, Gi0/1/1, Gi0/1/2
                                                Gi0/1/3, Gi0/1/5, Gi0/1/6
                                                Gi0/1/7, Gi0/3/2, Gi0/3/4
                                                Gi0/3/5, Gi0/3/6, Gi0/3/7
824  IP:rack-bos-data                 active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2005 VLAN2006                         active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
820  enet  100820     1500  -      -      -        -    -        0      0
824  enet  100824     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2005 enet  102005     1500  -      -      -        -    -        0      0
}}}

Then connected to the router console ports for the Dataplane Network:

{{{
$ ssh desktop.gpolab.bbn.com
[lnevers@coruscant ~]$ screen /dev/ttyS4
Username:
Password:
bosswitch> ena
bosswitch# show openflow version

 Openflow Version

  HP-Labs Openflow Implementation for 5400zl/3500yl switches
  Version 2.02w
  Jean Tourrilhes & Praveen Yalagandula, HP-Labs
  Based on ProCurve firmware for 5400zl/3500yl switches
  Version K.14.83o
  (Don't ask ProCurve for support or help)
  Based on Open vSwitch Reference Source code
  Version 1.0.0

bosswitch# show running-config

Running configuration:

; J9452A Configuration Editor; Created on release #K.14.83o

hostname "bosswitch"
ip access-list standard "1"
   10 remark "admin"
   10 permit 192.1.249.10 0.0.0.0
   20 permit 192.1.243.4 0.0.0.0
   exit
module 2 type J94yyA
module 3 type J94zzA
module 5 type J94wwA
module 6 type J94wwA
no stack
interface 2
   disable
   exit
interface 3
   disable
   exit
interface 4
   disable
   exit
interface 5
   disable
   exit
interface 6
   disable
   exit
interface 7
   disable
   exit
interface 10
   disable
   exit
interface 11
   disable
   exit
interface 12
   disable
   exit
interface 13
   disable
   exit
interface 14
   disable
   exit
interface 15
   disable
   exit
interface 17
   disable
   exit
interface 18
   disable
   exit
interface 19
   disable
   exit
interface 20
   disable
   exit
interface 21
   disable
   exit
interface 22
   disable
   exit
interface 23
   disable
   exit
interface 25
   disable
   exit
interface 26
   disable
   exit
interface 27
   disable
   exit
interface 28
   disable
   exit
interface 29
   disable
   exit
interface 30
   disable
   exit
interface 31
   disable
   exit
interface 32
   disable
   exit
interface 33
   disable
   exit
interface 35
   disable
   exit
interface 37
   disable
   exit
interface 38
   disable
   exit
interface 39
   disable
   exit
interface 40
   disable
   exit
interface 41
   disable
   exit
interface 42
   disable
   exit
interface 43
   disable
   exit
interface 44
   disable
   exit
interface 45
   disable
   exit
interface 47
   disable
   exit
ip default-gateway 128.89.91.162
vlan 1
   name "DEFAULT_VLAN"
   untagged 2-8,10-45,47,49-50,51-52
   no untagged 1,9,46,48
   no ip address
   exit
vlan 820
   name "IP:rack-bos-ctrl"
   untagged 48
   ip address 128.89.91.161 255.255.255.224
   exit
vlan 1403
   name "IP:exp-euca-bos-priv"
   untagged 1,9,46
   no ip address
   exit
vlan 1000
   name "vlan1000"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1001
   name "vlan1001"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1002
   name "vlan1002"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1003
   name "vlan1003"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1004
   name "vlan1004"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1005
   name "vlan1005"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1006
   name "vlan1006"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1007
   name "vlan1007"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1008
   name "vlan1008"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1009
   name "vlan1009"
   tagged 8,16,24,34
   no ip address
   exit
vlan 1010
   name "vlan1010"
   tagged 8,16,24,34
   no ip address
   exit
logging 192.1.243.4
logging facility local7
   exit
logging 192.1.243.4
logging facility local7
timesync sntp
sntp unicast
sntp server priority 1 192.1.243.4 3
no telnet-server
ip authorized-managers 192.1.249.10 255.255.255.255 access XXX access-method ssh
ip authorized-managers 192.1.243.4 255.255.255.255 access XXX access-method ssh
ip authorized-managers 192.1.243.4 255.255.255.255 access XXX access-method snmp
ip ssh filetransfer
snmp-server community "XXX" XXX
oobm
   ip address dhcp-bootp
   exit
no tftp client
no tftp server
no autorun
password XXX

bosswitch# show vlans

 Status and Counters - VLAN Information

  Maximum VLANs to support : 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                 | Status     Voice Jumbo
  ------- -------------------- + ---------- ----- -----
  1       DEFAULT_VLAN         | Port-based No    No
  820     IP:rack-bos-ctrl     | Port-based No    No
  1000    vlan1000             | Port-based No    No
  1001    vlan1001             | Port-based No    No
  1002    vlan1002             | Port-based No    No
  1003    vlan1003             | Port-based No    No
  1004    vlan1004             | Port-based No    No
  1005    vlan1005             | Port-based No    No
  1006    vlan1006             | Port-based No    No
  1007    vlan1007             | Port-based No    No
  1008    vlan1008             | Port-based No    No
  1009    vlan1009             | Port-based No    No
  1010    vlan1010             | Port-based No    No
  1403    IP:exp-euca-bos-priv | Port-based No    No
}}}

== Step 3: Verify OpenGENI remote console solution ==

Verify that the OpenGENI remote console solution for rack hosts can be used to access the consoles of all server hosts and experimental hosts:

 * Login via SSH or other encrypted protocol.
 * Verify that you cannot login via an unencrypted login protocol.

There is direct console access to each node via a local KVM switch.
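The Step 1 and Step 2 criteria (public-key-only SSH on the hosts, no unencrypted login path on the switch) can also be checked offline from saved configuration rather than only by interactive login. This is an added example and is not part of this page or of the GENI rack software; the `sshd -T` output and the ProCurve running-config it parses are constructed samples modelled on the excerpts above, and the `access manager` keyword stands in for the redacted `XXX` value.

```python
import re

# Constructed sample: output of `sudo sshd -T` (effective config, lowercase keys)
# on a rack host such as the control node or a VM server.
SSHD_EFFECTIVE = """\
port 22
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
"""

# Constructed sample modelled on the bosswitch running-config shown above.
HP_CONFIG = """\
hostname "bosswitch"
no telnet-server
ip authorized-managers 192.1.249.10 255.255.255.255 access manager access-method ssh
ip authorized-managers 192.1.243.4 255.255.255.255 access manager access-method snmp
ip ssh filetransfer
no tftp server
"""

def audit_sshd(effective: str) -> list:
    """Findings for Step 1: empty means SSH accepts public keys and refuses passwords."""
    settings = {}
    for line in effective.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings.get("pubkeyauthentication") != "yes":
        findings.append("pubkeyauthentication is not yes")
    if settings.get("passwordauthentication") != "no":
        findings.append("passwordauthentication is not no")
    # Keyboard-interactive (PAM) auth is a second password path; it must be off too.
    if settings.get("challengeresponseauthentication", "no") != "no":
        findings.append("challengeresponseauthentication is enabled")
    return findings

def audit_procurve(config: str) -> list:
    """Findings for Step 2 on a ProCurve switch: telnet disabled, managers limited to
    SSH (snmp is monitoring, not a login path), and no unauthenticated tftp server."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "no telnet-server" not in lines:        # telnet is on by default if this is absent
        findings.append("telnet-server not disabled")
    for ln in lines:
        m = re.match(r"ip authorized-managers (\S+) .*access-method (\S+)", ln)
        if m and m.group(2) not in ("ssh", "snmp"):
            findings.append(f"manager {m.group(1)} may log in via {m.group(2)}")
    if "no tftp server" not in lines:
        findings.append("tftp server not disabled")
    return findings
```

Run the two functions over a freshly captured `sshd -T` dump and `show running-config`; an empty findings list is the pass condition for each device.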