Changes between Version 15 and Version 16 of LAMP/Tutorial


Ignore:
Timestamp:
09/21/10 17:03:23 (9 years ago)
Author:
fernande@cis.udel.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • LAMP/Tutorial

    v15 v16  
    2424It is useful to understand the general principles behind the steps we will take throughout this tutorial. The LAMP I&M System is built on top of three pillars:
    2525
    26 - LAMP Portal: The LAMP Portal is the goto resource for experimenters to manage and visualize their I&M services and data. The portal is deployed with the LAMP image and will usually be enabled through the initial RSpec configuration for the experiment. The portal can run on any node or (nodes) within the slice. The LAMP Portal is derived from the Web Admin component of the pS-Performance Toolkit 3.2 RC1 (although not required, looking at the [http://code.google.com/p/perfsonar-ps/wiki/pSPerformanceToolkit31 comprehensive Quick Start guide] of the pS Toolkit can be very useful to understand the LAMP I&M System setup).
    27 
    28 - UNIS and Topology-based Configuration: xxxxxxx
    29 
    30 - I&M software (measurement tools and perfSONAR services): xxxxx
     26* LAMP Portal: The LAMP Portal is the goto resource for experimenters to manage and visualize their I&M services and data. The portal is deployed with the LAMP image and will usually be enabled through the initial RSpec configuration for the experiment. The portal can run on any node or (nodes) within the slice. The LAMP Portal is derived from the Web Admin component of the pS-Performance Toolkit 3.2 RC1 (although not required, looking at the [http://code.google.com/p/perfsonar-ps/wiki/pSPerformanceToolkit31 comprehensive Quick Start guide] of the pS Toolkit can be very useful to understand the LAMP I&M System setup).
     27
     28* UNIS and Topology-based Configuration: xxxxxxx
     29
     30* I&M software (measurement tools and perfSONAR services): xxxxx
    3131
    3232
     
    147147}}}
    148148
    149 A small modification needs to be done for now on the credential we just saved: remove the first line that indicates the xml version and encoding. Make sure you do not modify any other line, otherwise the signature check will fail. Our [http://groups.geni.net/geni/attachment/wiki/LAMP/Tutorial/lamptutorial-credential.xml credential] is now ready to be used with the lamp-sendmanifest.py script.
     149A small modification needs to be done for now on the credential we just saved: we must remove the first line that indicates the xml version and encoding. Make sure you do not modify any other line, otherwise the signature check will fail. Our [http://groups.geni.net/geni/attachment/wiki/LAMP/Tutorial/lamptutorial-credential.xml credential] is now ready to be used with the lamp-sendmanifest.py script.
    150150
    151151{{{
     
    214214
    215215Enter PEM pass phrase:
     216}}}
     217
     218
     219
     220The first message that appears is the message we send to UNIS. We won't go over the details of this message right now, other to point out that we are sending a TSReplaceRequest, passing the credential and our slice's topology in UNIS format. Since all LAMP services are SSL enabled (see our AA page for more), we need to use our ProtoGENI certificate for the request (the script will use the $HOME/.ssl/encrypted.pem path by default, you can change this by specifying the environment variables HTTPS_CERT_FILE and HTTPS_KEY_FILE). If the certificate is password protected, the prompt "Enter PEM pass phrase:" shown above will appear. Enter you certificate's password for the script to continue. The script will send the topology replace request and output the result message:
     221
     222{{{
    216223Received:
    217224
     
    228235</SOAP-ENV:Envelope>
    229236}}}
     237
     238This is a standard perfSONAR exchange. We send a NMWG request and get back a response with an eventType and possibly a response message. In this case the eventType is "success.ma.replaced" and the message "data element(s) successfully replaced". Great! Everything worked. Our topology is now in UNIS and our services can request it to learn more about the network and their own configuration. If this step fails for you, check that your credential is valid, that you're using the right certificate for the credential, and that you gave the correct slice URN. Contact us at lamp@damsl.cis.udel.edu if the problems persist.
     239
     240=== 4. Request and setup the LAMP certificate ===
     241
     242Right now our topology is on UNIS and our slice has started/is starting. Because of security considerations, only those with a valid slice credential can access the slice's topology information in UNIS. However, LAMP services rely on that information to configure themselves (and sometimes also need to communicate with each other). This requires LAMP services to have access to a special certificate that grants them the necessary permissions. Right now the only way we have to provide this is to give users a slice specific certificate that lasts until the slice's expiration time (given in the slice credential). Users can request this certificate with the lamp-getcertificate.py script. This script works similarly to the ProtoGENI test scripts and requires only the name of the slice as an argument.
     243
     244{{{
     245fernandes@debian:~/dev/geni$ test/lamp-getcertificate.py -n lamptutorial
     246Got my SA credential, looking up lamptutorial
     247Asking for slice credential for lamptutorial
     248Got the slice credential
     249Asking for my lamp certificate
     250Paste the following certificate *as is* into a file called lampcert.pem
     251Upload the certificate to all LAMP enabled nodes at /usr/local/etc/protogeni/ssl/lampcert.pem
     252-----BEGIN RSA PRIVATE KEY-----
     253... certificate's private key ...
     254-----END RSA PRIVATE KEY-----
     255Certificate:
     256    Data:
     257        ... certificate's data ...
     258
     259            X509v3 Subject Alternative Name:
     260                URI:urn:publicid:IDN+emulab.net+service+lamp@lamptutorial
     261        ...
     262
     263-----BEGIN CERTIFICATE-----
     264... certificate ...
     265-----END CERTIFICATE-----
     266}}}
     267
     268Following the instructions shown by the script, we copy paste the certificate '''with the private key''' into a file, say lamptutorial-cert.pem (you can call it anything you want locally, but it must be called lampcert.pem at the nodes). This file will then need to be uploaded to each of the nodes that have LAMP services at the indicated location: /usr/local/etc/protogeni/ssl/lampcert.pem. (Sorry for the work this causes right now, we will try to streamline it in the future.) Note that the certificate file cannot be password protected because services will use it without user intervention.
     269
     270To upload the certificate to all the nodes we can use the following Unix commands. Feel free to do it in your preferred way.
     271
     272Get the list of hostnames in our slice (you might need manually check if some nodes are not LAMP related):
     273
     274{{{
     275$ grep "login" lamptutorial-manifest.xml
     276   <services><login authentication="ssh-keys" hostname="pc123.emulab.net" port="22"/></services></node>
     277   <services><login authentication="ssh-keys" hostname="pc112.emulab.net" port="22"/></services></node>
     278   <services><login authentication="ssh-keys" hostname="pc99.emulab.net" port="22"/></services></node>
     279}}}
     280
     281Use bash scripting to upload the certificate, move it to the right place, set the correct permissions and owner/group, and finally restart pSConfig:
     282
     283{{{
     284$ for node in pc123.emulab.net pc112.emulab.net pc99.emulab.net; do
     285>      scp lamptutorial-cert.pem fernande@$node:
     286>      ssh fernande@$node "sudo mv lamptutorial-cert.pem /usr/local/etc/protogeni/ssl/lampcert.pem"
     287>      ssh fernande@$node "sudo chown root.perfsonar /usr/local/etc/protogeni/ssl/lampcert.pem"
     288>      ssh fernande@$node "sudo chmod 440 /usr/local/etc/protogeni/ssl/lampcert.pem"
     289>      ssh fernande@$node "sudo /etc/init.d/psconfig restart"
     290> done
     291}}}
     292
     293Note that services run under the ''perfsonar'' user, and the httpd server will read the certificate as ''root''. The last step is to (re)start ''pSConfig'', the service that fetches and configures the nodes according to the topology information. If you did not setup the RSpec to run the bootstrap.sh script on startup, you will need to run it on all nodes before starting pSConfig (e.g. I would add {{{ssh fernande@$node "sudo /usr/local/etc/lamp/bootstrap.sh urn:publicid:IDN+emulab.net+slice+lamptutorial urn:publicid:IDN+emulab.net+user+fernande"}}} before the last line on the above command, while you would need to change the slice and user URNs).
     294
     295=== 5. Accessing the LAMP Portal ===
     296
     297We have now uploaded our slice's topology to UNIS and we have setup our nodes with the LAMP certificate (and bootstrapped the configuration). As soon as pSConfig starts, the service will contact UNIS and fetch the configuration for the node. On our tutorial's RSpec, only one service is enabled for now: the LAMP Portal on the ''lamp'' node. pSConfig will thus enable the service automatically. It can take up to 5 minutes for services to start/stop based on configuration changes (a ''service watcher'' script runs every 5 minutes and will make sure that any enabled/disabled services are running/stopped).
     298
     299After a few minutes we try to access the LAMP Portal at our ''lamp'' node: https://pc99.emulab.net/lamp/. To our surprise, however, we get an error:
     300
     301[[Image(portal-error.png)]]
     302
     303We're sorry that right now our error reporting is so uninformative, so the user doesn't really know what happened. Looking at the error log for the web server (/var/log/apache2/error.log) we see the following error message:
     304
     305{{{
     306[Tue Sep 21 16:44:17 2010] [error] [client 128.4.62.115] You're not authorized to access this service. at /opt/perfsonar_ps/perfSONAR_PS-Toolkit/web/root/gui/services/../../../../lib/perfSONAR_PS/Utils/GENIPolicy.pm line 91.
     307}}}
     308
     309Ah, so everything makes sense now. We either did not use a certificate to access the server, or used a certificate for a user that is not allowed to access the service. Currently in our slice, only us (the slice owner) will be able to access the LAMP Portal with their ProtoGENI certificate, or anyone using the LAMP certificate (remember, LAMP services trust the LAMP certificate implicitly! so be carefully with it). To setup you browser to use a certificate, if you haven't done so already, follow the instructions at [https://www.protogeni.net/trac/protogeni/wiki/FlashClientSetup ProtoGENI Flash Client Setup]. You'll have to look for similar instructions for other browsers (e.g. for [http://code.google.com/p/chromium/wiki/LinuxCertManagement Google Chromium]).
     310
     311After setting up the certificate
     312
     313