Changes between Version 50 and Version 51 of OpenFlow/FOAM


Timestamp:
06/04/13 22:08:52 (11 years ago)
Author:
Josh Smift
Comment:

--

  • OpenFlow/FOAM

    v50 v51  
    3737Note that there were significant changes between FOAM 0.6 and FOAM 0.8; http://groups.geni.net/geni/wiki/OpenFlow/FOAM?version=22 has the last version of this page with 0.6-specific information.
    3838
     39== Slice Authority trust configuration ==
     40
     41FOAM has a set of CA certificates that it uses for user authorization: If a user has a certificate signed by a CA that FOAM is configured to trust, then that user can talk to FOAM (and create FOAM slivers, which will be approved automatically if auto-approval is on, etc).
     42
     43To configure what Slice Authorities FOAM trusts, install or remove the CA cert for the Slice Authority in a file in `/opt/foam/etc/gcf-ca-certs`, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:
     44
     45{{{
     46sudo foamctl admin:bundle-certs
     47sudo service foam restart
     48sudo service nginx restart
     49}}}
     50
     51The GPO recommends that GENI FOAM aggregates trust the authorities in the GENI cert bundle; see below for detailed instructins on how to do that.
     52
    3953== Initial configuration ==
    4054
    41 The GPO has a variety of recommendations for configuring FOAM. We strongly encourage GENI sites to do all of these things.
     55The GPO has a variety of recommendations for configuring FOAM. We strongly encourage GENI sites to do all of these things, and encourage you to contact us (`gpo-infra@geni.net`) if you have any questions or concerns.
    4256
    4357=== Administrative e-mail ===
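
Review bot: New line 51 misspells "instructions" as "instructins", and its "see below" is a loose pointer; name the target, the new "=== Slice Authorities ===" subsection under Initial configuration. Line 41 also notes that slivers from any user signed by a trusted CA are approved automatically when auto-approval is on, so line 43 would benefit from saying that a CA cert should be verified before it is placed in `/opt/foam/etc/gcf-ca-certs`, as the later subsection does with checksums.
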
     
    4559When you install FOAM for the first time (i.e. not an upgrade to an existing installation), you should configure its ability to send you administrative e-mail; those steps are part of the official [https://openflow.stanford.edu/display/FOAM/0.10.x+Install+Guide FOAM 0.10 install guide].
    4660
     61=== Slice Authorities ===
     62
     63The GPO recommends that GENI FOAM aggregates trust the authorities in the GENI cert bundle. To do that, first download the bundle and check its MD5 checksum:
     64
     65{{{
     66wget -O geni-cert-bundle.tar.gz http://groups.geni.net/geni/attachment/wiki/GeniTrustAnchors/geni-cert-bundle.tar.gz?format=raw
     67md5sum geni-cert-bundle.tar.gz
     68}}}
     69
     70See http://groups.geni.net/geni/wiki/GeniTrustAnchors for the expected value of the checksum. If the checksum doesn't match, contact `gpo-infra@geni.net` and we'll take a look.
     71
     72If the checksum on the tar.gz file matches, unpack the bundle and check the sums on the files in it:
     73
     74{{{
     75tar xfz geni-cert-bundle.tar.gz
     76cd geni-cert-bundle
     77md5sum --check MD5SUMS
     78}}}
     79
     80That should produce output like:
     81
     82{{{
     83ch.geni.net-ca.pem: OK
     84ch.geni.net-ma.pem: OK
     85emulab.net.pem: OK
     86pgeni.gpolab.bbn.com.pem: OK
     87plc.pem: OK
     88}}}
     89
     90If any of them don't say "OK", or you get any other errors, contact `gpo-infra@geni.net`.
     91
     92If those do all check out ok, install the certs in the directory that FOAM uses, rebuild the cert file that nginx uses, and restart FOAM and nginx:
     93
     94{{{
     95sudo cp *.pem /opt/foam/etc/gcf-ca-certs
     96sudo foamctl admin:bundle-certs
     97sudo service foam restart
     98sudo service nginx restart
     99}}}
     100
     101Experimenters should then be able to use FOAM with credentials signed by any of those authorities; you can test this yourself if you have such credentials handy.
     102
    47103=== Admin password ===
    48104
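
Review bot: The download at new line 66 and the checksum reference at line 70 are both plain `http://` URLs on the same host, so the `md5sum` comparison at line 67 detects a corrupted transfer but not tampering: anyone able to alter the tarball in transit or on the server can alter the published value as well. The `md5sum --check MD5SUMS` step at line 77 has the same limit, because `MD5SUMS` is unpacked from the tarball being checked. These files become trusted CAs for user authorization once line 95 copies them into `/opt/foam/etc/gcf-ca-certs`, so suggest fetching over https where the host offers it, publishing a SHA-256 sum or a detached signature rather than MD5, and stating how the expected value can be confirmed through a separate channel.
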
     
    51107=== !FlowVisor configuration ===
    52108
    53 You'll then need to configure FOAM to point to your !FlowVisor, which you can do interactively with {{{foamctl config:set-flowvisor-info}}}, or non-interactively like this (with values that work for your installation):
     109You'll then need to configure FOAM to point to your !FlowVisor, which you can do interactively with {{{foamctl config:set-flowvisor-info}}}, or non-interactively like this:
    54110
    55111{{{
     
    58114}}}
    59115
     116This example works if your !FlowVisor is on the same host as FOAM; if it's not, use values that work for your installation.
     117
    60118=== Site tag ===
    61119
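
Review bot: The qualifier "(with values that work for your installation)" was dropped from the lead-in at old line 53 and its replacement now sits at new line 116, after the code block, so a reader who copies the command meets the caveat only afterwards. Suggest keeping a short hint in the lead-in at line 109, for example "non-interactively like this (shown for a FlowVisor on the same host as FOAM)", and leaving line 116 as the fuller explanation.
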
     
    94152/bin/echo "flowvisor hold" | sudo /usr/bin/dpkg --set-selections
    95153}}}
     154
     155If you run !FlowVisor on a different server, you'd want to run the second command there instead.
    96156
    97157== Upgrading ==
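
Review bot: "the second command" at new line 155 is ambiguous for anyone reading the block out of order or after a later edit reorders it. Name the command instead, for example "run the `flowvisor hold` selection (line 152) on the FlowVisor server instead".
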
     
    367427You can also use 'geni:show-sliver -s' to show flowspaces instead, which have the advantage of not including any comments or other formatting in the experimenter's rspec, but are a less familiar format for most admins.
    368428
    369 == Slice Authority trust configuration ==
    370 
    371 FOAM has a set of CA certificates that it uses for user authorization: If a user has a certificate signed by a CA that FOAM is configured to trust, then that user can talk to FOAM (and create FOAM slivers, which will be approved automatically if auto-approval is on, etc).
    372 
    373 To configure what Slice Authorities FOAM trusts, install or remove the CA cert for the Slice Authority in a file in /opt/foam/etc/gcf-ca-certs, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:
    374 
    375 {{{
    376 sudo foamctl admin:bundle-certs
    377 sudo service foam restart
    378 sudo service nginx restart
    379 }}}
    380 
    381 GENI deployments should trust the pgeni.gpolab.bbn.com SA; the official FOAM installation guide includes this step, or you can get the cert from http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem if you need it.
    382 
    383429== Changing the !FlowVisor password ==
    384430