Changes between Version 8 and Version 9 of SfaInstallGEC9Demos


Timestamp: 03/22/11 21:22:03 (13 years ago)
Author: tupty@bbn.com
Comment: gst 2058 replacing old documentation with links to new page

  • SfaInstallGEC9Demos

    v8 v9  
    1 [[PageOutline]]
    2 
    3 This page provides instructions for grabbing/configuring SFA from git, assuming a site which is already running a stable myplc and just needs to add SFA
    4 
    5 We recommend sites use the tag `sfa-geni-gec9` from the PlanetLab GIT repository.
    6 
    7 IF you were already running an older version of SFA, including RPM-based versions sfa-0.9-14 or earlier, you will need to remove all old sfi credentials to handle a credential format change.  NOTE: if those credentials were used to create any slivers which are still active, you may lose the ability to modify those slivers.  Please contact the GPO before upgrading if this is a concern for you.  If you were already running a more recent SFA, this upgrade should be harmless, though it's always good to proceed with caution around any upgrade.
    8 
    9 = Variables =
    10 
    11 You will need to configure SFA using some of the same variables which were configured for PLC.  Get these values by running `plc-config-tty` in read-only mode on your myplc host:
    12 {{{
    13 $ plc-config-tty
    14 Enter command (u for usual changes, w to save, ? for help) s PLC_SLICE_PREFIX
    15 PLC_SLICE_PREFIX = <plc_slice_prefix>
    16 
    17 Enter command (u for usual changes, w to save, ? for help) s PLC_API_HOST
    18 PLC_API_HOST = <plc_api_host>
    19 
    20 Enter command (u for usual changes, w to save, ? for help) s PLC_DB_HOST
    21 PLC_DB_HOST = <plc_db_host>
    22 
    23 Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_USER
    24 PLC_ROOT_USER = <plc_root_user>
    25 
    26 Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_PASSWORD
    27 PLC_ROOT_PASSWORD = <plc_root_password>
    28 
    29 Enter command (u for usual changes, w to save, ? for help) s PLC_DB_PASSWORD
    30 PLC_DB_PASSWORD = <plc_db_password>
    31 
    32 Enter command (u for usual changes, w to save, ? for help) q
    33 }}}
    34 
    35 = Step 0: make necessary modifications to the state of your myplc =
    36 
    37 This page assumes you are already running a myplc and have nodes attached to it.  However, there are myplc customizations which are needed for SFA beyond what is needed for basic myplc operation.
    38 
    39 == Step 0A: ensure that the planetlab site containing your nodes is public ==
    40 
    41 Your planetlab nodes and users are part of one or more local sites on your myplc.  If your nodes belong to a site which is not public, SFA won't share those nodes.  By default, the initial site generated on myplc creation is private, so you will need to make your site public now.
    42 
    43 ''Note: every time the plc service restarts (e.g. when the host reboots), the default site becomes private again.  If you are using a single-site config, you'll need to make the site public again every time plc restarts.  Contact `gpo-infra@geni.net` if you'd like the workaround we use to automate this.''
    44 
    45 Use the PLC shell to modify the configuration
    46 {{{
    47 $ sudo plcsh
    48 >>> UpdateSite('<plc_slice_prefix>', {'is_public': True})
    49 >>> exit
    50 }}}
    51 
    52 = Step 1: get a tarball of the `sfa-geni-gec9` tag of SFA =
    53 
    54 On any machine with git installed:
    55 {{{
    56 git clone git://git.planet-lab.org/sfa.git
    57 gittag=sfa-geni-gec9
    58 cd sfa
    59 git archive --format=tar --prefix=${gittag}/ ${gittag} | gzip > ${gittag}.tar.gz
    60 }}}
    61 
    62 This will produce a tarball named `sfa-geni-gec9.tar.gz`.  Copy the tar file to your myplc node.
    63 
    64 = Step 2: install SFA prerequisites =
    65 
    66 If this is the first time you are installing SFA on this myplc, you will need to install prerequisite packages, and you will need to make certain that particular packages are up-to-date:
    67 {{{
    68 sudo yum update fedora-release
    69 sudo yum install m2crypto python-dateutil python-psycopg2 myplc-config pyOpenSSL python-ZSI libxslt-python xmlsec1-openssl-devel python-lxml
    70 sudo yum upgrade pyOpenSSL python-lxml
    71 }}}
    72 
    73 = Step 3: Compile and install the SFA code =
    74 
    75 Compile the source code in a working directory of your choice:
    76 {{{
    77 mkdir ~/src
    78 cd ~/src
    79 tar xvzf ~/sfa-geni-gec9.tar.gz
    80 cd sfa-geni-gec9
    81 make
    82 }}}
    83 
    84 Expect about 6 lines of output and no obvious errors.  Assuming that looks okay, install SFA:
    85 {{{
    86 sudo make install
    87 }}}
    88 
    89 = Step 4: Configure SFA =
    90 
    91 == Step 4A: Clean old certificates if you were already running SFA ==
    92 
    93 IF you were already running an older version of SFA, including RPM-based versions sfa-0.9-14 or earlier, you will need to remove all old sfi credentials to handle a credential format change.  NOTE: if those credentials were used to create any slivers which are still active, you may lose the ability to modify those slivers.
    94 
    95 {{{
    96 sudo /etc/init.d/sfa stop
    97 sudo sfa-nuke-plc.py
    98 sudo rm /etc/sfa/trusted_roots/*.gid
    99 sudo rm -rf /var/lib/sfa/
    100 rm ~/.sfi/*.gid
    101 rm ~/.sfi/*.cert
    102 rm ~/.sfi/*.cred
    103 }}}
    104 
    105 == Step 4B: Create new configuration if this is the first time SFA has run on this PLC ==
    106 
    107 Note that many of these configuration options require variables taken from your myplc configuration itself.  See [#Variables] for details.
    108 
    109 {{{
    110 $ sudo sfa-config-tty
    111 Enter command (u for usual changes, w to save, ? for help) u
    112  SFA_INTERFACE_HRN: plc.<plc_slice_prefix>
    113  SFA_REGISTRY_ROOT_AUTH: plc
    114  SFA_REGISTRY_HOST : <plc_api_host>
    115  SFA_AGGREGATE_HOST : <plc_api_host>
    116  SFA_SM_HOST : <plc_api_host>
    117  SFA_PLC_DB_HOST : <plc_db_host>
    118  SFA_PLC_DB_USER : postgres
    119  SFA_PLC_USER: <plc_root_user>
    120  SFA_PLC_PASSWORD: <plc_root_password>
    121  SFA_PLC_DB_PASSWORD: <plc_db_password> 
    122  SFA_PLC_URL : [https://localhost:443/PLCAPI/]
    123 Enter command (u for usual changes, w to save, ? for help) w
    124 Enter command (u for usual changes, w to save, ? for help) q
    125 }}}
    126 
    127 = Step 5: Start SFA =
    128 
    129 Start up SFA once, to create the initial /etc/sfa/sfa_config.py, and stop it again
    130 {{{
    131 sudo service sfa reload
    132 }}}
    133 
    134 Import the PLC database into SFA:
    135 {{{
    136 sudo sfa-import-plc.py
    137 }}}
    138  
    139 Start up SFA again:
    140 {{{
    141 sudo service sfa restart
    142 }}}
    143 
    144 = Step 6: Create local sfi credentials if desired =
    145 
    146 In order to use omni to reserve resources using the `pgeni.gpolab.bbn.com` slice authority, you do not need to test sfi or create local users with sfi certificates.  You should be able to install SFA and configure it to allow omni sliver creation for GEC9 demos without ever installing a local sfi user on your myplc.  So it is fine to skip this step.
    147 
    148 However, you may want to create local users for other purposes, or to test functionality.  If you want to do that, [wiki:GeniApiInstallationMyPlc#InstallSFA] has instructions for creating an sfi client configuration and using it to test `getversion` in steps 6 and 7.
    149 
    150 = Step 7: Install the `pgeni.gpolab.bbn.com` certificate =
    151 
    152 Configure your SFA instance to allow slivers to slices created at the GEC9 demo slice authority, `pgeni.gpolab.bbn.com`.
    153 
    154 Get a copy of the certificate:
    155 {{{
    156 wget http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem
    157 }}}
    158 
    159 Copy that certificate into a `.crt` file under `/etc/sfa/trusted_roots`:
    160 {{{
    161 sudo cp pgeni.gpolab.bbn.com.pem /etc/sfa/trusted_roots/pgeni.gpolab.bbn.com.crt
    162 }}}
    163 
    164 Restart sfa:
    165 {{{
    166 sudo service sfa restart
    167 }}}
    168 
    169 = Step 8: Configure host firewall to allow SFA =
    170 
    171 If your myplc is running iptables, you will need to add rules to allow inbound connections to the `sfa-server.py` daemon, which listens on three ports.  You should also ensure that HTTP and HTTPS are allowed.  Add the following rules to `/etc/sysconfig/iptables`:
    172 {{{
    173 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    174 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    175 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12345 -j ACCEPT
    176 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12346 -j ACCEPT
    177 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12347 -j ACCEPT
    178 }}}
    179 placing them immediately ''before'' the default reject rule:
    180 {{{
    181 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    182 }}}
    183 
    184 Then restart iptables:
    185 {{{
    186 sudo service iptables restart
    187 }}}
    188 
    189 = Outcome =
    190 
    191 Assuming SFA comes up cleanly, it should now be possible for people to create slivers via omni at your myplc, using the instructions at OmniSetupGEC9Demos.  Of particular note, you will want to run:
    192 {{{
    193 ./src/omni.py listresources -n -a http://<plc_www_host>:12346
    194 }}}
    195 to obtain an rspec describing the planetlab nodes available at your myplc.  This will tell you what your planetlab hosts are called by omni, and thus how to reserve them.
    196 
     1Please see GpoLab/MyplcReferenceImplementation for updated documentation on MyPLC with SFA.
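
Review bot: the single v9 replacement line drops the operational caveats from v8 lines 7 and 93 (removing old sfi credentials can cost the ability to modify slivers that are still active) and v8 line 43 (the default site becomes private again on every plc restart) without saying whether GpoLab/MyplcReferenceImplementation carries them; confirm the new page has both, or keep a short note here alongside the pointer. When Step 7 (v8 lines 154-161) is carried over, note that the certificate is fetched with `wget http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem` and copied straight into `/etc/sfa/trusted_roots`, so the new page should give a fingerprint to compare against, or serve the file over HTTPS, before that copy is made.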