- Variables
- Step 0: make necessary modifications to the state of your myplc
- Step 1: get a tarball of the sfa-geni-gec9 tag of SFA
- Step 2: install SFA prerequisites
- Step 3: Compile and install the SFA code
- Step 4: Configure SFA
- Step 5: Start SFA
- Step 6: Create local sfi credentials if desired
- Step 7: Install the pgeni.gpolab.bbn.com certificate
- Step 8: Configure host firewall to allow SFA
- Outcome
This page provides instructions for getting SFA from git and configuring it, assuming a site which is already running a stable myplc and just needs to add SFA.
We recommend sites use the tag sfa-geni-gec9 from the PlanetLab GIT repository.
IF you were already running an older version of SFA, including RPM-based versions sfa-0.9-14 or earlier, you will need to remove all old sfi credentials to handle a credential format change. NOTE: if those credentials were used to create any slivers which are still active, you may lose the ability to modify those slivers. Please contact the GPO before upgrading if this is a concern for you. If you were already running a more recent SFA, this upgrade should be harmless, though it's always good to proceed with caution around any upgrade.
Variables
You will need to configure SFA using some of the same variables which were configured for PLC. Get these values by running plc-config-tty in read-only mode on your myplc host:
$ plc-config-tty
Enter command (u for usual changes, w to save, ? for help) s PLC_SLICE_PREFIX
PLC_SLICE_PREFIX = <plc_slice_prefix>
Enter command (u for usual changes, w to save, ? for help) s PLC_API_HOST
PLC_API_HOST = <plc_api_host>
Enter command (u for usual changes, w to save, ? for help) s PLC_DB_HOST
PLC_DB_HOST = <plc_db_host>
Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_USER
PLC_ROOT_USER = <plc_root_user>
Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_PASSWORD
PLC_ROOT_PASSWORD = <plc_root_password>
Enter command (u for usual changes, w to save, ? for help) s PLC_DB_PASSWORD
PLC_DB_PASSWORD = <plc_db_password>
Enter command (u for usual changes, w to save, ? for help) q
Step 0: make necessary modifications to the state of your myplc
This page assumes you are already running a myplc and have nodes attached to it. However, there are myplc customizations which are needed for SFA beyond what is needed for basic myplc operation.
Step 0A: ensure that the planetlab site containing your nodes is public
Your planetlab nodes and users are part of one or more local sites on your myplc. If your nodes belong to a site which is not public, SFA won't share those nodes. By default, the initial site generated on myplc creation is private, so you will need to make your site public now.
Note: every time the plc service restarts (e.g. when the host reboots), the default site becomes private again. If you are using a single-site config, you'll need to make the site public again every time plc restarts. Contact gpo-infra@geni.net if you'd like the workaround we use to automate this.
Use the PLC shell to modify the configuration:
$ sudo plcsh
>>> UpdateSite('<plc_slice_prefix>', {'is_public': True})
>>> exit
Step 1: get a tarball of the sfa-geni-gec9 tag of SFA
On any machine with git installed:
git clone git://git.planet-lab.org/sfa.git
gittag=sfa-geni-gec9
cd sfa
git archive --format=tar --prefix=${gittag}/ ${gittag} | gzip > ${gittag}.tar.gz
This will produce a tarball named sfa-geni-gec9.tar.gz. Copy the tar file to your myplc node.
Step 2: install SFA prerequisites
If this is the first time you are installing SFA on this myplc, you will need to install prerequisite packages, and you will need to make certain that particular packages are up-to-date:
sudo yum update fedora-release
sudo yum install m2crypto python-dateutil python-psycopg2 myplc-config pyOpenSSL python-ZSI libxslt-python xmlsec1-openssl-devel python-lxml
sudo yum upgrade pyOpenSSL python-lxml
Step 3: Compile and install the SFA code
Compile the source code in a working directory of your choice:
mkdir ~/src
cd ~/src
tar xvzf ~/sfa-geni-gec9.tar.gz
cd sfa-geni-gec9
make
Expect about 6 lines of output and no obvious errors. Assuming that looks okay, install SFA:
sudo make install
Step 4: Configure SFA
Step 4A: Clean old certificates if you were already running SFA
IF you were already running an older version of SFA, including RPM-based versions sfa-0.9-14 or earlier, you will need to remove all old sfi credentials to handle a credential format change. NOTE: if those credentials were used to create any slivers which are still active, you may lose the ability to modify those slivers.
sudo /etc/init.d/sfa stop
sudo sfa-nuke-plc.py
sudo rm /etc/sfa/trusted_roots/*.gid
sudo rm -rf /var/lib/sfa/
rm ~/.sfi/*.gid
rm ~/.sfi/*.cert
rm ~/.sfi/*.cred
Step 4B: Create new configuration if this is the first time SFA has run on this PLC
Note that many of these configuration options require variables taken from your myplc configuration itself. See #Variables for details.
$ sudo sfa-config-tty
Enter command (u for usual changes, w to save, ? for help) u
SFA_INTERFACE_HRN: plc.<plc_slice_prefix>
SFA_REGISTRY_ROOT_AUTH: plc
SFA_REGISTRY_HOST : <plc_api_host>
SFA_AGGREGATE_HOST : <plc_api_host>
SFA_SM_HOST : <plc_api_host>
SFA_PLC_DB_HOST : <plc_db_host>
SFA_PLC_DB_USER : postgres
SFA_PLC_USER: <plc_root_user>
SFA_PLC_PASSWORD: <plc_root_password>
SFA_PLC_DB_PASSWORD: <plc_db_password>
SFA_PLC_URL : [https://localhost:443/PLCAPI/]
Enter command (u for usual changes, w to save, ? for help) w
Enter command (u for usual changes, w to save, ? for help) q
Step 5: Start SFA
Start up SFA once, to create the initial /etc/sfa/sfa_config.py, and stop it again:
sudo service sfa reload
Import the PLC database into SFA:
sudo sfa-import-plc.py
Start up SFA again:
sudo service sfa restart
Step 6: Create local sfi credentials if desired
In order to use omni to reserve resources using the pgeni.gpolab.bbn.com slice authority, you do not need to test sfi or create local users with sfi certificates. You should be able to install SFA and configure it to allow omni sliver creation for GEC9 demos without ever installing a local sfi user on your myplc. So it is fine to skip this step.
However, you may want to create local users for other purposes, or to test functionality. If you want to do that, GeniApiInstallationMyPlc has instructions for creating an sfi client configuration and using it to test getversion in steps 6 and 7.
Step 7: Install the pgeni.gpolab.bbn.com certificate
Configure your SFA instance to allow slivers to slices created at the GEC9 demo slice authority, pgeni.gpolab.bbn.com.
Get a copy of the certificate:
wget http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem
Copy that certificate into a .crt file under /etc/sfa/trusted_roots:
sudo cp pgeni.gpolab.bbn.com.pem /etc/sfa/trusted_roots/pgeni.gpolab.bbn.com.crt
Restart sfa:
sudo service sfa restart
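The certificate in this step is fetched over plain HTTP and then becomes a trust root for sliver creation, so it is worth comparing its SHA-256 fingerprint with a value obtained from the GPO through a separate channel before copying it into place. The following is an added example, not part of the original instructions; the function names and the EXPECTED_FP placeholder are assumptions, and this page does not publish a fingerprint.

```shell
#!/bin/sh
# Added example: verify a downloaded trust-root certificate before installing it.
# EXPECTED_FP is a placeholder; obtain the real value out-of-band (assumption).

# Normalize a fingerprint: drop any "label=" prefix, colons and spaces; uppercase.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of a PEM certificate (fails if it does not parse).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# fp_matches ACTUAL EXPECTED: succeed only if EXPECTED is 64 hex digits and equal.
fp_matches() {
    a=$(normalize_fp "$1")
    e=$(normalize_fp "$2")
    [ ${#e} -eq 64 ] || return 1
    case "$e" in *[!0-9A-F]*) return 1 ;; esac
    [ "$a" = "$e" ]
}

# install_trusted_root PEM EXPECTED_FP DEST_DIR: copy PEM to DEST_DIR/<name>.crt
# only when the fingerprint matches; otherwise leave DEST_DIR untouched.
install_trusted_root() {
    pem=$1; expected=$2; dest=$3
    actual=$(cert_fp "$pem") || { echo "not a parseable certificate: $pem" >&2; return 2; }
    if ! fp_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $pem, not installing" >&2
        echo "  got: $(normalize_fp "$actual")" >&2
        return 1
    fi
    cp "$pem" "$dest/$(basename "$pem" .pem).crt"
}

# Usage on the myplc host (run as root), then restart sfa as described above:
#   install_trusted_root pgeni.gpolab.bbn.com.pem "$EXPECTED_FP" /etc/sfa/trusted_roots
```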
Step 8: Configure host firewall to allow SFA
If your myplc is running iptables, you will need to add rules to allow inbound connections to the sfa-server.py daemon, which listens on three ports. You should also ensure that HTTP and HTTPS are allowed. Add the following rules to /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12346 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12347 -j ACCEPT
placing them immediately before the default reject rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Then restart iptables:
sudo service iptables restart
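The edit in this step can be scripted so that the five ACCEPT rules land immediately before the default reject rule and are not duplicated when the script is run again. This is an added example, not from the original page; the function name add_sfa_rules is an assumption, and a rule counts as already present only if it appears before the reject rule.

```shell
#!/bin/sh
# Added example: insert the SFA ACCEPT rules immediately before the default
# REJECT rule of /etc/sysconfig/iptables, skipping rules already in effect.

SFA_PORTS="80 443 12345 12346 12347"

# add_sfa_rules FILE: write the updated ruleset to stdout.
# Exits non-zero if FILE has no default reject rule to anchor on.
add_sfa_rules() {
    awk -v ports="$SFA_PORTS" '
        BEGIN { n = split(ports, p, " ") }
        { line[NR] = $0 }
        /^-A RH-Firewall-1-INPUT -j REJECT/ { if (!reject) reject = NR }
        END {
            if (!reject) exit 1
            # Only rules ahead of the REJECT are effective, so only those count.
            for (i = 1; i < reject; i++) seen[line[i]] = 1
            for (i = 1; i <= NR; i++) {
                if (i == reject) {
                    for (j = 1; j <= n; j++) {
                        r = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport " p[j] " -j ACCEPT"
                        if (!(r in seen)) print r
                    }
                }
                print line[i]
            }
        }
    ' "$1"
}

# Usage on the myplc host (keeps a backup; then restart iptables as in the text):
#   add_sfa_rules /etc/sysconfig/iptables > /tmp/iptables.new &&
#     sudo cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak &&
#     sudo cp /tmp/iptables.new /etc/sysconfig/iptables
```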
Outcome
Assuming SFA comes up cleanly, it should now be possible for people to create slivers via omni at your myplc, using the instructions at OmniSetupGEC9Demos. Of particular note, you will want to run:
./src/omni.py listresources -n -a http://<plc_www_host>:12346
to obtain an rspec describing the planetlab nodes available at your myplc. This will tell you what your planetlab hosts are called by omni, and thus how to reserve them.