Skip to topic | Skip to bottom
Home
GENI
National
Science
Foundation
Register or Logon
Private Intranet

Start of topic | Skip to actions

Experiences in deploying MyPLC PlanetLab Central v4.3

This page is dedicated to documenting the procedure we used to deploy a MyPLC PlanetLab Central v4.3 distribution on the DRAGON network.

Install CentOS 5.3

On a fresh PC, install CentOS 5.3 (Linux RedHat variant).

Begin by downloading the netinstall ISO image at http://mirror.anl.gov/pub/centos/5.3/isos/i386/CentOS-5.3-i386-netinstall.iso

The CentOS netinstall procedure requires the user to supply some information about the mirror. We selected the 'HTTP' method for installation, using mirror.anl.gov for the 'Website Name', and /pub/centos/5.3/os/i386 for the 'CentOS Directory'.

  • NOTE:
    • Don't select 'Xen' during the installation. If you do, you will get exceptions in dmesg later on because you will be booting a vserver-enabled kernel, which does not include Xen support. If you accidentally select 'Xen', you will want to turn off libvirtd using chkconfig.
    • During the installation, you are presented with a software selection screen. We unchecked 'Desktop - Gnome' and checked 'Server'.
    • In our installation, we named this host planetlab1.domain.org

DNS configuration

  • We configured our DNS server as follows:
    • planetlab1.domain.org is an A record pointing to the IP address 192.168.100.133.
    • myplc.domain.org is an A record pointing to the IP address 192.168.100.131.

Install vserver-enabled kernel

  • After installing CentOS 5.3, create a new file /etc/yum.repos.d/dhozac-vserver.repo and populate it with the following: 
[dhozac-vserver]
name=Linux-VServer related packages for CentOS $releasever - $basearch
baseurl=http://rpm.hozac.com/dhozac/centos/$releasever/vserver/$basearch
gpgkey=http://rpm.hozac.com/conf/keys/RPM-DHOZAC-GPG-KEY

  • Next, run yum -y update yum and yum -y install kernel

  • Edit /boot/grub/menu.lst (is actually a symlink to grub.conf in CentOS)
    • The last yum command should have added something like this (it should be the first kernel entry): 
title CentOS (2.6.22.19-vs2.3.0.34.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.19-vs2.3.0.34.1 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.22.19-vs2.3.0.34.1.img

  • Make sure you have default=0 in order to boot this kernel by default

Tweak SSH daemon

  • Edit /etc/ssh/sshd_config, change ListenAddress to the IP address configured eth0 (would block any guest's attempt to run sshd if you do not do this because sshd binds to '*:22' by default)

Turn SElinux off

  • edit /etc/sysconfig/selinux, set SELINUX=disabled

Reboot

  • Reboot the PC, when it comes back up, ensure that you can SSH to it and that the new vserver-enabled kernel is running: 
[root@planetlab1 ~]# uname -a
Linux planetlab1 2.6.22.19-vs2.3.0.34.1 #1 SMP Mon Mar 17 05:32:04 EDT 2008 i686 i686 i386 GNU/Linux

Install util-vserver packages 

[root@planetlab1 ~]# yum install util-vserver
[root@planetlab1 ~]# yum install util-vserver-build

  • Additional steps required: 
[root@planetlab1 ~]# /etc/init.d/vprocunhide start
Fixing /proc entries visibility...                         [  OK  ]
[root@planetlab1 ~]# chkconfig vservers-default on
[root@planetlab1 ~]# chkconfig --list vservers-default
vservers-default        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Build Guest Systems

  • yum install all of these packages in "root context" (e.g. not inside the vserver):
    • subversion
    • httpd (on machines that mirror fedora repositories)
    • createrepo is needed in the root context on build boxes - this is for when just built rpms get published to the test framework
    • qemu is required on boxed that may host qemu-based test boxes
    • bridge-utils is mandatory on your qemu boxes as well
    • yum install subversion httpd mod_ssl createrepo qemu bridge-utils emacs ntp
    • chkconfig ntpd on

  • check out planetlab SVN build
    • this is really just a bunch of scripts to setup an environment so that myplc will run inside a vserver 
[root@planetlab1 ~]# cd /root
[root@planetlab1 ~]# svn co http://svn.planet-lab.org/svn/build/trunk svn-build

Fedora 8 mirroring

  • We mirror the entire Fedora 8 distribution so that vserver instantiation is particularly fast.

  • NOTE: Fedora 8 has been moved off of almost all of the mirrors!

  • Run the vbuild-fedora-mirror.sh command below: 
[root@planetlab1 ~]# cd /root/svn-build
[root@planetlab1 svn-build]# ./vbuild-fedora-mirror.sh -v -l -f f8 -u rsync://archive.kernel.org/fedora-archive

  • NOTE: This process takes a long time! The Fedora 8 mirror consumes approximately 19GB on our planetlab1.domain.org server.

Start apache in root context

  • Apache will run in the root context of planetlab1.domain.org and serve up Fedora/CentOS RPMs so that vservers can quickly be instantiated. 
[root@planetlab1 ~]# /etc/init.d/httpd start

  • Make sure Apache is configured to automatically start whenever this machine is booted: 
[root@planetlab1 ~]# chkconfig --level 2345 httpd on
[root@planetlab1 ~]# chkconfig --list httpd
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

Apache configuration

  • make symlink to /mirror: 
[root@planetlab1 ~]# cd /var/www/html
[root@planetlab1 html]# ln -s /mirror mirror

  • Modify Apache's /etc/httpd/conf/httpd.conf to only listen on 127.0.0.1:80 and root context's public IP, for example: 
Listen 127.0.0.1:80
Listen 192.168.100.133:80
ServerName planetlab1.domain.org

  • Modify Apache's /etc/httpd/conf.d/ssl.conf to only listen on the root context's public IP, and update the VirtualHost entry, for example: 
Listen 192.168.100.133:443
[...]
#<VirtualHost _default_:443>
<VirtualHost 192.168.100.133:443>

  • We also set ServerName above, just to make sure it gets set to the proper value..

Update iptables

Since a complete mirror of Fedora and CentOS will be available from this Apache server (without any authentication), we would recommend adding a couple of iptables rules to the RH-Firewall-1-INPUT chain in /etc/sysconfig/iptables. For example, we limit incoming requests on TCP port 80 and 443 to our local network (206.196.176.0/21): 

-A RH-Firewall-1-INPUT -s 206.196.176.0/21 -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 206.196.176.0/21 -p tcp --dport 443 -j ACCEPT

  • Run /etc/init.d/iptables restart to apply the changes

Tweaking yum config for vservers

  • The following commands will update /etc/vservers/.distributions/[f8|centos5]/yum.repos.d/building.repo so that baseurl points to http://planetlab1.domain.org/mirror/ instead of http://localhost/mirror/ 
[root@planetlab1 ~]# cd /root/svn-build/mirroring/
[root@planetlab1 mirroring]# ./mirror.sh -f f8 -u http://planetlab1.domain.org/mirror/ init
[root@planetlab1 mirroring]# ./mirror.sh -f centos5 -u http://planetlab1.domain.org/mirror/ init

  • NOTE: You don't want http://localhost/mirror/ because vserver creation will fail after installing the base operating system and starting the vserver and running yum!

  • After running the commands above, make sure the output of mirror.sh -a looks like the following (check that baseurl is correct): 
[root@planetlab1 mirroring]# ./mirror.sh -a | grep -i baseurl
baseurl=http://planetlab1.domain.org/mirror/fedora/releases/8/Everything/$basearch/os/
baseurl=http://planetlab1.domain.org/mirror/fedora/updates/8/$basearch/
baseurl=http://planetlab1.domain.org/mirror/fedora/updates/8/$basearch.newkey/
baseurl=http://planetlab1.domain.org/mirror/centos/5.3/os/$basearch/
baseurl=http://planetlab1.domain.org/mirror/centos/5.3/updates/$basearch/
baseurl=http://planetlab1.domain.org/mirror/epel/5/$basearch/

  • Fix gpgcheck setting in .repo files: 
[root@planetlab1 svn-build]# cd /etc/vservers/.distributions/f8 
[root@planetlab1 f8]# find . -name '*.repo' | xargs sed -i -e s,gpgcheck=1,gpgcheck=0,g
[root@planetlab1 f8]# find . -name '*.repo' | xargs grep gpgcheck
gpgcheck=0
gpgcheck=0
gpgcheck=0

Patching yum

  • If you run vtest-init-vserver.sh and get the following error, you need to patch yum: 
You are using a version of yum which is insecure and broken in chroot
related operations; either apply the patches shipped in the 'contrib/'
directory of util-vserver, or ask the author of yum to apply them
(preferred).

In the meantime, 'vyum' will continue with dirty hacks which might not
work when the vserver is running and local DOS attacks are possible.

Execution will continue in 5 seconds...

  • procedure: 
# yum install rpm-build intltool
# mkdir /usr/src/redhat
# mkdir /usr/src/redhat/SOURCES
# cd /usr/src/*/SOURCES
# wget http://svn.linux-vserver.org/svn/util-vserver/trunk/contrib/yum-3.2.19-chroot.patch
# cd /root
# mkdir yum-chroot
# cd yum-chroot
# wget http://mirror.anl.gov/pub/centos/5.3/os/SRPMS/yum-3.2.19-18.el5.centos.src.rpm
# rpm -i yum-3.2.19-18.el5.centos.src.rpm
# cp /usr/src/*/SPECS/yum.spec .

modify the yum.spec file, add these lines:
===
Patch4: yum-3.2.19-chroot.patch
%patch4 -p1
===

# rpmbuild -ba yum.spec
# rpm --force -U /usr/src/*/RPMS/noarch/yum-*

  • If you receive the error message above and try to create a vserver, you will receive python tracebacks like this until you patch yum as shown above: 
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/yum/rpmtrans.py", line 366, in callback
  File "/usr/lib/python2.4/site-packages/yum/rpmtrans.py", line 400, in _transStart
  File "/usr/lib/python2.4/site-packages/yum/rpmtrans.py", line 343, in ts_all
  File "/usr/lib/python2.4/os.py", line 156, in makedirs
...repeats...
  File "/usr/lib/python2.4/os.py", line 159, in makedirs
OSError: [Errno 17] File exists: '/vservers/max-myplc2/..'
error: python callback <bound method RPMTransaction.callback of <yum.rpmtrans.RPMTransaction instance at 0x910e60c>> failed, aborting!

Create a vserver to run myplc

myplc is a software package that includes everything you need to manage and slice PlanetLab nodes. It will run inside a vserver on planetlab1.domain.org. We will call that vserver myplc.domain.org.

  • Please note that the root context (planetlab1.domain.org) has an IP address of 192.168.100.133. We will use a different IP address and hostname for the vserver running myplc, in this case, it will be myplc.domain.org with an IP address of 192.168.100.131.

  • Build a new vserver using the vtest-init-vserver.sh script: 
[root@planetlab1 ~]# cd /root/svn-build
[root@planetlab1 svn-build]# ./vtest-init-vserver.sh -v -f f8 -p linux32 myplc http://build.planet-lab.org/planetlab/f8/2009.06.22--planetlab-f8-linux32/RPMS/ -- \
  --netdev eth0 --interface 192.168.100.131 --hostname myplc.domain.org

NOTE: Visit http://build.planet-lab.org/planetlab/f8/?C=M;O=D to find the latest release and change the URL which you pass to the vtest-init-vserver.sh script. If you are interested in running the OneLab build of the PlanetLab software, begin by visiting http://build.onelab.eu/ to find a suitable URL to pass to vtest-init-vserver.sh.

  • Once that finishes, enter the vserver and install the myplc package: 
[root@planetlab1 svn-build]# vserver myplc enter
[myplc] / # yum -y install myplc

  • Try to start/stop the plc service: 
[myplc] / # service plc start
[myplc] / # service plc stop

  • Use chkconfig to make sure it comes up when this vserver is started: 
[myplc] / # chkconfig plc on
[myplc] / # chkconfig --list plc
plc             0:off   1:off   2:on    3:on    4:on    5:on    6:off

  • Configure myplc from the console using plc-config-tty 
[myplc] ~ # plc-config-tty
Enter command (u for usual changes, w to save, ? for help) u
== PLC_NAME : [PlanetLab Test] My Domain PlanetLab Central
== PLC_SHORTNAME : [Tlab] pl
== PLC_SLICE_PREFIX : [pl] pl
== PLC_ROOT_USER : [root@localhost.localdomain] pl-admin@domain.org
== PLC_ROOT_PASSWORD : [root] password
== PLC_MAIL_ENABLED : [false] true
== PLC_MAIL_SUPPORT_ADDRESS : [root+support@localhost.localdomain] pl-admin@domain.org
== PLC_DB_HOST : [localhost.localdomain] myplc.domain.org
== PLC_API_HOST : [localhost.localdomain] myplc.domain.org
== PLC_WWW_HOST : [localhost.localdomain] myplc.domain.org
== PLC_BOOT_HOST : [localhost.localdomain] myplc.domain.org
== PLC_NET_DNS1 : [127.0.0.1] 192.168.1.1
== PLC_NET_DNS2 : [None] 192.168.2.1
Enter command (u for usual changes, w to save, ? for help) w
Wrote /etc/planetlab/configs/site.xml
Merged
        /etc/planetlab/default_config.xml
and     /etc/planetlab/configs/site.xml
into    /etc/planetlab/plc_config.xml
+ service plc reload
You might want to type 'r' (restart plc) or 'q' (quit)
Enter command (u for usual changes, w to save, ? for help) r
==================== Stopping plc
...
==================== Starting plc
...

Fix procfs warnings in dmesg

  • If you run dmesg on planetlab1.domain.org (the root context), you will see messages like this: 
> vxW: [<BB>crond<AB>,12389:#40056|40056|40056] messing with the procfs.

  • The current workaround requires running this command inside the guest vserver:
    • sed -i -e 's/.*pam_loginuid.*/#\0/' /etc/pam.d/*

  • NOTE: This is fixed in newer vserver kernels...(According to D.Hozac)...but these kernels are not ready for prime-time yet [as of December 2008].

Allow new users to be created

  • The is_public variable in the sites table of the planetlab5 postgresql database must be set to 't' (true) to allow new users to be created.

  • As explained by Thierry Parmentelat -- MyPLC comes with one predefined slice (the one that you provide a login_base for as PLC_SLICE_PREFIX in plc-config-tty). This site is mostly an administrative site, the one that the 'system' slices like e.g. netflow will be attached to; similarly the predefined admin users are attached to this site as well. On PLC/PLE this site is thus not public, as it does not correspond to any physical/real entity. The recommended way to use MyPLC would rather to first create a second site in the system for attaching your nodes and users. You should be able to do that through the 'file a site registration link'.

  • In our example, we used the system site to host our real stuff (nodes/users/slices). This is perfectly valid and will not break anything, but it does require tweaking the site attributes so that it is public.

  • Initially, the only way we could find to change this behavior was to manually edit the SQL database. Thierry then explained that this could also be done via plcsh using the UpdateSites() method.

  • plcsh method: 
[root@planetlab1 ~]# vserver myplc enter
[myplc] ~ # plcsh
PlanetLab Central Direct API Access
Type "system.listMethods()" or "help(method)" for more information.
>>> UpdateSite('pl',{'is_public':True})
1
[press ctrl-D to exit]

  • manual SQL method: 
[root@planetlab1 ~]# vserver myplc enter
[myplc] ~ # su -l postgres
-bash-3.2$ psql planetlab5
planetlab5=# update sites set is_public='t';
UPDATE 1
planetlab5=# \q [enter]

Skip hardware requirement checks

PlanetLab enforces sites to run relatively modern hardware, as described at http://www.planet-lab.org/hardware. There is actually a check upon bootup to make sure that the system meets the minimum hardware requirements. Since a lot of our PCs are a little older (or have small hard drives), we want to skip this requirement in our environment.

  • Modify bootmanager configuration to skip minimum hardware requirements:
    • Inside the myplc vserver, edit the file /usr/share/bootmanager/source/configuration
    • set SKIP_HARDWARE_REQUIREMENT_CHECK=1

  • Now, run service plc stop and service plc start within the myplc vserver

  • This should re-create the boot CD and ensure that any ISOs downloaded from the MyPLC web interface will not do the minimum hardware requirements check!

  • UPDATE: An easier way to do this on a node-by-node basis is to simply add '/minhw' to the end of the node's Model field -- click on My Site Nodes, select a node, add /minhw to the end of the Model field.

Login to MyPLC web-based user interface

The MyPLC web interface is a place where you can add new PlanetLab nodes, create and manage slices, etc. All of this can be done through an API as well, but the web interface is a good starting point for seeing how everything works.

  • Visit the URL: https://myplc.domain.org/
  • Username: pl-admin@domain.org (see above - set by running plc-config-tty)
  • Password: password (see above - set by running plc-config-tty)

Create user accounts & upload public SSH key

To create a new user account, visit https://myplc.domain.org and click "Create an account".

If your site does not appear under the 'Site' drop-down menu, see the section above entitled "Allow new users to be created". You need to tweak a variable in the sites table of your planetlab SQL database.

Once your account is created, you should login to your account and upload an SSH key. To do this, login to https://myplc.domain.org, click 'My Acccount' under 'Users' (and not 'my account' under 'drupal'). Click on 'Manage Keys' and use the form to upload your public SSH key. If don't already have a public key, generate one by running a command like ssh-keygen -t rsa. Then upload the file ~/.ssh/id_rsa.pub.

NOTE: GENIWrapper does not support importing of DSA keys (only RSA keys are supported), so if you plan to use GENIWrapper, make sure you use ssh-keygen -t rsa and not ssh-keygen -t dsa!

You will need to use this SSH key to login to "slices" that are created for you in later steps.

Add some PlanetLab nodes

Find some unused PCs to be used as PlanetLab nodes. These nodes can boot off of a CD-ROM or USB flash device. As of this writing, we have only experimented with the Boot CD option. PXE netboot is also being worked on, and would be much more convenient if you have nodes scattered throughout many POPs. Once these nodes are active, they may be "sliced" meaning that a Linux vserver will be automatically added/removed and handed off to an end user. They will be able to login via their SSH private key.

Login to the MyPLC web interface, click "My Site" (not "My Site Nodes") on the left bar, then "Add Node", fill out the form, then click "Add New Node". We currently have two nodes -- planetlab2.domain.org and planetlab3.domain.org.

Once the node is added, you must download the boot materials for that node. If you have just clicked "Add New Node", you should already be on the proper page. If not, click "My Site Nodes" on the left bar, then click on the hostname of the node you just added. On this page, you will be able to download an ISO image (for burning to CD), a USB image, the planetlab config file, or a generic ISO/USB image.

Burn the ISO image to a CD-ROM. Boot the node off of that CD.

NOTE: All of the data will be wiped from the machine when you boot up the CD! By default, you will not be prompted and you will lose all data on the machine!

You can control the 'boot state' of each node from the MyPLC web interface. Click on "My Site Nodes" on the left bar, click a hostname (or ID), and then examine the option 'Preferred Boot state'.

If all goes well, after you boot up the CD the machine should register itself with MyPLC. Assuming that the 'preferred boot state' has been left at the default value of 'reinstall', the entire machine will be wiped. It may ask you for confirmation before wiping a new node -- if you are upgrading from v4.2, there does not appear to be any user interaction required. The boot state in MyPLC should eventually come up to 'Boot' if all goes well -- it can take awhile to finihs. The node should be "sliceable" at this point.

Create Slices

The whole point of setting up this environment is to be able to create "slices" for end users. This is essentially a vserver, which gets some percentage of CPU time and some chunk of disk space on a PlanetLab node. To create slices, do the following:

  • Login to MyPLC web interface
  • Click on "Create Slice" on the left bar
  • Fill out the form with meaningful values for name/URL/description (we used testing for the name field in our examples below)
  • For the "Instantiation" option, choose "PLC"
  • Associate one or more users with this slice by checking the box at the bottom of the page. This will control which users' SSH keys will be able to access the vserver.
  • Click the "Create Slice" button

Now you need to associate nodes. This will control which nodes will be accessible by the users associated with this slice.

  • On the slice details page, click the small right arrow next to "0 Nodes"
  • Now, click the small right arrow next to "[#] more nodes available"
  • Put checkboxes in the nodes that you wish to be associated with this "slice", e.g. check planetlab2 and planetlab3, then click "Add Selected"

Each planetlab node runs a "NodeManager" process (nm.py) in its root context. This will occasionally "check in" with MyPLC to see if it needs to do anything (e.g. create/delete a slice). By default, this happens every 10 minutes, +/- some random polling interval (301 seconds by default). Within 10 minutes, you should see new vservers appear on the nodes which you selected (look under /etc/vservers in the root context), and SSH keys should be copied over to that node so the users can access their slices. In a section below, we describe how to tweak the polling period for quicker slice setup/teardown.

Logging into your "slice"

In order to login to your planetlab slice, you must add an SSH key to your user profile in MyPLC. Assuming you have done this, after you setup a slice and associate your user with that slice, the SSH keys will be copied to the node.

NOTE: MyPLC supports RSA and DSA public SSH keys, but GENIWrapper currently only supports RSA keys. If you plan to deploy GENIWrapper, be sure to use RSA keys.

How does this actually work?

Assume you have just created a new slice called myplc_testing and have associated node planetlab2.domain.org and user admin@domain.org with that slice.

What actually happens when you use "create slice" above is this:

  • new user named myplc_testing is created on planetlab2.domain.org (NOTE: in the root context! not the vserver!)
  • SSH keys for admin@domain.org are copied to planetlab2.domain.org:/home/myplc_testing/.ssh/authorized_keys (NOTE: in the root context! not the vserver!)
  • new vserver named myplc_testing is created (see /etc/vservers/myplc_testing/...)

The new vserver is not actually running an SSH daemon, nor does it have a unique IP address assigned to it. PlanetLab nodes run a special process called pl_sshd on which somehow logs users into their vservers automatically. Take a look at the sshd processes running on a PlanetLab node: 

[root@planetlab2 ssh]# ps auxwww | grep sshd | grep sbin
root      1263  0.0  0.2   6880  1060 ?        Ss   Nov06   0:52 /usr/sbin/sshd
root      1289  0.0  0.2   6880  1056 ?        Ss   Nov06   0:00 /usr/local/sbin/pl_sshd -o PidFile /var/run/pl_sshd.pid -p 806

[root@planetlab2 ssh]# lsof -i -U -P | grep ^sshd | grep LISTEN
sshd       1263             root    3u  IPv6       4467           TCP *:22 (LISTEN)
sshd       1289             root    3u  IPv6       4512           TCP *:806 (LISTEN)

Note that 'sshd' listens on port 22, but 'pl_sshd' listens on port 806.

Whenever I login as user myplc_testing using the SSH key for admin@domain.org, I am transferred into the myplc_testing vserver: 

somehost% ssh myplc_testing@planetlab2.domain.org
[myplc_testing@planetlab2 ~]$ sudo -s
[root@planetlab2 ~]# ps auxwww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
508      26605  0.5  0.2   2632  1416 ?        Ss   19:32   0:00 /bin/bash -l
root     26617  2.0  0.2   2632  1424 ?        S    19:32   0:00 /bin/bash
root     26621  0.0  0.1   2456   824 ?        R+   19:32   0:00 ps auxwww

Note that I cannot "see" or modify my SSH .authorized_keys file -- because that actually lives in the root context, not the vserver! 

[myplc_testing@planetlab2 ~]$ ls -l ~/.ssh
ls: cannot access /home/myplc_testing/.ssh: No such file or directory

How to SSH to PlanetLab node's "root context" (for management)

Normally, users would upload their public key to the MyPLC web interface, and when new slices are created, vservers are setup on the PlanetLab nodes and the SSH keys for that user are automatically installed.

In order to SSH to the "root context" of a PlanetLab node, that has booted off of the Boot CD, you must use the private SSH key. Login via password is disabled. Use the private key inside the MyPLC vserver in /etc/planetlab/root_ssh_key.rsa. NOTE: If the node has come up in debug mode (either intentionally or otherwise) you must use the /etc/planetlab/debug_ssh_key.rsa private key. For example: 

[root@planetlab1 ~]# ssh root@planetlab1.domain.org
[root@planetlab1 ~]# vserver myplc enter
[myplc] / # ssh -i /etc/planetlab/root_ssh_key.rsa root@planetlab2.domain.org
[root@planetlab2 ~]# uname -a
Linux planetlab2.domain.org 2.6.22.19-vs2.3.0.34.29.planetlab #1 SMP Fri Oct 17 12:33:05 EDT 2008 i686 i686 i386 GNU/Linux

Adding tagged 802.1Q VLAN interface to vserver

We have found two ways to add a tagged 802.1Q VLAN interface to a vserver. Normally this would be done using something like vconfig add eth1 3000 and configured with an IP address by running ifconfig eth1.3000 inet A.B.C.D. However, this method will not work for vservers. 

[root@planetlab2 ~]# yum -y install vconfig
[...]
[root@planetlab2 ~]# /sbin/vconfig add eth1 3000
WARNING:  Could not open /proc/net/vlan/config.  Maybe you need to load the 8021q module, or maybe you are not using PROCFS??
ERROR: trying to add VLAN #3000 to IF -:eth1:-  error: Operation not permitted

Option 1: during vserver instantiation

With the latest releases (sometime around 12/15/2008), you can pass --interface ethX.YYYY directly to the vserver build command. For example, this could be passed into the vtest-init-vserver.sh script: 

./vtest-init-vserver.sh [...] -- --interface eth0:10.1.1.1/24 --interface eth1.3000:10.2.2.1/24 --hostname [...]

Option 2: modifying an existing vserver

  • Do something like this within the root context (use the technique described above to SSH to the root context of the PlanetLab node): 
[root@planetlab2 ~]# ifconfig eth1 up
[root@planetlab2 ~]# ifconfig eth1 mtu 9000
[root@planetlab2 ~]# vconfig add eth1 1234
Added VLAN with VID == 1234 to IF -:eth1:-
[root@planetlab2 ~]# ifconfig eth1.1234 inet 10.1.1.1 netmask 255.255.255.0 mtu 9000

  • NOTE: By default, eth1.1234 will now show up in all PlanetLab-instantiated vservers!

  • Now the vserver has a tagged VLAN interface: 
bash-3.2$ ssh pl_testing@planetlab2.domain.org
[pl_testing@planetlab2 ~]$ sudo -s
[root@planetlab2 ~]# ifconfig eth1.1234
eth1.1234 Link encap:Ethernet  HWaddr 00:30:48:9A:D3:89
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:8286 (8.0 KiB)

Using the API

plcsh

  • plcsh should be already installed on the vserver hosting MyPLC in /usr/bin/plcsh. However, it can be run from anywhere (such as your laptop, another server, etc).

  • On planetlab1, check out plcsh using subversion: 
[root@planetlab1 ~]# svn co http://svn.planet-lab.org/svn/plcmdline/trunk plcsh
A    plcsh/plcapilib.py
A    plcsh/setup.py
A    plcsh/plcapilib.spec
A    plcsh/plcsh
A    plcsh/Makefile
A    plcsh/plcmdline.py
Checked out revision 12695.

  • Run plcsh as follows, using -h to point it to your PLCAPI and -u to specify the user that you created above: 
[root@planetlab1 ~]# cd plcsh  
[root@planetlab1 plcsh]# ./plcsh -h https://myplc.domain.org/PLCAPI/ -r user -u admin@domain.org
Password: [enter password here]
PlanetLab Central API server at https://myplc.domain.org/PLCAPI/
admin@domain.org connected as user using password authentication
Type "system.listMethods()" or "help(method)" for more information.
[admin@domain.org user]>>>

API access directly from python

Assuming you have python installed and have xmlrpclib, you can login, create slices, associate nodes/users with that slice using the PLCAPI (based on XML-RPC).

  • Example: 

bash-3.2$ python
>>> import xmlrpclib
>>> api_server = xmlrpclib.ServerProxy('https://myplc.domain.org/PLCAPI/',allow_none=True)
>>> auth={}
>>> auth['AuthMethod']='password'
>>> auth['Username']='admin@domain.org'
>>> auth['AuthString']='[ secret password ]'
>>> authorized = api_server.AuthCheck(auth)
>>> slice_data = {}
>>> slice_data['name'] = 'pl_apidemo'
>>> slice_data['url'] = 'http://geni.maxgigapop.net'
>>> slice_data['description'] = 'Demo Slice via PLCAPI'
>>> slice_data['instantiation'] = 'plc-instantiated'
>>> slice_id = api_server.AddSlice(auth, slice_data)
>>> print slice_id
16
>>> me = auth['Username']
>>> api_server.AddPersonToSlice(auth, me, slice_id)
1
>>> api_server.AddSliceToNodes(auth, slice_id, ['planetlab2.domain.org', 'planetlab3.domain.org'])
1

  • Another example using GetNodes() to get a list of hosts that are in the 'boot' state (meaning that they are working/able to be sliced): 

>>> boot_state_filter = {'boot_state': 'boot'}
>>> return_fields = ['node_id', 'hostname']
>>> nodes_in_boot = api_server.GetNodes(auth, boot_state_filter, return_fields)
>>> print nodes_in_boot
[{'node_id': 2, 'hostname': 'planetlab3.domain.org'}, {'node_id': 1, 'hostname': 'planetlab2.domain.org'}]

Tweaking Node Manager's Polling Interval

  • Each "sliceable" planetlab node has a process called 'nm.py'. This is a python application that acts as a Node Manager, which will start/stop vservers as needed by checking in with the central MyPLC node.

  • By default, Node Manager has a polling interval of 600 seconds, plus a 301 second range for "additional random polling interval": 
[root@planetlab2 ~]# grep interval /usr/share/NodeManager/nm.py
parser.add_option('-p', '--period', action='store', dest='period', default=600, help='Polling interval (sec)')
parser.add_option('-r', '--random', action='store', dest='random', default=301, help='Range for additional random polling interval (sec)')

  • If you have hundreds/thousands of nodes, these are probably reasonable values. However, if you have a small number of nodes and would like to see vservers created/deleted very quickly, you can edit /etc/init.d/nm and add these options to the command line.

  • Example:
    • edit /etc/init.d/nm and tweak this line: options=${OPTIONS-"-d -s -p 60 -r 10"}
    • stop nm service: /etc/init.d/nm stop
    • start nm service: /etc/init.d/nm start
    • check output of ps auxwww|grep nm to make sure you see the new options -p 60 -r 10 listed on the command line

Miscellaneous Notes

  • If you want to run an SSH server inside the vserver hosting MyPLC, run yum install openssh-server and then edit /etc/pam.d/sshd. Comment out the last line session    required     pam_loginuid.so, otherwise you will not be able to login. NOTE: If the SSH server is running on port 22, this requires that your MyPLC vserver has a unique IP address.

Deploying Princeton's GENIWrapper

Setup the server side

  • vserver enter myplc
  • yum install subversion
  • start with svn checkout of the GENIWrapper code:
  • read geniwrapper/trunk/INSTALL.txt file
  • GENIWrapper is also available in the myplc repo, so you can just run yum install sfa-plc sfa-client. This should get you the latest tagged release.
  • Run plc-config-tty and collect the following bits of information: 
[myplc] ~ # plc-config-tty
Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_USER
PLC_ROOT_USER = pl-admin@domain.org
Enter command (u for usual changes, w to save, ? for help) s PLC_ROOT_PASSWORD
PLC_ROOT_PASSWORD = password
Enter command (u for usual changes, w to save, ? for help) s PLC_DB_USER
PLC_DB_USER = pgsqluser
Enter command (u for usual changes, w to save, ? for help) s PLC_DB_PASSWORD
PLC_DB_PASSWORD = ** pgsql password here **
  • Run sfa-config-tty, be sure to set SFA_PLC_USER, SFA_PLC_PASSWORD, SFA_PLC_DB_USER and SFA_PLC_DB_PASSWORD to the same values that appeared when running plc-config-tty: 
[myplc] ~ # sfa-config-tty
Enter command (u for usual changes, w to save, ? for help) u
SFA_REGISTRY_ROOT_AUTH : [plc]
SFA_REGISTRY_LEVEL1_AUTH : [] pl
SFA_PLC_USER : [root@localhost.localdomain] pl-admin@domain.org
SFA_PLC_PASSWORD : [root] password
SFA_PLC_DB_USER : [pgsqluser]
SFA_PLC_DB_PASSWORD : [] ** put pgsql password here! **
Enter command (u for usual changes, w to save, ? for help) w
updated config file /etc/sfa/sfa_config
Enter command (u for usual changes, w to save, ? for help) q
Could not create /etc/sfa/authorities/server.key - ignore if you haven't run sfa-import-plc.py yet

  • small issue here: SFA_PLC_DB_HOST in /etc/sfa/sfa_config is set to 'www.planet-lab.org', needs to be changed to 'localhost'
    • also edit '/etc/sfa/authorities/plc/plc.dbinfo' and change 'www.planet-lab.org' to 'localhost'

  • Run sfa-import-plc.py (this will create the authorities hierarchy, import user keys, node/slice records, etc): 
[root@max-myplc plc]# sfa-import-plc.py
Import: creating top level authorities
plc :
Import: creating table for authority plc
NOTICE:  table "geni$plc" does not exist, skipping
  inserting authority record for plc
Hierarchy: creating authority: max
max :
Import: creating table for authority max
NOTICE:  table "geni$max" does not exist, skipping
  inserting authority record for max
Import: adding plc to trusted list
Import_Site: importing site max.internet2
Hierarchy: creating authority: max.internet2
  inserting authority record for max.internet2
Import_Site: importing site max.maxpl
Hierarchy: creating authority: max.maxpl
  inserting authority record for max.maxpl
Import: importing person max.maxpl.chris
Import: creating table for authority max.maxpl
NOTICE:  table "geni$max$maxpl" does not exist, skipping
keytype = ssh-rsa
completed
  inserting user record for max.maxpl.chris
Import: importing slice max.maxpl.netflow
  inserting slice record for max.maxpl.netflow
Import: importing slice max.maxpl.sirius
  inserting slice record for max.maxpl.sirius
Import: importing slice max.maxpl.netflow
Import: importing slice max.maxpl.sirius
Import: importing node max.maxpl.planetlab3
  inserting node record for max.maxpl.planetlab3
Import: importing node max.maxpl.planetlab2
  inserting node record for max.maxpl.planetlab2

  • NOTE: If you want to clean up whatever sfa-import-plc.py did, use su -l postgres, psql planetlab5, type \dt, drop any tables starting with geni$ using drop table [tablename]. clean up stuff under /etc/sfa/authorities, /etc/sfa/trusted_roots, etc..

  • NOTE: In /etc/sfa/sfa_config, SFA_BASE_DIR points to /usr/share/sfa, which should probably be a symlink to /usr/lib/python2.5/site-packages/sfa ?

  • Start SFA service: 
[myplc] ~/geniwrapper/trunk # service sfa start
Starting SFA:  Registry
Aggregate                                                  [  OK  ]
SliceMgr                                                   [  OK  ]
                                                           [  OK  ]

  • Verify that plc.py is running and listening on TCP ports 12345, 12346, 12347: 
[myplc] ~/geniwrapper/trunk # lsof -P | grep sfa.py | grep LISTEN
sfa-serve 12219     root    5u     IPv4   14801702                TCP *:12345 (LISTEN)
sfa-serve 12278     root    5u     IPv4   14801709                TCP *:12346 (LISTEN)
sfa-serve 12291     root    5u     IPv4   14801730                TCP *:12347 (LISTEN)

  • We updated /etc/sysconfig/iptables on planetlab1 to only allow connections to these ports from a trusted subnet, then restart iptables with /etc/init.d/iptables restart: 
-A RH-Firewall-1-INPUT -s [IP range/netmask] -p tcp --dport 12345 -j ACCEPT
-A RH-Firewall-1-INPUT -s [IP range/netmask] -p tcp --dport 12346 -j ACCEPT
-A RH-Firewall-1-INPUT -s [IP range/netmask] -p tcp --dport 12347 -j ACCEPT

The GENIWrapper server side is now ready to handle requests.

Setup the client side

  • Configure sfi: 
[myplc] /usr/local/share/geniwrapper/cmdline # cat configSfi.sh
export SFI_AUTH=maxpl.maxpl
export SFI_USER=$SFI_AUTH.chris
export SFI_REGISTRY=http://max-myplc.dragon.maxgigapop.net:12345/
export SFI_SM=http://max-myplc.dragon.maxgigapop.net:12346/
[max-myplc] /usr/local/share/geniwrapper/cmdline # source configSfi.sh

  • Setup keys: 
[max-myplc] /usr/local/share/geniwrapper # mkdir ~/.sfi
[max-myplc] /usr/local/share/geniwrapper # cd  ~/.sfi
[max-myplc] ~/.sfi # cat > chris.pkey
-----BEGIN RSA PRIVATE KEY-----
[ NOTE!!! this must be the private RSA key that is associated with the public RSA key that you uploaded to the myplc web interface! ]
-----END RSA PRIVATE KEY-----

  • You should be able to run sfi.py now, for example: 
bash-3.2$ sfi.py slices
maxpl.pl.netflow
maxpl.pl.sirius
maxpl.maxpl.netflow
maxpl.maxpl.sirius

bash-3.2$ sfi.py show maxpl.maxpl.chris
RECORD maxpl.maxpl.chris
     gid:
          hrn: maxpl.maxpl.chris
         uuid: 267017409742892102642070216192429260508
     hrn: maxpl.maxpl.chris
     type: user
     last_name: Admin
     phone: 123-456-7890
     key: maxpl.maxpl.chris#user
     first_name: Admin
     email: pl-admin@domain.org

bash-3.2# sfi.py show maxpl.maxpl.planetlab3
     gid:
          hrn: maxpl.maxpl.planetlab3
         uuid: 13728821136771075015489498889202002815
     hrn: maxpl.maxpl.planetlab3
     type: node
     node_type: regular
     hostname: planetlab3.domain.org

more GENIWrapper usage examples

Use sfi.py show -o [filename] [hrn] to create a file in ~/.sfi, e.g. this creates the file ~/.sfi/chris.record: 

bash-3.2# sfi.py show -o chris.record maxpl.maxpl.chris
     gid:
          hrn: maxpl.maxpl.chris
         uuid: 143081557606242820671539117476212290481
     hrn: maxpl.maxpl.chris
     type: user
     last_name: Tracy
     phone: 123-456-7890
     key: maxpl.maxpl.chris#user
     first_name: Chris
     email: pl-admin@domain.org

You can use getRecord.py to show more information which is contained in the XML file: 

bash-3.2# ./getRecord.py < ~/.sfi/chris.record 
last_name: Tracy
last_updated: 1246393888
slices: maxpl.maxpl.gec4demo 
role_ids: 40 30 20 10 
site_ids: 1 
pointer: 2
first_name: Chris
title: 
sites: maxpl.maxpl 
slice_ids: 7 
hrn: maxpl.maxpl.chris
person_id: 2
type: user
email: pl-admin@domain.org
bio: Co-PI on GENI MANFRED project.
key_ids: 1 
phone: 123-456-7890
key: maxpl.maxpl.chris#user
name: maxpl.maxpl.chris
roles: tech user pi admin 
url: http://dragon.maxgigapop.net
enabled: True
date_created: 1245706563

Let's change last_name to 'Testing': 

bash-3.2# ./setRecord.py last_name=Testing < ~/.sfi/chris.record > ~/.sfi/chris.new.record

Note, setRecord.py only works on local files, nothing has actually been sent to the GENIWrapper server yet...

Use sfi.py update [filename] to commit the changes: 

bash-3.2# sfi.py update ~/.sfi/chris.new.record

Verify that it worked by using sfi.py show: 

bash-3.2# sfi.py show maxpl.maxpl.chris
     gid:
          hrn: maxpl.maxpl.chris
         uuid: 143081557606242820671539117476212290481
     hrn: maxpl.maxpl.chris
     type: user
     last_name: Testing
     phone: 123-456-7890
     key: maxpl.maxpl.chris#user
     first_name: Chris
     email: pl-admin@domain.org

If you login to the MyPLC web-based interface and click "My Site Accounts" you should see that the last name has been updated in the web portal as well.

Staying up to date

Upgrading to a new nightly myplc build: 

vserver myplc enter
* edit /etc/yum.repos.d/myplc
* update baseurl to point to a newer nightly build
yum update

  • Before doing this, you might want to backup /etc/planetlab/plc_config and /etc/geni/geni_config because they appear to be overwritten during the upgrade. After the upgrade, re-run plc-config-tty, geni-config-tty and make sure everything looks OK. I also restarted the services: 
/etc/init.d/geniwrapper stop
/etc/init.d/plc stop
/etc/init.d/plc start
/etc/init.d/geniwrapper start

  • Note, if you are using the default system site, you will need to use the UpdateSite() method in plcsh so that new accounts can once again be created...

  • I re-ran gimport.py after the upgrade, re-tested sfi.py, created/deleted some slices, etc, to verify that everything still worked.

Upgrading GENIWrapper

To run the latest GENIWrapper from the trunk: 

[myplc] ~ # yum install make
...
[myplc] ~ # wget http://planetlab1.domain.org/mirror/fedora/releases/8/Everything/i386/os/Packages/kernel-headers-2.6.23.1-42.fc8.i386.rpm
[myplc] ~ # rpm -i kernel-headers-2.6.23.1-42.fc8.i386.rpm
[myplc] ~ # yum install gcc
...
[myplc] ~ # yum install openssl-devel
...
[myplc] ~ # cd /root/geniwrapper/
[myplc] ~/geniwrapper # svn update
At revision 14147.
[myplc] ~/geniwrapper # cd trunk
[myplc] ~/geniwrapper # make
...
[myplc] ~/geniwrapper # make install
...
[myplc] ~/geniwrapper # chmod +x /etc/init.d/geniwrapper
[max-myplc] ~/geniwrapper/trunk # /etc/init.d/geniwrapper stop
...
[max-myplc] ~/geniwrapper/trunk # /etc/init.d/geniwrapper start
...

Useful commands for examining .cert/.gid/.key/.pkey files: 

find . \( -name '*.key' -or -name '*.pkey' \) -print | perl -ne 'print; chomp; system("openssl rsa -in $_ -noout -text | grep -A 1 modulus");'
find . \( -name '*.cert' -or -name '*.gid' \) -print | perl -ne 'print; chomp; system("openssl x509 -in $_ -noout -text | grep -A 1 Modulus");'

periodically running gimport.py

When a new user is created via the web interface, they do not seem to automatically be inserted into the geni database tables.

Should gimport.py be periodically run via cron?

UPDATE: The new versions of SFA & MyPLC should have the appropriate upcalls to keep things in sync... (have not tested this yet)

Booting from USB flash drives

  • From the node details screen, download the .usb image. I did not need to use the "partitioned, USB image".

  • Insert the USB drive into a Linux PC. Use dmesg or fdisk to determine the device name (e.g. /dev/sda or /dev/sdb)

  • Copy the image to the USB drive: dd if=pltest.dragon.maxgigapop.net-i386-4.2.usb of=/dev/sdb1

  • Run fdisk /dev/sdb and mark the partition as bootable

  • Update the BIOS on the PC so that it will boot from the USB flash drive (not all motherboards support this)
    • On our SuperMicro motherboards, we just change the first boot device from "Floppy" to "USB-HDD"

  • If you have problems, run syslinux /dev/sdb1 (if you don't have syslinux, install using yum or apt-get)

According to the PlanetLab documentation, you are supposed to use flash drives that have a write-protect switch. I found that this is not absolutely necessary, maybe because I have set the BootManager to skip the hardware requirements checks.

Allowing the USB drive to be read/write is a security issue, but it also allows us to remotely update the MyPLC release without having to burn new CDs. PXEboot would be a better solution, but this is not quite supported yet.

  • Example: 
[root@pltest ~]# dd if=planetlab2.dragon.maxgigapop.net-i386-4.2.usb of=/dev/sdb1
110392+0 records in
110392+0 records out
56520704 bytes (57 MB) copied, 8.83131 s, 6.4 MB/s
[root@pltest ~]# syslinux /dev/sdb1
[root@pltest ~]# fdisk /dev/sdb

Command (m for help): a
Partition number (1-4): 1

Command (m for help): p

Disk /dev/sdb: 2000 MB, 2000748032 bytes
64 heads, 63 sectors/track, 969 cylinders
Units = cylinders of 4032 * 512 = 2064384 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         969     1953439+   6  FAT16

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Additional References

-- ChrisTracy - 13 Jan 2009

End of topic
Skip to action links | Back to top
You are here: GENI > Deploying-MyPLC-v43

to top

Copyright © 1999-2012.
The information contained in these pages is the property of the Mid-Atlantic Crossroads (MAX).
If you have questions or comments, please contact MAX Administration