Merge branch 'rest' of git://github.com/nimbusproject/nimbus into nim…

…bus-upstream-rest

.gitignore

@@ -6,11 +6,13 @@ build/
 dist/
 autocontainer/downloads/
 autocontainer/gt/
-web/lib/python/
+web/lib/python/cherrypy/
+web/lib/python/django/
 web/lib/java/
 web/src/env.sh
 web/src/python/nimbusweb/portal/generated_secrets.py
 web/src/python/nimbusweb/portal/generated_settings.py
 web/var/
 control/var/workspace-control/logs/wclog*
 derby.log
+bin/tmp/

autocommon/src/org/nimbustools/auto_common/ezpz_ca/CertDN.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright 1999-2009 University of Chicago
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package org.nimbustools.auto_common.ezpz_ca;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.FileReader;
+import java.security.cert.X509Certificate;
+import java.security.Security;
+
+import org.bouncycastle.openssl.PEMReader;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.globus.gsi.CertUtil;
+
+import javax.security.auth.x500.X500Principal;
+
+public class CertDN {
+
+
+    static {
+        Security.addProvider(new BouncyCastleProvider());
+    }
+
+    public static String dnFromPath(String path) throws IOException {
+
+        final File certFile = new File(path);
+        if (!certFile.canRead()) {
+            final String msg = "File '" + path + "' can not be read.";
+            throw new IOException(msg);
+        }
+
+		final FileReader fr = new FileReader(certFile);
+		try {
+			final PEMReader reader =
+					new PEMReader(fr, null, BouncyCastleProvider.PROVIDER_NAME);
+			try {
+				final X509Certificate cert = (X509Certificate) reader.readObject();
+                final X500Principal principal = cert.getSubjectX500Principal();
+                final String DN = principal.getName(X500Principal.RFC2253);
+
+                return CertUtil.toGlobusID(DN, false);
+
+            } finally {
+				reader.close();
+			}
+		} finally {
+			fr.close();
+		}
+    }
+
+
+    public static void main(String[] args) {
+
+        if (args == null || args.length != 1) {
+            System.err.println("Needs these arguments:\n" +
+                    "1 - the certificate file");
+            System.exit(1);
+        }
+
+        try {
+            final String dn = dnFromPath(args[0]);
+            System.out.println(dn);
+        } catch (Throwable t) {
+            System.err.println("Problem: " + t.getMessage());
+			t.printStackTrace();
+            System.exit(1);
+        }
+    }
+}

autoconfiguration/share/lib/common-env.sh

@@ -43,11 +43,6 @@ export NIMWIZ_SCP_BATCH_OPTIONS
 NIMWIZ_NO_NETWORK_CONFIGS="(( not configuring ))"
 export NIMWIZ_NO_NETWORK_CONFIGS
 
-CONTROL_TARBALL_SHORT="nimbus-controls-2.3RC1.tar.gz"
-CONTROL_TARBALL_DIR="nimbus-controls-2.3RC1"
-CONTROL_TARBALL="http://www.nimbusproject.org/downloads/$CONTROL_TARBALL_SHORT"
-export CONTROL_TARBALL_DIR CONTROL_TARBALL_SHORT CONTROL_TARBALL
-
 WORKSPACE_CONTROL_DOC_LINK="http://www.nimbusproject.org/docs/?doc=2.3/admin/quickstart.html#part-III"
 export WORKSPACE_CONTROL_DOC_LINK
 

bin/create-nimbus-home.sh

@@ -0,0 +1,102 @@
+#!/bin/sh
+
+CONTAINER_URL="http://www-unix.globus.org/ftppub/gt4/4.0/4.0.8/ws-core/bin/ws-core-4.0.8-bin.tar.gz"
+CONTAINER_TARNAME="ws-core-4.0.8-bin.tar.gz"
+CONTAINER_UNTARREDNAME="ws-core-4.0.8"
+
+# destination directory inside $NIMBUS_HOME
+CONTAINER_DIRNAME="services"
+
+NIMBUS_SRC_REL="`dirname $0`/.."
+NIMBUS_SRC=`cd $NIMBUS_SRC_REL; pwd`
+
+TMPDIR="$NIMBUS_SRC/bin/tmp"
+
+if [ ! -d $TMPDIR ]; then
+    mkdir $TMPDIR
+    if [ $? -ne 0 ]; then
+        echo "Failed to create temp directory: $TMPDIR"
+        exit 1
+    fi
+fi
+
+if [ "X$1" == "X" ]; then
+    echo "\nUsage: $0 destination_dir"
+    echo "\tYou must specify the destination directory.\n"
+    exit 1
+fi
+
+NIMBUS_HOME=$1
+
+if [ ! -d $NIMBUS_HOME ]; then
+    PARENT_DIR=`dirname $NIMBUS_HOME`
+
+    if [ -d $PARENT_DIR ]; then
+
+        echo "Creating destination directory: $NIMBUS_HOME"
+        mkdir $NIMBUS_HOME
+
+        if [ $? -ne 0 ]; then
+            echo "Failed to create destination directory!"
+            exit 1
+        fi
+    else
+        echo "Parent dir of destination does not exist: $PARENT_DIR"
+        exit 1
+    fi
+fi
+
+echo "Deploying skeleton directory structure.."
+cp -fr $NIMBUS_SRC/home/* $NIMBUS_HOME/
+if [ $? -ne 0 ]; then
+    echo "Failed to copy Nimbus home directory"
+    exit 1
+fi
+
+echo "Deploying web application.."
+cp -r $NIMBUS_SRC/web $NIMBUS_HOME/
+if [ $? -ne 0 ]; then
+    echo "Failed to copy Nimbus web directory"
+    exit 1
+fi
+
+CONTAINER_DIR="$NIMBUS_HOME/$CONTAINER_DIRNAME"
+if [ ! -d $CONTAINER_DIR ]; then
+
+    echo "Downloading and installing service container.."
+
+    # fetch GT container if it doesn't already exist
+    if [ ! -f $TMPDIR/$CONTAINER_TARNAME ]; then
+        wget -c -O $TMPDIR/$CONTAINER_TARNAME $CONTAINER_URL
+
+        if [ $? -ne 0 ]; then
+            echo "Failed to download container tarball"
+            exit 1
+        fi
+    fi
+
+    tar xzf $TMPDIR/$CONTAINER_TARNAME -C $TMPDIR
+    if [ $? -ne 0 ]; then
+        echo "Failed to expand Nimbus tarball"
+        exit 1
+    fi
+
+    mv $TMPDIR/$CONTAINER_UNTARREDNAME $CONTAINER_DIR
+    if [ $? -ne 0 ]; then
+        echo "Failed to move container directory to $CONTAINER_DIR"
+        exit 1
+    fi
+else
+    echo "Service container already exists at $CONTAINER_DIR"
+fi
+
+echo "Building and installing Nimbus to service container.."
+
+GLOBUS_LOCATION=$CONTAINER_DIR
+export GLOBUS_LOCATION
+
+$NIMBUS_SRC/scripts/all-build-and-install.sh
+if [ $? -ne 0 ]; then
+    echo "Build and install FAILED!"
+    exit 1
+fi

bin/install.sh

@@ -0,0 +1,64 @@
+#!/bin/sh
+
+FORCE_FRESH_INSTALL="yes"
+
+NIMBUS_SRC_REL="`dirname $0`/.."
+NIMBUS_SRC=`cd $NIMBUS_SRC_REL; pwd`
+
+if [ "X$1" == "X" ]; then
+    echo "\nUsage: $0 destination_dir"
+    echo "\tYou must specify the destination directory.\n"
+    exit 1
+fi
+
+NIMBUS_HOME=$1
+
+if [ -d $NIMBUS_HOME ] && [ "$(ls -A $NIMBUS_HOME)" ]; then
+    if [ $FORCE_FRESH_INSTALL == "yes" ]; then
+        echo ""
+        echo "The destination directory '$NIMBUS_HOME' exists and is not empty."
+        echo "It is not recommended to reinstall Nimbus into an existing install."
+        echo ""
+        echo "If you are making changes to the services, you can build and install those directly:"
+        echo "\texport GLOBUS_LOCATION=$NIMBUS_HOME/services"
+        echo "\tscripts/all-build-and-install.sh"
+        echo ""
+        echo "If you know what you are doing and want to reinstall, edit this script:"
+        echo "\t$0"
+        echo "and change FORCE_FRESH_INSTALL to \"no\""
+        echo ""
+
+        exit 1
+    fi
+fi
+
+$NIMBUS_SRC/bin/create-nimbus-home.sh $NIMBUS_HOME
+
+if [ $? -ne 0 ]; then
+    echo "Nimbus home creation failed!"
+    exit 1
+fi
+
+CONFIG_SCRIPT="$NIMBUS_HOME/bin/nimbus-configure"
+
+if [ ! -f $CONFIG_SCRIPT ]; then
+    echo "Configuration script could not be found: $CONFIG_SCRIPT"
+    exit 1
+fi
+
+$CONFIG_SCRIPT
+
+if [ $? -ne 0 ]; then
+    echo "Nimbus configuration script failed! You may try running it manually:"
+    echo "\t$CONFIG_SCRIPT"
+    exit 1
+fi
+
+echo ""
+echo "Nimbus installation succeeded!"
+echo "However, additional configuration may be necessary."
+echo "Refer to the Administrator Guide for details.\n"
+echo "You can now start/stop Nimbus services with the nimbusctl command. e.g:"
+echo "\t$NIMBUS_HOME/bin/nimbusctl start\n"
+
+exit 0

control/libexec/workspace-control/kvm-ebtables-config.sh

@@ -21,15 +21,16 @@
 # ABOUT #
 #########
 
-# This script adjusts ebtables rules to packets coming from a bridged interface
+# This script adjusts ebtables rules to prevent MAC and IP spoofing.
 # Unlike the 'main' ebtables-config script used with Xen, this will NOT allow
-# you to host multiple VMs on the same host and still get proper spoofing
-# protection.
-
-# 1. Is the MAC address incorrect?  Drop the packet.
-# 2. Is this is a DHCP packet?
-# 3. If so, allow it to be bridged.
-# 4. If not a DHCP packet, it must have the correct source IP address,
+# you to stop DHCP packets from workspaces escaping to the site network.
+
+# 1. Is the packet coming from a workspace virtual interface?
+# 2. If not, proceed without further processing.
+# 3. If so, is the MAC address incorrect?  Drop the packet.
+# 4. Is this is a DHCP packet?
+# 5. If so, allow it to be bridged.
+# 6. If not a DHCP packet, it must have the correct source IP address,
 #    otherwise the packet is dropped.
 
 
@@ -143,13 +144,13 @@ function delete_vifname_chain() {
   return $?
 }
 
-function add_forward_rule() {
-  $EBTABLES -A INPUT -j $VIFNAME
+function add_input_rule() {
+  $EBTABLES -A INPUT -i $VIFNAME -j $VIFNAME
   return $?
 }
 
-function rem_forward_rule() {
-  $EBTABLES -D INPUT -j $VIFNAME
+function rem_input_rule() {
+  $EBTABLES -D INPUT -i $VIFNAME -j $VIFNAME
   return $?
 }
 
@@ -161,12 +162,12 @@ function rem_forward_rule() {
 if [ "$ADDREM" = "rem" ]; then
 
   SUCCESS="y"
-  rem_forward_rule
+  rem_input_rule
   if [ $? -ne 0 ]; then
-    echo "ERROR: Failed to remove $VIFNAME FORWARD rule"
+    echo "ERROR: Failed to remove $VIFNAME INPUT rule"
     SUCCESS="n"
   else
-    echo "Removed $VIFNAME FORWARD rule"
+    echo "Removed $VIFNAME INPUT rule"
   fi
 
   delete_vifname_chain
@@ -193,12 +194,12 @@ if [ "$ADDREM" = "add" ]; then
     echo "Created $VIFNAME chain"
   fi
 
-  add_forward_rule
+  add_input_rule
   if [ $? -ne 0 ]; then
-    echo "ERROR: Failed to add $VIFNAME FORWARD rule"
+    echo "ERROR: Failed to add $VIFNAME INPUT rule"
     exit 1
   else
-    echo "Added $VIFNAME FORWARD rule"
+    echo "Added $VIFNAME INPUT rule"
     exit 0
   fi
 fi

docs/src/doc/cloud.html

@@ -21,7 +21,7 @@ <h2>Cloud Guide (2.3)</h2>
 </p>
 
 <p class="indent">
-    <img src="../../../img/warning.gif" alt="warning!" class="floatleft" />
+    <img src="../img/warning.gif" alt="warning!" class="floatleft" />
     <i>This page is for <b>deployers</b> of the cloud configuration to
     learn about it and configure the workspace service for it.  This is
     <b>not necessary for cloud users</b> to read and understand.</i>  If you

docs/src/elclients.html

@@ -49,7 +49,7 @@ <h2>Using the EC2 SOAP frontend from the console _NAMELINK(ec2-api-tools)</h2>
         So <a href="http://s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip">the
         default client</a> may not always be the one to use.  See a specific cloud's
         documentation for the definitive tools URL (for example, the
-        <a href="_clouds/nimbus.html">Nimbus cloud</a>).
+        <a href="/nimbus_cloud">Nimbus cloud</a>).
         And see
         <a href="http://bugzilla.globus.org/globus/show_bug.cgi?id=6558">enhancement 6558</a>.
     </li>