Merge remote branch 'upstream/master' into spotinstances

nimbusproject · Aug 9, 2010 · cb5e0dc · cb5e0dc
2 parents 36708f6 + da01a68
commit cb5e0dc
Show file tree

Hide file tree

Showing 6 changed files with 129 additions and 14 deletions.
diff --git a/cumulus/cb/pycb/cbRequest.py b/cumulus/cb/pycb/cbRequest.py
@@ -53,8 +53,21 @@ def parse_acl_request(xml):
     users = {}
 
     for g in grant_a:
-        email = getText(g.getElementsByTagName("DisplayName")[0].childNodes)
-        id = getText(g.getElementsByTagName("ID")[0].childNodes)
+        el = g.getElementsByTagName("URI")
+        if el != None and len(el) >= 1:
+            u = getText(el[0].childNodes)
+            if u == "http://acs.amazonaws.com/groups/global/AllUsers":
+                id = "CumulusPublicUser"
+                email = ""
+            else:
+                raise cbException('InvalidArgument')
+        else:
+            el = g.getElementsByTagName("DisplayName")
+            if el == None or len(el) < 1:
+                email = None
+            else:
+                email = getText(el[0].childNodes)
+            id = getText(g.getElementsByTagName("ID")[0].childNodes)
         perm_set = g.getElementsByTagName("Permission")
 
         perms = ""
@@ -523,6 +536,7 @@ def work(self):
             rc = self.grant_public_permissions(self.bucketName, self.objectName)
             if not rc:
                 xml = self.request.content.read()
+                pycb.log(logging.INFO, "xml %s" % (xml))
                 grants = parse_acl_request(xml)
                 for g in grants:
                     pycb.log(logging.INFO, "granting %s to %s" % (g[2], g[0]))
@@ -568,6 +582,7 @@ def work(self):
             rc = self.grant_public_permissions(self.bucketName, self.objectName)
             if not rc:
                 xml = self.request.content.read()
+                pycb.log(logging.ERROR, "acl xml %s" % (xml))
                 grants = parse_acl_request(xml)
                 for g in grants:
                     pycb.log(logging.INFO, "granting %s to %s" % (g[2], g[0]))

diff --git a/cumulus/tests/s3cmd/test_auth.sh b/cumulus/tests/s3cmd/test_auth.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+bucket_name=CumulusTest$RANDOM
+fname=GRP$RANDOM
+
+s3cmd mb s3://$bucket_name
+# just run it a few times for races
+s3cmd -r put /etc/group s3://$bucket_name/$fname
+if [ "X$?" != "X0" ]; then
+    echo "recursive put failed"
+    exit 1
+fi
+s3cmd setacl --acl-public  s3://$bucket_name/$fname
+if [ "X$?" != "X0" ]; then
+    echo "setacl failed failed"
+    exit 1
+fi
+
+s3cmd -r --force del s3://$bucket_name/
+if [ "X$?" != "X0" ]; then
+    echo "ERROR: delete bucket failed"
+    exit 1
+fi
+exit 0
diff --git a/docs/src/admin/reference.html b/docs/src/admin/reference.html
@@ -1714,9 +1714,81 @@ <h3>Pilot _NAMELINK(pilot)</h3>
 <a name="backend-config-invm-networking"> </a>
 <h2>Network configuration details _NAMELINK(backend-config-invm-networking)</h2>
 <p>
-    As of Nimbus 2.5, the networking and DHCP situation has changed, this section is currently undergoing an overhaul.  Check back soon or contact the list.
+    While addresses for VMs are configured and chosen within the Nimbus service,
+    they are physically queried via an external DHCPd service. There are two ways
+    of arranging the DHCP configuration.
 </p>
+<ol>
+    <li>
+        Centralized -- a new or existing DHCP service that you configure with Nimbus-specific
+        MAC to IP mappings. This is generally simpler to set up and is covered in the
+        <a href="z2c/networking-setup.html">Zero-to-Cloud guide</a>.
+    </li>
+    <li>
+        Local -- a DHCP server is installed on every VMM node and automatically configured
+        with the appropriate addresses just before a VM boots. This is more complicated to
+        set up initially but can be preferable in certain scenarios.
+    </li>
+</ol>
 
+<p>
+    Because Nimbus chooses the MAC address, it controls which DHCP entry will be
+    retrieved by the VM. Additionally, ebtables rules are configured to ensure that
+    a malicious or misconfigured VM cannot use another MAC or IP.
+</p>
+
+<p>
+    In a local DHCP scenario, <tt class="literal">workspace-control</tt>  on each VMM
+    manages the DHCP configuration file and injects entries just before each VM boots.
+    To prevent DHCP broadcast requests from getting out to the LAN, an ebtables rule is
+    enacted to force packets to a specific local interface.
+</p>
+
+<p>
+    Configuring local DHCP is not difficult, but you should exercise caution to
+    ensure that the DHCP daemons on each VMM do not interfere with other networks.
+    First of all, you must install an ISC-compatible DHCP server. This should be
+    available on all Linux distributions.
+</p>
+<p>
+    Once installed, find the DHCP configuration location. Typically this is something
+    like <tt class="literal">/etc/dhcp/dhcpd.conf</tt> or
+    <tt class="literal">/etc/dhcp3/dhcpd.conf</tt>. Replace this file with the example
+    in the workspace-control package:
+    <tt class="literal">share/workspace-control/dhcp.conf.example</tt> and then edit
+    it to include proper subnet declarations for your network. Afterwards, try
+    restarting DHCP and checking logs to ensure that it started without error.
+</p>
+<p>
+    Next, edit the <tt class="literal">networks.conf</tt> file in
+    <tt class="literal">etc/workspace-control/</tt>. Set the
+    <tt class="literal">localdhcp</tt> option to <tt class="literal">true</tt>
+    and take a look at the <tt class="literal">dhcp-bridges</tt> section to configure
+    where DHCP packets are bridged to.
+</p>
+
+<p>
+    Finally, you may need to edit the sudo script that workspace-control uses to
+    alter <tt class="literal">dhcp.conf</tt> and restart the service. This script
+    is located at <tt class="literal">libexec/workspace-control/dhcp-config.sh</tt>.
+    It expects the following defaults:
+</p>
+
+<pre class="panel">
+# Policy file for script to adjust
+DHCPD_CONF="/etc/dhcpd.conf"
+
+# Command to run before policy adjustment
+DHCPD_STOP="/etc/init.d/dhcpd stop"
+
+# Command to run after policy adjustment
+DHCPD_START="/etc/init.d/dhcpd start"
+</pre>
+
+<p>
+    You should also ensure that this script can be called via sudo as the
+    <tt class="literal">nimbus</tt> user.
+</p>
 
 <!-- *********************************************************************** -->
 <!-- *********************************************************************** -->

diff --git a/docs/src/admin/z2c/final-tests.html b/docs/src/admin/z2c/final-tests.html
@@ -226,13 +226,15 @@ <h3>Once more, with contextualization</h3>
     for more information.
 </p>
 
+<a name="whatnext"> </a>
 <h3>What's next?</h3>
 <p>
     Once all of these tests succeed, your cloud is up and running. At this
-    point you probably want to configure more VMM nodes and add them
-    to the resource pool. You may also want to check out the
-    <a href="../reference.html">reference page</a> for details about advanced
-    configurations.
+    point you probably want to 
+    <a href="../reference.html#resource-pool">configure more VMM nodes</a>
+    and add them to the resource pool. You may also want to check out the
+    <a href="../reference.html">reference page</a> sections for more
+    a list of other configurations and information.
 </p>
 <p>
     You can also now start enabling remote users.  You should familiarize yourself with the <a href="../reference.html#user-management">user management</a> tools, the <a href="../reference.html#nimbusweb-config">web application</a> that is available for securely distributing credentials, and look into configuring <a href="../reference.html#group-authz">per-user rights and allocations</a>.

diff --git a/docs/src/admin/z2c/index.html b/docs/src/admin/z2c/index.html
@@ -9,6 +9,8 @@
 
 <h2>Nimbus 2.5 Zero To Cloud Guide</h2>
 
+<img src="/images/z2c.png" width="640" height="348" />
+
 <p>
     This "zero to cloud" guide contains configuration information for system 
     administrators working with Nimbus.
@@ -106,13 +108,9 @@ <h2>Nimbus 2.5 Zero To Cloud Guide</h2>
             client like you did before.  But this time, a virtual machine
             will be started for you as expected.
         </p>
-    </li>
-    <li>
-        <p>
-            What Next?
-        </p>
         <p>
-            You can now start enabling remote users.  You should familiarize yourself with the <a href="../reference.html#user-management">user management</a> tools, the <a href="../reference.html#nimbusweb-config">web application</a> that is available for securely distributing credentials, and look into configuring <a href="../reference.html#group-authz">per-user rights and allocations</a>.
+            This page also describes <a href="final-tests.html#whatnext">what 
+            to do next</a> after completing the guide.
         </p>
     </li>
 </ul>

diff --git a/docs/src/admin/z2c/networking-setup.html b/docs/src/admin/z2c/networking-setup.html
@@ -198,9 +198,13 @@ <h3>Metadata server</h3>
 
 <pre class="panel">
 $ grep Metadata $NIMBUS_HOME/var/services.log
-2010-07-30 14:50:33,769 INFO  defaults.HTTPListener [main,initServer:84] Metadata server URL: 'http://0.0.0.0:8090'
+2010-07-30 14:50:33,769 INFO  defaults.HTTPListener [main,initServer:84] Metadata server URL:
 </pre>
 
+<p>
+    Now you are ready to configure real nodes. Proceed to the next page to
+    <a href="vmm-setup.html">Install VMM Software</a>.
+</p>
 
 
 _NIMBUS_CENTER2_COLUMN_END