Skip to content
Snippets Groups Projects
user avatar
Sarah Edwards authored
f124c96d
History
GENI Reference Control Framework
================================


Description
===========

The GCF package implements a sample GENI Aggregate Manager. It also
includes a sample GENI Clearinghouse and command line test client. This
software is intended to demonstrate the GENI Aggregate Manager
API. The Omni command line tool is also included with the GCF package:
see README-omni.txt.


Installation & Getting Started
==============================

See INSTALL.txt for instructions on installing this package, and
the 4 step test run using the test client.
Omni users should follow those instructions to ensure software 
dependencies are met.

Software Dependencies
=====================

The GCF package is intended to be run on a modern Linux distribution
(circa 2010 or 2009). Python 2.6 is required. This software is not
Python 3 compatible.

This software requires a number of readily available software
packages. Most modern Linux distributions should have these packages
available via their native package management suite (eg. yum or apt).

For details, see INSTALL.txt.


Included Software
=================

This package includes software from PlanetLab. All of the PlanetLab
software is in the src/sfa directory. More information, including the
license, can be found in src/sfa/README.txt.


Usage Instructions
============

Basic install & running instructions are in INSTALL.txt.

Full details on options for each step are described below.

0. Edit gcf_config (typically in the current directory; find a
   template in gcf_config.sample) to configure your clearinghouse and
   aggregate manager.  The default values should be fine for most
   settings, but you may change the base_name (URN) to be specific
   to you.  The keys and certificates will be generated in
   src/gen-certs.py in Step 1 to the paths you enter in
   gcf_config.
 
1. Generate keys and certificates for your users, clearinghouse, and 
   aggregate manager.

   $ python src/gen-certs.py

   This creates keys and certificates for a clearinghouse (ch), an
   aggregate manager (am), and a researcher (alice).  Cert URNs and
   some privileges are modifiable via constants.  Note you can
   generate multiple AM credentials and multiple user credentials
   using this script.

   Note that you should customize the certificates generated at your
   site using the constants in gcf_config, if you will use these
   certificates to interact with any other GENI site. In particular,
   URNs must be globally unique.

   By default the gcf_config file is found in the local directory.
   Override the default locations by specifying the -f argument.

   A directory for trusted_roots is used or created, and your CH
   certificate is copied there. This directory is used in Federation (see
   below).

2. Start the clearinghouse server:

   $ python src/gcf-ch.py   
 
   To override the settings in gcf_config, you can use these command
   line options:

   $ python src/gcf-ch.py -r <ch-cert.pem or trusted_roots_dir/> \
                          -g ch-cert.pem -k ch-key.pem \
                          -c <path-to-gcf_config-file>

   The optional -r argument could be a file with the GCF CH
   certificate.  If you want to allow users from other Clearinghouses
   to make calls on this clearinghouse, install their root
   certificates too.  To support this, it should be a directory with
   all trusted / federated certificates (PEM format).  Note that the
   CH certificate is used in generating slice credentials.

   The gcf_config file am_* properties lists the Aggregate Managers that have
   federated with this Clearinghouse. For some other examples see
   src/geni/ch.py.  This is how a single gcf-ch can contact multiple
   AM API compliant agggregate managers from whatever control
   framework.  Aggregate URNs here are for human consumption and need
   not be accurate.

   By default the gcf_config file is found in the local
   directory. Override that by specifying the -f argument.

   Other optional arguments include -H to specify a full hostname, -p
   to listen on a port other than 8000, and --debug for debugging
   output.  Note that listening on localhost/127.0.0.1 (the default)
   is not the same as listening on a real hostname / IP address. Be
   sure to listen on the desired interface and address the Aggregate
   Manager / Clearinghouse consistently.

   Supply the --debug argument for more detailed logging.

   See the gcf_config clearinghouse section for relevant constants.  Note
   that slice URNs are globally unique, and constrained to be proper
   children of their Clearinghouse (Slice Authority).  Another
   constant you may want to change is the lifetime of Slice
   credentials. By default they last 7200 seconds. That is likely too
   short to actually use any allocated resources.
 
3. Start the aggregate manager server:

   $ python src/gcf-am.py
 
   To override the settings in gcf_config, you can use these command
   line options:

 $ python src/gcf-am.py -r <ch-cert.pem or trusted_chs_and_cas_dir/> \
                        -g am-cert.pem -k am-key.pem \
                        -c <path-to-gcf_config-file>

   By default the gcf_config file is found in the local
   directory. Override that by specifying the -f argument. See the
   aggregate_manager section.  Note in particular that you name your
   aggregate manager, and could generate multiple aggregate manager
   certificates by editing gcf_config and re-running gen-certs.

   NOTE: The -r ch-cert.pem option specifies the name of the file with
   the CH cert, or better still, a directory with all trusted root
   certs.
   These certs will be used to verify slices and resource requests
   from the control frameworks that you have federated with.

   Optional arguments include -H to specify a full hostname, -p to
   listen on a port other than 8001, and --debug for debugging output.
   Note that listening on localhost/127.0.0.1 (the default) is not the
   same as listening on a real hostname / IP address. Be sure to
   listen on the desired interface and address the Aggregate Manager /
   Clearinghouse consistently.

   You can also optionally specify the API version that this aggregate should
   implement, using the -V option. The default is API version 2, and
   valid values include 1, 2 and 3. If using gcf-test, be sure to
   supply a matching -V option to that script.
   Supply the --debug argument for more detailed logging.

4. Run the GCF installation testing client:

   $ python src/gcf-test.py
 
   To override the settings in gcf_config, you can use these command
   line options:

   $ python src/gcf-test.py -g alice-cert.pem -k alice-key.pem \
                            --ch https://localhost:8000/ \
                            --am https://localhost:8001/ \
                            -c <path-to-gcf_config-file>

   The output should show some basic API testing, and possibly some
   debug output. Errors will be marked by exception traces or
   'failed'.

   By default the gcf_config file is found in the local
   directory. Override that by specifying the -f argument.

   Optional arguments --debug and --debug-rpc enable more debug
   output.
   Optional argument -V allows specifying the AM API version to run
   against the specified aggregate: the default is 2, and valid values
   are 1, 2 or 3. Be sure it matches the -V value you supplied to gcf-am.

   Note that you can use user credentials from any federated control
   framework, as long as the appropriate CH certificates were supplied
   to the -r arguments to gcf-ch and gcf-am above.

5. See README-omni.txt for instructions on running the OMNI GENI
   Client. Omni is a command line tool for doing arbitrary
   commands against multiple Aggregate Managers.

6. Federating: Interacting with multiple Control Frameworks.
 
   With federation, a user from one control framework (or
   clearinghouse and slice authority) can use their
   certificate and slice credentials to allocate resources from
   aggregates affiliated with other control frameworks.  In a
   federated network, each clearinghouse lists to its users all of the
   known aggregate managers that its users can allocate from.  Second,
   each aggregate manager has a list of trusted root certificates for
   each federated control framework.

6.1 Sharing keys -- Do this for each Aggregate Manager

   For each Aggregate Manager that should accept credentials from your
   Clearinghouse:

   To add your GCF certificate to an SFA based aggregate manager, copy
   the CH certificate file (ch-cert.pem) to /etc/sfa/trusted_roots/ on
   the AM's server.
 
   After adding your certificates, restart sfa (sudo /etc/init.d/sfa
   restart).

   To add an SFA certificate to a GCF based aggregate manager, copy
   your SFA key from /etc/sfa/trusted_roots/<should be a .gid file> to
   your GCF trusted roots directory created in steps 2 and 3
   above. This is not particularly necessary for the Clearinghouse
   (gcf-ch), but is necessary for the Aggregate Manager (gcf-am).

   There is a similar for ProtoGENI (InstaGENI), FOAM, and Orca
   (ExoGENI) aggregates.

6.2 Listing Aggregates -- Do this on all peered clearinghouses

   To list your GCF AM to SFA users, add your GCF address to 
    	 /etc/sfa/geni_aggregates.xml.

   The form is 
       <aggregate addr="hostname" hrn="hrn" port="port" url="hostname:port"/>

   URL and addr/port are redundant, but fill in both.  The hrn can be
   anything, but its intent is to be a shorthand dotted notation of
   your URN, such as 'plc.princeton' or 'geni.gpo.bbn'. Be sure it is
   unique.

   To list your SFA aggregate manager in your GCF clearinghouse, edit
   the 'gcf_config' file in your root gcf/ directory and add an
   entry for the SFA AM. The form is documented in the sample file.
   Enter a new am_# property with a value like "URN,URL" (without quotes) with
   one such entry per line. An example is:

     'am_5 = urn:publicid:IDN+plc:gpo1+authority+sa, \
             http://sfa.gpolab.bbn.com:12348'

   The AM URN should be unique. While it need not be fully accurate, that
   is useful. You can find the AM URN using the openssl commandline:

     openssl x509 -in [cert of AM] -text | grep "urn:publicid:IDN"

   There is a similar for ProtoGENI (InstaGENI), FOAM, and Orca
   (ExoGENI) aggregates.


Further Reading
===============

The GENI API pages on the GENI wiki have full details on GENI identifiers,
credentials and certificates, and the GENI AM API.

See http://groups.geni.net/geni/wiki/GeniApi

Known issues, Omni tutorials and further documentation are on the GCF Wiki:
http://trac.gpolab.bbn.com/gcf