This shows you the differences between two versions of the page.
— | wiki:old:idhal [2013/07/10 22:16] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Mechanism ====== | ||
+ | ===== Secured update procedure ===== | ||
+ | At the very first boot, a virtual node gets the server GPG public key and never get it again. Then, periodically (at boot and from cron), the virtual node makes an http query to get an update script from the server. The server signs it and the node checks the signature of the script before executing it locally: | ||
+ | |||
+ | [[Image: | ||
+ | ===== The update script ===== | ||
+ | The script looks like: | ||
+ | |||
+ | < | ||
+ | | ||
+ | # Update #000 | ||
+ | if [! -f $UPDATES/ | ||
+ | then | ||
+ | # | ||
+ | # do update 000 | ||
+ | # | ||
+ | touch $UPDATES/ | ||
+ | fi | ||
+ | # Update #001 | ||
+ | if [! -f $UPDATES/ | ||
+ | then | ||
+ | # | ||
+ | # do update 001 | ||
+ | # | ||
+ | touch $UPDATES/ | ||
+ | fi | ||
+ | # and so on... | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | ====== wfbT | ||
+ | | ||
+ | |||
+ | The key is that an update (a scriptlet) is executed only once. | ||
+ | |||
+ | ===== The first update sets up the tunnel ===== | ||
+ | ==== Update ==== | ||
+ | < | ||
+ | if [! -f $UPDATES/ | ||
+ | then | ||
+ | wget -q -O / | ||
+ | chmod 700 / | ||
+ | / | ||
+ | rm -f / | ||
+ | / | ||
+ | / | ||
+ | sleep 10 | ||
+ | touch $UPDATES/ | ||
+ | | ||
+ | ==== gen_certif cgi-bin script ==== | ||
+ | This script generates a unique ID and a certificate for the virtual node. Then, it outputs a bash script that makes an Openvpn configuration and copies the certificate. | ||
+ | |||
+ | < | ||
+ | # | ||
+ | | ||
+ | | ||
+ | cgi = CGI.new | ||
+ | | ||
+ | | ||
+ | def get_next_id | ||
+ | id=0 | ||
+ | | ||
+ | | ||
+ | if client_id=file.scan(/ | ||
+ | if client_id[0].to_i > id | ||
+ | | ||
+ | end | ||
+ | end | ||
+ | end | ||
+ | | ||
+ | end | ||
+ | | ||
+ | | ||
+ | | ||
+ | f = File.new("# | ||
+ | | ||
+ | | ||
+ | puts " | ||
+ | puts | ||
+ | puts "# | ||
+ | puts "if [-d / | ||
+ | puts "cat > / | ||
+ | | ||
+ | dev tun | ||
+ | proto tcp | ||
+ | | ||
+ | ca ca.crt | ||
+ | cert client.crt | ||
+ | key client.key | ||
+ | | ||
+ | | ||
+ | up / | ||
+ | down / | ||
+ | | ||
+ | puts "cat > / | ||
+ | | ||
+ | puts " | ||
+ | puts "cat > / | ||
+ | | ||
+ | puts " | ||
+ | puts "chmod 600 / | ||
+ | puts " | ||
+ | |||
+ | ===== The VPN server side configuration ===== | ||
+ | ==== Openvpn ==== | ||
+ | < | ||
+ | port 4242 | ||
+ | proto tcp | ||
+ | dev tun0 | ||
+ | ca ca.crt | ||
+ | cert server.crt | ||
+ | key server.key | ||
+ | dh dh1024.pem | ||
+ | | ||
+ | # | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | # Script where we create/ | ||
+ | | ||
+ | | ||
+ | # G5K Routes pushing | ||
+ | push "route 129.88.70.0 255.255.255.192" | ||
+ | | ||
+ | # DNS pushing | ||
+ | push " | ||
+ | push " | ||
+ | ==== DNS ==== | ||
+ | Every virtual ip address is statically declared into DNS like this example: | ||
+ | < | ||
+ | | ||
+ | ===== OAR server ===== | ||
+ | Resources are added automatically when new tunnels come up. Resources are disabled (but not removed) when tunel goes down. This is made inside the client-up/ | ||
+ | * / | ||
+ | < | ||
+ | # | ||
+ | set -e | ||
+ | | ||
+ | | ||
+ | | ||
+ | if [[|" | ||
+ | then | ||
+ | | ||
+ | fi | ||
+ | | ||
+ | if [" | ||
+ | then | ||
+ | | ||
+ | -p " | ||
+ | fi | ||
+ | | ||
+ | -p " | ||
+ | -p " | ||
+ | -p " | ||
+ | -h $NODE_NAME | ||
+ | echo "/ | ||
+ | | ||
+ | |||
+ | * / | ||
+ | < | ||
+ | # | ||
+ | set -e | ||
+ | | ||
+ | | ||
+ | echo " | ||
+ | |||
+ | Here is a sample resource: | ||
+ | < | ||
+ | 168 | ||
+ | network_address : vnode-2-98.grenoble.grid5000.fr | ||
+ | properties : besteffort=YES, | ||
+ | state : Absent</ | ||
+ | |||
+ | ====== Caveats ====== | ||
+ | The main problem with this solution is that every communication between the nodes is made through the VPN. Actually, we want that the nodes that are on a same LAN or routed network, use their local interface to communicate directly. The solution might be on DNS side... | ||