Home Patches

IcePAM and Hesperia::Bootstrap services

fmoyafmoya Member Francisco MoyaOrganization: UCLMProject: Debian packages ✭✭

There are a couple of utilities we developed which may be useful to other Ice users:
  • IcePAM is an IceBox service implementing a PermissionsVerifier and an SSLPermissionsVerifier which uses PAM to perform actual authentication. IcePAM is useful to centralize user management in an LDAP directory, AD, or whatever.
  • Hesperia::Bootstrap is an IceBox service which implements automatic IceGrid configuration (even with replicated registries) for a LAN. It relies on a tiny patch against Ice for C++ I already sent to this forum (to perform basic multicast group membership management when using D class addresses in an UDP endpoint). The patch is already included in the Debian/Ubuntu distribution.
Hesperia::Bootstrap was designed for a very specific setup. We want to remotely boot a bunch of labs with a minimal GNU/Linux distribution, use all the available computers to perform some tasks at night, and then switch everything off. But it may also be useful in other scenarios.

Bootstrap use multicast messages to publish or locate registries. You may force any computer to become a registry using a config option or (by default) you may leave registries unspecified and then they will be eventually be chosen among the computers running bootstrap.

A pair of python scripts may be used to find the proxy for the locator (even if registry is replicated) or to reset the whole LAN to start a new election.

Bootstrap automatically starts IceGridNode properly configured with IcePAM. In the default configuration people from the icegrid group will be able to create Admin sessions. In combination with IceStorm (also using multicast endpoints) you may use Bootstrap in a multi-LAN setup without any need for multicast routing. Beware that if security is a concern you should force all registries to be in known hosts. Also to prevent DoS attacks we plan to use an encrypted udp transport for the Bootstrap protocol.

F. Moya


  • dwaynedwayne St. John's, NewfoundlandMember Dwayne BooneOrganization: ZeroC, Inc.Project: Internet Communications Engine
    Hi Francisco,

    The link you provided for Hesperia::Bootstrap no longer appears to be working. Could you provide a new link?

  • fmoyafmoya Member Francisco MoyaOrganization: UCLMProject: Debian packages ✭✭
    Sorry, there were some revisions afterwards and I only keep the latest revision. You may always browse the whole directory at:

    Index of /~francisco.moya/debian

    Today the most recent Hesperia Bootstrap source is:


    And the IcePAM PermissionsVerifier:


    Please, note that this is still a proof of concept. At the very least we should require some kind of endpoints using shared key cryptography. This is in my TODO list but it was delayed because we would like to implement a stackable endpoint abstraction (decorator). Something like this

    blowfish -s sharedKey|tcp

    This is not only useful for ciphering endpoints but also for things like reliable transports built on unreliable datagram transports:


Sign In or Register to comment.