Archived
This forum has been archived. Please start a new discussion on GitHub.
IcePAM and Hesperia::Bootstrap services
Hi,
There are a couple of utilities we developed which may be useful to other Ice users:
Bootstrap use multicast messages to publish or locate registries. You may force any computer to become a registry using a config option or (by default) you may leave registries unspecified and then they will be eventually be chosen among the computers running bootstrap.
A pair of python scripts may be used to find the proxy for the locator (even if registry is replicated) or to reset the whole LAN to start a new election.
Bootstrap automatically starts IceGridNode properly configured with IcePAM. In the default configuration people from the icegrid group will be able to create Admin sessions. In combination with IceStorm (also using multicast endpoints) you may use Bootstrap in a multi-LAN setup without any need for multicast routing. Beware that if security is a concern you should force all registries to be in known hosts. Also to prevent DoS attacks we plan to use an encrypted udp transport for the Bootstrap protocol.
Regards,
F. Moya
There are a couple of utilities we developed which may be useful to other Ice users:
- IcePAM is an IceBox service implementing a PermissionsVerifier and an SSLPermissionsVerifier which uses PAM to perform actual authentication. IcePAM is useful to centralize user management in an LDAP directory, AD, or whatever.
- Hesperia::Bootstrap is an IceBox service which implements automatic IceGrid configuration (even with replicated registries) for a LAN. It relies on a tiny patch against Ice for C++ I already sent to this forum (to perform basic multicast group membership management when using D class addresses in an UDP endpoint). The patch is already included in the Debian/Ubuntu distribution.
Bootstrap use multicast messages to publish or locate registries. You may force any computer to become a registry using a config option or (by default) you may leave registries unspecified and then they will be eventually be chosen among the computers running bootstrap.
A pair of python scripts may be used to find the proxy for the locator (even if registry is replicated) or to reset the whole LAN to start a new election.
Bootstrap automatically starts IceGridNode properly configured with IcePAM. In the default configuration people from the icegrid group will be able to create Admin sessions. In combination with IceStorm (also using multicast endpoints) you may use Bootstrap in a multi-LAN setup without any need for multicast routing. Beware that if security is a concern you should force all registries to be in known hosts. Also to prevent DoS attacks we plan to use an encrypted udp transport for the Bootstrap protocol.
- IcePAM:http://arco.inf-cr.uclm.es/~francisco.moya/debian/icepam_1.0.2.tar.gz
- Hesperia::Bootstrap:http://arco.inf-cr.uclm.es/~francisco.moya/debian/hesperia-bootstrap_1.0.10.tar.gz
Regards,
F. Moya
0
Comments
-
Hi Francisco,
The link you provided for Hesperia::Bootstrap no longer appears to be working. Could you provide a new link?
Regards,
Dwayne0 -
Sorry, there were some revisions afterwards and I only keep the latest revision. You may always browse the whole directory at:
Index of /~francisco.moya/debian
Today the most recent Hesperia Bootstrap source is:
http://arco.inf-cr.uclm.es/~francisco.moya/debian/hesperia-bootstrap_1.0.11.tar.gz
And the IcePAM PermissionsVerifier:
http://arco.inf-cr.uclm.es/~francisco.moya/debian/icepam_1.0.2.tar.gz
Please, note that this is still a proof of concept. At the very least we should require some kind of endpoints using shared key cryptography. This is in my TODO list but it was delayed because we would like to implement a stackable endpoint abstraction (decorator). Something like this
blowfish -s sharedKey|tcp
This is not only useful for ciphering endpoints but also for things like reliable transports built on unreliable datagram transports:
store_and_forward|bluetooth
Regards,
Paco0