Re: [9fans] 9grid

Re: [9fans] 9grid

[YAMANASHI Takeshi]

> The single central auth server approach uses the
> outside.plan9.bell-labs.com auth server allowing anyone who has
> a sources account (I.E. anyone who wants to), to attach to grid nodes

Yes.  But that's not the problem both multi authdom proposals are
trying to solve, I guess.  If you don't like the way sources accounts are
distributed (I.E. anyone who wants to), you can choose not to trust
the sources auth server and use others instead, like 9grid.de and/or tip9ug.
Both proposals are allowing you which authdom you trust or not.
Also, both proposals solved the username crash between multiple
authdoms.

Oh wait, what's the difference between the two proposals, btw?

> and run arbitary software, and read any world readable files
> on any node.

These are next hurdles I would like to jump over.
How about constructing the namespace of a grid user
only from /mnt/term/* ?

> how can an adminstrator on one side of the world trust an unknwon
> user on the other side?

Maybe he can't confidently trust unknown users in an authdom
on the other side of the world, but he may trust the admin of
the authdom reasonably.  I think this is the heart of grid's
authentication in general.


> Unfortunately in the current implementation, exchanges between the auth
> servers rely on DNS for mutual authentication.

I'm sorry.  I'm left behind here.  Which parts of the current
implementation rely on DNS for mutual authentication?


> Next we need some way to stop grid users hogging too much of a nodes
> cpu capacity, network bandwidth, disk space, and to stop them posting spam
> or organising DDoS attacks...

I wonder how globus is managing these issues...
-- 

Re: [9fans] 9grid

[Ronald G. Minnich]

On Thu, 9 Jun 2005, YAMANASHI Takeshi wrote:

> These are next hurdles I would like to jump over. How about constructing
> the namespace of a grid user only from /mnt/term/* ?

makes sense to me.

> Maybe he can't confidently trust unknown users in an authdom on the
> other side of the world, but he may trust the admin of the authdom
> reasonably.  I think this is the heart of grid's authentication in
> general.

yep. 

> > Next we need some way to stop grid users hogging too much of a nodes
> > cpu capacity, network bandwidth, disk space, and to stop them posting spam
> > or organising DDoS attacks...
> 
> I wonder how globus is managing these issues...

My guess is: not.

ron

Re: [9fans] 9grid

[erik quanstrom]

On Mon Nov 17 09:17:49 EST 2008, lupin636@gmail.com wrote:
> Hi Eric, (sic)
> I did what you told me, and i got the same as you wrote below.
> if you still have any idea, it will be helpful.
> thanks again,

you need to verify the keys also match.

- erik

Re: [9fans] 9grid

[lupin636]

thanks a lot eric..
what do you mean with "match"?
>
> > Hi Eric, (sic)
> > I did what you told me, and i got the same as you wrote below.
> > if you still have any idea, it will be helpful.
> > thanks again,
>
> you need to verify the keys also match.
>
> - erik

Re: [9fans] 9grid

[erik quanstrom]

> Hi,
> I just did it:
>    fsname%  ndb/query -f /lib/ndb/auth hostid bootes
>    fsname%
> i got no response,only the fs prompt..
> but in /lib/ndb/auth.mio i have the same lines,so:
>    hostid°otes
>         uid
> dm uid
> ??

easy fix
	9fs sources && cp /n/sources/plan9/lib/ndb/auth /lib/ndb/auth

- erik

Re: [9fans] 9grid

[lupin636]

Hi Eric,

I did every thing you told me, but when i try again:
   fsname%  ndb/query -f /lib/ndb/auth hostid bootes
   fsname%
without no response.
do you still have any idea??...because i'm thinkig to take a
drill ;-)))
thank you very much for your time.

Armando


> easy fix
> � � � � 9fs sources && cp /n/sources/plan9/lib/ndb/auth /lib/ndb/auth
>
> - erik

Re: [9fans] 9grid

[lupin636]

Hi All,

my /lib/ndb/auth is:
   hostid=bootes
       uid=!sys uid=!adm uid=*
but i just remember that "armando"(user name) is also sys and adm,
could it be the problem for "speaks for"?
because, as i explained above i have "no speaks for" in /sys/log/auth
when i try cpu(1) command from terminal, i also have /mnt/factotum/
log:
14: no key matches proto=p9sk1 role=server dom?
14: failure no key matches proto=p9sk1 role=server dom?
suggestions please?
thanks in advance for all responses.

Armando

Re: [9fans] 9grid

[erik quanstrom]

> my /lib/ndb/auth is:
>    hostid=bootes
>        uid=!sys uid=!adm uid=*
> but i just remember that "armando"(user name) is also sys and adm,
> could it be the problem for "speaks for"?
> because, as i explained above i have "no speaks for" in /sys/log/auth
> when i try cpu(1) command from terminal, i also have /mnt/factotum/
> log:
> 14: no key matches proto=p9sk1 role=server dom?
> 14: failure no key matches proto=p9sk1 role=server dom?

looking in /mnt/factotum/ctl on the console, you should see
keys like these at a minimum

terminal:
key proto=p9sk1 dom=quanstro.net user=quanstro !password?

cpu server and file server:
key proto=p9sk1 user=bootes dom=quanstro.net !hex? !password?

of course you should substitute your authentication domain
(which may be the same text but is different from your dns domain)
for quanstro.net

hope that gets you a bit further.

- erik

Re: [9fans] 9grid

[lupin636]

Hi Eric,
I did what you told me, and i got the same as you wrote below.
if you still have any idea, it will be helpful.
thanks again,

Armando.

> looking in /mnt/factotum/ctl on the console, you should see
> keys like these at a minimum
>
> terminal:
> key proto=p9sk1 dom=quanstro.net user=quanstro !password?
>
> cpu server and file server:
> key proto=p9sk1 user=bootes dom=quanstro.net !hex? !password?
>
> of course you should substitute your authentication domain
> (which may be the same text but is different from your dns domain)
> for quanstro.net
>
> hope that gets you a bit further.
>
> - erik

Re: [9fans] 9grid

[erik quanstrom]

> I did it and it works, but do you have any idea why i can do it from
> file server as bootes but not from terminal as armando?

there's probablly something wrong in your authentication setup.

>      fs name% cpu -h NODE -c 'name=(equal sign)cat ''#c/sysname'';
> echo'

cpu -h node -c 'name=`{cat ''#c/sysname''}; echo do something with $name'

- erik

Re: [9fans] 9grid

[lupin636]

Thanks again Eric..
It works, sorry but i'm newbie in shell ;-)
About the authentication problem, i checked /sys/log/auth, and i
noticed that there are some lines with "no speaks for",like this:

fs name nov 13 18:50:09 tr-fail armando@bootes (NODE ip address) ->
armando@bootes no speaks for
fs name nov 13 18:50:10 tr-ok armando@bootes (NODE ip address) ->
armando@bootes

this happens when i try:    cpu -h NODE
could it be the problem?
thanks,

Armando

> > I did it and it works, but do you have any idea why i can do it from
> > file server as bootes but not from terminal as armando?
>
> there's probablly something wrong in your authentication setup.
>
> > � � �fs name% cpu -h NODE -c 'name=(equal sign)cat ''#c/sysname'';
> > echo'
>
> cpu -h node -c 'name=`{cat ''#c/sysname''}; echo do something with $name'
>
> - erik

Re: [9fans] 9grid

[andrey mirtchovski]

could it be that the equals sign (=) you typed in /lib/ndb/auth is not
the normal equals sign (ascii 3d) but the equal sign of another
encoding? that could be the reason why your /lib/ndb/auth can't be
pasted properly in an email and can't be parsed correctly by
tokenize().

Re: [9fans] 9grid

[erik quanstrom]

> could it be that the equals sign (=) you typed in /lib/ndb/auth is not
> the normal equals sign (ascii 3d) but the equal sign of another
> encoding? that could be the reason why your /lib/ndb/auth can't be
> pasted properly in an email and can't be parsed correctly by
> tokenize().

easy test.
	ndb/query -f /lib/ndb/auth hostid bootes
should ->
hostid=bootes uid=!sys uid=!adm uid=*

- erik

Re: [9fans] 9grid

[lupin636]

Hi,
I just did it:
   fsname%  ndb/query -f /lib/ndb/auth hostid bootes
   fsname%
i got no response,only the fs prompt..
but in /lib/ndb/auth.mio i have the same lines,so:
   hostid=bootes
        uid=!sys uid=!adm uid=*
??

thanks guys,

Armando

> > could it be that the equals sign (=) you typed in /lib/ndb/auth is not
> > the normal equals sign (ascii 3d) but the equal sign of another
> > encoding? that could be the reason why your /lib/ndb/auth can't be
> > pasted properly in an email and can't be parsed correctly by
> > tokenize().
>
> easy test.
> � � � � ndb/query -f /lib/ndb/auth hostid bootes
> should ->
> hostid=bootes uid=!sys uid=!adm uid=*
>
> - erik

Re: [9fans] 9grid

[torsbohn]

On Nov 13, 8:45�am, quans...@quanstro.net (erik quanstrom) wrote:
...
> cpu -h node -c 'name=`{cat ''#c/sysname''}; echo do something with $name'


I added 'role=cpu' to my cpu servers in /lib/ndb/local, now I can do
this

for (node in `{ndb/query -a role cpu sys})
  cpu -h $node -c 'name=`{cat ''#c/sysname''}; echo do something with
$name'


torsbohn - Nothing can stop Tor!

Re: [9fans] 9grid

[erik quanstrom]

On Fri Nov 14 04:48:04 EST 2008, torsbohn@gmail.com wrote:
> On Nov 13, 8:45 am, quans...@quanstro.net (erik quanstrom) wrote:
> ...
> > cpu -h node -c 'name=`{cat ''#c/sysname''}; echo do something with $name'
>
>
> I added 'role=cpu' to my cpu servers in /lib/ndb/local, now I can do
> this
>
> for (node in `{ndb/query -a role cpu sys})
>   cpu -h $node -c 'name=`{cat ''#c/sysname''}; echo do something with
> $name'
>
>
> torsbohn - Nothing can stop Tor!

not sure what the deal with these emails is.
they're not from gmail and they contain
invalid quoted-printable, which is why things
look so bad.

i've got a patch for upas/fs that i'll put up shortly.
but you may just want to apply this yourself since
you're probablly not running nupas:

mbox.c:/^hex2int should change:

static int
hex2int(int x)
{
	if(x >= '0' && x <= '9')
		return x - '0';
	if(x >= 'A' && x <= 'F')
		return x - 'A' + 10;
	if(x >= 'a' && x <= 'f')
		return x - 'a' + 10;
	return -1;
}

then :/^decquotedline should have the case '='
changed like so

		case '=':
			c = hex2int(*in++)<<4;
			c |= hex2int(*in++);
			if(c != -1)
				*out++ = c;
			else{
				*out++ = '=';
				in -= 2;
			}
			break;

- erik

Re: [9fans] 9grid

[erik quanstrom]

> Hi Eric,
> I check lib/ndb/auth in the file server, this is what i have:
>     hostid°otes
>             uid
> dm uid

i assume poor spelling and cut-n-paste failure. :-)
the key thing here is if the only hostid in /lib/ndb/auth
is bootes, then the cpu server's hostowner must be
bootes.  is it?  can you run commands from the cpu
server's console?

you're doing the right thing, you've just got a
configuration error.

- erik

Re: [9fans] 9grid

[lupin636]

Ok, i just ran some local  commands from cpu server, and it is ok, i'm
gonna use the cpu servers only like a compute nodes. From cpu server i
wanted to see responses , so  i did and got this:
        cpus# ssh terminal name
        ssh: dialing terminal name: connection refused
        cpus# ssh file server name
        ssh: reading server version: unexpected EOF
the second error, i got also when i tried either from terminal or file
server.
yes, bootes is the cpu server's hostowner,but on terminal i log as
Armando.
what do you mean with "configuration error"?where could it be?
is ssh right to launch a task from terminal?

thanks again

Armando

> i assume poor spelling and cut-n-paste failure. :-)
> the key thing here is if the only hostid in /lib/ndb/auth
> is bootes, then the cpu server's hostowner must be
> bootes. �is it? �can you run commands from the cpu
> server's console?
>
> you're doing the right thing, you've just got a
> configuration error.
>
> - erik

Re: [9fans] 9grid

[john]

> Ok, i just ran some local  commands from cpu server, and it is ok, i'm
> gonna use the cpu servers only like a compute nodes. From cpu server i
> wanted to see responses , so  i did and got this:
>         cpus# ssh terminal name
>         ssh: dialing terminal name: connection refused
>         cpus# ssh file server name
>         ssh: reading server version: unexpected EOF
> the second error, i got also when i tried either from terminal or file
> server.
> yes, bootes is the cpu server's hostowner,but on terminal i log as
> Armando.
> what do you mean with "configuration error"?where could it be?
> is ssh right to launch a task from terminal?
>
> thanks again
>
> Armando
>

You want to be sitting at a terminal, and start a command on a cpu
server, right?

cpu -h <cpuserver> -c <command> <args>

That will execute the command on the cpu server and leave you at the
terminal prompt when you are done.

I have no idea why you are trying to ssh from your cpu server to your
terminal or to the fileserver.  Forget ssh.  If you have a Plan 9
network, ssh is 100% wrong for you.


John

Re: [9fans] 9grid

[lupin636]

On 11 Nov, 15:46, j...@csplan9.rit.edu wrote:
> > Ok, i just ran some local �commands from cpu server, and it is ok, i'm
> > gonna use the cpu servers only like a compute nodes. From cpu server i
> > wanted to see responses , so �i did and got this:
> > � � � � cpus# ssh terminal name
> > � � � � ssh: dialing terminal name: connection refused
> > � � � � cpus# ssh file server name
> > � � � � ssh: reading server version: unexpected EOF
> > the second error, i got also when i tried either from terminal or file
> > server.
> > yes, bootes is the cpu server's hostowner,but on terminal i log as
> > Armando.
> > what do you mean with "configuration error"?where could it be?
> > is ssh right to launch a task from terminal?
>
> > thanks again
>
> > Armando
Thanks john, i would like to send simple programs (jobs) to the nodes
(diskless cpu server) of a 9grid from terminal, and get responses from
them. How can i do it?

> You want to be sitting at a terminal, and start a command on a cpu
> server, right?
>
> cpu -h <cpuserver> -c <command> <args>
>
> That will execute the command on the cpu server and leave you at the
> terminal prompt when you are done.
>
> I have no idea why you are trying to ssh from your cpu server to your
> terminal or to the fileserver. �Forget ssh. �If you have a Plan 9
> network, ssh is 100% wrong for you.
>
> John

Re: [9fans] 9grid

[Uriel]

What is a '9grid'?

uriel

On Tue, Nov 11, 2008 at 4:12 PM,  <lupin636@gmail.com> wrote:
> On 11 Nov, 15:46, j...@csplan9.rit.edu wrote:
>> > Ok, i just ran some local  commands from cpu server, and it is ok, i'm
>> > gonna use the cpu servers only like a compute nodes. From cpu server i
>> > wanted to see responses , so  i did and got this:
>> >         cpus# ssh terminal name
>> >         ssh: dialing terminal name: connection refused
>> >         cpus# ssh file server name
>> >         ssh: reading server version: unexpected EOF
>> > the second error, i got also when i tried either from terminal or file
>> > server.
>> > yes, bootes is the cpu server's hostowner,but on terminal i log as
>> > Armando.
>> > what do you mean with "configuration error"?where could it be?
>> > is ssh right to launch a task from terminal?
>>
>> > thanks again
>>
>> > Armando
> Thanks john, i would like to send simple programs (jobs) to the nodes
> (diskless cpu server) of a 9grid from terminal, and get responses from
> them. How can i do it?
>
>> You want to be sitting at a terminal, and start a command on a cpu
>> server, right?
>>
>> cpu -h <cpuserver> -c <command> <args>
>>
>> That will execute the command on the cpu server and leave you at the
>> terminal prompt when you are done.
>>
>> I have no idea why you are trying to ssh from your cpu server to your
>> terminal or to the fileserver.  Forget ssh.  If you have a Plan 9
>> network, ssh is 100% wrong for you.
>>
>> John
>
>

Re: [9fans] 9grid

[lupin636]

9grid is a distributed computing project, which features prominently
the Plan 9 from Bell Labs operating system

Armando

On 11 Nov, 16:43, urie...@gmail.com (Uriel) wrote:
> What is a '9grid'?
>
> uriel

Re: [9fans] 9grid

[Uriel]

How cool! Tell me more....

Your ideas intrigue me and I wish to subscribe to your newsletter.

uriel

On Tue, Nov 11, 2008 at 5:32 PM,  <lupin636@gmail.com> wrote:
> 9grid is a distributed computing project, which features prominently
> the Plan 9 from Bell Labs operating system
>
> Armando
>
> On 11 Nov, 16:43, urie...@gmail.com (Uriel) wrote:
>> What is a '9grid'?
>>
>> uriel
>
>

Re: [9fans] 9grid

[ron minnich]

On Tue, Nov 11, 2008 at 7:12 AM,  <lupin636@gmail.com> wrote:

> Thanks john, i would like to send simple programs (jobs) to the nodes
> (diskless cpu server) of a 9grid from terminal, and get responses from
> them. How can i do it?
>

suppose you have a list of nodes

cpu% NODES=(a b c d)
cpu% echo $NODES
a b c d
cpu% for (i in $NODES) {
	cpu -h $i -c some-command&
	}

Go ahead. Try it!
 for (i in $NODES) {
	cpu -h $i -c date&
	}

OK, now suppose you have what in the high end business is still called
an 'input deck'. It's in a weird place. You get to it by saying
some-command -i input-file

for (i in $NODES) {
	cpu -h $i -c some-command -i your-file&
	}

This will work whether there is a mount on those nodes for your home
directory or not. Comes free with cpu.

What if you for whatever reason want a ps to show all the proces on
all the nodes you're running on.

for (i in $NODES) {
 import -a $i .com /proc /proc
}

Your /proc is now the unified /proc of all your nodes. (I used to do
this all the time with my plan 9 minicluster)

That way, if you want to kill all the some-commands running on ALL your nodes:
slay some-command | rc

The point being that you only need to run this command on the
front-end, not on each node.

You just can't even try to do this sort of thing with ssh.

ron

Re: [9fans] 9grid

[erik quanstrom]

> What if you for whatever reason want a ps to show all the proces on
> all the nodes you're running on.
>
> for (i in $NODES) {
>  import -a $i .com /proc /proc
> }

what's the .com for?

> Your /proc is now the unified /proc of all your nodes. (I used to do
> this all the time with my plan 9 minicluster)

does ps not mind if several processes have the same pid?

- erik

Re: [9fans] 9grid

[ron minnich]

On Tue, Nov 11, 2008 at 4:11 PM, erik quanstrom <quanstro@quanstro.net> wrote:
>> What if you for whatever reason want a ps to show all the proces on
>> all the nodes you're running on.
>>
>> for (i in $NODES) {
>>  import -a $i .com /proc /proc
>> }
>
> what's the .com for?
>

it's when I forgot to take part of the test :-)

>> Your /proc is now the unified /proc of all your nodes. (I used to do
>> this all the time with my plan 9 minicluster)
>
> does ps not mind if several processes have the same pid?
>

It never seemed to.

But of course if you have procs with same pid, the collisions are obvious.

So, do the easy thing:

for all nodes, mount them at
/proc/localhost
/proc/hostname/whatever

Then modify ps (takes about 5 minutes) so it iterates over /proc/*
where * is a set of host names.

now you can do fun stuff
slay node8/mpirun | rc
slay node*/mpirun | rc

There's a lot of good stuff in there if you want to use it ... I
actually implemented all this a few years back when Vic did hist first
xcpu code. It was really nice.

ron

Re: [9fans] 9grid

[erik quanstrom]

> It never seemed to.
>
> But of course if you have procs with same pid, the collisions are obvious.
>
> So, do the easy thing:
>
> for all nodes, mount them at
> /proc/localhost
> /proc/hostname/whatever
>
> Then modify ps (takes about 5 minutes) so it iterates over /proc/*
> where * is a set of host names.
>
> now you can do fun stuff
> slay node8/mpirun | rc
> slay node*/mpirun | rc
>
> There's a lot of good stuff in there if you want to use it ... I
> actually implemented all this a few years back when Vic did hist first
> xcpu code. It was really nice.

the trivial solution on your hardware would be to partition
the pid space, wouldn't it.  just have 64bit pids?  let each
machine start at a 1<<32 boundary?

four billion machines ought with four billion processes each
ought to be enough for anyone.

- erik

Re: [9fans] 9grid

[ron minnich]

On Tue, Nov 11, 2008 at 4:36 PM, erik quanstrom <quanstro@quanstro.net> wrote:

> the trivial solution on your hardware would be to partition
> the pid space, wouldn't it.  just have 64bit pids?  let each
> machine start at a 1<<32 boundary?

Sure. But you have to change the pid type in the kernel and  and and and and

The point here is that with fairly trivial mods to a few programs you
can build a cluster management suite that unix or windows based
cluster tools can not really touch.

But you don't have gcc. That's an issue. Not kidding here. Don't have
a good fortran compiler either. This is where binary support is very
useful.

ron

Re: [9fans] 9grid

[lupin636]

Thanks a lot Ron, it was clearly a really nice response.
You leave in no doubt about using between cpu and ssh.
I would like to try to do it now, but it semms to me that i have
authentication problems from terminal, because when i try to do cpu(1)
command from terminal (log in as Armando) i got nothing, i.e.
    term% cpu -h NODE -c date
    term%
otherwise by doing:
     term% cpu -h NODE
     term%
i got the same, and /mnt/term is empty, instead i think that cpu's
name space should be mounted on /mtn/term, isn't it?
Furthermore i also checked lib/ndb/auth on the file server, and  this
is what i have:
    hostid=bootes
            uid=!sys uid=!adm uid=*
I think that is correct, is it?
Thank you very much for your patience,

Armando.

> suppose you have a list of nodes
>
> cpu% NODES=(a b c d)
> cpu% echo $NODES
> a b c d
> cpu% for (i in $NODES) {
> � � � � cpu -h $i -c some-command&
> � � � � }
>
> Go ahead. Try it!
> �for (i in $NODES) {
> � � � � cpu -h $i -c date&
> � � � � }
>
> OK, now suppose you have what in the high end business is still called
> an 'input deck'. It's in a weird place. You get to it by saying
> some-command -i input-file
>
> for (i in $NODES) {
> � � � � cpu -h $i -c some-command -i your-file&
> � � � � }
>
> This will work whether there is a mount on those nodes for your home
> directory or not. Comes free with cpu.
>
> What if you for whatever reason want a ps to show all the proces on
> all the nodes you're running on.
>
> for (i in $NODES) {
> �import -a $i .com /proc /proc
>
> }
>
> Your /proc is now the unified /proc of all your nodes. (I used to do
> this all the time with my plan 9 minicluster)
>
> That way, if you want to kill all the some-commands running on ALL your nodes:
> slay some-command | rc
>
> The point being that you only need to run this command on the
> front-end, not on each node.
>
> You just can't even try to do this sort of thing with ssh.
>
> ron

Re: [9fans] 9grid

[john]

> Thanks a lot Ron, it was clearly a really nice response.
> You leave in no doubt about using between cpu and ssh.
> I would like to try to do it now, but it semms to me that i have
> authentication problems from terminal, because when i try to do cpu(1)
> command from terminal (log in as Armando) i got nothing, i.e.
>     term% cpu -h NODE -c date
>     term%
> otherwise by doing:
>      term% cpu -h NODE
>      term%
> i got the same, and /mnt/term is empty, instead i think that cpu's
> name space should be mounted on /mtn/term, isn't it?
> Furthermore i also checked lib/ndb/auth on the file server, and  this
> is what i have:
>     hostid°otes
>             uidys uid
> dm uid

No, that's really really wrong.  You need to have this in your
/lib/ndb/auth:
hostid=bootes
               uid=!sys uid=!adm uid=*

Also, are your terminals and CPU servers using the fileserver as their
root filesystem, the way they should be?



John

Re: [9fans] 9grid

[lupin636]

I have the same in lib/ndb/auth, i think google doesn't read the equal
sign  "=" from here, i don't know how you did it..
I don't understand very well what do you mean with "as their root
filesystem", but if you mean the bootargs line in the plan9.ini, they
have the same bootargs line, otherwise i don't really know, can you re-
explain to me?
thank you for you response,

Armando

> No, that's really really wrong. �You need to have this in your
> /lib/ndb/auth:
> hostid=bootes
> � � � � � � � �uid=!sys uid=!adm uid=*
>
> Also, are your terminals and CPU servers using the fileserver as their
> root filesystem, the way they should be?
>
> John

Re: [9fans] 9grid

[lupin636]

Hi all,

I was trying to use cpu(1) command from file server, because from
terminal as you see the post above i still have problems..
As cpu(1) command build the name space by running /usr/$user/lib/
profile with root of the invoking name space binding it to /mnt/term,
if i do this:
    cpu -h NODE -c cmd args
How can i be really sure that the command was performed by that node?
is there some way on /mnt/term that let me know the node used by me?
for example to know the node name..
thanks for responses

Armando.

Re: [9fans] 9grid

[erik quanstrom]

> if i do this:
>     cpu -h NODE -c cmd args
> How can i be really sure that the command was performed by that node?

cpu -c 'cat ''#c/sysname''; echo'

- erik

Re: [9fans] 9grid

[lupin636]

Thanks a lot Eric,
I did it and it works, but do you have any idea why i can do it from
file server as bootes but not from terminal as armando?
Furthermore, i would like to put  that line into a variable, by doing
(maybe in a wrong way):
     fs name% cpu -h NODE -c 'name=(equal sign)cat ''#c/sysname'';
echo'
      /dev/sysname: '/dev/sysname'  permission denied
     fs name%
where is my mistake?
thanks,

Armando

> cpu -c 'cat ''#c/sysname''; echo'
>
> - erik

Re: [9fans] 9grid

[erik quanstrom]

> I have a doubt.....because i was thinking about all i have to do, and
> i don't know if using cpu command is the right thing to do. anyway,
> the fact is, i have to launch a simple task from terminal (connected
> by armando) to a node on the cluster (diskless cpu server), i thought
> that cpu command was right but i'm not really sure anymore, because in
> unix i used to use "rsh" and "rcmd".
> any suggestions please??

you've got some sort of problem starting a shell on the remote machine.
it's likely authentication.  make sure the hostowner has speaksfor
abilities on the auth server (/lib/ndb/auth).

- erik

Re: [9fans] 9grid

[lupin636]

Hi Eric,
I check lib/ndb/auth in the file server, this is what i have:
    hostid=bootes
            uid=!sys uid=!adm uid=*
I think that is correct, does it?
I'd want to launch a task from terminal (logged as Me) to a node of
the 9grid, i was trying with cpu, ssh; because i realize that i don't
need to connect to a node (diskless cpu server) for launching a task
to it, i'd just want to launch some tasks over the nodes of the 9 grid
and get a response from them. maybe it seems easy but i can't.
Thanks a lot for every response.

Armando

> you've got some sort of problem starting a shell on the remote machine.
> it's likely authentication. �make sure the hostowner has speaksfor
> abilities on the auth server (/lib/ndb/auth).

Re: [9fans] 9grid

[erik quanstrom]

> trying with cpu(1) command, i was doing:
>     cpu -h fileservername
> and the prompt changed from term% to cpu%, and i supposed that was
> correct, but when i tried to connect to a cpuserver (all nodes are
> diskless)
>     cpu -h cpuservername
> the prompt didn't change, is that correct? before doing this, i tried
> with

there's nothing in the system itself that changes one's prompt.
this is done by the profile.  typically one can use the convention
that $sysname is the contents of /dev/sysname.
; echo $sysname $cpu
brasstown ladd
; cpu
; echo $sysname

- erik

Re: [9fans] 9grid

[lupin636]

Thanks for replaying...
Sorry but i got confusion about your replay, i think i don't
understand very well
I want to make it clear first that the file/auth server are the same
pc, and the cpuservers are the nodes of the cluster (5 nodes), which
are diskless, and a terminal (my laptop).
I'd like to use the cpu(1) command to connect to one node of the
cluster (cpuserver) from the terminal, i tried by doing:

term% cpu -h cpus
term% ls /mnt/term
term%

but i think it isn't correct, because the prompt is still term%, and /
mnt/term is empty, i did "ls /mnt/term" because i wanted to see if the
namespace was mounted.
is that correct?
I hope i explain to you in the right way.
thanks again..

bye,

Armando



> there's nothing in the system itself that changes one's prompt.
> this is done by the profile. �typically one can use the convention
> that $sysname is the contents of /dev/sysname.
> ; echo $sysname $cpu
> brasstown ladd
> ; cpu
> ; echo $sysname
>
> - erik

Re: [9fans] 9grid

[lupin636]

I have a doubt.....because i was thinking about all i have to do, and
i don't know if using cpu command is the right thing to do. anyway,
the fact is, i have to launch a simple task from terminal (connected
by armando) to a node on the cluster (diskless cpu server), i thought
that cpu command was right but i'm not really sure anymore, because in
unix i used to use "rsh" and "rcmd".
any suggestions please??

thanks in advance to all of you,

bye,
Armando.


On 10 Nov, 15:13, lupin...@gmail.com wrote:
> Thanks for replaying...
> Sorry but i got confusion about your replay, i think i don't
> understand very well
> I want to make it clear first that the file/auth server are the same
> pc, and the cpuservers are the nodes of the cluster (5 nodes), which
> are diskless, and a terminal (my laptop).
> I'd like to use the cpu(1) command to connect to one node of the
> cluster (cpuserver) from the terminal, i tried by doing:
>
> term% cpu -h cpus
> term% ls /mnt/term
> term%
>
> but i think it isn't correct, because the prompt is still term%, and /
> mnt/term is empty, i did "ls /mnt/term" because i wanted to see if the
> namespace was mounted.
> is that correct?
> I hope i explain to you in the right way.
> thanks again..
>
> bye,
>
> Armando

Re: [9fans] 9grid

[ron minnich]

On Mon, Nov 10, 2008 at 9:35 AM,  <lupin636@gmail.com> wrote:
> I have a doubt.....because i was thinking about all i have to do, and
> i don't know if using cpu command is the right thing to do. anyway,
> the fact is, i have to launch a simple task from terminal (connected
> by armando) to a node on the cluster (diskless cpu server), i thought
> that cpu command was right but i'm not really sure anymore, because in
> unix i used to use "rsh" and "rcmd".
> any suggestions please??
>

rsh and ssh suck in clusters. cpu is almost exactly what you want. You
don't get cpu on linux because the linux guys have not reinvented them
yet. Give them time.

ron

Re: [9fans] 9grid

[lupin636]

Thanks Ron, of course cpu doesn't exists on linux...but as you said,
it seems that i have to connect to a cpu server, but i would like to
launch a task from terminal to cpu server, and after obtain a result
from that cpu server,what do i have to do??or what do i have to use??

thanks in advance to everybody
Armando


> On Mon, Nov 10, 2008 at 9:35 AM, �<lupin...@gmail.com> wrote:
> > I have a doubt.....because i was thinking about all i have to do, and
> > i don't know if using cpu command is the right thing to do. anyway,
> > the fact is, i have to launch a simple task from terminal (connected
> > by armando) to a node on the cluster (diskless cpu server), i thought
> > that cpu command was right but i'm not really sure anymore, because in
> > unix i used to use "rsh" and "rcmd".
> > any suggestions please??
>
> rsh and ssh suck in clusters. cpu is almost exactly what you want. You
> don't get cpu on linux because the linux guys have not reinvented them
> yet. Give them time.
>
> ron

[9fans] 9grid

[lupin636]

Hi All,
I'm accomplishing a 9grid, that is composed of a file server, 2
cluster (diskless cpuserver nodes) and a terminal..
I'm trying to connect to a cpuserver (node of 9grid) from a terminal,
to launch some tasks, but i don't really know how to do it, i was
trying with cpu(1) command, i was doing:
    cpu -h fileservername
and the prompt changed from term% to cpu%, and i supposed that was
correct, but when i tried to connect to a cpuserver (all nodes are
diskless)
    cpu -h cpuservername
the prompt didn't change, is that correct? before doing this, i tried
with
    cpu -h cpuservername -c cmd args
but i'm not really sure if the replay i obtained was neither from that
cpuserver or from terminal.
All of this, i was trying to do to testing nodes, in effect, i'd want
to launch from terminal a simple program i.e.: i say "hello" and the
chosen node replays "hasta la vista baby".
Thanks in advance for every response.

Armando.

Re: [9fans] 9grid

[YAMANASHI Takeshi]

On Thu Jun  9 10:42:09 JST 2005, andrey mirtchovski wrote:
> > I wonder how globus is managing these issues...
> 
> globus leaves trust relationships to the certificate authorities which
> create accounts and issue CN's (callnames) for grid users.

What about other issues like posting spam and organising DDos attack?
-- 

Re: [9fans] 9grid

[andrey mirtchovski]

> What about other issues like posting spam and organising DDos attack?

users don't (aren't supposed to) have access directly to the compute
nodes of the clusters on a particular "grid", only to the head nodes
where they submit their jobs.  in theory they should submit jobs from
their local workstation even.  ok, you can take the head node off
(which may or may not be redundant) and that's it, jobs still run.
technically all the main services such as schedulers, file and
monitoring run somewhere else.  a real malicious attack would target
the main service providers such as the file server or the scheduler,
without which a cluster isn't of much use.

you can only do that once anyway, especially on high-profile networks.
once you get caught you're off.  and all those nodes are used to
downtime anyways :)

on the other hand it's much more interesting to try and figure out a
way to usurp the schedulers so you consume more than your dedicated
fair share of resources.  now that's really tricky to prevent :)

Re: [9fans] 9grid

[andrey mirtchovski]

> I wonder how globus is managing these issues...

globus leaves trust relationships to the certificate authorities which
create accounts and issue CN's (callnames) for grid users.

CN's which have access to a particular machine are listed in a grid
mapfile on each machine of the grid.

this isn't the only way to do it, but is the most common.

here's me on westgrid (edited slightly):

"/C=CA/O=Grid/OU=westgrid.ca/CN=andrey mirtchovski_46/Email=mirtchov cpsc ucalgary ca" andrey

the CN's are not secret.

[9fans] 9grid

[Steve Simon]

Hi,

First I wish to apologise as this will offend some people.

Am I the only one who is horrorfied at the lack of security
implied by the two recent cross domain authentication proposals?
I applaud any well written code for plan9 but I don't feel either
are ready for production.

The single central auth server approach uses the
outside.plan9.bell-labs.com auth server allowing anyone who has
a sources account (I.E. anyone who wants to), to attach to grid nodes
and run arbitary software, and read any world readable files
on any node. Ok Plan9 is more secure than some OS's but I wouldn't
allow just _anyone_ access to my machine.

There is no trust relationship with the users. Even if accounts where
explicitly enabled on demand and not by default there is still the problem
of how can an adminstrator on one side of the world trust an unknwon
user on the other side?

The system that delegates authentication to remote, trusted servers
requires the node adminstartor to explicitly set up this trust relationship
so there is much more control here. The adminstrator of each remote authdom
retains responsibility for the actions of their users on remote hosts,
thus we have a distributed system of trust; users would connect to their local
grid node to access the grid as whole, at least here we have a chance that
the adminstartors may know and trust their users who they allow onto the grid.

Unfortunately in the current implementation, exchanges between the auth
servers rely on DNS for mutual authentication. Given knowledge of a valid peer
node's domain name DNS poisining atttacks could easily allow a malacious user
access to all grid node; The once secure Plan9 OS is now wide open.

I can think of only two other possible structures for the grid.

1/ Shared private keys between N grid node's auth servers, these secrets
are used to ensure mutual authentication between auth servers and would
prevent the DNS posioning attack above. Unfortunately this would need 2N
secrets which must be securely distributed.

2/ Public Key encryption to secure the channel between auth servers. This
would need only N public keys, which could be distributed in the clear;
A central Certification Authority would not be needed as plan9 already has
a distributed file system, the certificates _are_ files.

Russ sugested that the certificates could have timestamps allowing remote
users to be proxy authenticated by a local auth server until an expiry timeout
has been reached, at which point an authoratitive certificate would have to be
fetched. This would be a very significant win over long-hall networks.

The solution to 9grid authentication seems clear to me.

Next we need some way to stop grid users hogging too much of a nodes
cpu capacity, network bandwidth, disk space, and to stop them posting spam
or organising DDoS attacks...

-Steve

Re: [9fans] 9grid

[Russ Cox]

> Am I the only one who is horrorfied at the lack of security
> implied by the two recent cross domain authentication proposals?
> I applaud any well written code for plan9 but I don't feel either
> are ready for production.

It depends on whether security is actually your goal.
The current goal for the 9grid appears to be to provide
access in a manner slightly more secure than not requiring
passwords at all, and I believe that that has been 
accomplished.

Russ

Re: [9fans] 9grid

[arisawa]

> Next we need some way to stop grid users hogging too much of a nodes
> cpu capacity, network bandwidth, disk space, and to stop them posting 
> spam
> or organising DDoS attacks...
>

Thank you Steve, I share this opinion.
My 9grid prohibit users
1. to become user "none" except host owner
2. to try to access outside world except host owner and user "none"
try yourself
cpu -h co.aichi-u.ac.jp
I am glad if you give me suggestions.

I believe no one want to offer his PC for 9grid if that is used for 
evil purpose,
but I don't know whether my protection is all to do.

I don't think current plan 9 is robust enough for 9grid.
Depletion of resource such as memory, process table, and storage can 
make problems.

Kenji Arisawa