$Id: README.txt 149 2004-08-11 20:58:51Z saahbs $

NIUS v.1.0.beta.1 (NCDM's Node Interactive Use Scheduler)
GPL Licensed Software

1. Architecture

The National Center for Data Mining at the University of Illinois at
Chicago needed a system for scheduling data servers for exclusive
interactive use by researchers. Requirements included the ability to
schedule Linux and Unix systems, integration with LDAP, and a web
interface for controlling reservations. NIUS, NCDM's reservation
system, meets the above requirements.

[image: architecture-diagram.gif]

The entire reservation system is composed of three components: the
Server Web Interface, the Server Cron Jobs and the Node Cron Jobs.
Together they allow scheduling and enforcement of reservations.

1.1 Server Web Interface

The web interface is implemented in Mason, a powerful Perl-based web
site development and delivery engine. All reservation management is
carried out by connecting to the web server with a browser supporting
Cascading Style Sheets, JavaScript and SSL.

After connecting to the web server, users are asked to authenticate
themselves [image: img-0-login.jpeg]. A Mason component,
'template.mas', wraps around all HTML components: it checks for a
session, authenticates users against LDAP if needed, and then loads
the target page component.

Upon successfully logging in, the 'index.html' component displays a
table of reservations [image: img-1-view.jpeg]. Each reservation
occupies a single row and lists the reservation's effective date and
time, its duration, the users authorized to log in, and the servers
under reservation. The first user listed, always highlighted in blue,
is the reservation owner; only owners are able to change or remove
their reservations. Other functions are selected by clicking on the
blue buttons.

The 'Change' button loads the 'change.html' component, which displays
the reservation edit form [image: img-2-change.jpeg].
After clicking on the 'Change' confirmation button, the component
checks all values for valid ranges and displays a status message. The
'Remove' button loads the 'remove.html' component, which displays the
reservation settings and asks for removal confirmation
[image: img-3-remove.jpeg]. The 'Reserve' button loads the
'reserve.html' component, which displays a new reservation input form
[image: img-4-reserve.jpeg]. Just as with the 'change.html' component,
all values are checked after the form is submitted, and a status
message is displayed. The following screenshot shows the reservation
list after submitting the above entry [image: img-5-view.jpeg].
Clicking on the 'Users:' and 'Servers:' buttons opens popup windows
listing authorized users and available servers
[image: users-window.jpeg] [image: servers-window.jpeg].

Server file descriptions:

server/
|-- background.jpeg          background image of all pages
|-- change-form.mas          change reservation form
|-- change.html              change reservation component
|-- check_collision.mas      verifies reservation overlaps
|-- check_date.mas           verifies date/time
|-- check_duration.mas       verifies duration
|-- check_servers.mas        verifies server list
|-- check_users.mas          verifies user list
|-- create_reservation.mas   commits new reservation into storage
|-- email.mas                sends email alerts to admin
|-- erase_reservation.mas    removes reservation from storage
|-- find_reservations.mas    finds reservations within time interval
|-- index.html               presents a table of all reservations
|-- late_change.mas          verifies that it is not too late to make
|                            changes
|-- lock.mas                 creates storage global lock
|-- login.mas                displays login form
|-- makereservations.html    generates a list of recently modified
|                            reservations (called from cron)
|-- ncdm-scheduler.conf      sample configuration file
|-- parse_list.mas           parses and cleans free-form text lists
|-- popup
|   |-- list_servers.html    lists available servers
|   |-- list_users.html      lists authorized users
|   `-- template.mas         template for the popup windows
|-- read_reservation.mas     reads reservation from storage
|-- remove-confirm.mas       remove reservation confirm form
|-- remove.html              remove reservation component
|-- remove_reservation.mas   temporarily removes reservation
|-- reserve-form.mas         new reservation form
|-- reserve.html             new reservation component
|-- show_config.html         displays server configuration settings
|-- style.css                cascading style sheet for all pages
|-- template.mas             main template, takes care of
|                            authentication and session
|-- unlock.mas               removes storage global lock
`-- unremove_reservation.mas restores temporarily removed reservation

1.2 Server Cron Jobs

There are two cron jobs active on the server. The first one runs
`lynx-ssl https://scheduler/makereservations.html`, which activates
the 'makereservations.html' component. This component reads all
reservations that will soon become active and compares them with the
contents of the file data/prev_notices.dat. For each new, missing or
changed entry, a notice file is created in the data/notices directory.
Each notice file is named after the server affected and lists all
reservations of that server. After all the needed notice files have
been created, a new prev_notices.dat file is generated.

The second server cron job is `data/send_reservations.pl`. This
program reads all notices in data/notices/ and sends the content of
each one to the server named by the filename. The content is piped
over an ssh tunnel to the `client/get_reservations.pl` program
receiving at the other end. 'get_reservations.pl' takes care of file
locking and of storing the data in the reservations.dat file. Upon a
successful send, each notice file is erased.

1.3 Node Cron Job

Each node has the `sudo update_sshd.pl` cron job, which reads
reservations.dat and, based on the current time and the reservation
times, edits the AllowUsers field of '/etc/ssh/sshd_config'.
'reservations.dat' is created when the NIUS server connects to a node
via ssh and sends the reservations list by running
`get_reservations.pl` on the node.
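The node-side logic just described, as an added Python illustration rather than the project's Perl update_sshd.pl: it assumes a reservations.dat line format of 'START MINUTES users servers' (the real format is not given in this README) and a scheduler account that must stay in AllowUsers so the server can keep delivering reservations over ssh.

```python
"""Node-side enforcement modelled on update_sshd.pl (section 1.3):
users whose reservation on this node covers the current time get
listed in AllowUsers of sshd_config. Added Python illustration, not
the project's Perl; the reservations.dat line format below is assumed."""
from datetime import datetime, timedelta
import re

FMT = "%Y%m%d%H%M"
# Assumption: account kept in AllowUsers outside any reservation (it delivers reservations.dat).
ALWAYS_ALLOWED = ("scheduler",)

# Constructed sample reservations.dat (not real data).
SAMPLE_DAT = """\
# start       minutes users     servers
200408111400  120     alice,bob node1,node2
200408111700  60      carol     node1
"""

def users_at(dat_text, hostname, when):
    """Sorted users allowed on `hostname` at `when` (YYYYMMDDHHMM).
    A reservation covers [start, start + minutes); its end is excluded."""
    now = datetime.strptime(when, FMT)
    users = set(ALWAYS_ALLOWED)
    for line in dat_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start_s, minutes, who, where = line.split()
        start = datetime.strptime(start_s, FMT)
        end = start + timedelta(minutes=int(minutes))
        if hostname in where.split(",") and start <= now < end:
            users.update(who.split(","))
    return sorted(users)

def render_sshd_config(config_text, users):
    """Return sshd_config text with exactly one AllowUsers line naming
    `users`; every other line is kept and stale AllowUsers lines go."""
    new_line = "AllowUsers " + " ".join(users)
    out, placed = [], False
    for line in config_text.splitlines():
        if re.match(r"\s*AllowUsers\b", line, re.IGNORECASE):
            if not placed:          # first occurrence is replaced in place
                out.append(new_line)
                placed = True
            continue                # later duplicates are dropped
        out.append(line)
    if not placed:
        out.append(new_line)
    return "\n".join(out) + "\n"
```

sshd reads sshd_config only at startup and on SIGHUP, so a cron job that rewrites the file must also reload the daemon; an AllowUsers change affects new logins only, and sessions already open continue until they end.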
At this time, editing AllowUsers is the only reservation enforcement
mechanism. In the future, a pluggable authentication module (PAM)
based mechanism will be added.

2. Security

All communications between clients, server and nodes are encrypted,
which protects the data in transit.

2.1 LDAPS

NIUS relies on the LDAP server for client authentication into the
reservation web interface and into the nodes. NIUS is expected to be
deployed in environments whose LDAP server is configured with the
SSL-encrypted LDAP protocol, LDAPS.

2.2 HTTPS

Connections between clients and the reservation web interface are
encrypted using SSL. The Apache web server must be configured to serve
NIUS content over HTTPS.

2.3 SSH

Connections from users and from the NIUS server to the nodes are
strongly encrypted using the SSH protocol.

3. Backend

Version 1.0 stores reservations in a native format so that it does not
require a database backend. This greatly simplifies configuration,
backup and maintenance of the system. Future versions will include
plugins to use various SQL databases as backends.

Reservations are stored in the directory data/reservations. Each
reservation's start time is given by its filename, and the file's
contents list the duration, users and servers. As it is unlikely that
a reservation server will have more than a few hundred reservations
defined simultaneously, filesystem performance should not be a problem
during typical usage. This storage mechanism simplifies debugging
(this is version 1.0 :), installation and backup. At the same time the
code is quite modular, so that in the near future other storage
mechanisms will be implemented.

4. Dependencies

To install the NIUS server interface, the following software needs to
be available:

  Apache 1.3.x
  mod_ssl
  Mason 1.24+ (HTML::Mason)
  Perl 5.8+
  Perl modules:
    MasonX::Request
    Apache::SessionX
    Mail::Sendmail
    IO::Socket::SSL
    Net::LDAP
    + dependencies of the above
  OpenSSL
  OpenSSH
  Lynx-ssl (or any browser that can fetch an https page from cron)

Each node under NIUS control requires the following software:

  Perl 5.x
  system configured to use libnss-ldap and pam-ldap

5. Installation

  generate ssl keys for apache
  edit httpd.conf
  create mason cache/session directories
  create scheduler account
  generate ssh private key on scheduler account
  install scheduler code in /exports/www/scheduler
  change ownership of files using: `chown -R scheduler.www-data *`
  allow writes to files using: `chmod -R g+w *`
  add lynx (ssl-enabled) job to scheduler's cron:
    `lynx --dump https://my.scheduler/makereservations.html &> /dev/null; /exports/www/scheduler/data/send_reservations.pl`
  create scheduler accounts on all nodes
  send scheduler's public ssh key to authorized_keys of scheduler
    accounts on all nodes
  install get_reservations and update_sshd on all nodes
  add root job /home/scheduler/update_sshd.pl on all nodes

More detailed instructions will be released with version 1.0.

# vim:textwidth=70:nowrap:
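The flat-file backend of section 3 together with the overlap test that check_collision.mas performs, as an added Python illustration (not the project's Mason code); the reservation file contents below ('duration', 'users' and 'servers' lines under a YYYYMMDDHHMM filename) are an assumption, since the README only states that the filename carries the start time.

```python
"""Flat-file backend of section 3 and the overlap test performed by
check_collision.mas. Added illustration, not the project's Mason code.
Assumed layout (not documented here): one file per reservation under
data/reservations/, named by start time YYYYMMDDHHMM, holding
'duration' (minutes), 'users' and 'servers' lines."""
from datetime import datetime, timedelta
from pathlib import Path
import tempfile

FMT = "%Y%m%d%H%M"
# Constructed sample reservations (not real data).
SAMPLE = {
    "200408111400": "duration: 120\nusers: alice bob\nservers: node1 node2\n",
    "200408111700": "duration: 60\nusers: carol\nservers: node1\n",
}

def make_sample_dir():
    """Write SAMPLE into a fresh temporary data/reservations directory."""
    root = Path(tempfile.mkdtemp()) / "data" / "reservations"
    root.mkdir(parents=True)
    for name, body in SAMPLE.items():
        (root / name).write_text(body)
    return root

def read_reservation(path):
    """Parse one reservation file (a Path) into (start, end, users, servers)."""
    start = datetime.strptime(path.name, FMT)
    fields = {}
    for line in path.read_text().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    end = start + timedelta(minutes=int(fields["duration"][0]))
    return start, end, fields["users"], fields["servers"]

def find_reservations(root, t0, t1):
    """Reservations whose [start, end) window intersects [t0, t1)."""
    hits = []
    for path in sorted(Path(root).iterdir()):
        if not path.name.isdigit():      # skip lock files and the like
            continue
        start, end, users, servers = read_reservation(path)
        if start < t1 and t0 < end:
            hits.append((path.name, users, servers))
    return hits

def check_collision(root, start_str, minutes, servers):
    """Requested servers already booked in the proposed window ([] = free)."""
    t0 = datetime.strptime(start_str, FMT)
    t1 = t0 + timedelta(minutes=minutes)
    clash = set()
    for _, _, booked in find_reservations(root, t0, t1):
        clash |= set(booked) & set(servers)
    return sorted(clash)
```

Windows are half-open, so a reservation that ends exactly when another one starts on the same server is not reported as a collision.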