
SDNRM_configuration

Carolina Fernández edited this page Apr 17, 2015 · 13 revisions


Disclaimer: The following configuration manual assumes that installation of the whole software has been done according to the installation manual.

Configuration options

The configuration file is located at optin_manager/src/python/openflow/optin_manager/localsettings.py.

General parameters

| FLAG | Values | Comments |
|---|---|---|
| SITE_DOMAIN | String | SDN RM (Opt-in) host domain name |

Root (Island Manager) account information

| FLAG | Values | Comments |
|---|---|---|
| ROOT_USERNAME | String | SDN RM (Opt-in)'s root username (Note: this does not create a superuser account in Django. You will be requested to do that in the last step of the installation) |
| ROOT_PASSWORD | String | SDN RM (Opt-in)'s root password |
| ROOT_EMAIL | String | SDN RM (Opt-in)'s root email. This mail will be used to send notifications |

Database parameters

| FLAG | Values | Comments |
|---|---|---|
| DATABASE_USER | String | MySQL username |
| DATABASE_PASSWORD | String | MySQL password |
| DATABASE_HOST | String | MySQL host (e.g. 127.0.0.1) |
| DATABASE_NAME | String | Opt-in database name. |

GUI procedures

Configuring connections and authorisation

From the Manage Website button two actions should be performed:

  1. Set Clearinghouse: This sets the username/password which the Clearinghouse (Expedient) will use to authenticate against Opt-in Manager when it uses the XMLRPC interface. Just set:
    • Username
    • Password

Remember these values: the same username and password must be set for the RM in Expedient.

  2. Set FlowVisor: This sets the parameters required to communicate with the FlowVisor:
    • FV Name: Name to identify this FlowVisor instance.
    • Username: Username to use to access the FlowVisor (set during FlowVisor installation)
    • Password: Password to use to access the FlowVisor (set during FlowVisor installation)
    • Server URL: URL of the FlowVisor's XMLRPC interface. It should be https://DOMAIN_NAME:PORT/xmlrpc/, default port is 8080. Notice that DOMAIN_NAME can be an IP address as long as it matches the certificate's Common Name of the server where FlowVisor is running.
    • Verify Certificates?: Do not set.

Handling Expedient Flowspace requests

If properly configured, SDN RM (Opt-in manager) will send an email to the root email address whenever a new request arrives from Expedient.

Automatically

Starting from release 0.8, SDN RM (Opt-in manager) can be configured to:

  1. Automatically negotiate a VLAN for slices that span several domains
  2. Automatically approve FlowSpace requests

To get to the options, go to Manage Website > Auto-Approve Settings. On that page, choose "Approve all requests" in the dropdown list and check one or both of "Grant VLANs automatically" and "Approve Flowspace automatically".

  • Grant VLANs automatically: automatically establishes a connection against other OF AMs involved in the experiment.
  • Approve Flowspace automatically: in conjunction with the previous option, it automatically approves the FlowSpace at the island

Manually

If the automatic approval has not been enabled on the island, FlowSpace requests must be handled manually. Requests coming from Expedient do NOT appear on the "Request list". To see them you have to go to Administrate Flowspace > Add rule.

SFA and GENI procedures

Setting the URN for your island

In order to advertise the resources of your island in an appropriate manner, you should change the HRN setting in the file optin_manager/src/python/openflow/optin_manager/geni/v3/settings/optin.py as follows:

    HRN = "ocf.<your_organization_name_in_lowercase>"  # Example: "ocf.i2cat"

Finally, restart Apache. If you have RO deployed in your island and it has run at least once, you should delete the SDNRM resources inside RO's database. In a console, write the following:

    mongo
    > use felix_ro
    > db.resource.of.node.drop()
    > db.resource.of.link.drop()
    > exit

After that, and assuming that CRM resources are deleted as well, you may restart the RO.

Allowing requests to the SFA and GENIv3 interfaces

The last configuration step concerns the clients that are allowed to communicate with the GENIv3 API of your resource managers (RMs). Both SDN RM and C RM need to authorise the certificate of the clearinghouse that issues the credentials of the client you want to allow. If you are using the GENI Control Framework and Clearinghouse, this certificate can be found in ~/.gcf/ch-cert.pem.

Note1: in the first stages of deployment, every FELIX island will use the same certificates (and respective keys) for ClearingHouse and user Alice. Request such certificates and place them in ~/.gcf/ch-cert.pem (~/.gcf/ch-key.pem), ~/.gcf/trusted_roots/ch-cert.pem, ~/.gcf/trusted_roots/CATedCACerts.pem and ~/.gcf/alice-cert.pem (~/.gcf/alice-key.pem), respectively. If using RMs that request to have a copy of the client or peer certificate to be trusted, place the Clearinghouse certificate under their respective folders (see below for SDN RM).

Enabling a specific peer is achieved in two steps:

  1. Add the certificate of the client's clearinghouse in the RM
  • Add it as a new .gid file (you pick the name) to the trusted_roots folder:

    cp -p ~/.gcf/ch-cert.pem <path_to_ocf>/optin_manager/src/python/openflow/optin_manager/geni/v3/trusted_roots/felix-<organisation>.gid
    
  • Note: ensure that this certificate is unique in the folder, i.e. that it has not previously been saved under another name and that the new file name does not coincide with an existing one

  2. Append the certificate of the client's clearinghouse to the Apache SSL configuration
  • Append it to the end of the /etc/apache2/ssl.crt/ca_clients.crt file
  • Restart Apache
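
The two steps above can be made repeatable. The following is an added example, not part of the OCF code base: it compares certificates by SHA-256 fingerprint, so a clearinghouse certificate that is already saved under another name, or is already present in the Apache bundle, is not added a second time. The function names, the `*.gid` glob and the sample file names are assumptions, and the sample "certificates" are constructed placeholder bytes.

```python
import hashlib, re, shutil, ssl, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(path):
    """SHA-256 over the DER bytes of every certificate in a PEM file or bundle."""
    path = Path(path)
    if not path.exists():
        return set()
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
            for pem in PEM_RE.findall(path.read_text())}

def enable_peer(ch_cert, trusted_roots, apache_bundle, gid_name):
    """Run both steps idempotently; return the list of places that were changed."""
    ch_cert, trusted_roots = Path(ch_cert), Path(trusted_roots)
    fps = fingerprints(ch_cert)
    if len(fps) != 1:
        raise ValueError("expected exactly one certificate in %s" % ch_cert)
    changed = []
    # Step 1: skip the copy if this certificate is already trusted under any name.
    known = set().union(*(fingerprints(p) for p in trusted_roots.glob("*.gid")))
    if not fps <= known:
        target = trusted_roots / gid_name
        if target.exists():
            raise FileExistsError("%s already holds another certificate" % target)
        shutil.copy2(ch_cert, target)  # keeps mode and timestamps, like cp -p
        changed.append("trusted_roots")
    # Step 2: append to the Apache client-CA bundle only if it is missing there.
    if not fps <= fingerprints(apache_bundle):
        with open(apache_bundle, "a") as bundle:
            bundle.write("\n" + ch_cert.read_text().strip() + "\n")
        changed.append("apache_bundle")
    return changed  # non-empty: restart Apache, as the procedure says

def demo():
    """Constructed data: placeholder bytes wrapped as PEM, not real X.509."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = Path(tmp, "trusted_roots")
        roots.mkdir()
        ch, bundle = Path(tmp, "ch-cert.pem"), Path(tmp, "ca_clients.crt")
        ch.write_text(ssl.DER_cert_to_PEM_cert(b"constructed clearinghouse CA"))
        bundle.write_text(ssl.DER_cert_to_PEM_cert(b"constructed other CA"))
        first = enable_peer(ch, roots, bundle, "felix-example.gid")
        second = enable_peer(ch, roots, bundle, "felix-renamed.gid")
        names = sorted(p.name for p in roots.iterdir())
        return first, second, names, len(fingerprints(bundle))

if __name__ == "__main__":
    print(demo())
```

Because the comparison is made on the decoded certificate bytes, a copy of the same certificate with different line wrapping or a different file name is still recognised as a duplicate.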