Virtual DICE project snapshot

Being the collected Virtual DICE entries from the meetings of the Managed Platform Unit, collected here for posterity.

Chris has started looking at creating a virtual DICE image using VirtualBox. He is using DIY DICE but has had some problems with installs using PXE. It is likely that this is because the VM does not have a static IP address and thus does not have the necessary DHCP or PXE configuration. We should check that this all still works correctly. It should be possible to install the VM using a static address and then at a later time switch to using a dynamic address.

With VirtualBox it should be possible to create images which are suitable for various different virtualisation software on different platforms (i.e. Windows and MacOSX).

Chris got a DIY DICE client installed using VirtualBox. He had to install it from a CD image as PXE installs for DIY DICE weren't working.

Stephen has now fixed PXE installs for DIY DICE. Stub profiles now get all supported platforms added to them.

Alastair will alter the PXE installer to make it inherit the NFS PXE root from the kernel command line.

Chris has talked to RAT about teaching software requirements. This should be mostly fine, the main issues are likely to be related to software which requires access to licenses.

There are some concerns about supporting users reconfiguring their VMs (installing new packages, etc). The best solution to any problems is probably to just get them to download the latest image and start again.

Chris has been having trouble with roaming.h on his DIY DICE machine. It should work, but may not be quite appropriate. Stephen and Alastair had some suggestions to make as to what to use instead.

Chris now has a virtual machine using DHCP which all works with NAT enabled. There is a local "guest" account which can be used even when networking is disabled. DICE logins work as normal when network connectivity is available. There is still an issue related to LDAP access when the VM is outside of the Informatics network. Currently it is inaccessible and even if it were, the connectivity might not be reliable enough for this to work. We should look at a really simple caching solution for the necessary authorisation information.

There was a question of whether to allow nsu access or whether we should use the more standard sudo. Stephen preferred sudo as this is what most users will be familiar with, it is also well documented and we could easily restrict which commands the users are permitted to execute.

It was agreed that we would configure the size to be dynamic so that the image is no bigger than absolutely necessary.

This project hasn't seen much activity since the last meeting. There are two aspects to look at next:

1. Making LDAP-derived information available in an insecure VM that's probably going to be running outside our firewall. The Infrastructure Unit is taking a look at authenticated LDAP access from outside the firewall, and at LDAP on clients in general, but in the meantime Chris will try Stephen's idea for dumping necessary LDAP info (regularly on a server into nssdb in ACL-protected AFS space, from where it can be pulled down onto a VM after the user has acquired suitable DICE Kerberos and AFS credentials).
2. Make the test VM importable by others and make it available for downloading by interested parties.

Not much has happened. Toby has had some good results with dumping some or all of the LDAP data into a cache on the local disk.

There's a problem with AFS over a NAT interface. When logging in using DICE credentials GNOME often hangs for a while then times out waiting for AFS.

Chris's elderly Mac was struggling mightily to run the DICE VM .ova file. A VirtualBox wiki may have tips on how to get around this.

Toby is working on secure access to the LDAP DB through the firewall. This should allow us to implement a local auth DB cache of some sort.

Chris has had some problems with importing the VM he has created. Exporting appears to work fine but it often fails to import. On DICE it failed the first time but worked correctly on the second attempt. It completely fails to import on various MacOSX machines. Alastair will try importing the image on Windows. Stephen suggested trying the 4.2 version of VirtualBox on DICE to see if the import problems are actually caused by a bug in the exporter.

Chris hasn't been able to get anywhere with the AFS and NAT problems. The suggestion is that this is related to UDP timeouts. Maybe a quick email to the openafs mailing list on how to tune VirtualBox NAT settings might be the best way forwards.

It should clarify things for this project if Chris writes down the various ways in which a DICE-like VM could be expected to work, and how each of these might be achieved. For example people might login to a guest account then authenticate to their own DICE account and access their AFS homedir via a standard symlink; a DICE account could work when connected to the network; a DICE account could work with no network; etc.

Opening up UDP ports 88 and 7000-7007, along with upgrading VirtualBox to 4.2, seems to have solved the AFS problems.

Chris has written up the notes on the various ways we could configure the DICE VM.

Neil had a good go at the test VMs on his home Windows machine and reported some issues which Chris will follow up.

Chris now has the passwd and groups maps saved into local DB files and he is using the nss_db module to do the lookups. There was some debate about whether we should ship the DB files or source text files which can be used to generate DB files on each machine.

There are a number of different possibilities for user logins. As well as having a local guest user we could support DICE in either offline and online modes. The PAM stack probably needs a bit of thought to ensure it works as required. Chris now has pam_mkhomedir working which provides local home directories.

Chris has been having a lot of trouble with VirtualBox instabilities. Is it worth trying a newer version?

Chris is having problems importing a virtual machine. It worked a few weeks ago but now consistently fails with an error like this. It's not a space problem either on the exporting or importing machine; several importing machines have been tried, all Macs; they're running several different versions of the OS; several versions of VirtualBox have been tried; a number of different VM configurations have been tried; the VirtualBox manual and wiki don't seem much help; even the internet search engines just turn up problems which aren't similar enough to help in this case. Alastair and Stephen have suggested some new straws to clutch at:

  • double check the disk space again
  • fill in the form diligently when exporting the VM
  • Give Alastair a go at importing the VMs
  • Try importing to another Linux box

Stephen has pointed out a problem which may hit once the VirtualBox problem has been solved: when Unix authentication is used rather than kerberos authentication, the pam stack still proceeds to the AFS session module, which in this case will fail for lack of a Kerberos ticket. The pam stack may need some adjustment to get round this.

Chris has noticed that the first login after booting a VM takes about 30 seconds longer than subsequent logins. The delay is probably simply down to GNOME being loaded into memory; it's large and involves dozens of processes.

Chris is going to write a script to download the necessary user and group information and build local passwd and group DB files.

Chris will link from the devproj project page to the VirtuallyDICEModes wiki page which describes the various possible ways to configure the authentication for the VM.

Chris is writing a script to download the necessary user and group information and build local passwd and group DB files.

Chris has now written a script for storing the necessary passwd and group data for users. The VM image is ready for testing, Alastair will test it. Chris will write some documentation for users. He will also write up his notes on how to build a new image in case we need to do so when he is not around.
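A sketch of the validation step such a download-and-build script could apply before the passwd map reaches nss_db, given here as an added example and not Chris's script or any DICE code. The uid floor, the login-name pattern and the `.name`/`=uid` key layout (the convention used by glibc's db-Makefile) are assumptions, and the sample accounts are constructed.

```python
import re

# Assumed policy for this example; the page does not state these values.
MIN_UID = 1000                                   # refuse root/system UIDs from the dump
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative login-name pattern

def check_entry(line):
    """Validate one passwd(5) line; return (name, uid) or raise ValueError."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 fields")
    name, pw, uid, gid, _gecos, _home, _shell = fields
    if not NAME_RE.fullmatch(name):
        raise ValueError("bad login name")
    if pw not in ("x", "*"):
        raise ValueError("password hash in cache")
    if not (re.fullmatch(r"[0-9]{1,10}", uid) and re.fullmatch(r"[0-9]{1,10}", gid)):
        raise ValueError("non-numeric uid/gid")
    if int(uid) < MIN_UID:
        raise ValueError("uid below MIN_UID")
    return name, int(uid)

def build_makedb_input(text):
    """Return (records, rejected) for a passwd-format dump."""
    records, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            name, uid = check_entry(line)
            if name in seen or uid in seen:   # names are str, uids are int
                raise ValueError("duplicate name or uid")
        except ValueError as err:
            rejected.append((lineno, str(err)))
            continue
        seen.update((name, uid))
        # Assumed key layout: ".name" and "=uid", each followed by the full line.
        records += [f".{name} {line}", f"={uid} {line}"]
    return records, rejected

# Constructed sample dump, not real accounts.
SAMPLE = """\
alice:x:20001:20001:Alice Example:/home/alice:/bin/bash
bob:*:20002:20002:Bob Example:/home/bob:/bin/bash
root2:x:0:0:second root:/root:/bin/bash
mallory:$6$abc:20003:20003::/home/mallory:/bin/bash
alice:x:20009:20009:dup name:/home/alice2:/bin/bash
eve:x:20002:20002:dup uid:/home/eve:/bin/bash
broken:x:20005
"""

if __name__ == "__main__":
    recs, bad = build_makedb_input(SAMPLE)
    print("\n".join(recs), bad, sep="\n")
```

The accepted records are in the key/value line form that glibc's `makedb` reads; rejected lines are worth logging, since a uid 0 or duplicate-uid entry in the cache would alias a privileged or existing account on the VM.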

Alastair tried the 64-bit image and it worked well, except that df hung on an amd mount. Chris will eliminate amd.

Chris will look initially into web and AFS for distribution of the images.

The initial version of the Virtual DICE management page is there. Chris is now working on the Virtual DICE user docs.

Stephen noted that USB support was enabled which means that the non-Free extension pack must be installed. This can be a problem for users on Debian, if we don't need the USB support can it be disabled? Stephen also noted that, at least on Debian, the virtualbox file chooser dialog only looks for .ovf files not .ova files, this isn't a big problem as double-clicking on the icon (via something like the nautilus file browser) works just fine. Maybe we just need to document this minor issue.

There was a suggestion that we should create an "upgrade virtual dice" script. Even if this doesn't do much right now we can add it to the documentation and it gives us the option of altering and extending the upgrade process in the future if necessary.

Chris noted that it would be good to have a different background image for the login screen. We also need a license text for the initial startup screen, it needs to note that some of the software may not be distributable so the image must not be shared.

We should add the yum configuration so that users can install packages from our public repositories (lcfg and world). That way they can install any extra RAT software which isn't included in the initial image. This will probably still require edlan or VPN access but that's better than nothing. We should configure yum to get the SL distribution and epel packages from the main upstream repositories so that they can be downloaded from anywhere.

We are unlikely to be able to use updaterpms to manage the software on the VM since users are going to want to use yum to install extra stuff. Running updaterpms would remove any packages installed using yum.

The update-vdice script is now there. It optionally runs updaterpms but not by default.

There's been a lot more work on the documentation.

RAT reckons that all semester 1 software is there apart from isabelle and that many students may not need that anyway, so we should go ahead and make the first release.

Stephen suggested a small readme in the images download directory.

Chris and Alastair found some interesting yum behaviour. Chris repeatedly tried yum search on a freshly installed 32bit VM and found that it crashed with alarming strings of Python errors, whereas Alastair, doing yum update on an existing 64bit VM, had no such difficulties. Stephen recognised this as a known yum bug: it'll crash on a freshly installed machine until you run yum update or yum check-update. Chris has added this to the pre-ship procedure list on the Virtual DICE management page.

yum update on the VM wanted to replace, amongst other things, our openafs packages with SL ones. However Stephen reckons that that's fine as they're just as up to date as ours. update-vdice can always restore the local packages if needed. We'll advise users not to run yum update anyway - yum install should be safer.

Chris announced the Virtual DICE image to students and asked for testers. One student had problems with virtualbox, they tried vmware without any success. Eventually they got virtualbox working but they didn't give enough details of the issues encountered. So far the image has had 27 unique downloads according to the apache logs which shows there is at least some interest.

Chris proposed that we use new host names for each release to make it easy to identify. We won't need to make new releases too often just when big changes are made to the RAT software. We're not particularly concerned about minor security updates, most applications such as web browsers should be used in the normal environment (i.e. not the VM). Maybe we should make the next release in early January just before the start of semester 2?

There hasn't been much feedback from students, and nobody has volunteered to test anything. Chris will mail out a reminder asking for feedback.

Chris has had some helpful responses from the students, based on this he has improved the documentation. In particular it was noted that the students hadn't realised they need to use the Informatics VPN if they want a full DICE login. If we could allow access to the Informatics LDAP service from edlan then that requirement would disappear. They could then use their full DICE login from that VPN, resnet, the library, edlan wireless, etc. The other question was about printing, could we enable kerberised printing?

The main thing Chris got from the student feedback was that people were getting confused between Informatics' network and that of the rest of the university. It would simplify things for the students if we could make it possible for them to login to Virtual DICE using their DICE credentials and get their AFS home directory as their home directory, with their computer connected to anywhere on the university network. This is currently possible just from the Informatics network. The current stumbling block is that we don't export our LDAP information beyond the Informatics firewall - at least not without authentication, which isn't possible at the login stage. Following discussion at the operational meeting it was agreed that Toby would try logging in from Virtual DICE in this fashion while using a test "log everything" LDAP server, to see exactly what information would need to be exposed to the rest of EdLAN.

Toby has investigated what LDAP access is required for virtual DICE to work on external networks. A meeting of interested parties is being organised. After the meeting we can decide what further work will be done and what should be held over for the next virtual DICE project. Chris noted that we said that we would make new images before the start of semester 2 to pickup any new teaching software.

Toby has made LDAP changes but not yet changed the ACLs. Once he's done that Chris will test Virtual DICE logins from EdLAN.

Chris discovered that the virtual DICE image does not work with VMWare due to the inclusion of the VirtualBox add-ons package. He has prepared a version for VMWare so that it can be used by the user who reported the problem.

Toby has tried a test LDAP service which has the necessary alterations to the ACLs. He got a DICE login working from edlan, he will now apply the changes to the real service.

Toby has now successfully made his LDAP change, so the people tree is visible from EdLAN.

Chris will test Virtual DICE logins and rewrite the documentation to match.

Chris has tested the LDAP changes. It is now possible to login using DICE credentials from edlan without using a VPN. Chris has revamped the documentation to reflect this change. It was agreed that the notes on how to use the VM with a local user (i.e. for when without network access) would be moved into a separate page to avoid the potential for confusion.

With the documentation page on Virtual DICE's local accounts this project is complete. Chris will tackle the final report.

Chris is now writing the final report.

Chris is writing the final report.

Chris has written the final report, Alastair and Stephen will review.

Stephen has read the draft final report and suggests that it tries to explain the difference between the initial effort estimate and the final total, so we can try to get better at the initial estimates.

Chris has finished the final report and it has been reviewed. The project will be submitted for completion at the Development Meeting on 3rd September.

Outstanding actions before project completion:

  • poster/media display
  • project homepage snapshot
  • school wide announcement
  • user support sign-off

Chris has produced a possible poster to display in the labs, but publicity for Virtual DICE - posters and announcements - would probably be best done when the new session's Virtual DICE release has been done. That will be done once the usual last minute teaching software requests have made it into the stable release - hopefully in the week starting 22 September. A project homepage snapshot would include everything written in connection with the project, including blog posts. In general it's probably an idea to blog about your projects about once a week - if you've done work on the project that week. In this case the Virtual DICE reports from the MPUnitMeetings would probably serve.

Nothing happened, waiting for a couple of weeks for RAT to have the teaching software finished for Semester 1.

Topic revision: r1 - 25 Nov 2014 - 11:51:43 - ChrisCooke