Opened 16 years ago

Closed 16 years ago

Last modified 16 years ago

#33 closed task (fixed)

Serial console access

Reported by: ecprice Owned by: broder
Priority: major Milestone: Demo-able
Component: vnc Version:
Keywords: Cc:

Description

We should have access to the serial console. One proposed solution is to:

  • use conserver to allow some VM (e.g. sipb-xen-dev) to access the serial console
  • have this VM run an SSH daemon that connects user <machine-name> to the appropriate console.

Change History (9)

comment:1 Changed 16 years ago by broder

  • Owner changed from quentin to broder
  • Status changed from new to accepted

This is done short of getting a keytab for the server and installing that.

We are using libnss-pgsql to create a virtual user that corresponds to a database-managed VM.

  • These virtual users have a shell set that does nothing more than ssh into black-mesa as user console and set the environment variable VM_NAME

We use nscd to work around a deadlock in libnss-pgsql.

We use a Fuse filesystem to create a fake homedir for each of the fake users with a .k5login that has the correct values for a given VM.

Once we get the keytab, we can turn on Kerberos auth for console.servers.csail.mit.edu, and we'll be all set.

On the black-mesa side, we:

  • Created a console user account
  • Gave it permission to run /usr/local/bin/sipb-xen-console with passwordless sudo
  • /usr/local/bin/console-shell is the shell for the account, and it runs sudo /usr/local/bin/sipb-xen-console $VM_NAME
  • sipb-xen-console runs xm console

The changes to console.servers.csail.mit.edu have been packaged. We believe that installing the sipb-xen-console package will do almost all of the configuration (except for installing trusted secrets). The changes to black-mesa have not been packaged.
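
Added example, not part of the ticket or the project's packages: one way the console-shell wrapper described in comment:1 could validate VM_NAME before it reaches the passwordless sudo command. The allowed character set, the 64-character limit and the DRY_RUN switch are assumptions; the command path is the one named in the ticket.

```shell
#!/bin/sh
# Hypothetical hardened console-shell for the "console" account (added example).
# VM_NAME arrives from another host, so treat it as untrusted input.

LC_ALL=C; export LC_ALL                      # keep [A-Za-z] ranges ASCII-only
CONSOLE_CMD=/usr/local/bin/sipb-xen-console  # path named in the ticket

# Return 0 only for names made of letters, digits, '.', '_' and '-'
# (assumed naming policy), 1..64 characters, not starting with '-' or '.'.
valid_vm_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case $name in
        -*|.*) return 1 ;;                  # would parse as an option or a dot path
        *[!A-Za-z0-9._-]*) return 1 ;;      # any character outside the allow-list
    esac
    return 0
}

# Validate, then hand exactly one quoted argument to the privileged command.
# DRY_RUN=1 (assumed switch) prints the command instead of running it.
console_shell() {
    if ! valid_vm_name "${VM_NAME-}"; then
        echo "console-shell: missing or invalid VM_NAME" >&2
        return 64
    fi
    if [ "${DRY_RUN-0}" = 1 ]; then
        printf 'sudo %s %s\n' "$CONSOLE_CMD" "$VM_NAME"
        return 0
    fi
    exec sudo "$CONSOLE_CMD" "$VM_NAME"
}

# Run only when installed under the name console-shell, so the file can
# also be sourced to exercise the functions.
case ${0##*/} in
    console-shell) console_shell ;;
esac
```

The same check belongs in sipb-xen-console itself, since that is the program sudo actually runs as root.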

comment:2 Changed 16 years ago by anonymous

Oh, also - console.servers.csail.mit.edu is a HVM instead of a ParaVM because Fuse apparently doesn't work with etch's ParaVM kernel.

comment:3 Changed 16 years ago by broder

Weird things start to happen if multiple people try to connect at once. We should disallow that for now. Or look into quentin's conserver thing, which we haven't done yet.

comment:4 Changed 16 years ago by broder

The fuse module doesn't get modprobe'd by default at bootup. I'm not really sure how I'm supposed to do that...

comment:5 Changed 16 years ago by tabbott

The easiest solution is to add "modprobe fuse" to an init script.

I think if you run something newer than etch, fuse gets automatically loaded when you try to fusermount.

comment:6 Changed 16 years ago by price

  • Milestone set to Demo-able

comment:7 Changed 16 years ago by price

  • Milestone set to Demo-able

comment:8 Changed 16 years ago by broder

  • Resolution set to fixed
  • Status changed from accepted to closed

The serial console is working. It is using conserver. There are packages to support this both on black-mesa and sipb-xen-console.

All VMs (Para- and H-) have /dev/ttyS0 connected to the serial console. ssh'ing to $MACHINE_NAME@… (or sipb-xen-console.mit.edu) will connect you to your VM's serial console using conserver. I recommend https://help.ubuntu.com/community/SerialConsoleHowto for instructions on how to enable the console on your Debian or Ubuntu VM.

Note that, in particular, this allows VMs to be owned by principals that don't have certs.

comment:9 Changed 16 years ago by price

The autoinstall clone image now supports this too.
