a secure infrastructure for system console and reset access a
TRANSCRIPT
A Secure Infrastructure For System Console and Reset Access
Andras Horvath, Markus Schulz, Emanuele Leonardi
A.Horvath, IT/ADC/LE 27/03/03
1A Secure Infrastructure For System Console and Reset Access
Area of operation
� Commodity computing(cheap standard PC + Linux)
� Large number of nodes
� Maximum CPU power / $$$
A.Horvath, IT/ADC/LE 27/03/03
2A Secure Infrastructure For System Console and Reset Access
Current technology
A.Horvath, IT/ADC/LE 27/03/03
3A Secure Infrastructure For System Console and Reset Access
Requirements
� keep costs low
� least possible restriction on the hardware of nodes managed
� remote access (without special client software)
� secure communication and data storage
� strong authentication, role - based authorization, strict accounting
� automatization possible
A.Horvath, IT/ADC/LE 27/03/03
4A Secure Infrastructure For System Console and Reset Access
Available technology
�KVM switches
� analogue:cheapnot accessible remotelyno resets
� digital:expensivealso no resets
� IPMI (Intelligent Platform Management Interface)all-in-one solutiontests not satisfactorynot widespread enough
� Serial consolewidespread, common technologyCC boxes: either cheap or secure but not bothno resetsno BIOS access
� VGA emulator PCI cards ("weasel board" etc.)all-in-one solutionvery expensive
A.Horvath, IT/ADC/LE 27/03/03
5A Secure Infrastructure For System Console and Reset Access
Rack of PCs
A.Horvath, IT/ADC/LE 27/03/03
6A Secure Infrastructure For System Console and Reset Access
Console servers
console servers (CS)
A.Horvath, IT/ADC/LE 27/03/03
7A Secure Infrastructure For System Console and Reset Access
Our hardware solution
A.Horvath, IT/ADC/LE 27/03/03
8A Secure Infrastructure For System Console and Reset Access
Console and reset servers
Relay box
both CS and RS
reset server (RS)
A.Horvath, IT/ADC/LE 27/03/03
9A Secure Infrastructure For System Console and Reset Access
Interfacing the system
� web-based human interface, SSL, X.509 authentication
� role-based access control model
� well-defined database API for machines
� interconnection data and authorization information in the database
� internal communication over SSH
A.Horvath, IT/ADC/LE 27/03/03
10A Secure Infrastructure For System Console and Reset Access
A.Horvath, IT/ADC/LE 27/03/03
11A Secure Infrastructure For System Console and Reset Access
A.Horvath, IT/ADC/LE 27/03/03
12A Secure Infrastructure For System Console and Reset Access
Architecture - consoles
A.Horvath, IT/ADC/LE 27/03/03
13A Secure Infrastructure For System Console and Reset Access
Architecture - reset subsystem
A.Horvath, IT/ADC/LE 27/03/03
14A Secure Infrastructure For System Console and Reset Access
Costs
� serial console solution: $24 / node
� remote reset system: $17 / node
� worktime:
� node cabling: 10 nodes / person / hour
� (cable making: for 5 nodes / person / hour)
Commercial ssh-enabled serial console servers:starting from about $110 / node
Digital KVM switches:from about $500 / node
A.Horvath, IT/ADC/LE 27/03/03
15A Secure Infrastructure For System Console and Reset Access
Current status, next steps
� Current status
� hand-made cabling - deployed to 50 nodes
� received user feedback
� got request for more nodes
� Immediate future
� move to large-scale deployment
� Goal: LHC grid - 6000 nodes!
A.Horvath, IT/ADC/LE 27/03/03
16A Secure Infrastructure For System Console and Reset Access
Thank you for your attention
Reset board control software developed by:
� Preslav Konstantinov
� Guner Passage
For more information, please e-mail:[email protected]
A.Horvath, IT/ADC/LE 27/03/03
17A Secure Infrastructure For System Console and Reset Access