author | Brock Pytlik <brock.pytlik@oracle.com> |
Wed, 27 Apr 2011 20:30:32 -0700 | |
changeset 2310 | ce10607d5332 |
child 2448 | 2a649d8c190d |
permissions | -rw-r--r-- |
11684 desire option to not propagate certs to non-global zones

System Repository and Publishers

Introduction:

Linked images, and zones in particular, must keep certain packages in sync with
the global zone in order to be functional. The global zone will constrain
packages within the non-global zones and configure special publishers in the
non-global zone (NGZ). These publishers (henceforth called system publishers)
are special because the non-global zone cannot make certain kinds of
modifications to them. Among the operations forbidden to the non-global zone on
the system publishers are deleting, disabling, removing or replacing origins
provided by the system repository, and any other operation which might prevent
the solver from meeting the constraints imposed by the constraint package. The
global zone must provide the means for the non-global zone to configure itself
with the system publishers, by supplying information such as their origins. The
global zone also has to provide a connection to the system publishers'
repositories which is available even in a scratch zone.


The Data path:

The pkg client in the NGZ uses the system repository in the global zone as a
proxy to the system publishers. To ensure that a communication path between the
pkg client in the NGZ and the system repository in the global zone always
exists, the zone proxy client and the zone proxy daemon were created.

The zone proxy client runs in the NGZ. When started, it creates a socket which
listens on an inet port on 127.0.0.1 in the NGZ. It passes the file descriptor
for this socket to the zone proxy daemon in the global zone via a door call. The
zone proxy daemon listens for connections on that file descriptor. When the zone
proxy daemon receives a connection, it proxies the connection to the system
depot. The system depot is an Apache instance running in the global zone which
provides connectivity to, and configuration of, the system publishers.

The system depot acts as a proxy for the http and https repositories of the
publishers it provides. When proxying to https repositories, it uses the keys
and certificates in the global zone to identify itself and to verify the
server's identity, so the pkg client in the NGZ needs no copy of them. It also
provides an http interface to the file repositories of the publishers it
provides, as well as serving publisher and image configuration via the syspub/0
response.


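The hand-off described in the two paragraphs above, as an added example that is not part of this design note or of pkg(5)'s zone proxy code. It is written for any host with Python 3: the door call that carries the descriptor between zones is replaced by handing the same (dup'd) descriptor to a thread in one process, the depot is a hypothetical one-shot server that tags what it receives (not Apache), and the loopback addresses and ports are chosen at run time. What it shows is the shape of the data path: the NGZ side only ever creates a loopback listener and connects to it; the side that adopts the descriptor is the one that reaches the backend, and it checks that what it was handed really is a loopback-bound listening socket before serving it.

```python
import os
import socket
import threading

ACCEPT_POLL = 0.2  # seconds between checks of the stop flag (arbitrary value)


def recv_all(sock):
    """Read until the peer half-closes; the demo uses one request per connection."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def make_listener(host):
    """TCP listener on an ephemeral port (loopback in the demo, wildcard in the negative test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(8)
    return sock


def hand_off(listener):
    """Stand-in for the door call: a duplicated descriptor for the same open socket."""
    return os.dup(listener.fileno())


def serve_depot(listener, stop):
    """Hypothetical one-shot system depot: reads one request, replies with it tagged."""
    listener.settimeout(ACCEPT_POLL)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        with conn:
            conn.sendall(b"DEPOT:" + recv_all(conn))


def zone_proxy_client():
    """NGZ side: create the 127.0.0.1 listener and the descriptor to pass across."""
    listener = make_listener("127.0.0.1")
    return listener, hand_off(listener)


def adopt_listener(passed_fd):
    """Global-zone side: wrap a received descriptor, refusing anything that is
    not a loopback-bound listening socket, since every connection arriving on
    it will be served against the depot."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, fileno=passed_fd)
    host, _ = sock.getsockname()
    if host != "127.0.0.1":
        sock.close()
        raise ValueError("refusing listener bound to %s, not loopback" % host)
    if hasattr(socket, "SO_ACCEPTCONN") and not sock.getsockopt(
            socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
        sock.close()
        raise ValueError("descriptor is not a listening socket")
    return sock


def zone_proxy_daemon(passed_fd, depot_addr, stop):
    """Global-zone side: accept on the adopted listener and forward each
    connection to the depot. The NGZ never needs a route to depot_addr."""
    listener = adopt_listener(passed_fd)
    listener.settimeout(ACCEPT_POLL)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        with conn, socket.create_connection(depot_addr) as upstream:
            upstream.sendall(recv_all(conn))
            upstream.shutdown(socket.SHUT_WR)  # request complete; now wait for the reply
            conn.sendall(recv_all(upstream))
    listener.close()


def run_demo(request=b"GET /solaris/catalog/1/ HTTP/1.0\r\n\r\n"):
    """Send one request along NGZ client -> proxy client socket -> proxy daemon
    -> depot, and return what the NGZ client got back."""
    stop = threading.Event()
    depot = make_listener("127.0.0.1")
    threading.Thread(target=serve_depot, args=(depot, stop), daemon=True).start()
    ngz_listener, passed_fd = zone_proxy_client()
    threading.Thread(target=zone_proxy_daemon,
                     args=(passed_fd, depot.getsockname(), stop), daemon=True).start()
    try:
        with socket.create_connection(ngz_listener.getsockname()) as client:
            client.sendall(request)
            client.shutdown(socket.SHUT_WR)
            return recv_all(client)
    finally:
        stop.set()
        ngz_listener.close()
        depot.close()
```

Calling run_demo() returns the request bytes prefixed with "DEPOT:", which can only have happened if the proxy daemon accepted on the descriptor the NGZ side created and relayed the connection. The check in adopt_listener is the part worth keeping in mind: a daemon that will serve every connection arriving on a descriptor it did not create should confirm what that descriptor is before listening on it.
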
Configuration:

The syspub/0 response is a p5s file. The p5s file contains publisher
configuration and image configuration. Currently, the only image configuration
it contains is the publisher search order for the provided publishers, but other
information may be added to the response as needed. In addition to the basic
collection of publisher information, the p5s file also contains a list of URLs
which the pkg client should reach by proxying through the system depot instead
of contacting them directly. When creating a p5s file, the URLs for origins and
mirrors can be transformed. HTTPS URLs are transformed to HTTP URLs, since the
system depot, not the pkg client, will be doing the SSL communication. File URLs
are transformed into HTTP URLs with a special format: the URL contains the
special token "<sysrepo>", which the p5s parser knows to replace with the URL of
the zone proxy client, followed by the prefix of the publisher and then the sha1
hash of the global zone path to the file repository.

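The URL rewriting and the NGZ-side parsing described above, as an added example that is not the page's or pkg(5)'s own code. The p5s document is modelled as a plain dict with illustrative key names ("publishers", "search-order", "proxied-urls"), the zone proxy client address http://127.0.0.1:1008 is a placeholder, the hostnames in the sample are constructed, and the UTF-8 encoding of the repository path before hashing is an assumption; the rewriting rules themselves (https to http, file to http://<sysrepo>/<prefix>/<sha1 of path>) follow the text. The parser also does the check a practitioner would want before a client acts on configuration that arrived over the proxy: it accepts the <sysrepo> token only as the whole host part, and only http URLs after substitution.

```python
import hashlib
from urllib.parse import unquote, urlsplit, urlunsplit

SYSREPO_TOKEN = "<sysrepo>"  # stands for the zone proxy client's address until parsed


def repo_path_digest(path):
    """sha1 of the global-zone path of a file repository (UTF-8 encoding assumed)."""
    return hashlib.sha1(path.encode("utf-8")).hexdigest()


def transform_uri(prefix, uri):
    """Rewrite one origin or mirror URI for use inside the NGZ.

    https -> http: the system depot does the SSL communication with the global
    zone's keys and certificates, so the NGZ client speaks plain HTTP to the proxy.
    file -> http://<sysrepo>/<prefix>/<sha1(path)>: the NGZ cannot see the global
    zone's filesystem, so the depot serves the repository over HTTP instead.
    Anything else (plain http origins) is returned unchanged.
    """
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return urlunsplit(("http", parts.netloc, parts.path, parts.query, parts.fragment))
    if parts.scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise ValueError("not a local repository path: %r" % uri)
        return "http://%s/%s/%s" % (SYSREPO_TOKEN, prefix, repo_path_digest(unquote(parts.path)))
    return uri


def make_p5s(publishers, search_order):
    """Global-zone side: build the p5s-like document handed out as syspub/0.

    publishers is an iterable of (prefix, origins, mirrors) taken from the image
    configuration. The dict keys are illustrative, not pkg(5)'s schema. Every
    rewritten origin and mirror is also listed under "proxied-urls", the set the
    NGZ client must reach only through the system depot.
    """
    doc = {"publishers": [], "search-order": list(search_order), "proxied-urls": []}
    for prefix, origins, mirrors in publishers:
        new_origins = [transform_uri(prefix, u) for u in origins]
        new_mirrors = [transform_uri(prefix, u) for u in mirrors]
        doc["publishers"].append(
            {"prefix": prefix, "origins": new_origins, "mirrors": new_mirrors})
        doc["proxied-urls"].extend(new_origins + new_mirrors)
    return doc


def parse_p5s(doc, zone_proxy_url):
    """NGZ side: substitute the zone proxy client's address for <sysrepo> and
    validate every URI before the client acts on it.

    Returns ({prefix: {"origins": [...], "mirrors": [...]}}, search_order,
    set_of_urls_to_proxy). Rejects non-http URIs (nothing should survive the
    rewriting with another scheme) and any <sysrepo> token that is not the whole
    host part, so a crafted document cannot smuggle the token into a path or
    point the client anywhere but the proxy.
    """
    proxy_netloc = urlsplit(zone_proxy_url).netloc

    def resolve(uri):
        parts = urlsplit(uri)
        if parts.scheme != "http":
            raise ValueError("system publisher URI must be http: %r" % uri)
        if parts.netloc == SYSREPO_TOKEN:
            return urlunsplit(("http", proxy_netloc, parts.path, parts.query, parts.fragment))
        if SYSREPO_TOKEN in uri:
            raise ValueError("<sysrepo> is only valid as the host part: %r" % uri)
        return uri

    publishers = {}
    for pub in doc["publishers"]:
        publishers[pub["prefix"]] = {
            "origins": [resolve(u) for u in pub["origins"]],
            "mirrors": [resolve(u) for u in pub["mirrors"]],
        }
    proxied = {resolve(u) for u in doc["proxied-urls"]}
    return publishers, list(doc["search-order"]), proxied


# Constructed sample: one https publisher and one file-based publisher in the
# global zone, consumed by an NGZ whose zone proxy client listens on a
# placeholder address.
SAMPLE_PUBLISHERS = [
    ("solaris", ["https://pkg.example.com/solaris/release/"], ["http://mirror.example.com/solaris/"]),
    ("local", ["file:///export/repo"], []),
]
ZONE_PROXY_URL = "http://127.0.0.1:1008"  # hypothetical zone proxy client address


def demo():
    """Round-trip the sample through both sides and return the NGZ's view."""
    return parse_p5s(make_p5s(SAMPLE_PUBLISHERS, ["solaris", "local"]), ZONE_PROXY_URL)
```

After demo(), the "local" publisher's only origin is http://127.0.0.1:1008/local/<sha1 of /export/repo>, and the "solaris" origin has become plain http: nothing in the NGZ's view carries an https scheme or a global-zone path, which is the point of the rewriting.
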
The information for the syspub/0 response comes from the global zone's image
configuration. The pkg/sysrepo service is responsible for transforming the image
configuration into an Apache configuration file and causing the system depot to
reread its configuration. The global zone pkg client restarts the pkg/sysrepo
service whenever the image's publisher configuration changes.