FRμIT project meeting #3: Southampton

The third FRμIT project meeting was held on 16 January 2018 at the University of Southampton. The main focus of the meeting was the security and authentication infrastructure requirements for the FRμIT stack, and whether these can be satisfied by the Jisc Moonshot implementation of the IETF ABFAB protocols. We also discussed progress with the Pi Stack power supply board for high-density Raspberry Pi clusters.

Photograph of the FRμIT team

The primary focus of this meeting was to understand the security requirements for the FRμIT testbed infrastructure. There are two main parts to this: secure messaging for application control, data dissemination, and software updates; and authentication infrastructure for federated access to the FRμIT testbed. The meeting began with a presentation from Andrew Poulter (University of Southampton and DSTL) on pySRUP, a Python-based implementation of the SRUP secure remote update protocol. This is a publish-subscribe command and control protocol, based on MQTT, for Internet-of-Things (IoT) devices that is applicable to clusters of single-board computers such as the FRμIT testbed. It provides a hierarchical message distribution model, with strong authentication and integrity protection, that seems highly suitable for our use cases. The key limitation appears to be the assumption that devices have a robust permanent network connection and can readily communicate with the message broker. This makes it potentially unsuitable for the delay tolerant applications of FRμIT, and might limit applicability for networks subject to middleboxes such as NATs and firewalls - we need to consider how it integrates with the peer-to-peer software update mechanism we've been prototyping in Glasgow.

The second presentation of the day was by Stefan Paetow (Jisc), who spoke about Jisc project Moonshot, an open source implementation of the IETF's ABFAB protocol suite. This is being considered as a federated authentication scheme for access control in the FRμIT testbed — that is, for managing remote login access to the cluster. The goal of this is to do for remote ssh access to the FRμIT cluster what eduroam did for Wi-Fi roaming: using GSSAPI, RADIUS, etc., to provide federated user authentication for access to non-web resources, such as the cluster nodes in our testbed. The protocols here seem to meet our needs. The complexity comes from integrating with the site-wide authentication infrastructure of the universities participating in the FRμIT project, and the political realities of dealing with the bureaucracy in the partner institutions to develop policies that enable shared access to our compute cluster resources.

Photograph of some Pi Stack cluster power supply boards

After the morning break, we moved on from security and authentication to discuss cluster hardware. Phil Basford gave an update on the Pi Stack board, the custom power supply board Southampton are developing to support high-density Raspberry Pi clusters. This provides power to a pair of Raspberry Pi nodes, mounted top-to-top, with remote control via an RS485 link to power-cycle the nodes as necessary. Several of these boards can be stacked, allowing up to 16 Raspberry Pi nodes to be powered and controlled, with power and data provided to the stack via the spacer bars separating the Raspberry Pi nodes. The result is higher density than existing cluster power solutions, less cabling, and remote power control for the cluster nodes. Version 3 of the PCB is believed stable and an initial batch of 50 boards is being manufactured and will be distributed to the project partners for testing and evaluation. If the tests prove successful, the Pi Stack board should allow us to build very high density clusters, and may be suitable for commercialisation.

The second half of the meeting, after lunch, consisted of a status review and planning for future work, publications, etc. We continue to make progress with the Alpine Linux-based FRμIT distribution; the run-time infrastructure to support applications (based on either the Singularity Linux container runtime, unikernels, or bare metal as a service); live migration of bare metal systems; and various applications including LoRaWAN IoT sensor networks.

The next project meeting will be in May 2018, at the University of Glasgow.

Opinions expressed are my own, and do not represent those of my employers or the organisations that fund my research.