FRμIT project meeting #3: Southampton
16 January 2018
The third
FRμIT project meeting was held on 16 January 2018 at the
University of Southampton. The main focus of the meeting was the
security and authentication infrastructure requirements for the
FRμIT stack, and whether these can be satisfied by the
Jisc Moonshot
implementation of the IETF
ABFAB protocols. We also discussed progress with the Pi Stack
power supply board for high-density Raspberry Pi clusters.
The primary focus of this meeting was to understand the security
requirements for the FRμIT testbed infrastructure. There are two
main parts to this: secure messaging for application control, data
dissemination, and software updates; and authentication infrastructure
for federated access to the FRμIT testbed.
The meeting began with a presentation from Andrew Poulter (University
of Southampton and DSTL) on pySRUP, a Python-based implementation of
the SRUP secure remote
update protocol. This is a publish-subscribe command and control
protocol, based on MQTT, for Internet-of-Things (IoT) devices that is
applicable to clusters of single-board computers such as the
FRμIT testbed. It provides a hierarchical message distribution
model, with strong authentication and integrity protection, that seems
highly suitable for our use cases. The key limitation appears to be
the assumption that devices have a robust permanent network connection
and can readily communicate with the message broker. This makes it
potentially unsuitable for the delay tolerant applications of FRμIT,
and might limit applicability for networks subject to middleboxes such
as NATs and firewalls - we need to consider how it integrates with the
peer-to-peer
software update mechanism we've been prototyping in Glasgow.
The second presentation of the day was by Stefan Paetow (Jisc), who
spoke about Jisc
project Moonshot, an open source implementation of the IETF's
ABFAB
protocol suite. This is being considered as a federated authentication
scheme for access control in the FRμIT testbed — that is, for
managing remote login access to the cluster. The goal of this is to do
for remote ssh access to the FRμIT cluster what eduroam did for
Wi-Fi roaming: using GSSAPI, RADIUS, etc., to provide federated user
authentication for access to non-web resources, such as the cluster
nodes in our testbed. The protocols here seem to meet our needs. The
complexity comes from integrating with the site-wide authentication
infrastructure of the universities participating in the FRμIT
project, and the political realities of dealing with the bureaucracy
in the partner institutions to develop policies that enable shared
access to our compute cluster resources.
After the morning break, we moved on from security and authentication
to discuss cluster hardware. Phil Basford gave an update on the Pi
Stack board, the custom power supply board Southampton are developing
to support high-density Raspberry Pi clusters. This provides power to
a pair of Raspberry Pi nodes, mounted top-to-top, with remote control
via an RS485 link to power-cycle the nodes as necessary. Several of
these boards can be stacked, allowing up to 16 Raspberry Pi nodes to
be powered and controlled, with power and data provided to the stack
via the spacer bars separating the Raspberry Pi nodes. The result offers
higher density than existing cluster power solutions, cuts down on
cabling, and provides remote power control for the cluster nodes.
Version 3 of the PCB is believed stable and an initial batch of 50
boards is being manufactured and will be distributed to the project
partners for testing and evaluation. If the tests prove successful,
the Pi Stack board should allow us to build very high density clusters,
and may be suitable for commercialisation.
The second half of the meeting, after lunch, consisted of a status
review and planning for future work, publications, etc. We continue
to make progress with the Alpine Linux-based FRμIT distribution,
the run-time infrastructure to support applications (based on either
the Singularity Linux container runtime, unikernels, or bare metal
as a service); live migration of bare metal systems; and various
applications including LoRaWAN IoT sensor networks.
The next project meeting will be in May 2018, at the University of
Glasgow.