Chameleon
The Chameleon is a process that provides the ability to start up a service
on a remote machine. ssh could be used for this, but it would also grant general
shell access and so raise other security issues. As a result, an application has been
created that can only start up Jicos services:
- HSP (Host Service Provider)
- TaskServer
- Host
- TaskServerMatlab
- HostMatlab
By default, all five services may be started. This may be limited using the
chameleon.security.allowable property listed below.
Another issue that the Chameleon addresses is software updates.
Periodic updates to Jicos should be installable with minimal effort.
To this end, the Chameleon can download the latest codebase from a location defined
by the site's administrator and start the service using the new codebase.
Installation
In the .../framework/scripts/admin/startup directory, there are several
tarballs that contain the files necessary to have Chameleon start up automatically at boot time.
The information here is intentionally sparse. If these instructions don't make sense,
please, Please, PLEASE get the help of your administrative staff.
redhat.tar.gz
This contains two files, etc/rc.d/init.d/chameleon and etc/sysconfig/chameleon.
After installing, be sure to activate the service with chkconfig --add chameleon.
Startup values can be placed in the etc/sysconfig/chameleon file.
Future work includes building an RPM.
sh.tar.gz
This tarball contains chameleon.sh, a generic script that can be placed
in the appropriate rc[345].d directory.
Windows
Still needs to be defined
macos-10.3.tar.gz
This file should be extracted in /Library/StartupItems.
Set the site-specific properties in /etc/hostconfig.
Properties
A convenient place to store all of the properties is inside the chameleon.jar file itself.
When starting, Chameleon looks
Additional properties can be specified on a site-by-site basis: the URL of the system JAR file, location of the policy file, etc.
This file is located at edu/ucsb/cs/jicos/admin/chameleon/default.properties .
The following properties are currently supported:

Property | Default Value | Description
--- | --- | ---
chameleon.property.filename | null | The name of a file containing all the properties.
chameleon.refresh.jarfile.baseurl | null | The "base" URL of the latest jicos-runtime.jar file. The file will be in the directory dist/jicos-runtime.jar relative to this directory.
chameleon.refresh.dirname | /tmp | The location where the new jicos-runtime.jar will be placed when downloaded.
chameleon.security.policy | null | The value of java.security.policy that the Chameleon is currently using. If the policy file is currently in chameleon.jar, then it will strip off the jar:file:jarfilename! prefix and try to use the remainder.
chameleon.security.policy.hsp | null | Uses the value of chameleon.security.policy if not defined.
chameleon.security.policy.taskserver | null | Uses the value of chameleon.security.policy if not defined.
chameleon.security.policy.host | null | Uses the value of chameleon.security.policy if not defined.
chameleon.security.policy.taskservermatlab | null | Uses the value of chameleon.security.policy if not defined.
chameleon.security.policy.hostmatlab | null | Uses the value of chameleon.security.policy if not defined.
chameleon.security.allowable | all | A comma- or whitespace-separated list of allowable services. The names of the services are defined in Chameleon.java as CMD_x.
chameleon.start.refresh | true | Perform a codebase refresh before starting any service.
chameleon.start.jvmoptions | null | Any special options to pass to the JVM when starting a service.
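The following is an added example, not part of Jicos or the Chameleon code, showing how an administrator could lint a site's property settings before deployment: it parses a constructed sample configuration, expands chameleon.security.allowable (comma or whitespace separated, "all" by default) against the five service names, flags unknown names, and resolves each service's effective policy file including the fallback to chameleon.security.policy and the jar:file:...! prefix stripping described in the table. It assumes plain Java key=value property syntax and case-insensitive matching of service names; the URL and paths in the sample are placeholders.

```python
"""Lint a Chameleon site properties file (added example, not Jicos code).
Assumed, not stated on the page: plain Java key=value syntax, and names in
chameleon.security.allowable matched case-insensitively against CMD_x."""
import re

# The five Jicos services Chameleon may start (the CMD_x names on the page).
SERVICES = ("HSP", "TaskServer", "Host", "TaskServerMatlab", "HostMatlab")

# Constructed sample config (placeholder URL and paths), not from a real site.
SAMPLE_PROPERTIES = """\
chameleon.refresh.jarfile.baseurl=http://jicos.example.invalid/
chameleon.refresh.dirname=/tmp
chameleon.security.policy=jar:file:/opt/jicos/chameleon.jar!/chameleon.policy
chameleon.security.policy.host=/etc/jicos/host.policy
chameleon.security.allowable=TaskServer Host, HostMatlab
chameleon.start.refresh=true
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def allowed_services(props):
    """Split chameleon.security.allowable on commas or whitespace ('all' means
    all five); unknown names come back separately so a typo is noticed."""
    raw = props.get("chameleon.security.allowable", "all").strip()
    if raw.lower() == "all":
        return list(SERVICES), []
    known = {s.lower(): s for s in SERVICES}
    names = [n for n in re.split(r"[,\s]+", raw) if n]
    good = [known[n.lower()] for n in names if n.lower() in known]
    bad = [n for n in names if n.lower() not in known]
    return good, bad

def policy_for(props, service):
    """Per-service policy key, else chameleon.security.policy; a jar:file:...!
    prefix is stripped, as the page says Chameleon does."""
    value = (props.get("chameleon.security.policy." + service.lower())
             or props.get("chameleon.security.policy"))
    if value and value.startswith("jar:file:") and "!" in value:
        value = value.split("!", 1)[1]
    return value
```

Because Java gives no error when a policy file is missing (see below), checking that each path returned by policy_for actually exists is the natural next step for such a lint.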
Security Issues
If the specified policy file is not found, Java reports no error at all. Therefore,
if you are getting a "Connection Refused" exception, make sure that the policy file
is actually available at the configured location.
It is common to start the Chameleon from the jar file. When started this
way, -Djava.security.policy=... must be given before -jar chameleon.jar.
Otherwise, a very strict security manager is installed before the
java.security.policy property can be read, which prevents any further
properties (including the policy property) from being modified.