Notary Server/Scanner
From Cmcl
Perspectives Main Page
Contents |
Notary Server TODO
high priority
- Script to automatically build a "starter database" for creating new notary servers. This DB should contain all service-ids being probed by existing servers, but no observations.
- Use multiple failed probes as indication that we should not continue probing that service.
low priority
- implement a DNS proxy to allow anonymized lookups via DNS
- Implement data redundancy
- make sure that public key operations are not slowing down scanning threads.
some day
- Batching of signature, or merkle hash tree, to improve scanning efficiency. (this change would be protocol incompatible)
- implement some type of nonce/client puzzle scheme using portcullis code (this is likely not backward compatible)
- test to see if reusing processes would be more efficient than always spawning a new one.
External Feedback
- Ciprian has some good suggestions:
-- the source code archive does not contain any version information (like x.y.z) either in he archive name or in a file contained in it, so it is hard to tell if a new version is available;
-- in the documentation it is written that the database (the file not the environment folder) will be automatically created; this is not the case; I had to supply an empty file to file2db, in order to create an empty database;
-- the notary_list.txt has the following problem: if I specify a server by hostname it doesn't issue an error, but it results in a very funny IP address being used;
- A helpful soul on washingtonpost.com took a look through the code and offered lots of suggestions, some old, some new, but good things to keep in mind. On a whole, he clearly knows what he is talking about: antibozo_comments
Deploying a New Server
First, tar up the ~/notary directory on an existing server, and copy it to ~/notary on the new machine. Say that the new server's name is 'cmu':
rm -rf log/* cd keys openssl genrsa -out cmu.priv 1369 openssl rsa -in cmu.priv -out cmu.pub -outform PEM -pubout cd ..
Now, we actually want to use the old notary database to generate a new empty database file. Likely the existing database is confusingly called 'starter.db'.
bin/db2file db_env starter.db | grep -v key: | grep -v start: | grep -v end: | grep -v ^$ > starter.txt bin/file2db starter.txt new_db.db keys.cmu.priv mv new_db.db db_env/starter.db
Then edit the file config/scanner_config.txt and set the value of 'private_key_fname' to the new private key (e.g., 'keys/cmu.priv' . If you change the name of your database file, you will also need to change BOTH config/scanner_config.txt and config/server_config.txt
Then, start things up:
scripts/start_server.sh config/server_config.txt scripts/start_scanner.sh config/scanner_config.txt
Finally, do:
cat keys/cmu.pub
and use the result along with the machines IP address to add a new entry to notary_list.txt
Finally, set-up a cron job to run scans twice a day:
crontab -e
Type in:
10 1,13 * * * /home/danwent/notary/scripts/run_scan.sh db config/scanner_config.txt /home/danwent/notary
This will run the scan job twice a day, at 1 am and 1 pm. You can run this line manually if you want the server to start scanning right away.
Updating Notary Server Code on RON Testbed
Updating the server code on RON is a bit of a pain. Here's the scoop.
We have no non-RON machine that matches the RON configuration exactly, as it is 32-bit and runs FreeBSD. So we have to build binaries on one of them, and then copy those binaries to the other machines. I use cmu.ron.lcs.mit.edu as my build machine. Unfortunately, I don't have root on those machines, so I can't install SVN. As a result, I need to build a server source tarball on some other machine, copy it over to cmu.ron and then build it there. Also, to avoid having to install Berkeley DB on each node, I do the "static" server build which manually links in libbdb (lame, I know).
On any machine, from multissh/notarycode :
svn up scripts/package_src_server.sh scp notary_src_server.tar.gz danwent@cmu.ron.lcs.mit.edu:~
Then, SSH into cmu.ron.lcs.mit.edu
The next problem is that we aren't able to install berkeley DB libraries, so we need to reference them locally. To handle this, from the home directory:
tar -xzf notary_src_server.tar.gz cp db-4.6.21/build_unix/.libs/libdb-4.6.a notarycode/common cd notarycode scripts/build_server.sh static
If you don't need to rebuild the scanner binaries (which can take a while), you can just do the following after copying the BDB library:
cd notarycode/common/ make cd ../notary-server make static
You can then copy the binary files over to ~/notary/bin
Then, you need to re-start things.
cd ~/notary scripts/stop_server.sh scripts/stop_scanner.sh scripts/start_server.sh config/server_config.txt scripts/start_scanner.sh config/scanner_config.txt
Of course, then you need to copy whatever binary files you need over to each of the other RON nodes, and then restart their servers to pick up the new binary.
