-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconfiguration.xml
More file actions
79 lines (79 loc) · 3.63 KB
/
configuration.xml
File metadata and controls
79 lines (79 loc) · 3.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
[
<!ENTITY % sharedents SYSTEM "shared-entities.xml" >
%sharedents;
]>
<chapter id="configuration">
<info>
<author>
<firstname>Owen</firstname>
<surname>Synge</surname>
</author>
</info>
<section id="Environment Variables.">
<title>Environment Variables.</title>
<itemizedlist>
<listitem>
<para><literal>HOME</literal></para>
<para>Used as a prefix for configuration files and certificates.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_CFG</literal></para>
<para>Path to the configuration file for vmcaster.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_RDBMS</literal></para>
<para>SQLite based connection string, This defaults to 'sqlite:///vmcaster.db'.
This URL refers to the current working directory, to use an absolute path with
SQLite, add an extra slash to the URL like syntax.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_LOG_CONF</literal></para>
<para>vmcaster uses pythons standard logging module, this sets the configuration file
to be used for logging. For specifications on how to set this up see the python
logging documentation.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_X509_DIR</literal></para>
<para>Sets the default directory for the users &x509; certificates. If not set this
value is defaulted to <literal>$HOME/.globus</literal>.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_X509_KEY</literal></para>
<para>Path to the private key for the signing of image lists.</para>
<para>Sets the default path for the users &x509; user key. If not set this
value is defaulted to <literal>$HOME/.globus/userkey.pem</literal>.</para>
</listitem>
<listitem>
<para><literal>VMCASTER_X509_CERT</literal></para>
<para>Path to the certificate for the signing of image lists.</para>
<para>Sets the default path for the users &x509; user key. If not set this
value is defaulted to <literal>$HOME/.globus/usercert.pem</literal>.</para>
</listitem>
</itemizedlist>
</section>
<title>Configuration</title>
<section id="Deployment">
<title>Deployment</title>
<para>It is wise to deploy an "image list subscriber" so you can check for errors with
vmcaster as your "image list" publisher. vmcatcher
(http://github.com/hepix-virtualisation/vmcatcher) is an "image list subscriber"
that has almost the same dependencies as vmcatcher.</para>
<section id="DeploymentSecurityNote">
<title>Security note</title>
<para>It is more secure to use "https" than "http" for serving the image list. While
the authenticity of the image list is secured by the image list signature, the
signature cannot prevent "man in the middle" presenting an old signed image list.</para>
<para>For serving images http is as secure as https, as the authenticity of the image
is secured by the image list's signature, thus the worst a man in the middle
attack can do with images is provide a denial of service when the image does not
match the sha512 hash it will be detected and rejected.</para>
<para>It is expected future versions of vmcatcher will issue a warning when
subscribing to and retrieving image lists from unauthenticated hosts. Image list
subscribers will prefer not to see these warnings, and may decide to only trust
image lists hosted on authenticated servers.</para>
</section>
</section>
</chapter>