Installation of Hyrax

1
Installation of Hyrax
2
Possible Installations

• Both OLFS and BES run on one machine
• OLFS on one machine and BES on another
• One OLFS and several instances of BES on
  different machines
• OLFS communicating with one or more BESs and
  other backend processors

3
Tradeoffs single host

• Running both the OLFS and BES on one host is the
  easiest (thats how we have configured the
  virtual machine)
• If the OLFS is compromised, then the host with
  the data is also compromised
• A firewall can still protect network access to
  the BES (limit access to its port to localhost)
• A compromised host still leaves the BES
  vulnerable to exploitation

4
Tradeoffstwo hosts

• Running the OLFS on one host (in the DMZ) and the
  BES on another is more complex
• Must check that during power on both reboot and
  connect
• Increased LAN traffic since the assumption is
  that the BES and OLFS are close to each other
  and ample bandwidth is available
• A compromise of the DMZ (via the OLFS or some
  other web app) does not leave the BES vulnerable
  unless the attackers can leave the DMZ and access
  the internal machine on which the BES runs

5
Tradeoffs multiple BESs

• A more complex configuration that provides a way
  to isolate loads for large archives
• Also provides a way to fit Hyrax into the
  existing organization of data within an
  organization (e.g., NASA GSFC is using this
  because they have different data on several
  computers for historical reasons)
• The affect of an exploit is limited if it does
  make it past the DMZ but this is not really a
  security feature per se, but flexibility to adapt
  to different organizations of data
• Its tempting to accomplish the same goal using
  NFS but this has lead to poor performance in the
  past.

6
Installation Security

• A separate issue from Ac/Az
• The BES must be protected
• With a firewall or
• TLS Client certificates
• Running the OLFS and BES on separate machines
  limits the scope of a compromise of the OLFS
• Ensure that the BES, Tomcat and Apache all run
  with limited access to the server host

7
Getting the Software

• Hyrax is composed of both a C/C daemon (BES)
  and a Java/Servlet Web application (OLFS)
• Several ways to get the software
• Download binaries for your hardware and operating
  system www.opendap.org/download/
• Download source code distributions Same as above
• Use Subversion SCM system scm.opendap.org8090/tr
  ac

8
Tradeoffs

• Subversion
• Gets you the absolute latest code and developers
  may even get write access to submit fixes
• You must have a full development environment
• Theres limited support
• Source distributions
• Correspond to development milestones
• We try to coordinate between projects
• You still must be able to build from source
• Binaries
• Easiest, if your platform is supported - this is
  primarily an issue for the BES, not the OLFS
• We build a limited set of binaries
• Others also build binaries (Fedora Core extras,
  RPMFIND

9
so what is a full development environment?

• In a word, GNU. Specifically
• gcc/g/g77
• JDK 1.5
• flex/bison
• make
• ant
• autoconf/automake/libtool
• dejagnu/CppUnit
• Libraries libcurl, libreadline, libxml2
• Apache, Tomcat
• Emacs?, Eclipse?
• Get the latest of everything

10
Whats on the Virtual Machine

• Development tools
• All of the preceding except Eclipse
• Sources
• Libdap 3.7.7, linbc-dap 3.7.0
• Bes 3.5.1, dap-server 3.7.4, netcdf_handler
  3.7.6, freeform_handler 3.7.5
• Netcdf 3.6.2 (from Unidata needed for the netCDF
  handler)
• Some sources for clients (NCO)
• Binaries
• OLFS 1.2.3
• Clients ODC, ncBrowse