Power for a free world


Sunday 14 October 2012

Cryptography: SSL support using Mozilla NSS landed in NUT

This week, a new feature was merged into the NUT development tree: besides the historical OpenSSL support (available for more than 10 years), NUT now also provides SSL features using Mozilla NSS.

I've already posted a lengthy mail on the NUT developers list. But there are still a few things to say:

  • for legal reasons that I won't detail, NUT (GPL v2+) can't be linked against OpenSSL without leaving the 'main' Debian repository. Thus, NUT packages in Debian (and derivatives) don't provide NUT crypto features!
  • to me, NSS has some advantages compared to OpenSSL. Among these, NSS is distributed under 3 licenses, including the GPL. So it will fix the situation for NUT in Debian! But there will be more things to come with NSS, such as client authentication, and more security for infrastructure power management.
  • other distros (mainly Red Hat and SUSE) have attempted (and are still attempting) to consolidate crypto features, using NSS. Debian has not made any decision on this topic though. NUT now offers the choice between OpenSSL and Mozilla NSS.
  • NSS support will be officially available with NUT 2.8.0. There is currently no release date since we're committed to a feature set, not a release date. Some would say Debian old school. Everything would be different with more manpower, as everywhere else in our Free land...

For the brave who want to test, here is a small procedure, adapted to Debian. We will use an existing installation, and overwrite upsd, upsmon, libupsclient and a few more. Beware that it will obviously break the MD5 sums of your nut packages!

  • install NUT, if it's not already done:
# apt-get install nut
  • download the source snapshot, and uncompress it:
$ tar xzvf nut-trunk-r3751.tar.gz
  • install NSS development files:
# apt-get install libnss3-dev 
  • change to the NUT source directory and configure it using --with-nss, to force the use of NSS. For Debian, the following flags are needed:
$ ./configure --without-all --with-nss \
        --prefix=/ --sysconfdir=/etc/nut  \
        --with-statepath=/var/run/nut \
        --with-altpidpath=/var/run/nut \
        --with-drvpath=/lib/nut \
        --with-pidpath=/var/run/nut \
        --datadir=/usr/share/nut \
        --with-pkgconfig-dir=/usr/lib/pkgconfig \
        --with-user=nut --with-group=nut
  • now compile and install:
$ make
# make install
  • refer to the documentation, NSS backend usage chapter, for detailed configuration and usage instructions.
  • Enjoy ;-)
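
A quick check for after the install step above, as an added example that is not part of the original post: it classifies `ldd` output to tell whether an installed NUT binary is linked against NSS or OpenSSL. The function names and the sample `ldd` output are constructed for illustration, and the `/sbin/upsd` path is an assumption derived from `--prefix=/`.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Classify `ldd` output read on stdin; prints nss, openssl, both or none.
# NSS ships its TLS code as libssl3.so, while OpenSSL uses libssl.so.<version>
# (libssl.so.3 for OpenSSL 3), so matching on "libssl" alone misclassifies.
ssl_backend_from_ldd() {
    awk '
        { lib = $1; sub(/^.*\//, "", lib) }    # keep the file name only
        lib ~ /^libnss3\.so/ || lib ~ /^libssl3\.so/   { nss = 1 }
        lib ~ /^libssl\.so/  || lib ~ /^libcrypto\.so/ { ossl = 1 }
        END {
            if (nss && ossl) print "both"
            else if (nss)    print "nss"
            else if (ossl)   print "openssl"
            else             print "none"
        }'
}

# Same check for an installed file, e.g. ssl_backend_of /sbin/upsd
# (path assumed from --prefix=/ above; adjust to your system).
# ldd also lists indirect dependencies, hence the "both" result.
ssl_backend_of() {
    ldd "$1" 2>/dev/null | ssl_backend_from_ldd
}

# Constructed ldd output for an NSS-linked binary.
SAMPLE_NSS='    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libssl3.so => /usr/lib/x86_64-linux-gnu/libssl3.so (0x00007f3a1c200000)
    libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x00007f3a1c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bc00000)'

# Constructed ldd output for an OpenSSL-linked binary.
SAMPLE_OPENSSL='    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3a1c200000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bc00000)'

printf '%s\n' "$SAMPLE_NSS"     | ssl_backend_from_ldd
printf '%s\n' "$SAMPLE_OPENSSL" | ssl_backend_from_ldd
```

Run `ssl_backend_of` on each overwritten file (upsd, upsmon, libupsclient) and expect `nss`; an `openssl` result means the packaged binary is still in place or the build picked the wrong backend.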

Before concluding, here is the traditional thank you guys:

  • Emilien Kia, who developed the NSS support in NUT,
  • Frédéric Bohé, for the validation testing,
  • Charles Lepple, for handling the merge from GitHub to our Alioth Subversion repository,
  • and Eaton for sponsoring this development.

In conclusion, cryptography integration and usability are still not on par with other proprietary OSes. I would love to see the crypto situation improving in Debian (and friends obviously). So this was just my 2 cents (nuts ;-)) to the cause...

cheers,
-- Arno

Tuesday 25 September 2012

Power management and NUT #1: an introduction

In this series of articles, I will be talking in depth about power management through the NUT project, its packaging on Debian, how to use it in general and how I see it being part of the Green IT thing.

So, let's start with an introduction:

NUT is Free Software (GPL v2+ and 3 to be precise), originally created for power protection using UPSs, from home to data centers.

To shortly describe the main features, I would say that NUT:

NUT used to stand for Network UPS Tools. That is, software for talking to your UPS and shutting down your systems when needed. This definition is a bit limited nowadays, since NUT supports 4 types of power device:

  • UPS, obviously, since the origin.
  • PDU (power distribution units), for 4 years. These are, in a way, big intelligent power switches that you find in datacenters. They allow you to switch specific outlets on and off and/or to measure power consumption. The latter is more interesting for Green IT and PUE calculation. But this is the topic of another article ;-)
  • SCD (solar controller device), for more than 2 years. NUT only supports 1 SCD (IVT SCD series), but support for another can be very easily added.
  • PSU (power supply unit), for more than a year. This support is limited to server PSUs that are IPMI compatible.
  • meters and gensets are also new device types that are considered. Meters would provide more measurement capabilities, still mainly for PUE calculation, while gensets.

Considering this, is the name Network UPS Tools still suitable? Not really! But the acronym NUT is well known! So, for the time being, I'm just sticking with it and focusing on other, more important things, until a better opportunity comes up (ideas and comments are welcome!).

That said, what can you do exactly with NUT? Currently, you can:

  • monitor and manage the UPS(s) that protect(s) your system(s), with no redundancy limitation,
  • manage your PDU, to power on / off your systems (not servers directly!), and measure power consumption,
  • monitor and manage your servers' power supplies, power these on / off, and measure power consumption,
  • monitor all these links of the power chain that feed your servers,
  • discover all USB, SNMP and IPMI supported devices, locally or on the network.

All the above is available in a standardized way:

  • the manufacturer name will always be in the variable called device.mfr. The first outlet will always be outlet.1, whatever the device is (UPS or PDU here),
  • tons of command line tools, libraries / language bindings and software are available to help with NUT integration! You can even make your own NUT client implementation very easily and quickly (experience reports say ~ 2 hours).

Well, this is already a long and dense post, so I will stop there for today. In the next post, we will have a deeper dive into using NUT, for various use cases: submit yours if you can ;-)

cheers,
-- Arno