This repository has been archived by the owner on Jul 21, 2019. It is now read-only.


Metadata

This repository contains the utilities for creating and verifying virtual machine metadata. These metadata descriptions are managed through the Marketplace and used by various cloud services to validate, authorize, and configure the associated images.

Metadata Schema and Format

Sharing machine and disk images requires standardized, trusted metadata so that users can find appropriate images and system administrators can judge their suitability.

The metadata descriptions are in RDF/XML format and are cryptographically signed following the XML Signature specification. The link between the described image and its metadata description is the image identifier, which is based on the SHA-1 hash of the image. The following table shows the XML namespaces (and their usual prefixes) used in the metadata descriptions.

| Prefix  | Namespace                                   |
|---------|---------------------------------------------|
| rdf     | http://www.w3.org/1999/02/22-rdf-syntax-ns# |
| dcterms | http://purl.org/dc/terms/                   |
| slreq   | http://mp.stratuslab.eu/slreq#              |
| slterms | http://mp.stratuslab.eu/slterms#            |

The following XML document is an unsigned example of the metadata description. The first element is the description of the image, containing information about the image file, the operating system it contains, and its location. It also contains the endorsement of that information, stating who endorsed the image and when. The email of the endorser is used as the key and is consequently a required element of the description. For signed metadata entries, a digital signature element ("xmldsig:Signature") follows the "rdf:Description" element. (The relevant XML namespaces are listed in the table above.)

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dcterms="http://purl.org/dc/terms/"
         xmlns:slreq="http://mp.stratuslab.eu/slreq#"
         xmlns:slterms="http://mp.stratuslab.eu/slterms#"
         xmlns:ex="http://example.org/"
         xml:base="http://mp.stratuslab.eu/">

  <rdf:Description rdf:about="#MMZu9WvwKIro-rtBQfDk4PsKO7_">
    <dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
    <slreq:bytes>100</slreq:bytes>

    <slreq:checksum rdf:parseType="Resource">
      <slreq:algorithm>SHA-1</slreq:algorithm>
      <slreq:value>c319bbd5afc0a22ba3eaed0507c39383ec28eeff</slreq:value>
    </slreq:checksum>

    <slreq:endorsement rdf:parseType="Resource">
      <dcterms:created>2011-01-24T09:59:42Z</dcterms:created>
      <slreq:endorser rdf:parseType="Resource">
        <slreq:email>[email protected]</slreq:email>
        <slreq:subject>CN=Jane Tester,OU=...</slreq:subject>
        <slreq:issuer>CN=Jane Tester,OU=...</slreq:issuer>
      </slreq:endorser>
    </slreq:endorsement>

    <dcterms:type>machine</dcterms:type>

    <dcterms:valid>2011-07-23T10:59:42Z</dcterms:valid>

    <dcterms:publisher>StratusLab</dcterms:publisher>
    <dcterms:title>linux-with-my-apps</dcterms:title>
    <dcterms:description>A 32-bit ttylinux...</dcterms:description>

    <slterms:location>http://example.org/...</slterms:location>

    <slterms:serial-number>0</slterms:serial-number>
    <slterms:version>1.0</slterms:version>

    <slterms:hypervisor>kvm</slterms:hypervisor>

    <slterms:inbound-port>443</slterms:inbound-port>
    <slterms:outbound-port>25</slterms:outbound-port>
    <slterms:icmp>8</slterms:icmp>

    <slterms:os>ttylinux</slterms:os>
    <slterms:os-version>9.7</slterms:os-version>
    <slterms:os-arch>i486</slterms:os-arch>

    <slterms:deprecated>security issue with app</slterms:deprecated>

    <ex:other-info>additional metadata</ex:other-info>
    <ex:yet-more>still more info</ex:yet-more>

    <ex:relatedImages rdf:parseType="Resource">
      <dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>NMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>OMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>PMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
    </ex:relatedImages>
  </rdf:Description>
</rdf:RDF>

The entries in the Marketplace deal with individual images. If collections of images need to be signed as a unit, one possibility is to include in each individual entry references to the other image descriptions in the collection. This allows the full collection to be reconstructed from any individual entry. One way of doing this is shown in the example metadata description above (the "ex:relatedImages" element).

Signing and Validating StratusLab Metadata Files

Metadata files are signed and validated according to the XML Signature specification. The commands supporting metadata signatures have been written in Java, as recent Java virtual machines contain an API implementing this standard.

Metadata files can be signed using grid certificates (in PKCS12 format), PGP key pairs, or DSA/RSA key pairs. Verification and validation automatically detect the signature algorithm and the type of private key used to sign the metadata file, verify the file, and print, for grid certificates, the DN of the user who signed it.

Metadata Elements

Where possible, the Dublin Core metadata vocabulary has been used for the metadata description. The following table shows the terms taken from the Dublin Core specification. The freq. column uses the usual cardinality symbols: 1 (exactly one), ? (zero or one), * (zero or more), and + (one or more).

| NS      | qname        | freq. | XSD      | Constraints         | Notes                                            |
|---------|--------------|-------|----------|---------------------|--------------------------------------------------|
| dcterms | identifier   | 1     | string   | valid identifier    | image identifier                                 |
| dcterms | isReplacedBy | ?     | string   | valid identifier    | image identifier for replacement image           |
| dcterms | replaces     | ?     | string   | valid identifier    | image identifier for image replaced by this one  |
| dcterms | isVersionOf  | ?     | string   | valid identifier    | image identifier for parent image                |
| dcterms | valid        | ?     | dateTime | XML DateTime format | expiration date for image metadata               |
| dcterms | title        | ?     | string   |                     | short title for humans                           |
| dcterms | description  | 1     | string   |                     | longer description of the image                  |
| dcterms | type         | 1     | string   | 'machine' or 'disk' | type of the described image                      |
| dcterms | creator      | ?     | string   |                     | name of image or metadata record creator         |
| dcterms | created      | ?     | dateTime | XML DateTime format | date when metadata record was created            |
| dcterms | publisher    | ?     | string   |                     | publisher (group, experiment, project) of image  |
| dcterms | format       | 1     | string   |                     | format of machine or disk image                  |

Additional terms have been defined by StratusLab to complete the metadata description. The following table shows those terms.

| NS      | qname         | freq. | XSD                  | Constraints | Notes                                              |
|---------|---------------|-------|----------------------|-------------|----------------------------------------------------|
| slterms | disks-bus     | *     | string               |             | value to use for disk device driver                |
| slterms | location      | *     | URI                  |             | location hint for download (none if unavailable)   |
| slterms | serial-number | ?     | non-negative integer |             | numeric index of image within a series             |
| slterms | version       | ?     | string               |             | version of the image                               |
| slterms | hypervisor    | ?     | string               |             | appropriate hypervisors for machine image          |
| slterms | inbound-port  | *     | unsigned short       | 0 for all   | required inbound port                              |
| slterms | outbound-port | *     | unsigned short       | 0 for all   | required outbound port                             |
| slterms | icmp          | *     | unsigned byte        |             | ICMP packet types                                  |
| slterms | os-arch       | ?     | string               |             | OS architecture                                    |
| slterms | os-version    | ?     | string               |             | OS version                                         |
| slterms | os            | ?     | string               |             | OS                                                 |
| slterms | deprecated    | ?     | string               |             | reason that image is deprecated (missing if OK)    |

| NS    | qname       | freq. | XSD              | Constraints               | Notes                                        |
|-------|-------------|-------|------------------|---------------------------|----------------------------------------------|
| slreq | endorsement | 1     | complex          |                           | endorsement information                      |
| slreq | endorser    | 1     | complex          |                           | endorser information                         |
| slreq | bytes       | 1     | positive integer |                           | number of bytes in described image           |
| slreq | checksum    | +     | string           | lowercase hex digits only | checksum in hex with algorithm prefix        |
| slreq | email       | 1     | string           |                           | email address of the metadata record creator |
| slreq | subject     | 1     | string           |                           | certificate subject                          |
| slreq | issuer      | +     | string           |                           | certificate issuer                           |

Additional terms can be added to the metadata descriptions, but they should appear in their own XML namespaces. This allows for application-specific metadata and also evolution of the standard schema. These should appear after the endorsement element in the description.
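As an added illustration (not part of this repository's tooling), the following Python checks a single metadata description against the constraints in the tables above and the conventions of the example document: required elements, the 'machine'/'disk' type, a positive byte count, lowercase-hex checksums, expiry via dcterms:valid, and the deprecated marker. It assumes dateTime values carry a Z suffix, that rdf:about is "#" followed by the identifier (as in the example), and, as an assumed policy the README does not state, that the endorser subject must equal the DN reported for the signing certificate; the sample record is constructed here and is not a real Marketplace entry.

```python
import re, xml.etree.ElementTree as ET
from datetime import datetime

NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "dcterms": "http://purl.org/dc/terms/",
      "slreq": "http://mp.stratuslab.eu/slreq#",
      "slterms": "http://mp.stratuslab.eu/slterms#"}
# Elements the tables list with frequency 1, plus the endorser email the text calls required.
REQUIRED = ["dcterms:identifier", "dcterms:type", "dcterms:description", "slreq:bytes",
            "slreq:checksum", "slreq:endorsement/slreq:endorser/slreq:email"]
ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # XML dateTime with Z suffix

# Constructed sample modelled on the README's example (not a real Marketplace entry).
SAMPLE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:dcterms="http://purl.org/dc/terms/" xmlns:slreq="http://mp.stratuslab.eu/slreq#">
<rdf:Description rdf:about="#MMZu9WvwKIro-rtBQfDk4PsKO7_">
<dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier><slreq:bytes>100</slreq:bytes>
<slreq:checksum rdf:parseType="Resource"><slreq:algorithm>SHA-1</slreq:algorithm>
<slreq:value>c319bbd5afc0a22ba3eaed0507c39383ec28eeff</slreq:value></slreq:checksum>
<slreq:endorsement rdf:parseType="Resource"><dcterms:created>2011-01-24T09:59:42Z</dcterms:created>
<slreq:endorser rdf:parseType="Resource"><slreq:email>jane@example.org</slreq:email>
<slreq:subject>CN=Jane Tester,OU=Test</slreq:subject></slreq:endorser></slreq:endorsement>
<dcterms:type>machine</dcterms:type><dcterms:valid>2011-07-23T10:59:42Z</dcterms:valid>
<dcterms:description>A 32-bit ttylinux test image</dcterms:description>
</rdf:Description></rdf:RDF>"""

def check_description(xml_text, now, signer_subject=None):
    # Returns the findings for one record as a list of strings; an empty list means it passes.
    desc = ET.fromstring(xml_text).find("rdf:Description", NS)  # stdlib expat: no external entities
    if desc is None:
        return ["no rdf:Description element"]
    get = lambda path: desc.findtext(path, default="", namespaces=NS)
    findings = [f"missing required element {q}" for q in REQUIRED if desc.find(q, NS) is None]
    checks = [
        (desc.get(f"{{{NS['rdf']}}}about") == "#" + get("dcterms:identifier"),
         "rdf:about does not match dcterms:identifier"),
        (get("dcterms:type") in ("machine", "disk"), "dcterms:type must be 'machine' or 'disk'"),
        (re.fullmatch(r"[1-9][0-9]*", get("slreq:bytes")) is not None, "slreq:bytes must be a positive integer"),
        (all(re.fullmatch(r"[0-9a-f]+", c.findtext("slreq:value", "", NS))
             for c in desc.findall("slreq:checksum", NS)),  # freq. '+': every checksum is checked
         "slreq:checksum value must be lowercase hex digits only"),
        (not get("dcterms:valid") or ts(get("dcterms:valid")) >= ts(now),
         "metadata record has expired (dcterms:valid is in the past)"),
        (desc.find("slterms:deprecated", NS) is None, "image is deprecated: " + get("slterms:deprecated")),
        # Assumed policy (not in the README): the endorser subject must equal the signing cert's DN.
        (signer_subject is None or get("slreq:endorsement/slreq:endorser/slreq:subject") == signer_subject,
         "endorser subject does not match the signing certificate DN"),
    ]
    return findings + [msg for ok, msg in checks if not ok]
```

A signature check (the XML Signature verification described in the previous section) must run before these structural checks; this code only validates content that has already been authenticated.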

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Acknowledgements

This software originated in the StratusLab project that was co-funded by the European Community’s Seventh Framework Programme (Capacities) Grant Agreement INFSO-RI-261552 and that ran from June 2010 to May 2012.