Contains the utilities for the creation and verification of virtual machine metadata. These metadata descriptions are managed through the Marketplace and used by various cloud services to validate, authorize, and configure the associated images.
Sharing machine and disk images requires standardized, trusted metadata to allow users to find appropriate images and to allow system administrators to judge the suitability of them.
The metadata descriptions are in RDF/XML format and cryptographically signed following the XML Signature specification. The connection between the described image and the metadata description is the image identifier based on the SHA-1 hash. The following table shows the XML namespaces (and usual prefixes) in the metadata descriptions.
Prefix | Namespace |
---|---|
rdf | http://www.w3.org/1999/02/22-rdf-syntax-ns# |
dcterms | http://purl.org/dc/terms/ |
slreq | http://mp.stratuslab.eu/slreq# |
slterms | http://mp.stratuslab.eu/slterms# |
The following XML document is an unsigned example of the metadata description. The first element is the description of the image, containing information about the image file, the contained operating system, and its location. It also contains the endorsement of the information, with details on who endorsed the image and when. The email of the endorser is used as the key and is consequently a required element of the description. For signed metadata entries, a digital signature element ("xmldsig:Signature") follows the "rdf:Description" element. (The relevant XML namespaces are given in the table above.)

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dcterms="http://purl.org/dc/terms/"
         xmlns:slreq="http://mp.stratuslab.eu/slreq#"
         xmlns:slterms="http://mp.stratuslab.eu/slterms#"
         xmlns:ex="http://example.org/"
         xml:base="http://mp.stratuslab.eu/">
  <rdf:Description rdf:about="#MMZu9WvwKIro-rtBQfDk4PsKO7_">
    <dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
    <slreq:bytes>100</slreq:bytes>
    <slreq:checksum rdf:parseType="Resource">
      <slreq:algorithm>SHA-1</slreq:algorithm>
      <slreq:value>c319bbd5afc0a22ba3eaed0507c39383ec28eeff</slreq:value>
    </slreq:checksum>
    <slreq:endorsement rdf:parseType="Resource">
      <dcterms:created>2011-01-24T09:59:42Z</dcterms:created>
      <slreq:endorser rdf:parseType="Resource">
        <slreq:email>jane.tester@example.org</slreq:email>
        <slreq:subject>CN=Jane Tester,OU=...</slreq:subject>
        <slreq:issuer>CN=Jane Tester,OU=...</slreq:issuer>
      </slreq:endorser>
    </slreq:endorsement>
    <dcterms:type>machine</dcterms:type>
    <dcterms:valid>2011-07-23T10:59:42Z</dcterms:valid>
    <dcterms:publisher>StratusLab</dcterms:publisher>
    <dcterms:title>linux-with-my-apps</dcterms:title>
    <dcterms:description>A 32-bit ttylinux...</dcterms:description>
    <slterms:location>http://example.org/...</slterms:location>
    <slterms:serial-number>0</slterms:serial-number>
    <slterms:version>1.0</slterms:version>
    <slterms:hypervisor>kvm</slterms:hypervisor>
    <slterms:inbound-port>443</slterms:inbound-port>
    <slterms:outbound-port>25</slterms:outbound-port>
    <slterms:icmp>8</slterms:icmp>
    <slterms:os>ttylinux</slterms:os>
    <slterms:os-version>9.7</slterms:os-version>
    <slterms:os-arch>i486</slterms:os-arch>
    <slterms:deprecated>security issue with app</slterms:deprecated>
    <ex:other-info>additional metadata</ex:other-info>
    <ex:yet-more>still more info</ex:yet-more>
    <ex:relatedImages rdf:parseType="Resource">
      <dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>NMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>OMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
      <dcterms:identifier>PMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier>
    </ex:relatedImages>
  </rdf:Description>
</rdf:RDF>
```
The entries in the Marketplace deal with individual images. If collections of images need to be signed, one possibility is to include in each individual entry references to the other image descriptions in the collection. This allows the full collection to be reconstructed from any individual entry. One way of doing this is shown in the example metadata description (the "ex:relatedImages" element).
For signing and validating metadata files, the XML Signature specification is used. Commands to support metadata signatures have been written in Java, as recent Java virtual machines contain an API implementing this standard.
Metadata files can be signed using grid certificates (in PKCS12 format), PGP key pairs, or DSA/RSA key pairs. Verification and validation automatically detect the signature algorithm and the type of private key used to sign the metadata file, verify the signature and, for grid certificates, print the DN of the user who signed the file.
Where possible the Dublin Core metadata vocabulary has been used for the metadata description. The following table shows the terms taken from the Dublin Core specification.
NS | qname | freq. | XSD | Constraints | Notes |
---|---|---|---|---|---|
dcterms | identifier | 1 | string | valid identifier | image identifier |
dcterms | isReplacedBy | ? | string | valid identifier | image identifier for replacement image |
dcterms | replaces | ? | string | valid identifier | image identifier for image replaced by this one |
dcterms | isVersionOf | ? | string | valid identifier | image identifier for parent image |
dcterms | valid | ? | dateTime | XML DateTime format | expiration date for image metadata |
dcterms | title | ? | string | | short title for humans |
dcterms | description | 1 | string | | longer description of the image |
dcterms | type | 1 | string | 'machine' or 'disk' | type of the described image |
dcterms | creator | ? | string | | name of image or metadata record creator |
dcterms | created | ? | dateTime | XML DateTime format | date when metadata record was created |
dcterms | publisher | ? | string | | publisher (group, experiment, project) of image |
dcterms | format | 1 | string | | format of machine or disk image |
Additional terms have been defined by StratusLab to complete the metadata description. The following table shows those terms.
NS | qname | freq. | XSD | Constraints | Notes |
---|---|---|---|---|---|
slterms | disks-bus | * | string | | value to use for disk device driver |
slterms | location | * | URI | | location hint for download (none if unavailable) |
slterms | serial-number | ? | non-negative integer | | numeric index of image within a series |
slterms | version | ? | string | | version of the image |
slterms | hypervisor | ? | string | | appropriate hypervisors for machine image |
slterms | inbound-port | * | unsigned short | 0 for all | required inbound port |
slterms | outbound-port | * | unsigned short | 0 for all | required outbound port |
slterms | icmp | * | unsigned byte | | ICMP packet types |
slterms | os-arch | ? | string | | OS architecture |
slterms | os-version | ? | string | | OS version |
slterms | os | ? | string | | OS |
slterms | deprecated | ? | string | | reason that image is deprecated (missing if OK) |

NS | qname | freq. | XSD | Constraints | Notes |
---|---|---|---|---|---|
slreq | endorsement | 1 | complex | | endorsement information |
slreq | endorser | 1 | complex | | endorser information |
slreq | bytes | 1 | positive integer | | number of bytes in described image |
slreq | checksum | + | string | lowercase hex digits only | checksum in hex with algorithm prefix |
slreq | email | 1 | string | | email address of the metadata record creator |
slreq | subject | 1 | string | | certificate subject |
slreq | issuer | + | string | | certificate issuer |
Additional terms can be added to the metadata descriptions, but they should appear in their own XML namespaces. This allows for application-specific metadata and also evolution of the standard schema. These should appear after the endorsement element in the description.
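As an added example (not part of the project's own Java code), the following Python checks a description against the constraints in the tables above: the elements with frequency 1 must occur exactly once, rdf:about must match dcterms:identifier, the checksum must be lowercase hex of the right length, and ports and ICMP values must fit their XSD types. It assumes only the standard library and uses a trimmed copy of the sample description as constructed input.

```python
import re
import xml.etree.ElementTree as ET
# Namespaces from the table at the top of this page.
NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "dcterms": "http://purl.org/dc/terms/",
      "slreq": "http://mp.stratuslab.eu/slreq#",
      "slterms": "http://mp.stratuslab.eu/slterms#"}
# Elements the tables mark with frequency 1. dcterms:format is listed as required
# too, but the sample description above omits it, so it is not enforced here.
REQUIRED_ONCE = ["dcterms:identifier", "dcterms:description", "dcterms:type",
                 "slreq:bytes", "slreq:endorsement", "slreq:endorsement/dcterms:created",
                 "slreq:endorsement/slreq:endorser/slreq:email"]
# Ranges from the slterms table: unsigned short for ports, unsigned byte for ICMP.
RANGES = {"slterms:inbound-port": (0, 65535),
          "slterms:outbound-port": (0, 65535), "slterms:icmp": (0, 255)}
# Constructed input: a trimmed copy of the unsigned sample description shown above.
SAMPLE = """<rdf:RDF xmlns:rdf="%(rdf)s" xmlns:dcterms="%(dcterms)s"
 xmlns:slreq="%(slreq)s" xmlns:slterms="%(slterms)s">
<rdf:Description rdf:about="#MMZu9WvwKIro-rtBQfDk4PsKO7_">
<dcterms:identifier>MMZu9WvwKIro-rtBQfDk4PsKO7_</dcterms:identifier><slreq:bytes>100</slreq:bytes>
<slreq:checksum><slreq:algorithm>SHA-1</slreq:algorithm>
<slreq:value>c319bbd5afc0a22ba3eaed0507c39383ec28eeff</slreq:value></slreq:checksum>
<slreq:endorsement><dcterms:created>2011-01-24T09:59:42Z</dcterms:created>
<slreq:endorser><slreq:email>jane.tester@example.org</slreq:email></slreq:endorser></slreq:endorsement>
<dcterms:type>machine</dcterms:type><dcterms:description>A 32-bit ttylinux</dcterms:description>
<slterms:inbound-port>443</slterms:inbound-port><slterms:icmp>8</slterms:icmp>
</rdf:Description></rdf:RDF>""" % NS

def check_description(xml_text):
    """Return the list of constraint violations; an empty list means the record passes."""
    problems = []
    desc = ET.fromstring(xml_text).find("rdf:Description", NS)
    for path in REQUIRED_ONCE:  # exactly one occurrence of each required element
        if len(desc.findall(path, NS)) != 1:
            problems.append("%s: expected exactly one occurrence" % path)
    if desc.get("{%s}about" % NS["rdf"], "").lstrip("#") != desc.findtext("dcterms:identifier", "", NS):
        problems.append("rdf:about does not match dcterms:identifier")
    if desc.findtext("dcterms:type", "", NS) not in ("machine", "disk"):
        problems.append("dcterms:type must be 'machine' or 'disk'")
    if not re.fullmatch(r"[1-9][0-9]*", desc.findtext("slreq:bytes", "", NS)):
        problems.append("slreq:bytes must be a positive integer")
    for cs in desc.findall("slreq:checksum", NS):  # lowercase hex only, 40 digits for SHA-1
        alg, val = cs.findtext("slreq:algorithm", "", NS), cs.findtext("slreq:value", "", NS)
        if not re.fullmatch(r"[0-9a-f]{40}" if alg == "SHA-1" else r"[0-9a-f]+", val):
            problems.append("%s checksum is not lowercase hex of the expected length" % alg)
    for tag, (lo, hi) in RANGES.items():
        for el in desc.findall(tag, NS):
            if not (el.text or "").isdigit() or not lo <= int(el.text) <= hi:
                problems.append("%s value %r outside %d..%d" % (tag, el.text, lo, hi))
    return problems
```

These checks cover only the structural constraints; they say nothing about whether the XML Signature over the record is valid, which is the separate verification step described above.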
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This software originated in the StratusLab project that was co-funded by the European Community’s Seventh Framework Programme (Capacities) Grant Agreement INFSO-RI-261552 and that ran from June 2010 to May 2012.