Network Working Group                                   J. Schoenwaelder
Request for Comments: 2593                               TU Braunschweig
Category: Experimental                                        J. Quittek
                                                         NEC Europe Ltd.
                                                                May 1999


             Script MIB Extensibility Protocol Version 1.0

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The IETF Script MIB defines an interface for the delegation of
   management functions based on the Internet management framework. A
   management script is a set of instructions that are executed by a
   language specific runtime system. The Script MIB extensibility
   protocol (SMX) defined in this memo separates language specific
   runtime systems from language independent Script MIB implementations.

Table of Contents

   1. Introduction ................................................    2
   2. Process Model and Communication Model .......................    3
   3. Security Profiles ...........................................    3
   4. Start of Runtime Systems and Connection Establishment .......    4
   5. SMX Messages ................................................    5
   5.1 Common Definitions .........................................    5
   5.2 Commands ...................................................    7
   5.3 Replies ....................................................    8
   6. Elements of Procedure .......................................    9
   6.1 SMX Message Processing on the Runtime Systems ..............    9
   6.1.1 Processing the `hello' Command ...........................   10
   6.1.2 Processing the `start' Command ...........................   10
   6.1.3 Processing the `suspend' Command .........................   11
   6.1.4 Processing the `resume' Command ..........................   12
   6.1.5 Processing the `abort' Command ...........................   12
   6.1.6 Processing the `status' Command ..........................   12
   6.1.7 Generation of Asynchronous Notifications .................   13



Schoenwaelder & Quittek       Experimental                      [Page 1]

RFC 2593                    SMX Protocol 1.0                    May 1999


   6.2 SMX Message Processing on the SNMP Agent ...................   13
   6.2.1 Creating a Runtime System ................................   13
   6.2.2 Generating the `hello' Command ...........................   13
   6.2.3 Generating the `start' Command ...........................   14
   6.2.4 Generating the `suspend' Command .........................   15
   6.2.5 Generating the `resume' Command ..........................   16
   6.2.6 Generating the `abort' Command ...........................   16
   6.2.7 Generating the `status' Command ..........................   17
   6.2.8 Processing Asynchronous Notifications ....................   18
   7. An Example SMX Message Flow .................................   19
   8. Security Considerations .....................................   19
   9. Acknowledgments .............................................   20
   10. References .................................................   20
   11. Authors' Addresses .........................................   21
   12. Full Copyright Statement ...................................   22

1.  Introduction

   The Script MIB [1] defines a standard interface for the delegation of
   management functions based on the Internet management framework. In
   particular, it provides the following capabilities:

   1.   Transfer of management scripts to a distributed manager.

   2.   Initiating, suspending, resuming and terminating management
        scripts.

   3.   Transfer of arguments for management scripts.

   4.   Monitoring and control of running management scripts.

   5.   Transfer of results produced by management scripts.

   A management script is a set of instructions executed by a language
   specific runtime system. The Script MIB does not prescribe a specific
   language. Instead, it allows control of scripts written in different
   languages that execute concurrently.

   The Script MIB Extensibility protocol (SMX) defined in this memo can
   be used to separate language specific runtime systems from the
   runtime system independent Script MIB implementations. The
   lightweight SMX protocol can be used to support different runtime
   systems without any changes to the language neutral part of a Script
   MIB implementation.

   Examples of languages and runtime systems considered during the
   design of the SMX protocol are the Java virtual machine [2] and the
   Tool Command Language (Tcl) [3]. Other languages with comparable
   features should be easy to integrate as well.

2.  Process Model and Communication Model

   Figure 1 shows the process and communication model underlying the SMX
   protocol. The language and runtime system independent SNMP agent
   implementing the Script MIB communicates with one or more runtime
   systems via the SMX protocol. A runtime system may be able to execute
   one or multiple scripts simultaneously (multi-threading). The SMX
   protocol supports multi-threading, but it does not require multi-
   threaded runtime systems.

   The SMX protocol uses a local storage device (usually implemented on
   top of the local file system) to transfer scripts from the SNMP agent
   to the runtime systems. The SNMP agent has read and write access to
   the script storage device while the runtime systems only need read
   access. The SMX protocol passes the location of a script in the local
   storage device to the runtime engines. It is then the responsibility
   of the runtime engines to load the script from the specified
   location.

                                                    runtime 1
                   +--------------+       SMX      +---------+
                   |              |<-------------->| O  O  O |<-+
           SNMP    |  Script MIB  |                +---------+  |
       <---------->|              |                             |
                   |  SNMP Agent  |                 runtime 2   |
                   |              |       SMX      +---------+  |
                   |              |<-------------->| O       |  |
                   +--------------+                +---------+  |
                           ^                            ^       |
                           |       +---------+          |       |
                           |       | script  |----------+       |
                           +------>| storage |------------------+
                                   +---------+

           Figure 1: SMX process and communication model


3.  Security Profiles

   Security profiles control what a running script is allowed to do. It
   is useful to distinguish two different classes of security profiles:

   -    The operating system security profile specifies the set of
        operating system services that can be used by the operating
        system level process which executes a script. Under UNIX, this
        maps to the effective user and group identity for the running
        process. In addition, many UNIX versions allow to set other
        resource limits, such as the number of open files or the maximum
        stack sizes. Another mechanism in UNIX is the chroot() system
        call which changes the file system root for a process. The
        chroot() mechanism can be used to prevent runtime systems from
        accessing any system files. It is suggested to make use of all
        applicable operating system security mechanisms in order to
        protect the operating system from malicious scripts or runtime
        systems.

   -    Secure runtime systems provide fine grained control over the set
        of services that can be used by a running script at a particular
        point during script execution. A runtime security profile
        specifying fine grained access control is runtime system
        dependent. For a Java virtual machine, the runtime security
        profile is interpreted by the SecurityManager and ClassLoader
        classes [4]. For Tcl, the runtime security profile maps to the
        interpreter's security profile [5].

   The SMX protocol allows scripts to be executed under different
   operating system profiles and runtime system profiles. Multiple operating
   system security profiles are realized by using multiple runtime
   systems which execute in operating system processes with different
   security profiles.  Multiple runtime security profiles are supported
   by passing a security profile name to a runtime system during script
   invocation.

   The Script MIB does not define how operating system or runtime system
   security profiles are identified. This memo suggests that the
   smLaunchOwner is mapped to an operating system security profile and a
   runtime system security profile when a script is started.

4.  Start of Runtime Systems and Connection Establishment

   The SNMP agent starts runtime systems based on the static properties
   of the runtime system (multi-threaded or single-threaded) and the
   operating system security profiles. Starting a new runtime system
   requires creating a process environment which matches the operating
   system security profile.
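
   Added example (not part of the memo): one way an agent on a UNIX
   system could create the process environment for a runtime system from
   an operating system security profile, using the mechanisms named in
   section 3. The OsProfile class and the function names are
   hypothetical; chroot() and a change of identity require the agent to
   run as root.

```python
import os
import resource
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OsProfile:
    """Hypothetical operating system security profile of one runtime system."""
    uid: Optional[int] = None         # None keeps the agent's identity
    gid: Optional[int] = None
    chroot_dir: Optional[str] = None  # must contain the runtime executable
    rlimits: dict = field(default_factory=dict)  # resource.RLIMIT_* -> limit

def apply_profile(profile):
    """Runs in the child between fork() and exec(); the order matters."""
    for res, limit in profile.rlimits.items():
        # Set soft and hard limit so the runtime cannot raise it again.
        resource.setrlimit(res, (limit, limit))
    if profile.chroot_dir is not None:
        os.chroot(profile.chroot_dir)  # needs root, so do it before dropping it
        os.chdir("/")                  # no working directory outside the new root
    if profile.gid is not None:
        os.setgroups([])               # drop the agent's supplementary groups
        os.setgid(profile.gid)         # group before user: not permitted afterwards
    if profile.uid is not None:
        os.setuid(profile.uid)

def start_runtime(argv, profile, env):
    """Start a runtime system with the given profile and an explicit environment."""
    return subprocess.Popen(
        argv,
        env=env,          # nothing inherited from the agent's own environment
        close_fds=True,   # the agent's open descriptors stay in the agent
        preexec_fn=lambda: apply_profile(profile),
    )

if __name__ == "__main__":
    # Constructed profile: no core dumps, at most 64 open files, same user.
    demo = OsProfile(rlimits={resource.RLIMIT_CORE: 0, resource.RLIMIT_NOFILE: 64})
    code = "import resource; print(resource.getrlimit(resource.RLIMIT_NOFILE))"
    start_runtime([sys.executable, "-c", code], demo, {"SMX_PORT": "4711"}).wait()
```

   If any step in apply_profile fails, Popen raises in the agent and no
   runtime system is started with a weaker profile than requested.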

   The SNMP agent initially passes information to the runtime system by
   means of environment variables. The information is needed to
   establish a trusted communication channel between the SNMP agent and
   a runtime system.

   The SNMP agent first creates a listening TCP socket which accepts
   connections from runtime systems. It is the responsibility of the
   runtime system to establish a connection to this TCP socket once it
   has been started. The port number of the listening TCP socket is
   passed from the SNMP agent to the runtime system in the environment
   variable SMX_PORT.

   The SNMP agent must ensure that only authorized runtime systems
   establish a connection to the listening TCP socket. The following
   rules are used for this purpose:

   -    The TCP connection must originate from the local host.

   -    The SNMP agent queries the runtime system for a security cookie
        and closes the TCP connection if no valid response is received
        within a given time interval. The security cookie is a random
        number generated by the SNMP agent and passed to the runtime
        system as part of its environment. The cookie is found in the
        environment variable SMX_COOKIE.

   The security assumption here is that access to the process
   environment is protected by the operating system.
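
   The two acceptance rules above, written out for the agent side as an
   added example (not part of the memo). The function names, the 16-byte
   cookie length and the 5-second interval are assumptions, and
   read_cookie stands for the cookie query, whose message syntax is not
   covered in this section.

```python
import hmac
import ipaddress
import re
import secrets
import socket

HEXSTRING = re.compile(r"(?:[0-9A-Fa-f]{2})+")  # pairs of hex digits
COOKIE_TIMEOUT = 5.0  # assumed; the memo only says "a given time interval"

def new_cookie(nbytes=16):
    """Random cookie from the OS CSPRNG as hex digits (length is an assumption)."""
    return secrets.token_hex(nbytes)

def open_listener():
    """Listen on loopback only; the OS picks a free port for SMX_PORT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def runtime_env(port, cookie):
    """Environment handed to the runtime system: only the two SMX variables."""
    return {"SMX_PORT": str(port), "SMX_COOKIE": cookie}

def peer_is_local(addr):
    """Rule 1: the TCP connection must originate from the local host."""
    return ipaddress.ip_address(addr).is_loopback

def cookie_is_valid(presented, expected):
    """Rule 2: well-formed hex string, compared in constant time."""
    if not HEXSTRING.fullmatch(presented):
        return False
    return hmac.compare_digest(presented.lower().encode(), expected.lower().encode())

def accept_runtime(srv, expected, read_cookie):
    """Accept one connection; return it if authorized, else close it.

    read_cookie(conn) is a hypothetical callable that queries the runtime
    system for its cookie and returns the hex digits it answered with.
    """
    conn, (addr, _port) = srv.accept()
    conn.settimeout(COOKIE_TIMEOUT)  # applies to each socket operation
    try:
        if peer_is_local(addr) and cookie_is_valid(read_cookie(conn), expected):
            return conn
    except (OSError, UnicodeError):  # timeout, reset, or undecodable reply
        pass
    conn.close()
    return None
```

   On Linux a process environment can be read through
   /proc/<pid>/environ by other processes of the same user, so the
   cookie separates runtime systems only when they run under different
   operating system security profiles.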

   Alternate transports (e.g. UNIX domain sockets) are possible but not
   defined at this point in time. The reason to choose TCP as the
   transport protocol for SMX was that TCP is supported by all potential
   runtime systems, while other transports are not universally
   available.

5.  SMX Messages

   The message formats described below are defined using the Augmented
   BNF (ABNF) defined in RFC 2234 [6]. The definitions for `ALPHA',
   `DIGIT', `HEXDIG', `WSP', `CRLF', `CR', `LF', `HTAB', `VCHAR' and
   `DQUOTE' are imported from appendix A of RFC 2234 and not repeated
   here.

5.1.  Common Definitions

   The following ABNF definitions are used in subsequent sections to
   define the SMX protocol messages.

     Zero          = %x30          ; the ASCII character '0'

     AlNum         = DIGIT / ALPHA / %x2D-2F
                                   ; digits, alphas plus '-', '.', '/'

     QuotedString  = DQUOTE *(VCHAR / WSP) DQUOTE

     HexString     = 1*(HEXDIG HEXDIG)

     Id            = 1*DIGIT       ; identifier for an SMX transaction

     Script        = QuotedString  ; script file name

     RunId         = 1*DIGIT       ; globally unique identifier for a
                                   ; running script (note, smRunIndex
                                   ; is only unique for a smLaunchOwner,
                                   ; smLaunchName pair)

     Profile       = 1*AlNum       ; security profile name

     RunState      =  "1"          ; smRunState `initializing'
     RunState      =/ "2"          ; smRunState `executing'
     RunState      =/ "3"          ; smRunState `suspending'
     RunState      =/ "4"          ; smRunState `suspended'
     RunState      =/ "5"          ; smRunState `resuming'
     RunState      =/ "6"          ; smRunState `aborting'
     RunState      =/ "7"          ; smRunState `terminated'

     ExitCode      =  "1"          ; smRunExitCode `noError'
     ExitCode      =/ "2"          ; smRunExitCode `halted'
     ExitCode      =/ "3"          ; smRunExitCode `lifeTimeExceeded'
     ExitCode      =/ "4"          ; smRunExitCode `noResourcesLeft'
