todo.rst

The next phase

Security

• Implement untrusted account restrictions for workers. We can start by making workers derive from the unconfined_t role in CentOS. * explore SELinux or some other solution for untrusted users (like LXC):

  • http://magazine.redhat.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux/
  • http://fedoraproject.org/wiki/SELinux
  • http://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/index.html
  • http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
  • http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-four-customized.html
  • http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
  • http://debian-handbook.info/browse/wheezy/sect.selinux.html

  • see also Linux containers: http://www.docker.io/, http://pyvideo.org/video/1852/the-future-of-linux-containers. see also http://www.ibm.com/developerworks/linux/library/l-lxc-security/
  • Here's another crazy idea for managing diskspace: per-process filesystem namespaces (like http://glandium.org/blog/?p=217) along with copy-on-write unionfs mounts. When a sage process is done, just throw away the unionfs mount, and poof, everything is gone. See also http://www.ibm.com/developerworks/linux/library/l-mount-namespaces/index.html or http://blog.endpoint.com/2012/01/linux-unshare-m-for-per-process-private.html and the bottom of http://linux.die.net/man/2/mount
  • Make ssh more secure: http://wiki.centos.org/HowTos/Network/SecuringSSH
  • Polyinstantiated directories: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/polyinstantiated-directories.html
  • rate limiting for incoming computations and permalink requests, both total and by IP. This may involve upgrading HAProxy to 1.5dev: http://blog.serverfault.com/2010/08/26/1016491873/ or http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ or https://code.google.com/p/haproxy-docs/wiki/rate_limit_sessions

• Have a pool of user accounts to execute code in. Have the forking kernel manager drop privileges when forking and switch users to an unused user account, then clean up any files by the user when the computation is done. (see #233)

• Get tinc working for a private network between database and servers.

Permalink database

• Benchmark the current permalink server. Possibly implement a distributed permalink database server. Right now we use a

tornado/sqlite server. * Make sure the permalink server restarts if it goes down

Reliability and Scalability

• Test taking down a server. Do clients automatically redirect to other servers from HAProxy noticing it is down?
• Benchmark a test setup identical to production setup for throughput of computations
• Automatically expire and restart idle workers. See #391

Interacts

• look into putting output in iframe to avoid all of the styling issues we've dealt with
• interactive 2d plots using Matplotlib's new tools
• Diagnose the error in this interact: http://localhost:8888/?z=eJyNlVtr2zAUx98L_Q4iL5ZS1bPdlkHBY9Ax-hTG6FsIQbHlVKssGUlZkn76HUlxLk4bpgfZupyLf-cvWbSdNg6pVdttEbNIdej6quYNWgg177Tczo3WzuJJyzaoRHkGjRqm3mBQ3Pu3unwxK04er68QNCYlrDwx47gVTP0yul5VDo_dqpMcT6e3Oc1nszH2Lm5yQkg0m5RgmFbM1EIxKdwW7xZEg0Lob5NdgLAbZspJHL9zwyCi6lLedmAXMh1794TWbtvxEpYq3UL4zc5n7BttkKKwskBCIQ4EwJPjGBIhR7EgAYXKMsQ8mvZtYTh7O9npcQw2BYaV5k1jPbIxZON36TY8hHI4owW14p2Xeyi3-cEHl5ZfdOm_4LDucUxV-P5HrMBZeJ3BPo_IW-Y1PnJAUhONDXcroyLOwOg75AaDykU9zLHy1KdeAfTBd1ELRdZP7GayWdBHaaWoucE5vYMFCi7YSrqyuCc93c5ABJQ8MVmtJHNCLVHQGkXCobUAITn2xhHrOqM3aUJ9_C8QiCaWV1rVNjnx86Idk17IC26QbgIlpVvBpH1MaDHea46i0ZofBYjlkNtRiBB9_nYe7QdnoPR7Dgdgp6hOOhh22pcTvYsO-ypzJjH4IRQGomXLMCCx1Dk60eKe9W58AF70HHve0O9hZuRYqaeaDbZlNpROYDX6Ydh6z9vDigx6ZgHaaGApXWpf9Ro3Yhk-4YFcFul5dRthLEwFzAVNLhbbkwz7fMXJsOR9A6LFhToVw5vqJ3wXJ_-HRBvAzusTJuk5lOLTwhcnlS_2pYc7R2pTJuA8QbTHeT9IC4PvG--ffI59KJteOjVXFu7QeSe1wwDHltOM3kftFP6A_vWEcJbewRTN0vxER0cqCrZnIhqQsxz-H1rBzaGDAXIaWQ617PMIAvNYR-d-PlBO354p2vB6yUEj2_BE8Z5_FdbppWFtUX9-zmhIHfu6-DdC92_ES2HJS_8vSr9SBN2MoqPBjCptWr77r32cW8ucEZsIGMJKvcTPhFYt68rkD3dJJOw7eihcLCT5B72dHfI=&lang=sage (Click on 100 bins. I get: "/Users/grout/projects/sagenb/sagecell/receiver.py:43: RuntimeWarning: divide by zero encountered in log self.dealer.send(source, zmq.SNDMORE)" below the picture)
• Implement IPython comm spec. Here is a working example:

http://localhost:8888/?z=eJx1UsFq3DAQvRv8D1NTiARGSQ69bLJ7aEogUGghKTmEImRbXquRJSONk5pl_72S5XS3W2IQlmbevHnzJD95xr3YSs5-iRfha6cGJEVR5JlqyQfslGfP0hmpWW37nvfCBLBjKNxWon86Q-nx7CeFXZ69CAfYCVzHqqt0fgjpR9UELKyhHU2NyhogkWuugfDNTWIkQOLv6iTMrOG935KPbHD290TmRCdMo6UrZxil_9QIrStRP_vAt1N2GCtYwc6OOIwYdgcagQsNT8lylk_3-8AWV54d5McitDgN8q310UAkyPt_HOalacgOqtXlBezLE3H0b5N3TXZyqzxKx5PbJJldwt33CTtr2IhKeyb0q5g8N_KVHOTOjuzzLNwkzbPW2X62FlQ_WIdwH_hvpNY3IRYlLO4fh0lqyo3o5Tp1pgmY5mpUjUSslUHyidKQamQLizWzH6tkx-ACBDYb8PGpcY-NdI7zEgLmGHFyLCx2wWOPY9syxoqU67DXpLiuNp-_ff0C9w8_bm-vz6tNnHHRtryVRch7ii8vZsl59geYrfhK&lang=sage

http://localhost:8888/?z=eJzNWF-P4zQQf6_U72DCreLslWxX4l627QpxcOLeEBzwsKwib-O25lInsp1tq9V-d2ZsJ3HSdheEEFRqk47nn2d-M55kpcotWZbbLRHbqlSG_MzW_D0vivdIY5rgdTzyi3Ut8vFoPFqh1McfD2ZTyrQ2otCpUUyYghvdKPqB6U9I0xPyURq-5mpCfpFiWeZ8Qr4tywLp2jC5hP8fipKZgd5c6Kpgh0bfJRoej5YF05r8JvI1N7S1kdyMRwQ-himgZ5JtOVk05mi0s-xR4phEHqx5Ws5XJBN5BldWF4ZqXqwapfhR3NRKkthp-upCx-TChiPFn69pkm743rG7XxvTRbtFinEMbeH6WWs5MwyEkZzifX_lLhZ5fN-sY0YGXqItipyTMCALyx4QktDfbypVVlyZQ-cjajgXiKfnRtgl5Ccm19xnxV1eSYlCgSYjWyFhzYKATlVDZPuWeD1tyY-sqHm78K6la8Orjr-hZp_5QQP5LgYb8YTEoBUvVgveoFh875mFzDZM5gVXIIIYpR9YofuBstkDcQHh4RlwZ3WFtzZSE4L7nJCyyOGW78LIiZVLmNvArfsD7gQsNsBMaE5-RabvlSoVjZzARU74fsl5rm1kLvIIEEg7jZNWYZL0jIIbZO4Xhfzr1h54Ue5sas7aEjK01bdaGscUBHVg2y774B2HGOSEyTIf1svLzzsAkg4DqmsALA2Q59xK0la2lQqE0CgWX1rKbKvXblfOQfwfsH4JYF8LAIgiwGsbXLbcoDnCVkhFKyF7aTZc7TCgvrAdWDVZMhkbCCjRFV-KleD5wKGBfufUKZT5yFtY_6P6BQU3EDJmjPIhBkpCVqXCG9haYOh5mJwA8b2EtLHVXOa0bV_O0TC3ilfK5_aEc9HcJpXQi_R6lRD8vWl_bs9isasAf4e1fQSsLtV-35j04Sb6neCTqvlRcwaxu3hZwtEmTXx_FyO5aST4MeowwPvJ2A54fPV4NtR5gsG5OcjdxJ0NcHcfYHglJCuKoScn9mgbXRCFg4bw5WVt0p0SkOv4d-UOPZuzk4yrotabE5Vsk70x2-I44ZUS0vWJYxBE0TwXj8SeL4voQke38ysg3MKCd6M9-wLMu6Hh-EQN6YNkdy1oPMLtZBpmoCz9gz0yvVSiMhRM4uIjU-FBB1Fb1XJpRCkJRdg7LJEnf_BthE79GICXWTcYNL3nTQpVuz9Qy9oBc2Jlk2QWKoI0PrDlZzzMnoJOW1b1A7kJSfiBdFS1AfopC27RG-nkfJU_z3Crrd0z56c7NkMHu7JIfVVYUshiB6-WGf6GizgkQHop7tr5EIQad2FKc6h4w9cLfhtzzJBbfEMjuEkj8rax3YQTyoviUsHl2mzIYrEg0yQMoAegrIvCizz3JaGochoJCVGMkvN6XN4Uxw5uxx0UTvoqvS1YeGXboZ7e3uHMQbVhBBqmNzSeWy-hctw1TlLbNWLUiXm0rHHjlA2fy2ObpllYYtjCKHKJxXRGBMwVLUh8HID69m0vDMiO_WzR8d6JBjo2BuiD82vQxwaxsnzQ9O1s67p_0nPPxSJlVYXnT2cBwDDXFZNXt5AvlufvsafQCCAN_w3fG6cR5xknlBzrsNbPrp6zwPZ9CzCdvajjQaGGv2vGhqJnyAXH65mF8SsljdyUEU367cHK-AkkD3rQ83lU9kR6sOSPpodJCbPkws6i39lmGxQjLn3lwAHbMa26OYGxvwelqyuYxIqDnz8If-TqQKbpNTxjQmTHI1jvF3EfQF13OOo4w9I5KvPjCnl6nv2LRdEWAbBUTGnuHmz6tZIMKqRL_SkprJxWotsg4ik9VQpnOE9A-jTnOVT2jrV2WvTPq72zrsfaw8YCAfVKy-wO1B4ywzM6SOdLB5dnCcivQAlh_UXYll-C5EuY-x-03f8eKecav0u-356SvLBwyrZMwgCn0ubpLXOvIKg_7CaDN1es2LGDzqA1hc-StlBg7rNTIQ7I4RsOIKrm_ZSbG_1Lqi0zGwCx2PKWJOttdcA3abIaj_CNhqzSQkjY95LTqZpc2697v4HZejdVMLNQ4NJC0n1CLol7yYEgkPhU0Ezzqi112pxbaDnVBecVnabT6TuV_AkvV77E&lang=sage

http://localhost:8888/?z=eJzNGWtv47jxe4D8B9aJISnrle27LlDEcdDe9hZ3wLZXdNP2Qy4wGIu2uStTKknF9gX5750hKYl6ONn0WrRZrC0PhzPDeXO0ktmWLLPtlvBtnklNPtE1e8_S9D3CqCL4fXriFouCJ6cnpycr3PXjXw56k4m40DxVsZaU65RpVRL6gaobhKkR-VFotmZyRP4m-DJL2Ih8l2UpwpWmYgm_P6QZ1SPykSvdop5wlaf0UFK9QPanJ8uUKkX-wZM102HFKbo8PSHwp6kE-ELQLSPzkmk42Bn0QWSReOKtOVjCVmTBkwV80yLVoWLpqiSKf5LpQgoSWEpvhyogQ6OUGD9-G0bxhu0tuv00mp1XBw1Rmz4vXD_KLaGawmYEx_jcXLkNeBLcletol5aUyCtEzJGvkLlB9wCRL-_vc5nlTOpDLSNSOKaIx6dyszXIX6lYM2cV-_WCSSRuKC2y5QLWjCuEE1kC6b4CTicV-IGmBasW3lVwpVle45fQxRd2UAC-DYBHMCIBUMUvQwUfcFtw55C5WGyoSFImYQt6aviBpqqpKGM92M5BPWwB2Isix0ejqRHBc45IlibwyHa-5vjKGswe4Nr-AHE8FKNgyhUjf0ek76XMZDiwG4YJYfslY4kymhkmA_DAsKY4qghGUYMpiEGu3CIXX8_tnqXZzpjmKC8ufF5Nrpm2SJ5SW7zNslNeV8Wwj-vFwqn14uLLDhxJ-QpVBThs6HmeFSuKq73VLm8TMsXgizOx2Kq1PZUVEH97qGfg7GvIS-ANgGvS3GK5QXaErhCKXHz0TG-Y3KFCXWBbZ1VkSUWgQaFE5WzJV5wlLYFa9K1QfV7mNG_c-lfFLxC4BJVRraVTMUAissokPsDRPEZPbeN4Ht8wSKVbxUQSVunLCurbVrJcOtv2CDe4MkYl4TCeriKCn5fVx_VRX6wjwD1hbHccqza1OzcavX2IZia4kQXrJGfYdhssMyhwQgd3twGCy0SCf1oeWv7eq9sWjoseh4Y0exCsmC3bjWxtgKc7z4dXXNA0bUvSc0aT6DwtHBSoL8kKHe8kB1sHP0tb9IzNehFXaaE2PZFsjL3R27Rr8FxyYfNE1wkGg6uEPxBTX-aDoRpcX40BcA0LToyq9nk-b5uGbkX14S1j1yno9ASPs1DQCS3iz_SBqqXkuQ6BJS4-UOkXOtDaqhBLzTNBQnR760vk0RW-DVexawPwa1Y3BmXuOY8haveH0KDWjjkye6No5hMCM97T5RcsZo9eps3y4p5c-iD8A3PkhQZ4Hwe76JjU-1yUP83wqBXfI_XTlk1fwDosYhcVBuSjmMarQoaf_iI2CWDeEE9tZfBUjafQmT7krMRrKL_SOVrILp6HA3iIB-RNybtUJ4RXiEspE2u9IfP5nEwiX4HOAUWRpm7LU3MnBFUSDrgALQ6i43Ss3STDDG7aHdwcNUk6XrDwwrF9Oo2zQ81Bsr4GSqTzMLgyUkLk2O8gik3WCJAm2tGgBqVQRn3WjpWZZn6IYQoLEYvPJzPCoa-onMTpAaBv3jTUgOiYz-Y17i0vXcfoAGWwcrXyWEtXBg-SvultbfaPGuJZXcQ0z7H-1BzAGa5UTsX4GuxFk-Q95pRwAC4NvzXba0sR-xm7KerSMNyPrh7jQPdNDtCdPUvjXiKF17IxqmgwsspxdGa-_jIRDmyXMRg104PZ4zqQxMtBT8e9srGl4ZbsQTd8UkAvOTe96B9NsvWCEZfeWueA4-iK3BWBtr_hSuMxdGLpwfUfhD0weSCTeAo3TdDs6QmsN4O46UB1duhknHbodMK8GyGPT7P_YlBUQQAoOZWK2YtNM1aiVoTUpu_bhZFT7agPiP4U94XCEcwel-7HPOaVjbJWdYvuvtqodQ3Uhm_M0aFeSJl1QW14pl-jPXM-V7gcigd-wZXQrX_jp-XnXPI5n_s_SLv_e085lvit8d3xpGCpcafFlgpo4GRc3t4WdgQRumI3as2vaLqjB7WA1OTfJU2gQN9nukJskP0JBwBlOZ-yfaMbUm2p3oAT8y2rQKLY5gecp4n89AQnGiKPUy7g3EsWTuRoav6bMQYa691EQssSApLiItxH5ILYGQf6gMBLQdnMyyrSw7JsIeNYpYzl4SSeTN7Jqhk_gz_y4eNPN-T7Pd3mKatnaZAidO_kBqRk2PvhbK5s6_unOcEKaOTwP-h0_2qT7V66KCZ8qUPDzc6ozGPUIYUM3H0HbniHDkGzrayZKQr9C8_D_QjSZLvlN1J1RhfIZJkyKvsFLvVxe_cMtV93FbHcX3WFKieT5rLEE3NTKi9NaBY3-3SXp8C_Oj173TnHpPbJAoLxeJmIz5CZ06xIVimVDM03pp_pfpzyezVGTuNJ_Lt4Ov78zwLKcowQTA7xZ2X6S9O66EPKCCbneYCxPl4qFVyTuJbzkcC33lxi6R_OyIbx9UZfkm8nk3w_e7oaGwqm-TFmvsnCwYbRxOVKzHm1O_9797P6ptKuCPWF5XV3OJumarleV6JAApWlLE6zdVjPp4ArRgN0-GeBd8UZdYW2wVS2cV-fLKuQfiZf1mdqpMtVqu0kVtf5EmB-xuxJhO_k6Js6D1YJ0G41p92PKmgHvMyUBdt_r35PUb6P-IM41KnxE-jupy1b05vuq4YM4f6EvzGI_LKbm6wGATCHVCxNgzqf2ke8PAN0Co8mhc-nAAbbQduT7RYiE2zuz53REj6jWrGwRa7VPCzz25mbNBYKoqw67o7D9dSVISnBds7RgeafgZf9dWj8wtmQOaDXcHkTIi8zWazGPeDFSbhJQJ6R8VZwYaH6uUztsfWnw92ZcG23zki4Td_If2T-2nO26tVBm47ur-zf1C8u-k7uiWCLeY8azghc9MgPN3_6SHSGV1ySZNsXy8kZYUIVkjk_VSlPcGKtSCLpTvQqoTmKr8se9t24C8SefFUdfaH626ug6VXww98PfbNxMwJ5sbwYNoWIoPmF0Gm_xjBF8BnBgVRr1dSnoyXdrFYNR-xeLcSH_0iVP-LTLxf5wo5ETRG0FfQtTflaXJIl5HsmZ3BTEPqt4r-wSwKuNxzOgutzdLSfrRvo6Nz2AVf38nqo8PPcLp1fEmwcytG6Ob8vUTTyXaWxAicBFhmo0cuXDujw7bu8byeyAXWv7KYl9EgMTU0IGYxKc_8CrYzxbA==&lang=sage

http://localhost:8888/?z=eJzNG9mO20by3YD_oUEHIGkzzFzeBxp6CIIkyG6QDRDv7sOsTLTIlkSbF9jNGckD_ftW9UE2KeqYSTxrwZb6qKquu6vJHr7lYczpisXhR3pHedJktfAcx3n54o42hDPOs6okMyLWGX-nBt-vG8b-_sd_snTFBEwt2zIRAOUlVVEEpOArnzy8fEHgg-BiTUVPwIwmNM8XNPnEYeohq-p2QSLyULWibkVEvgnrptpsPb1-uKZlmrNYTQeGLX-3syim2R3QSpjnQMsJyAMX25xFxFlUTcqaiFzVG8KrPEvJIm_Zu4I2q6yMLt7VNE2zcgUtZ-drgt94QMQPOc3vWh4LlPgj90C0MKlKwUoRplRQA82ZeJ8VDNjzOmWADlDysFp8BLY0PUTyXEX1W03V9XcBubq4uPANMSWzEhbxAlK2eW4WU9_ffUd-qhpSADBYj5NlUxXk961Yg7VERXpjviP3jKRV6QrScibNQLJS_bINLeqcKYpovbAqYxCyl8I2pgIqQYUszKuVnHvXT0kbgHwg7VhPIyixrRlA4UwIoDH2LZCU5Uywg9PZ0sOR2WzmguHcAXv4MVoPYTa-TlcNrddZwmMY8myj4WdHWA5KyZako9mwErzlCFkFEPOElewcguAc8bKhBTtCs4OZILhPkZZZQcUxehpin5pqdm4OfXSE8BNrSpaH6AJxQUvwqAbkXGVcgKQCAoUJzzX-GpBflKOFrchyHtL8nm55XLJ7b5AafFwFUgn49csX0j-RPsmKumoE-QMW-YHl-Q84RjnBXw3WthCjGgzbNziPjZcvyqpkWYn5JKfFIqWkhLRRonbgi5PfYFrrqxReCSsnOeXcpCwPdMMS4UdK-pQtSRxnZSbiGFJNvgyIMi5rZkgpIPdZKta6vWbZai1UZ6h2-ZHmm71vWgBNoNnQOAX90TJhs8uL8CIgmO5WTdWWqaa4rEDH9sDr19mqhMHUcKjyQb4MQSEzwkXjoRo83x9NS8XOpA6lzWcPrpHEjUxriuupjyuldiOta092_bOxlZ56dNU_H3-kPDda5hUV3mj4fHq92t2ob5-N3hsJOOnaZ2JDZlfRE5foHV0ITdnP5F45oNpjsNgkM7D17RzDCqfQjS1ctQNbDtQn5VtXZ2V3fuvisDvvwTbBViflW3fjzgPd3NowdYPB5wGo36_Nwb_6lWW6VsgDJnCfd828G3WgOwsmbOu0S1tTKpJLpdbakOP10kY11ynG0af7lNvLYx846IHCGCqMBHbP-C5j97D9x1WNOx73JOpY8TK6gQBOhjIbqpQe_EQh2xy0U0jrGlnu1x2DSonkRgYViwv5yY164FhU8UdelXSRM5tGQA77H0RvwxRzUYfbs93P-v5un5luG2roPWacXnifkFdE2Qf2GabyXW-Iwa6oLALRkqiMuJfOlNR6q0XBJawMsITtfNuze54U1U2RlTpdbgq60c1tP7rtRz_3o5_70aTKK5PgUc49FnE3qcTIlNFQ5ciG4kAtrtZVS6rVQH3fXgaXQffVE8AdakRv0WnbLHh7MQ8XmGvQORfVxvOfwMECqMA_2HxuL00DRi7NyKUZuTIjV_PhMmASssKKccTdZTSP9r0QxVgdZfts1r1DPg5AnqSghYNwAAzPSIhkD-8OiGxUgEvbyHLoLGTQ1ucRshwC5M558WM5e18GBuOyrf-4KJfZ8TZqBRcF6seO8eduLXQtnbu10I-L53620LV87mcLXQoIYzKC3Ej-QBeDyI3w22QUK0HrSlSnhJrrwOOiqnWzqOBgUt1B0XUkV5iaVyaLmvflBXSQJaTnRvgNnY6iG3VNlVVkRllX93AwiOu8EnHL0U_NAW813jsO-zMkib1SRaYNCBWkMNp8bveA50D6iryWHnRLF9zb-DLYNkghByjpav4b3byc-3O9NJa_pqLV7GqeVM0sMpOZsRXynLHauzbIVpY32cGEjgkMEw3G142Dy2xp73gCD1mW1rpRbXU90DDRNnDmRAu8fKG5xHNriDaQX7AjZ7AbbOIlTVgMLB6G42taM354fkE5O4V9pY8achrq6jYBDlkIJ88CyiOjyB9V1zhOt51ujHuAE2TgQMqiUBYZDNuJtfA6foca2RjSB_b8GgkpDCgNYnSFvdKvpg1n8nQL_-2FiwpO0hrcjKGDZYIV6GPy4FnnmfCc_5aOP8rmIJoDoVOI3EFgRJrI96Ko9cEEAVCTWT04nliAhv2H3cR0s52gPkZ00KmajOaynHYi_A4c9JhrJ5I_qnejejeq91b13k4s26nJFGpmtQkJ2CZhNRS__6Z5y35sGkh9_yplZvi1SmguR8ZKNJ8aDqH7M5LjkYHsuZsjc28PzFnqmpouVRkLUNr0PoS2CksbDI2__EvsLsO5bPF0mrPSsxaeAgbvlAnUAjug0Wzp9aRnN4fAJK8Hfctm8tq4AG4qYoo789GO0PvBCerK-NMwLB8K8rc_L8jbLyzItBh7Be3jGb95NgsMQv7PZpVBwafzulygD6s-TQu2wY1GJfZOPWoQSoNkHLd6Cs-udWjgYHe0q2o7pze0XDHvIpCxpnH9sU8ZOnWFQWzAQuiOi3WM63KlI91CG4HJ1Wca2uwpnqNyiw2o04_KGQosALCLEZgsLHvWcMVQjo3kgFyndfbg2LaTsI6qT3fTsiOenfSxP2VJG942Jz7TkfQ9uaRlGlvbJ0wjwfc3Xnv6FtHnt0o8KBlnUodTWWKsNAtZ6WNiO5AT3X4he1gHqsalaVzNJ1AXDaOfhsMHssBwkfmeivv5_XiB8mMYKzAgYwF-Y3RKyxNpnscmlI-UPYB5ouwp2f0XKHsmd-vDZU9vRZR3lDymcYwHHPHN5yhrzqzl7IClxSKDstmJdCMgDq9Z0uYUwti0YDDNlksoSp1IN2Aoy_O2cCL5I4mjA598POvwdVZmJeMc6Jtmh-5UNU0ysXUi3Yj1erfX86PZxXxsV3yW0nJ_TmvygOMZnR6Y1uIemO11fYj6QKMHgIxqzwA5zs5TS96BSBD2_6B_TcV7fhF7vC7SFjT-ow6QB-uix9REUz4jNcC_Lg0YL31OFaRflwq06z-jBlRC_aqU0CecL6iHKV389rUFxCCxPqNTfGVRMdoYnkER-_yYaks-n61D2PLxjY0uttRxJWxWi4EiJjZ68r0AfS1awSa3-dN8PKZSfFSF-HhmDfnxNvxqT4r_ayH4BYq_EwXf3pnHhrdPPUlV3rFGxMNn4cMjkBxdsapg4AydyfEBcI2XfwYOZ52H7ANVD4CrwUoWOdt4eHlNHrck3enz1OnHyHdfV_IYifzFkofpFVt1B_DBGVhOPT_quoGDtyGcyB2a3g2cEb9ONBoIugdYTmRau6Gt8D4UubVe_uNLMsbX7vgdLpirDmNIBw2N5Z2JjMuXWvimbkLgO-kcFry8ZADRiPATigTydydIdhq7ZfiGrHsVcucP3HKwAUp4fyqOMLNdp_uP267TmLeLWBnGJO8hSKzvyuhHKj1GqJ5z9dAm7TmvHPJmDIyp1qRjP1yD3eSmYOeEV4S3tXzhJG2FyiT6Noq6iKBmWSpfw9MVs3M0ah6A-dgStgOUgmef5YO3EqzToeiLLHoafOLyyveHeOiGOjyn8HAafel79DnXRsaLooKWItYrL6oq3yMxAAI68v3vQDV97KjocFCVzlRaVzORbblJsLqCrK_37OF7XXmVYArFzvlTAL0qItOaBBuKGw26B-kqWNPaPSUIctjghiEwxtXq1bMRcRBlUs2WHsGZuKMR6lD1j6KIdZZ8ktsuovQvOcNu4uitPm2HjkcZbfWhADtKiUICv4_XjEJdGynfhCTQDfq7ST1KEc9TZKQVdFyHeZU4SnvQOgqJtkeqapOC_Q_6ZynrpJ6mRU0qqL9KKu-A1-Mn2vKGgkyao_ytruk33saXL7qnypoSpgcEh6_QTSoOpl_rh-8bWnLgofi5qdp6v_48UD1ZCXP_GbXh2qztSwSb_Q7iCOMTHA_ZCH_B7k_Q-2P4kgA_3aPwKQFs7k-vqi44hO_B1CdWUTvV46ifYYU9WcDmT1jk5-5KxDmrWA77FHVdhb9CxjuxBibFpxH_HXPBCeoyXzxBT783WZGJ7I79c3C5_dGetRcXDc04gzJN_IJ_JILXWlgqK1_PaUsVEqn6Ww4nkL8QH1bg9EGj48nixqTNly-W8jLxbPN6--HqO2_z4erN9sMNgNczJaO3DADi2-vg2g-8rW4QeXVL7TizS_mXM0cuddX-_wBvckJx&lang=sage

Frontend

• Extend codemirror's multiplexing mode addon to handle the string decorators (including end delimiter syntax, which probably involves extending the mode to have strings from the opening regex substituted into the closing string)
• Change output model so that output of a request can be confined, and the browser knows where the output goes (instead of just trusting the python side to send an output id). This would help with displaying errors, for example. (see #387)

Fall 2013

• [X] Revamp the timeout mechanism: - no purpose to linked message attribute---just request a default

  timeout when the kernel is created

  • To set the default timeout from code, we should just have a special function that will deliver a message to the intermediate zmq/websocket bridge to set the timeout, instead of surreptitously adding timeout data to every message.

• [X] Implement submit button for matrix control

Summer 2013

• [X] new interacts, maybe based on William's system

• [X] string decorators

• [X] (they are in my github branch, anyway) get sagecell patches into Sage

• Configure and deploy CentOS images using SELinux, a cloud database, and nginx for static assets. Kernels should be tied to different users. Rate limits and request logging should be in place. All things should be proper daemons with appropriate watchdog processes. * Virtual image

  [X] sagecell server [X] sage worker account and ssh setup [X] tar up sage install so installing it doesn't involve recompiling [X] Make temporary directory writable by both the worker and the server (maybe just group-writeable) [X] sage cell config [X] Figure out permissions so that sageworker can execute sage [X] Set up http port forward [X] snapshots so I don't have to reinstall every single time. Figure out how to make an image that is based on a single base image [X] Figure out appropriate firewall rules (lokkit --disabled to disable firewall) [X] permanent and temporary disks for database and tmp (leave tmp

  alone, just mount permanent disk)

  [X] diagnose and fix network problem when cloning:

  http://adam.younglogic.com/2010/06/eth0-not-present-after-libvirt-clone/, http://crashmag.net/correcting-the-eth0-mac-address-in-rhel-or-centos, https://bugzilla.redhat.com/show_bug.cgi?id=756130, We now delete the hardcoded mac address, and then delete the automatic generation of the eth0 rules.

  [X] quotas [X] immutable .ssh, .sage, etc. for sage worker [X] clean tmp directory (added cron script using tmpwatch) [X] use systemd or some other service to keep the cell server up

  • Final solution: use systemd and a cron script that checks every 2 minutes to make sure the website is still up. This is way less complicated than monit, at the cost of a possible 2-minute downtime for a server. If the server crashes, it is immediately restarted. We could make the polling interval smaller.

  [X] Nginx -- installed and haproxy points to it [X] (right now, the sqlite solution works great as a separate

  permalink server. Re-evaluate after benchmarking. Figure out better(?) database solution.

  • benchmark the current tornado/sqlite permalink server solution.
  • estimate the load we expect
  • examine postgresql, couchbase, and cassandra for backend
  • examine node, go, tornado for front end
  • build centos-derived shadow vm for db server, probably separate from sagecell exec servers

  [X] Add google analytics code to the sage cell root page [X] Better logging: log for web and service: where computations are coming from,

  compute code

  • log to permalink server (requests made from server, so should be fast; this means that logs are stored offsite from the untrusted images) we could also just use a remote logging service; centos comes with nice logging: http://www.server-world.info/en/note?os=CentOS_6&p=rsyslog, http://blog.secaserver.com/2013/01/centos-6-install-remote-logging-server-rsyslog/ (log with python logging module: http://stackoverflow.com/questions/3968669/how-to-configure-logging-to-syslog-in-python), http://help.papertrailapp.com/kb/configuration/configuring-centralized-logging-from-python-apps
  • make logging address configurable from the config file?

  • log:

    • where computations are coming from (embedding page URL or requesting IP address if /service)
    • type of computation (/service or normal evaluate; should we also track interact changes?)
    • date/time
    • kernel id (this will track separate computations)
    • code executed

  [X] Set up centos servers on combinat [X] Set up test servers

Christmas 2014

• [X] implement IPython widgets in the cell server: http://sagecell.sagemath.org/?q=rgppxi (including my new start of a three.js widget)

• [X] install haproxy dev for ssl:

  • compiled haproxy 1.5dev19 from source and installed into /usr/local/sbin * I installed libpcre3-dev and compiled haproxy with make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
  • make install
  • renamed /usr/sbin/haproxy to /usr/sbin/haproxy-1.4, and made /usr/sbin/haproxy a symbolic link to /usr/local/sbin/haproxy
  • sudo apt-get --purge remove stunnel4
  • modify /etc/haproxy/haproxy.cfg to take care of ssl:

  frontend http_server

  bind *:80 bind :443 ssl crt <CERT_PATH> # and move the pem file to <CERT_PATH>

Spring 2014

Look at executing each statement interactively (conformance to Sage...)