Access management

This page describes the sharing policy for the resources in the cluster.

Machines in the cluster are classified into compute nodes and network nodes, as described in cluster overview. The resource sharing policy is different for the two.

The following design may be subject to changes in the future, as the cluster is upgraded with new compute/network nodes.


Compute nodes

Each tenant has one or more virtual machines (VMs) on the compute nodes and can log into them independently. SSH login to the VMs is always enabled. VM images come pre-configured with the Intel P4 Software Development Environment (SDE).

The virtual NICs (vNICs) of these VMs are bridged to the 100 Gbps dataplane network, so the VMs can communicate with the P4 switches directly. VMs should be the preferred way to run experiments, although for performance-critical experiments direct access to (some of) the nodes is also possible.

VMs let tenants test their P4 code for a Tofino target simultaneously, without having access to the physical Tofino ASIC.

Network nodes

Intel Tofino programmable data-plane hardware lacks the support needed for multi-tenancy. Currently we do not implement any mechanism to overcome this limitation (see also About multi-tenancy in Tofino switches). This means that no more than one tenant at a time is granted access to the Tofino switches.

The Edgecore Wedge100BF-32X switches available in the cluster feature on board:

  • an Intel Tofino P4 programmable dataplane ASIC
  • an x86 control plane CPU

It is from the control plane CPU that P4 programs are pushed to the Tofino ASIC.

A tenant wishing to deploy and test their P4 code on SUP4RNET Tofino switches must first reserve a slot through a dedicated dashboard.

Once a slot has been reserved, the tenant is granted exclusive access to the control plane CPU. The tenant can then log in via SSH using the account they obtained and perform operations on the switch.

Prerequisite: you must set up the PoliTO VPN to access the dashboard.

Isolation between tenants on the switch is implemented via Linux user accounts.

Testing P4 code without access to Tofino ASIC

Although the reservation mechanism for accessing the Tofino ASIC may be tedious, you can prototype your P4 code on a Tofino emulator before deploying to the actual hardware. The Intel P4 SDE comes with a register-level Tofino emulator that reproduces most of the pipeline features in software. Only some Tofino features are not supported by the emulator.

For all code that does not require these special features, we strongly advise testing your project on the emulator first and moving to the actual hardware only when you are reasonably confident about the correctness of your code.

This is especially recommended for inexperienced users for at least two reasons:

  1. A detailed log is available in the emulator but not on the ASIC
  2. You don't block any other tenant

About sudo privileges

All tenants are granted elevated privileges in their VMs. By contrast, as a default policy, sudo privileges are disabled for all tenants on the switch OS and on the server OS. Any user who needs elevated permissions must ask the cluster admins. Only if strictly necessary, sudo privileges may be granted for specific commands and revoked when no longer needed. In general, alternative solutions must be preferred.
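As an added example (not part of the SUP4RNET documentation), a small POSIX shell script that turns this policy into something checkable: one helper builds a sudoers rule scoped to a single absolute command, and a second audits a sudoers.d directory for blanket ALL grants that should be revoked. Tenant names and command paths below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the SUP4RNET documentation.
# Two helpers for the "specific commands only" sudo policy described above:
#   scoped_sudo_rule   builds a sudoers line limited to one absolute command
#   audit_blanket_sudo flags drop-ins in a sudoers.d directory that grant ALL
# Tenant names and command paths used here are constructed placeholders.

# Print a sudoers rule granting USER exactly one command, run as root.
# Rejects the keyword ALL and anything that is not an absolute path.
scoped_sudo_rule() {
    user="$1"
    cmd="$2"
    case "$cmd" in
        ""|ALL) echo "refusing blanket grant for $user" >&2; return 1 ;;
        /*)     ;;
        *)      echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) %s\n' "$user" "$cmd"
}

# Report every rule in DIR whose command list ends in ALL (e.g. "ALL=(ALL) ALL").
# Returns 1 if any such rule exists. Heuristic only: visudo -c remains the
# authoritative syntax check, and rules with trailing comments are not matched.
audit_blanket_sudo() {
    dir="$1"
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -n -E '^[^#]*=(.*[[:space:],])?ALL[[:space:]]*$' "$f"; then
            echo "blanket sudo grant in $f" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration on a constructed sudoers.d directory (not the real /etc/sudoers.d).
demo=$(mktemp -d)
scoped_sudo_rule tenant1 /usr/local/bin/switch-tool > "$demo/tenant1"
printf 'tenant2 ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$demo/tenant2"
audit_blanket_sudo "$demo" || echo "policy violation: revoke and re-scope"
rm -r "$demo"
```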