The main SDN Controller daemon (sdnc) is accompanied by an ancillary daemon process (sdna), which runs under the user sdnadmin so that it can be granted a small set of elevated privileges.
The administrative REST API can be used to securely perform various management functions in a privileged context. It would be undesirable for the main SDN Controller process to possess those privileges itself, since it may be hosting execution of third-party code.
The SDN Administrator daemon is accessed through its REST API over HTTPS on port 8081. Access is secured through either token-based authentication or basic authentication against the locally running keystone server, which is the same mechanism used by the main SDN Controller REST API.
The following features are accessible through the administrative REST API:
- Adding/removing the team leader IP alias (required only when in team mode)
- Configuring iptables rules to protect team communication

  NOTE: If the iptables rule programming for Cassandra fails, the Cassandra server will not come up. In previous releases, the server would come up regardless of the iptables rule programming.
- Uploading upgrade Debian bundles and installing/removing Debian packages
- Uploading upgrade ZIP bundles and executing upgrade commands
The install process adds a number of sudoers entries for the sdnadmin user. These are as follows:
All, or any, of the above entries can be blocked or removed from the sudoers configuration. The /sbin/ifconfig entry is only required when running in teamed mode; without it the controller cannot migrate the team IP address from node to node as the team leader changes. The /sbin/iptables entry is likewise required only in teamed mode, where it is used to secure team communication.
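Because the sudoers entries for sdnadmin can be trimmed, a deployment that does not use team mode has no reason to keep the /sbin/ifconfig and /sbin/iptables grants. The shell function below is an added example (not part of the product or its documentation) that audits a `sudo -l`-style listing for the sdnadmin user and reports entries that should be removed in standalone mode, plus any entry that grants a shell outright. The sample listing is constructed for the example; the real set of entries installed by the package is not reproduced here, and the shell-escape check is an assumption about what an operator would want flagged, not something the page specifies.

```bash
#!/bin/bash
# Constructed sample in the shape of `sudo -l -U sdnadmin` output (hypothetical).
# The real entries installed by the SDN Controller package are not shown on the page.
SAMPLE_SUDO_L='(root) NOPASSWD: /sbin/ifconfig
(root) NOPASSWD: /sbin/iptables
(root) NOPASSWD: /usr/bin/dpkg
(root) NOPASSWD: /bin/bash'

# Commands the documentation identifies as needed only in teamed mode.
TEAM_ONLY_CMDS="/sbin/ifconfig /sbin/iptables"

# audit_sudoers MODE LISTING
#   MODE is "team" or "standalone"; LISTING is the sudo -l text to inspect.
# Prints one line per questionable entry and returns 0 if the listing is
# acceptable for the given mode, 1 otherwise.
audit_sudoers() {
  mode=$1
  listing=$2
  unexpected=0
  while IFS= read -r line; do
    # Extract the command path that follows "NOPASSWD:"; skip other lines.
    cmd=$(printf '%s\n' "$line" | sed -n 's/.*NOPASSWD: *//p')
    [ -z "$cmd" ] && continue
    case " $TEAM_ONLY_CMDS " in
      *" $cmd "*)
        # Team-only grants are surplus privilege outside team mode.
        if [ "$mode" != "team" ]; then
          echo "remove (not teamed): $cmd"
          unexpected=1
        fi
        ;;
      *)
        # Assumed policy for this example: a sudo grant for a shell gives
        # sdnadmin unrestricted root and defeats the point of a separate daemon.
        case "$cmd" in
          */bash|*/sh|*/su)
            echo "shell escape: $cmd"
            unexpected=1
            ;;
        esac
        ;;
    esac
  done <<EOF
$listing
EOF
  return $unexpected
}

# Stand-alone usage: audit the constructed sample for a non-teamed deployment.
audit_sudoers standalone "$SAMPLE_SUDO_L"
```

On a live node the listing would come from `sudo -l -U sdnadmin` run by an administrator; the function only reads the text it is given, so it can be run against captured output without any privilege of its own.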
The sdna process must be present and active for the SDN controller to function. The sdnc process will not start without sdna.