pcp updates: client certs, perfevent config

To: PCP <pcp@xxxxxxxxxxx>
Subject: pcp updates: client certs, perfevent config
From: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon, 23 May 2016 01:13:29 -0400 (EDT)
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <1213751760.49213774.1463980318673.JavaMail.zimbra@xxxxxxxxxx>
Reply-to: Nathan Scott <nathans@xxxxxxxxxx>
Thread-index: 2e6YKSLZOsfuMyIiQSHVJo3JIn3/Tw==
Thread-topic: pcp updates: client certs, perfevent config

Changes committed to git://git.pcp.io/pcp.git master

Martins Innus (28):
      Pre-allow self signed server certificates in secure connections
      Add client certificate support in secure connections.
      Reject insecure remote connections if PMCD_REQUIRE_CLIENT_CERT is set
      Add client cert functionality to pmproxy
      Better check for local connections to pmproxy and pmcd
      Pre-allow certificates from mismatched domains in secure connections
      Start implementing PM_SERVER_FEATURE_CERT_REQD
      Fix a typo
      Allow pmproxy to pass through the CERT_REQD feature to clients
      Fix option for secure connection required in pmcd
      Handle common code used by both pmproxy and pmcd for client certs.
      Add an nssdb directory to hold pcp user owned certs
      Allow the name of the server certificate to be customized
      Fix options typo
      Adds some documentation for new secure connection features.
      Fix some broken logic with client certs
      Allow the client to change the cert directory
      Update hostname for __pmSecureClientHandshake in pmproxy
      Allow the server-side NSS_Init be read/write
      Cleanup some debugging
      Add a missing commit from previous specfile changes
      Fix a typo for PM_SERVER_FEATURE_CERT_REQD feature checking.
      Add some more documentation and cleanup some debug for client certs.
      More cleanups for client cert support
      Add a missing file from last commit
      QA for Client certs
      Add tutorial on new client certificate use
      qa: only add pmcd -Q option with force_client_cert setting

Joseph White (2):
      Updated SandyBridge conf to use cpu reference cycles.
      Added configuration settings for Intel Haswell.

Nathan Scott (1):
      qa: ensure papi test 967 is notrun if perfevent active


 GNUmakefile                        |    1 
 build/rpm/pcp.spec.in              |    6 
 man/html/lab.secureclient.html     |  281 +++++++++++++++++++++++++++++++++++++
 man/man1/pcpintro.1                |   35 +++-
 man/man1/pmcd.1                    |   13 +
 man/man1/pmproxy.1                 |    8 +
 qa/006.out                         |    2 
 qa/1069                            |    3 
 qa/1069.out                        |    4 
 qa/820                             |   45 +++++
 qa/820.out                         |   15 +
 qa/967                             |    2 
 qa/common.secure                   |    9 +
 qa/group                           |    1 
 src/include/pcp.conf.in            |    4 
 src/include/pcp/impl.h             |    9 -
 src/include/pcp/pmapi.h            |    1 
 src/libpcp/src/auxserver.c         |   30 +++
 src/libpcp/src/connect.c           |   53 +++++-
 src/libpcp/src/err.c               |    2 
 src/libpcp/src/exports             |    4 
 src/libpcp/src/secureconnect.c     |   71 ++++++---
 src/libpcp/src/secureserver.c      |   76 +++++++---
 src/pmcd/src/dopdus.c              |   56 +++++--
 src/pmcd/src/pmcd.c                |   34 +++-
 src/pmdas/perfevent/perfevent.conf |   20 ++
 src/pmdas/pmcd/help                |    3 
 src/pmdas/pmcd/root_pmcd           |   19 +-
 src/pmdas/pmcd/src/pmcd.c          |    2 
 src/pmproxy/pmproxy.c              |  280 ++++++++++++++++++++++--------------
 src/pmproxy/pmproxy.h              |    1 
 31 files changed, 883 insertions(+), 210 deletions(-)


commit ce871d2b02fa46342d7b33071543c53d6ea42417
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date:   Mon May 23 14:58:59 2016 +1000

    qa: ensure papi test 967 is notrun if perfevent active
    
    Previous update to perfevent config seems to be conflicting
    with papi PMDA - so make sure these two don't run together.
    
    967 22s ... - output mismatch (see 967.out.bad)
    184,185c184
    <   126.0.NUMBER (<noname>): numval: 1 valfmt: 1 vlist[]:
    <    value NUMBER
    ---
    >   126.0.NUMBER (<noname>): Missing metric value(s)
    190c189
    <    value "Papi is running, TOT_INS(5) NUMBER"
    ---
    >    value "Papi is stopped, "
    Failures: 967

commit 71e5df4d076d2920c567e0ca06b9dd1e8fc911c5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Mon May 23 10:54:53 2016 +1000

    qa: only add pmcd -Q option with force_client_cert setting

commit ddb6582d5568adf68e7b1399defb4b354d834796
Author: Marko Myllynen <myllynen@xxxxxxxxxx>
Date:   Fri May 20 11:51:54 2016 +1000

    pmrep: fix infinity handling
    
    pmrep(1) did not handle infinite values properly like other clients,
    for example the expression: "tst = proc.memory.vmrss / 0" generates
    exception: OverflowError: cannot convert float infinity to integer
    
    Handle it better, and similar example to above as a regression test.

commit 2a613adceda44417f03856b9ce5d51178b2440d5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed May 18 16:29:37 2016 +0000

    Add tutorial on new client certificate use

commit 452f59837a2a112eb6e33a45da543c829a23f5ca
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed May 18 13:13:18 2016 +0000

    QA for Client certs
    
    Ensure that local clients can still connect if we use -Q

commit 9292a178d71447dbcb1bd006ad8d4acacd57e1f6
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 17 17:43:49 2016 +0000

    Add a missing file from last commit

commit 07519d0f4d084605e2799a6d92d04aebbc797bd5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 17 17:15:59 2016 +0000

    More cleanups for client cert support
    
    Add documentation
    
    Change build process to create the nssdb dir during make
    
    Remove conditionals so protocol message from pmcd is always
    the same. Deal with enforcement later in the handshake process.

commit 314d4decc75a6f43f69b4fe78d3af7fdde8a750b
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 20:03:28 2016 +0000

    Add some more documentation and cleanup some debug for client certs.

commit 035479d5e77e89dba9c4a104d7fd80fa92c67048
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 19:25:06 2016 +0000

    Fix a typo for PM_SERVER_FEATURE_CERT_REQD feature checking.

commit cc0ee7d67cbb259f42de2149eaa7ee90d4fdc856
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 13:54:31 2016 +0000

    Add a missing commit from previous specfile changes

commit fcf13e50c5907d62bc0cf915e9cce52be75846a7
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 13:53:52 2016 +0000

    Cleanup some debugging

commit 60e2becd00d991b2b0b3a1a024aad88634bd2e52
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 13:51:36 2016 +0000

    Allow the server-side NSS_Init be read/write
    
    pmproxy acts as both a client and server. Since the
    server init path happens first, the db previously
    got opened readonly.  Instead try to open RW.
    Any downside to doing this by default?
    Should this be conditional on something?

commit 795600adfcd23a9f099169c865116a1fa01e009b
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 13:40:52 2016 +0000

    Update hostname for __pmSecureClientHandshake in pmproxy
    
    I think this should be the peer hostname, not localhost. As far as
    I can tell, all other uses of this function set it to the remote
    pmcd hostname.  This is used in the call to SSL_SetURL/SSL_RevealURL
    in order to validate the name in the remote cert.

commit 597a97c1f95bf3720f350d5325796ec3a0c39fb8
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu May 5 14:27:53 2016 +0000

    Allow the client to change the cert directory

commit 5feca757d5668066afcc8464292c2cbbe03a341f
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed May 4 17:26:17 2016 +0000

    Fix some broken logic with client certs

commit f7c364ef9e0edd198b3897458a0f2d5db44d6569
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed May 4 10:18:57 2016 +0000

    Adds some documentation for new secure connection features.

commit 389a3eecb0b2ca64c9cbb753173e833a4eff35b5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed May 4 13:57:03 2016 +0000

    Fix options typo

commit c4ea4540abb01ed0bf6bb1a78ed9d4dabe9df59a
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 3 18:57:38 2016 +0000

    Allow the name of the server certificate to be customized
    
    Add a -M option to pmproxy and pmcd to change the name of the
    collector certificate that is searched for in the nssdb.
    
    Also, when a server sends their certificate to the client, the
    original nickname is not sent.  Use the subject as the name to
    save under, since under nss the nickname:subject mapping must
    be 1:1. If a client received certificates with different subjects
    from different servers, the certificate save would fail with a
    hardcoded nickname on the second certificate.

commit 330d695d738922f18223b8cacc8a34432448da75
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 3 17:48:13 2016 +0000

    Add an nssdb directory to hold pcp user owned certs

commit 349bf9b818ea054a6764b2acd1f0176bb8e8bbfd
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 3 14:59:36 2016 +0000

    Handle common code used by both pmproxy and pmcd for client certs.

commit 81eb2fce1c1314408e8adb1f213b0e4f17cc9963
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 3 14:42:15 2016 +0000

    Fix option for secure connection required in pmcd

commit 5bd496d45b7aadbbeb34b79c160f4ff691e46382
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Tue May 3 10:34:55 2016 +0000

    Allow pmproxy to pass through the CERT_REQD feature to clients

commit caa00f95478882f7075394a0b2e5611fe1665733
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed Apr 27 16:02:38 2016 +0000

    Fix a typo

commit e6776d23162864196c032b469d9b4c49afa17a29
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed Apr 27 14:12:03 2016 +0000

    Start implementing PM_SERVER_FEATURE_CERT_REQD
    
    Allow pmcd to advertise that it needs a client certificate through
    PDU messages.

commit aaf9a474d7129fe1497b631e3f311fcc98c446de
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed Apr 20 14:13:21 2016 +0000

    Pre-allow certificates from mismatched domains in secure connections
    
    By setting PCP_ALLOW_BAD_CERT_DOMAIN, a client can instruct libpcp
    to accept a self signed server certificate on its behalf. Mirrors the
    interactive functionality.

commit 79f6652ec20bc7b111f848326feefba6d3e67895
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Wed Apr 20 14:11:34 2016 +0000

    Better check for local connections to pmproxy and pmcd

commit 1c80e4bb546b040f4f88d3ede3e0ed5eaa951c3d
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Fri Apr 15 16:33:44 2016 +0000

    Add client cert functionality to pmproxy

commit ef2e6cc5e2ca7a998a6f842cc3a10a88c650dc19
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu Apr 14 19:55:02 2016 +0000

    Reject insecure remote connections if PMCD_REQUIRE_CLIENT_CERT is set

commit 5ef137dc550b167119a345400a74a4e0921990ba
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu Apr 14 19:52:25 2016 +0000

    Add client certificate support in secure connections.
    
    By setting PMCD_REQUIRE_CLIENT_CERT, pmcd can require that a client
    making a secure connection provide a valid certificate.

commit d82c6d468bdca8a523dd0eab1a30d8d7c5850bd0
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date:   Thu Apr 14 19:45:25 2016 +0000

    Pre-allow self signed server certificates in secure connections
    
    By setting PCP_SERVER_SELF_CERT, a client can instruct libpcp
    to accept a self signed server certificate on its behalf.

commit 499fcd215e0838c1b38bdedf1eeca219813ca073
Author: Joseph White <jpwhite4@xxxxxxxxxxx>
Date:   Tue Feb 9 14:52:35 2016 -0500

    Added configuration settings for Intel Haswell.

commit ea99658071b8b27769baf74522144de9dfd187a8
Author: Joseph White <jpwhite4@xxxxxxxxxxx>
Date:   Fri Oct 30 10:14:43 2015 -0400

    Updated SandyBridge conf to use cpu reference cycles.
