xcat book

Building a Linux HPC Cluster with xCAT

An IBM Redbooks publication
Published 25 September 2002
IBM Form #: SG24-6623-00
Authors: Luis Ferreira, Christopher Turcksin, Brad Elkin, Scott Denham, Benjamin Khoo, Matt Bohnsack, Egan Ford

This IBM Redbooks publication will guide system architects and systems engineers toward a basic understanding of cluster technology, terminology, and the installation of a Linux High-Performance Computing (HPC) cluster (a Beowulf type of cluster) into an IBM eServer Cluster 1300/Cluster 1350. This book focuses on xCAT Version 1.1.0 (Extreme Cluster Administration Toolkit) for installation and administration. All nodes and components of the cluster, such as compute nodes and management nodes, are installed with xCAT. This toolkit is a collection of scripts, tables, and commands used to build and administer a Beowulf type of cluster or a farm of replicated nodes. xCAT commands and configuration files are explained in the appendixes of the book.




Detailed procedures on how to properly configure the Red Hat Linux 7.3 operating system in the nodes of an HPC cluster are also presented.

HPC clustering concepts
Chapter 2. Management node installation
Chapter 5. Management node configuration
Chapter 6. Cluster installation
Appendix A. xCAT commands
Appendix B. xCAT configuration tables
Appendix C. Other hardware components
Appendix D. Application examples

XCat is a command line program that aids in the exploitation of blind XPath injection vulnerabilities. It can be used to retrieve the whole XML document being processed by a vulnerable XPath query, read arbitrary files on the host's filesystem and utilize out-of-band HTTP requests to make the server send data directly to XCat. XCat is built to exploit boolean XPath injections (where only one bit of data can be extracted in one request), and it requires you to manually identify the exploit first; it does not do that for you.

Features planned for future releases:

You can install XCat via pip: pip install xcat. You should then have an xcat command available.

There is an example application you can test against, which can be found in the example_application directory. See the readme file for how to run it. If you run a Windows machine you can install Jython and start the example application (example_application/ironpython_site.py).

The syntax for a simple command you can execute against this server is:

This command specifies the HTTP method (GET), target URL (our localhost server), the (GET or POST) data to send (title=Bible), the vulnerable parameter (title) and a string to indicate a true response (Book found). Executing this will retrieve the entire XML file being queried.

The retrieval of documents can be sped up in a number of different ways, such as using the doc function to make the server send data directly to XCat (explained in more detail below). Each of the techniques is called a feature and can be viewed by using the test_injection command. This will display information about the injection, including the type (integer, string, path name) and the various features that XCat is able to use. XCat knows which features are best and will gracefully degrade if they fail for any reason.

Before specifying what data you want to extract from the injection you need to tell XCat how to exploit it. XCat does not do this for you, so you have to do the initial hard work of finding a vulnerability. XCat needs a target URL it can reach, URL encoded arguments, the vulnerable parameter and a string to match in the response. The initial data given must be valid and trigger either a true or false response.

The two most useful commands are run retrieve and run file_shell. The first allows you to retrieve the whole document being processed by the query in either XML or JSON format and specify a file for it to be dumped to. The second command takes no additional arguments but enables you to read arbitrary files on the filesystem. This works if the vulnerable parameter supports the doc feature (and optionally entity injection):

There are also two other commands, simple and console, that will help you navigate larger XML files without having to get everything. The simple command is useful for a quick overview of the XML document. The console command will open an interactive shell:

The supported commands of the shell are ls, cd, attr, comment, content, name. Check out the readme to try out XCat with the provided example application.

Possibly the most advanced feature of XCat is its 'HTTP postback' feature. The XPath 2.0 specification defines a function called doc which allows the programmer to load external documents from the file system or even from a remote network resource via HTTP/HTTPS. If the doc function is enabled and working then XCat will use it where possible to greatly speed up document retrieval times. It does this by running a small HTTP server within the program which listens on a specified port, and by then calling the doc() function with the currently targeted node's data URI encoded and appended to a query. This means the XPath library will make an HTTP request to your IP (requires the port to be forwarded and/or a public IP) in a format similar to:

This is far more efficient than iterating over the string character by character and can greatly reduce the retrieval times.

You can (ab)use this function to load XML files on the system, as long as you have read permissions over them, allowing you to retrieve lots of lovely XML configuration files - you can jump into a pseudo-shell within XCat by using the fileshell command (shown above) and enter the file path for an XML file. This can be taken one step further by using entity injection to read arbitrary files on the file system. This works by starting an HTTP server and making the vulnerable application load an XML file from it.
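The traffic described above is visible to a defender: one-bit-per-request extraction produces many distinct XPath-bearing values for a single parameter, and the doc() postback puts a URL inside a doc() call in that parameter. The following detector is an added example, not part of XCat or the original page; the log format, the function list, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in an assumed "<client> <method> <url>" format.
SAMPLE_LOG = (
    ["10.0.0.5 GET /books?title=Bible", "10.0.0.5 GET /books?title=Moby+Dick"]
    + [f"10.0.0.9 GET /books?title=Bible%27+and+count(/*)={n}+and+%271%27=%271"
       for n in range(1, 7)]
    + ["10.0.0.9 GET /books?title=Bible%27+and+"
       "doc(%27http://198.51.100.7:8080/%27)+and+%271%27=%271"]
)

# A quote followed by a boolean operator, or a call to a common XPath function.
XPATH_SYNTAX = re.compile(
    r"""['"]\s*(?:and|or)\b"""
    r"""|\b(?:count|doc|name|string-length|substring|contains|starts-with)\s*\(""",
    re.I,
)
# doc() called with an http(s) URL: the server is being told to fetch remotely.
DOC_URL = re.compile(r"\bdoc\s*\([^)]*https?://", re.I)


def analyse(lines, burst_threshold=5):
    """Return (finding, (client, path, param)) tuples for suspicious traffic."""
    suspicious = defaultdict(set)  # key -> distinct XPath-bearing values seen
    findings = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        parts = urlsplit(url)
        # parse_qsl percent-decodes, so encoded quotes and spaces are caught.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            key = (client, parts.path, param)
            if DOC_URL.search(value):
                findings.append(("doc_postback", key))
            if XPATH_SYNTAX.search(value):
                suspicious[key].add(value)
    # Many distinct injected values on one parameter indicate bitwise extraction.
    for key, values in suspicious.items():
        if len(values) >= burst_threshold:
            findings.append(("boolean_extraction_burst", key))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The doc() postback also shows up as an outbound HTTP request from the host running the XPath library, so egress logs and egress filtering on that host are a second control point.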
