Antitheft:Public Server
Setting up and running the Public Antitheft Server for a deployment.
Contents
Pre-requisites
- You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
- You have defined a domain name for your antitheft server -- for example
antitheft.yourproject.foo.tld - XOs have been keyjected (or manufactured) with your public keys
- XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
- XOs have a localised OS build that sets the domain of your antitheft server.
Setup Public Antitheft Server
The recommended distribution is Fedora-11 or newer. At time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.
- Perform a minimal installation, using the kickstart file outlined in http://fedoraproject.org/wiki/Features/MinimalPlatform
- Configure hostname to match the domain name assigned
- Configure network to match IP address assigned -- it is strongly recommended to disable NetworkManager and use network-scripts instead. To do this, use chkconfig to turn NetworkManager off, and the "network" service on, and configure the network interfaces in the usual way.
Add packages from XS repository
Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6
Install the required packages:
yum install xs-activation-server olpc-bios-crypto
If you want to use the additional functionality available via Moodle, then you will also need to
yum install moodle-xs
do not leave Moodle un-configured. If you decide not to use it, you must remove it from the system.
Create Public Antitheft Server keys, load initial delegations
On the Public Antitheft Server,
- Use obc-makekey to create "server.private" and "server.public"
- Place them in /library/xs-activation/keys
- Copy server.public to a directory in the MSS -- /root/publicserver/server.public
On the MSS, create initial delegations towards the server key.
- Prepare a CSV file ("allxos.csv") with the following 3 fields:
- "Server" - which must contain 'server'
- SN
- UUID
mkdir /root/publicserver/delegations/- Create the following
create-public-server-delegations.shscript to make the delegations. Set the correct path to the "allxos.csv" file.
#/bin/bash -e
ALLXOSCSV=/path/to/allxos.csv
DAYS=90
obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
--outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
mv /root/publicserver/delegations/{server.sig,d-oats.sig}
obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
--outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
mv /root/publicserver/delegations/{server.sig,d-lease.sig}
pushd /root/publicserver/delegations/
sha1sum d-*.sig > manifest.sha1
popd
- Run the script!
- Copy the resulting delegations to a USB stick
rm -fr /media/mydisk/xs-activation/* mkdir /media/mydisk/xs-activation/ cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
Now inserting this USB stick on the Public Antitheft Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find library/xs-activation/*-delegations -type f will show the delegation files.
Configure Services
xs-activation XML-RPC
The xs-activation service is an XML-RPM service, offered via apache+mod_python. To ensure it works
- chkconfig must show httpd service is on
- Test that the XML-RPC code is runnign and answering requests
HEAD http://[servername]/antitheft/1must be reachable from internet-connected machines.- On an XO connected through an ISP or the school, running
olpc-update-query -vmust show the connection working - Requests will be logged in /var/log/httpd/
The xs-activation service also talks on port 191, this must be disabled (as is only relevant on the XS):
chkconfig xsactivation off
With xs-activation configured, the basic service will be working. Additional functionality is available installing and configuring moodle-xs.
Moodle pre-requisite: PostgreSQL
Prepare the pg data directory
/etc/init.d/postgresql initdb
Check that the host-based access (hba) file /var/lib/pgsql/data/pg_hba.conf contains a line that reads
# "local" is for Unix domain socket connections only local all all ident sameuser
Set the configuration file /var/lib/pgsql/data/postgresql.conf to only listen on the local socket by setting
listen_addresses =
Set Pg to start with the server
chkconfig postgresql on
Moodle
With moodle-xs installed, enable the moodle-xs service with
chkconfig moodle-xs on
Now restarting the server should bring Moodle up, autoconfiguring the database and completing the installation process. The log of this first initialization will be on /var/log/moodle-instupg.log and should end with "Finished install / upgrade - Success".
Restrict access to Moodle to your, edit the file /etc/httpd/conf.d/moodle.conf so that it contains
Alias /moodle /var/www/moodle/web
<Directory /var/www/moodle.web>
Order allow,deny
Deny from all
Allow from 10.10.10.1/8 # your netblock - as seen by the server
# you may be reaching the server from a proxy or router
</Directory> <Directory /var/www/moodle/data> Order deny,allow Deny from all </Directory>
And restart apache.
Now you should be able to access Moodle at http://[yourserver]/moodle from your network, but not from the Internet.
Login with the "admin" account using this recipe. Go to admin->users->authentication and disable the "OLPCXS" authentication plugin.
Controlling the length of activations
Write a number of days into /library/xs-activation/leasetimelimit -- for example for leases valid for 7 days:
cat 7 > /library/xs-activation/leasetimelimit
Monthly update of delegations
Every month, you need to generate new delegations at the MSS and load them on the Public Antitheft Server. The process is
- Run the
create-public-server-delegations.shscript - Copy the resulting delegations to a USB stick
rm -fr /media/mydisk/xs-activation/* mkdir /media/mydisk/xs-activation/ cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
- Put the USB stick on the Public Antitheft Server - the delegations will be loaded automatically.
Usage and maintenance
On this server we will only use very specific parts of the UI:
- Account creation for technicians - create a "manual" account, and assign to them the "course creator" role, which has the appropriate privileges.
- Users with the "course creator" privileges can use the Admin -> Antitheft UI to
- Review the list of laptops that have requested leases
- Mark laptops as stolen
- Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.
Note: generating the rescue lease file for a large set of XOs is a heavy operation. We are planning to change this code ASAP to create the rescue lease once a day instead of on-demand. See http://dev.laptop.org/ticket/10046
