XS Blueprints:Lease and update server

Jump to: navigation, search

Lease and activation services are a key role of the XS. They are key enablers at the school and in the warehouse where the XOs are prepared for deployment.

Note: This blueprint has been implemented. See XS-activation for notes on how to use it.


  • Tama is a field technician, he's visiting a rural school without internet. He has a new OS build to install on the existing laptops and 20 new laptops to hand out with serial numbers that the existing XS doesn't have leases for.
  • Lee is a field technician. He is deploying an XS to a school that did not have one earlier - so the XOs had very long leases, which now need to be shortened.
  • Teacher Catalina travelled to town and got leases and an OS image on a USB stick. The XS at her school is slow -- she wonders whether anything is happening with the USB stick.
  • Jocinta is a NOC sysadmin and wants to get all the XSs out there with the new leases for a XO shipment that is being handed out, new blacklist (a few machines have been misplaced) and updated XO OS images. She has to prepare an update for the internet-connected XSs, and a usb img for the non-connected ones.
  • Ludmilla and Jim are technicians at the warehouse in Wellingtonia-- they have 5K XOs to activate and update. They want to use a temporary machine - perhaps one of the XOs even - as lease and update server.
  • In Zoolandia it is the first day of school after summer holidays -- kids are returning to school and those who haven't visited school in the holidays have their XOs locked. The wireless signal in the Zoolandia schools is unencrypted.
  • First day at school in Oz is a bit more complicated -- wireless network signal is WPA encrypted or perhaps the wireless antenna is broken, flaky, saturated. Teacher wants to prepare an "unlocker" usb stick to pass around.

Implementation Notes

XO side

  • OFW: delegation support is a nice-to-have (but unlikely to happen soon).

Leases/OATC checks against XS in 2 places: initrd and olpc-update-query.


  • Trivial proto port 191
  • 'STOLEN' response is taken "unwrapped", but is transient
  • Fix: hardcoded XS url in init, differs from activate.py -> service announcement (if we have dns at this stage!)


  • Fix: hardcoded XS url -> svc announcement
  • Review/dev: frequency is weird, can we simplify it?
  • Dev: checks only for update
    • add 'lease' support (dsd patches)
    • add 'stolen' support (&& touch /security/.private/stolen)
  • Test/review: Bitfrost delegated keys support seems to be complete - test!


  • Review/dev: do we need an "I don't know you" response from the server?
  • Fix/dev: Large JSON files problem in initrd. We need a stream parser for this :-)

XS side

Main areas of work

  • DNS-SD'ish svc announcement
  • Service on port 191
  • OATC server - taking code from oats-lite
  • Moodle UIs
  • Data updates from NOC, report to NOC

DNS-SD svc announcement

  • Publish via BIND or similar

OATC server

  • Base on oats-lite
  • Dev - Port to mod_python
  • Dev - Add 'stolen'
  • Dev - read from imported "canonical" data + local data (from Moodle)
  • Dev - sign/create new leases dynamically if we have delegation certs
  • Dev - "I don't know you" responses?
  • Dev - Moodle-readable logs
  • Dev - must handle: first degree leases/OATC and delegated leases/OATC

Port 191

  • Dev: integrate with OATC server


  • Dev - add-to-blacklist UI.
    • From user-profile page, and from "request log" pages
    • "remove from blacklist"?
  • Log views showing
    • All leases we have
    • Leases requested & served, sorted by request timestamp
    • Highlight "requested buy don't have" and "requested but in blacklist"
  • Recover tool for teachers:
    • "Download lease for this user" from profile page - to laptops having trouble unlocking
    • "Download (short) leases for all the school" for mass-unlocking

Data updates from NOC, report to NOC

  • Read new leases/delegations/stolen data from USB stick or dropbox
  • Write log of lease requests to USB stick or dropbox


  • add support for dropbox directories
  • idmgr: port to mod_python as well?

NOC team tools

This is composed of bios-crypto and related tools, and provides tools for the NOC workflow

  • Tool to create a list of new XS keys against a list
  • Tool to create delegation certs for each XS - inputs: CSV file listing XO/XS mapping, XS pubkeys

Test plans and user walkthrough


TODOs and future work