Antitheft:Public Server: Difference between revisions
Latest revision as of 16:44, 11 July 2011
Setting up and running the Public Antitheft Server for a deployment.
Pre-requisites
- You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
- You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
- XOs have been keyjected (or manufactured) with your public keys
- XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
- XOs have a localised OS build that sets the domain of your antitheft server.
Setup Public Antitheft Server
The recommended distribution is Fedora-11 or newer. At time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.
- Perform a minimal installation, using the kickstart file outlined in http://fedoraproject.org/wiki/Features/MinimalPlatform
- Configure hostname to match the domain name assigned
- Configure network to match IP address assigned -- it is strongly recommended to disable NetworkManager and use network-scripts instead. To do this, use chkconfig to turn NetworkManager off, and the "network" service on, and configure the network interfaces in the usual way.
Add packages from XS repository
Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6
Install the required packages:
yum install xs-activation-server olpc-bios-crypto
If you want to use the additional functionality available via Moodle, then you will also need to install it:

    yum install moodle-xs

Do not leave Moodle unconfigured: if you decide not to use it, you must remove it from the system.
Create Public Antitheft Server keys, load initial delegations
On the Public Antitheft Server,
- Use obc-makekey to create "server.private" and "server.public"
- Place them in /library/xs-activation/keys
- Copy server.public to a directory in the MSS -- /root/publicserver/server.public
On the MSS, create initial delegations towards the server key.
- Prepare a CSV file ("allxos.csv") with the following 3 fields:
  - "Server" - which must contain 'server'
  - SN
  - UUID
- mkdir /root/publicserver/delegations/
- Create the following create-public-server-delegations.sh script to make the delegations. Set the correct path to the "allxos.csv" file.

    #!/bin/bash -e
    ALLXOSCSV=/path/to/allxos.csv
    DAYS=90
    # delegation towards the server key derived from the oats master key
    obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
        --outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
    mv /root/publicserver/delegations/{server.sig,d-oats.sig}
    # activation delegation derived from the lease master key
    obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
        --outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
    mv /root/publicserver/delegations/{server.sig,d-lease.sig}
    # checksum manifest of the delegation files
    pushd /root/publicserver/delegations/
    sha1sum d-*.sig > manifest.sha1
    popd

- Run the script!
- Copy the resulting delegations to a USB stick:

    rm -fr /media/mydisk/xs-activation/*
    mkdir /media/mydisk/xs-activation/
    cp /root/publicserver/delegations/* /media/mydisk/xs-activation/

Now inserting this USB stick on the Public Antitheft Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find /library/xs-activation/*-delegations -type f will show the delegation files.
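As an added example (not part of the OLPC page or of the xs-activation package), the following shell check verifies that a delegation bundle copied to the USB stick is complete and unmodified before it is carried to the Public Antitheft Server, using the manifest.sha1 that create-public-server-delegations.sh writes. It assumes the bundle holds d-oats.sig and d-lease.sig next to the manifest; the demo bundle below is constructed with fake delegation contents and a real manifest.

```shell
# verify_delegation_bundle DIR
# Returns 0 when manifest.sha1 lists both expected delegation files and every
# listed file is present with a matching SHA-1; returns 1 otherwise.
# Usage on the stick: verify_delegation_bundle /media/mydisk/xs-activation
verify_delegation_bundle() {
    dir=$1
    [ -f "$dir/manifest.sha1" ] || { echo "missing manifest.sha1 in $dir" >&2; return 1; }
    # both delegation files produced by the script must be covered by the manifest
    for f in d-oats.sig d-lease.sig; do
        grep -q "  $f\$" "$dir/manifest.sha1" || { echo "manifest does not list $f" >&2; return 1; }
    done
    # -c re-hashes every listed file and compares; --quiet prints only failures
    (cd "$dir" && sha1sum -c --quiet manifest.sha1)
}

# make_demo_bundle: builds a constructed bundle in a temporary directory
# (made-up .sig contents, genuine sha1sum manifest) and prints its path.
make_demo_bundle() {
    d=$(mktemp -d)
    printf 'constructed oats delegation\n' > "$d/d-oats.sig"
    printf 'constructed lease delegation\n' > "$d/d-lease.sig"
    (cd "$d" && sha1sum d-*.sig > manifest.sha1)
    echo "$d"
}
```

A bundle that passes this check is exactly the set of files the MSS signed; a file that was truncated during the copy, or edited on the way, fails the comparison and should not be loaded.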
Configure Services
xs-activation XML-RPC
The xs-activation service is an XML-RPC service, offered via apache+mod_python. To ensure it works:
- chkconfig must show the httpd service is on
- Test that the XML-RPC code is running and answering requests:
  - HEAD http://[servername]/antitheft/1 must be reachable from internet-connected machines.
  - On an XO connected through an ISP or the school, running olpc-update-query -v must show the connection working.
  - Requests will be logged in /var/log/httpd/
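Since requests end up in the httpd access log, a quick way to confirm that XOs are reaching the service (and to spot the ones that are failing) is to summarise the /antitheft/ requests in that log. The following is an added example, not code from the OLPC page; the log lines are constructed in Apache combined format, and the client addresses and user agents are made up.

```shell
# count_antitheft_requests LOG STATUS
# Prints the number of requests to /antitheft/... that got the given HTTP status.
# Combined-format fields: $1 client, $7 request path, $9 status code.
count_antitheft_requests() {
    awk -v want="$2" '$7 ~ "^/antitheft/" && $9 == want { n++ } END { print n + 0 }' "$1"
}

# antitheft_error_clients LOG
# Prints the distinct client addresses whose /antitheft/ requests got a non-2xx
# status, one per line, sorted: these are the XOs to look at first.
antitheft_error_clients() {
    awk '$7 ~ "^/antitheft/" && $9 !~ "^2" { print $1 }' "$1" | sort -u
}

# make_demo_log: writes constructed access-log lines to a temp file, prints its path.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
10.10.10.5 - - [11/Jul/2011:10:01:02 +0000] "HEAD /antitheft/1 HTTP/1.1" 200 - "-" "constructed-checker/1.0"
10.10.10.6 - - [11/Jul/2011:10:01:09 +0000] "POST /antitheft/1 HTTP/1.1" 200 512 "-" "constructed-xo-client/1.0"
10.10.10.7 - - [11/Jul/2011:10:02:15 +0000] "POST /antitheft/1 HTTP/1.1" 500 328 "-" "constructed-xo-client/1.0"
10.10.10.6 - - [11/Jul/2011:10:03:00 +0000] "GET /moodle/ HTTP/1.1" 403 199 "-" "constructed-browser/1.0"
10.10.10.7 - - [11/Jul/2011:10:05:41 +0000] "POST /antitheft/1 HTTP/1.1" 200 512 "-" "constructed-xo-client/1.0"
EOF
    echo "$f"
}
```

On the server the functions are run against the real file, for example count_antitheft_requests /var/log/httpd/access_log 200; the /moodle/ 403 in the sample is deliberately excluded so that Moodle access denials do not show up as antitheft failures.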
The xs-activation service also talks on port 191; this must be disabled (it is only relevant on the XS):

    chkconfig xsactivation off
With xs-activation configured, the basic service will be working. Additional functionality is available installing and configuring moodle-xs.
Moodle pre-requisite: PostgreSQL
Prepare the pg data directory
/etc/init.d/postgresql initdb
Check that the host-based access (hba) file /var/lib/pgsql/data/pg_hba.conf contains a line that reads

    # "local" is for Unix domain socket connections only
    local   all   all   ident sameuser

Set the configuration file /var/lib/pgsql/data/postgresql.conf to only listen on the local socket by setting

    listen_addresses = ''
Set Pg to start with the server
chkconfig postgresql on
Moodle
With moodle-xs installed, enable the moodle-xs service with
chkconfig moodle-xs on
Now restarting the server should bring Moodle up, autoconfiguring the database and completing the installation process. The log of this first initialization will be on /var/log/moodle-instupg.log and should end with "Finished install / upgrade - Success".
Restrict access to Moodle to your own network: edit the file /etc/httpd/conf.d/moodle.conf so that it contains

    Alias /moodle /var/www/moodle/web
    <Directory /var/www/moodle/web>
        Order allow,deny
        Deny from all
        # your netblock - as seen by the server
        # you may be reaching the server from a proxy or router
        Allow from 10.10.10.1/8
    </Directory>
    <Directory /var/www/moodle/data>
        Order deny,allow
        Deny from all
    </Directory>

The <Directory> path must be exactly the directory the Alias points at, otherwise the Deny/Allow rules do not apply to the files being served; and Apache only treats # as a comment at the start of a line, so keep comments on their own lines.
And restart apache.
Now you should be able to access Moodle at http://[yourserver]/moodle from your network, but not from the Internet.
Login with the "admin" account using this recipe. Go to admin->users->authentication and disable the "OLPCXS" authentication plugin.
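Because a one-character mistake in the <Directory> path silently leaves Moodle open to the Internet, it is worth checking the file rather than trusting a visual read. The following is an added example, not part of the OLPC page: a shell/awk check that the directory named in "Alias /moodle" has a <Directory> block containing "Deny from all". The demo writes two constructed configs, a correct one and one with a mismatched path.

```shell
# check_moodle_conf FILE
# Returns 0 if the target of "Alias /moodle" has a <Directory> block that
# contains "Deny from all"; returns 1 (with a reason on stderr) otherwise.
# Usage on the server: check_moodle_conf /etc/httpd/conf.d/moodle.conf
check_moodle_conf() {
    awk '
        $1 == "Alias" && $2 == "/moodle" { target = $3 }
        $1 == "<Directory"               { cur = $2; sub(/>$/, "", cur) }   # enter a block
        $1 == "</Directory>"             { cur = "" }                       # leave it
        $1 == "Deny" && $2 == "from" && $3 == "all" && cur == target { denied = 1 }
        END {
            if (target == "") { print "no Alias /moodle found" > "/dev/stderr"; exit 1 }
            if (!denied) {
                print "no <Directory " target "> block with Deny from all" > "/dev/stderr"
                exit 1
            }
        }' "$1"
}

# make_demo_conf DIRPATH
# Writes a constructed moodle.conf whose first <Directory> block uses DIRPATH
# and prints the file name. The netblock is the placeholder from the page.
make_demo_conf() {
    f=$(mktemp)
    cat > "$f" <<EOF
Alias /moodle /var/www/moodle/web
<Directory $1>
    Order allow,deny
    Deny from all
    # your netblock - as seen by the server
    Allow from 10.10.10.1/8
</Directory>
<Directory /var/www/moodle/data>
    Order deny,allow
    Deny from all
</Directory>
EOF
    echo "$f"
}
```

Run the check after every edit of moodle.conf and before restarting apache; a failure means the restriction is not attached to the directory that /moodle actually serves.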
Controlling the length of activations
Write a number of days into /library/xs-activation/leasetimelimit -- for example, for leases valid for 7 days:

    echo 7 > /library/xs-activation/leasetimelimit
Monthly update of delegations
Every month, you need to generate new delegations at the MSS and load them on the Public Antitheft Server. The process is
- Run the create-public-server-delegations.sh script
- Copy the resulting delegations to a USB stick:

    rm -fr /media/mydisk/xs-activation/*
    mkdir /media/mydisk/xs-activation/
    cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
- Put the USB stick on the Public Antitheft Server - the delegations will be loaded automatically.
Usage and maintenance
On this server we will only use very specific parts of the UI:
- Account creation for technicians - create a "manual" account, and assign to them the "course creator" role, which has the appropriate privileges.
- Users with the "course creator" privileges can use the Admin -> Antitheft UI to
  - Review the list of laptops that have requested leases
  - Mark laptops as stolen
  - Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.
Note: generating the rescue lease file for a large set of XOs is a heavy operation. We are planning to change this code ASAP to create the rescue lease once a day instead of on-demand. See http://dev.laptop.org/ticket/10046