XS-activation: Difference between revisions
m (Xs activation moved to XS-activation: consistency with XS-rsync et al.) |
No edit summary |
||
(6 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:Software]] |
[[Category:Software]] |
||
[[Category:SchoolServer]] |
[[Category:SchoolServer]] |
||
[[Category:Security, activation and deployability]] |
|||
The XS Activation service runs on the school server, and provides antitheft services. It can serve 'standard' leases, or delegated leases, depending on how it is set up. |
|||
The XS Activation service runs on the school server. It listens on port 191 serving un-activated XO laptops with activation leases. If it doesn't know a laptop's activation lease, it does nothing. The leases are automatically imported when a USB drive with a valid lease.sig file is attached (see [[Firmware Key and Signature Formats]]). The USB stick can also be used to activate XOs directly: this package is a short cut in that process and has an identical effect. |
|||
'''This page describes xs-activation as shipped in xs-0.6. For earlier versions, see the README file included in the package.''' |
|||
The activation service uses xinetd, which means it does not run as a daemon but is started up whenever necessary. |
|||
= Use cases = |
|||
XS-activation is useful in a number of scenarios. The main ones are: |
|||
This service is primarily used by brand new laptops, at boot time. Once the laptops have activation leases they renew them via other means. A laptop will only need this service again if its lease expires. |
|||
* Activating just-shipped XOs in large numbers via Wireless, using 'standard' leases. |
|||
Often the laptops will be activated in batches in a warehouse situation. Early laptops depolyments have being given very long leases and are unlikely to need re-activation in the hardware's lifetime. |
|||
* Running in a school, generating short-lived leases for the XOs in the school. For this, delegated leases are needed. In this role, an XO can be marked as stolen on the XS. Next time the laptop is seen, it will cause the laptop to shut down. |
|||
For more detail on the usage scenarios, see [[XS Blueprints:Lease and update server]]. |
|||
== Releases == |
|||
= Configuration, setup = |
|||
* [http://dev.laptop.org/git?p=users/dbagnall/xs-activation.git;a=tags Latest tagged releases] |
|||
* for Fedora 7 based releases (up to XS 0.4): [http://xs-dev.laptop.org/xsrepos/testing/olpc/7/i386/xs-activation-0.2-1.xs7.noarch.rpm xs-activation-0.2] |
|||
XS-activation starts up automatically with the XS. For xs-activation to do useful work, it must have either 'standard' act01 leases, or a combination of keys and delegations. |
|||
== README in the latest development version == |
|||
== Loading activation data == |
|||
<gitembed>users/dbagnall/xs-activation.git||README||660||700</gitembed> |
|||
To load data for xs-activation, the procedure is as follows: |
|||
* On a FAT formatted USB disk, create a directory called "xs-activation" |
|||
** If you want to use the same USB disk for many servers, you can instead create a directory called <code>xs-activation/SERVERNAME</code> where servername is the output of <code>hostname -d | cut -f1 -d. </code>. For example, on a server <code>schoolserver.'''foo'''.bar.edu.pr</code>, the directory will be <code>xs-activation/foo</code>. |
|||
* Place in the directory the files you intend to load |
|||
* Create a manifest for the set of files. |
|||
cd /path/to/directory |
|||
TMP=$(mktemp) |
|||
sha1sum * > $TMP |
|||
mv $TMP manifest.sha1 |
|||
* If the XS server has "xs-security-on" as described here http://dev.laptop.org/git/users/martin/xs-tools/tree/README , then you will need to provide the signature for the manifest file. |
|||
With this, you have a USB disk that you can plug on the XS, and the XS will automatically read and import the data from it. For debugging, see /var/log/user.log |
|||
== Standard leases == |
|||
Follow the general loading procedure above, only listing 'leases.sig' in the directory. Leases are split up per-machine so you can later load a different leases.sig file, which will add to the leases the XS can serve. |
|||
== Delegated leases == |
|||
To use delegated leases you first need to use the [http://dev.laptop.org/git/bios-crypto bios-crypto package] to |
|||
# Create OATS and ACT keys for your deployment, and get them installed on the XOs |
|||
# Create server keys |
|||
# Create delegations of the OATS and ACT keys from the OATS and ACT keys to the server, ''for each XO that will be managed by the XS''. |
|||
The [http://dev.laptop.org/git/bios-crypto bios-crypto package] includes tools to the keys and delegations described above. To load them on a XS, follow the loading procedure described above. |
|||
You can supply the following files: |
|||
* 'server.pri' and 'server.pub': keys for the XS. |
|||
* 'd-lease.sig': lease delegations |
|||
* 'd-oats.sig': OATS delegations |
|||
Note that not all the files are needed. The keys files are only needed the first time (and will be rejected subsequent times). |
|||
If after the initial load of data, a new USB disk is prepared with new d-leases.sis and d-oats.sig files (plus the updated manifest), the new delegations will be added to the data already in the XS. |
|||
=== Limiting lease length === |
|||
To set the length of the delegated leases served, create a file /library/xs-activation/leasetimelimit with the number of days the leases should be valid for. Example: |
|||
# 10 day leases |
|||
echo 10 > /library/xs-activation/leasetimelimit |
|||
The maximum value accepted is 300. xs-activation will not serve delegated leases longer than 300 days. |
|||
= Usage = |
|||
In normal use, xs-activation does its job transparently and does not require any user intervention. |
|||
== Monitoring and marking stolen XOs == |
|||
Moodle offers a status page and tools. The school teacher must use an XO that has registered and has 'coursecreator' privileges in the XS. With that XO, the Moodle interface offers an 'Antitheft' page, under 'Admin -> Users -> Antitheft'. |
|||
In that page, a table shows |
|||
* The XOs that have been served leases |
|||
* What account in Moodle they are associated with (if the XO is registered) |
|||
* When the XO last used Moodle, and when it got its last lease. |
|||
* An option to mark the XO as stolen |
|||
* If an XO request a new lease after being marked as stolen, xs-activation will serve a "kill" signal, and this will be noted in the report. |
|||
== Preparing a 'rescue' lease.sig == |
|||
In some situations, XOs may be unable to get their activation leases directly from the XS via wireless, and will need a rescue disk. Some of the cases where this is true are |
|||
* XOs where the lease has run out, and cannot connect directly to Access Points (for example: 8.2.x) |
|||
* XOs with faulty wireless |
|||
* In schools with saturated wireless spectrum |
|||
The procedure is as follows: |
|||
# The school teacher must use an XO that has registered and has 'coursecreator' privileges in the XS. With that XO... |
|||
# Open Browse.xo, visit the 'Local schoolserver' (Moodle) |
|||
# Go to "Admin -> Users -> Antitheft |
|||
# Click on the ''Get a "rescue" leases.sig file'' option. This will download a file to the Journal. |
|||
# Switch to the Journal, rename the file from "File leases.sig downloaded from ..." to "leases.sig" |
|||
# Plug a USB disk, when the USB disk icon appears at the bottom of the screen |
|||
# Copy the leases.sig file to the disk |
|||
# Unmount the USB disk |
|||
Now the USB disk can be used to recover any of the laptops in that school. Note that the rescue leases is valid for only 2 days. |
Latest revision as of 19:53, 14 February 2011
The XS Activation service runs on the school server, and provides antitheft services. It can serve 'standard' leases, or delegated leases, depending on how it is set up.
This page describes xs-activation as shipped in xs-0.6. For earlier versions, see the README file included in the package.
Use cases
XS-activation is useful in a number of scenarios. The main ones are:
- Activating just-shipped XOs in large numbers via Wireless, using 'standard' leases.
- Running in a school, generating short-lived leases for the XOs in the school. For this, delegated leases are needed. In this role, an XO can be marked as stolen on the XS. Next time the laptop is seen, it will cause the laptop to shut down.
For more detail on the usage scenarios, see XS Blueprints:Lease and update server.
Configuration, setup
XS-activation starts up automatically with the XS. For xs-activation to do useful work, it must have either 'standard' act01 leases, or a combination of keys and delegations.
Loading activation data
To load data for xs-activation, the procedure is as follows:
- On a FAT formatted USB disk, create a directory called "xs-activation"
- If you want to use the same USB disk for many servers, you can instead create a directory called
xs-activation/SERVERNAME
where servername is the output ofhostname -d | cut -f1 -d.
. For example, on a serverschoolserver.foo.bar.edu.pr
, the directory will bexs-activation/foo
.
- If you want to use the same USB disk for many servers, you can instead create a directory called
- Place in the directory the files you intend to load
- Create a manifest for the set of files.
cd /path/to/directory TMP=$(mktemp) sha1sum * > $TMP mv $TMP manifest.sha1
- If the XS server has "xs-security-on" as described here http://dev.laptop.org/git/users/martin/xs-tools/tree/README , then you will need to provide the signature for the manifest file.
With this, you have a USB disk that you can plug on the XS, and the XS will automatically read and import the data from it. For debugging, see /var/log/user.log
Standard leases
Follow the general loading procedure above, only listing 'leases.sig' in the directory. Leases are split up per-machine so you can later load a different leases.sig file, which will add to the leases the XS can serve.
Delegated leases
To use delegated leases you first need to use the bios-crypto package to
- Create OATS and ACT keys for your deployment, and get them installed on the XOs
- Create server keys
- Create delegations of the OATS and ACT keys from the OATS and ACT keys to the server, for each XO that will be managed by the XS.
The bios-crypto package includes tools to the keys and delegations described above. To load them on a XS, follow the loading procedure described above.
You can supply the following files:
- 'server.pri' and 'server.pub': keys for the XS.
- 'd-lease.sig': lease delegations
- 'd-oats.sig': OATS delegations
Note that not all the files are needed. The keys files are only needed the first time (and will be rejected subsequent times).
If after the initial load of data, a new USB disk is prepared with new d-leases.sis and d-oats.sig files (plus the updated manifest), the new delegations will be added to the data already in the XS.
Limiting lease length
To set the length of the delegated leases served, create a file /library/xs-activation/leasetimelimit with the number of days the leases should be valid for. Example:
# 10 day leases echo 10 > /library/xs-activation/leasetimelimit
The maximum value accepted is 300. xs-activation will not serve delegated leases longer than 300 days.
Usage
In normal use, xs-activation does its job transparently and does not require any user intervention.
Monitoring and marking stolen XOs
Moodle offers a status page and tools. The school teacher must use an XO that has registered and has 'coursecreator' privileges in the XS. With that XO, the Moodle interface offers an 'Antitheft' page, under 'Admin -> Users -> Antitheft'.
In that page, a table shows
- The XOs that have been served leases
- What account in Moodle they are associated with (if the XO is registered)
- When the XO last used Moodle, and when it got its last lease.
- An option to mark the XO as stolen
- If an XO request a new lease after being marked as stolen, xs-activation will serve a "kill" signal, and this will be noted in the report.
Preparing a 'rescue' lease.sig
In some situations, XOs may be unable to get their activation leases directly from the XS via wireless, and will need a rescue disk. Some of the cases where this is true are
- XOs where the lease has run out, and cannot connect directly to Access Points (for example: 8.2.x)
- XOs with faulty wireless
- In schools with saturated wireless spectrum
The procedure is as follows:
- The school teacher must use an XO that has registered and has 'coursecreator' privileges in the XS. With that XO...
- Open Browse.xo, visit the 'Local schoolserver' (Moodle)
- Go to "Admin -> Users -> Antitheft
- Click on the Get a "rescue" leases.sig file option. This will download a file to the Journal.
- Switch to the Journal, rename the file from "File leases.sig downloaded from ..." to "leases.sig"
- Plug a USB disk, when the USB disk icon appears at the bottom of the screen
- Copy the leases.sig file to the disk
- Unmount the USB disk
Now the USB disk can be used to recover any of the laptops in that school. Note that the rescue leases is valid for only 2 days.