Antitheft:Public Server: Difference between revisions

From OLPC
Latest revision as of 16:44, 11 July 2011

Setting up and running the Public Antitheft Server for a deployment.

Pre-requisites

  • You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
  • You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
  • XOs have been keyjected (or manufactured) with your public keys
  • XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
  • XOs have a localised OS build that sets the domain of your antitheft server.

Setup Public Antitheft Server

The recommended distribution is Fedora-11 or newer. At time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.

Add packages from XS repository

Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6

Install the required packages:

yum install xs-activation-server olpc-bios-crypto

If you want to use the additional functionality available via Moodle, then you will also need to

yum install moodle-xs

Do not leave Moodle unconfigured. If you decide not to use it, you must remove it from the system.

Create Public Antitheft Server keys, load initial delegations

On the Public Antitheft Server,

  • Use obc-makekey to create "server.private" and "server.public"
  • Place them in /library/xs-activation/keys
  • Copy server.public to a directory in the MSS -- /root/publicserver/server.public

On the MSS, create initial delegations towards the server key.

  • Prepare a CSV file ("allxos.csv") with the following 3 fields:
    • "Server" - which must contain 'server'
    • SN
    • UUID
  • mkdir /root/publicserver/delegations/
  • Create the following create-public-server-delegations.sh script to make the delegations. Set the correct path to the "allxos.csv" file.
 #!/bin/bash -e
 # CSV of laptops to delegate for (Server,SN,UUID), prepared above
 ALLXOSCSV=/path/to/allxos.csv
 # Validity of the delegations, in days (they are regenerated monthly, see below)
 DAYS=90
 # Delegation from the master oats key to the server key; the tool writes
 # server.sig, which is renamed so the two delegations do not overwrite each other
 obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
 mv /root/publicserver/delegations/{server.sig,d-oats.sig}
 # Delegation from the master lease key (note the --act flag), renamed the same way
 obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
 mv /root/publicserver/delegations/{server.sig,d-lease.sig}
 # Manifest with the checksums of the delegation files
 pushd /root/publicserver/delegations/
 sha1sum d-*.sig > manifest.sha1
 popd
  • Run the script!
  • Copy the resulting delegations to a USB stick
 rm -fr /media/mydisk/xs-activation/*
 mkdir -p /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/

Now inserting this USB stick on the Public Antitheft Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find /library/xs-activation/*-delegations -type f will show the delegation files.

Configure Services

xs-activation XML-RPC

The xs-activation service is an XML-RPC service, offered via apache+mod_python. To ensure it works:

  • chkconfig must show httpd service is on
  • Test that the XML-RPC code is running and answering requests
    • HEAD http://[servername]/antitheft/1 must be reachable from internet-connected machines.
    • On an XO connected through an ISP or the school, running olpc-update-query -v must show the connection working
    • Requests will be logged in /var/log/httpd/
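The requests mentioned above end up in the httpd access log, so the log is the first place to look when laptops report that olpc-update-query is failing. The following is an added example, not code from the OLPC wiki page or the xs-activation project: it summarises /antitheft/ requests by HTTP status and lists clients with repeated failures. It assumes httpd's default combined log format (field 7 is the request path, field 9 the status code) and the /antitheft/ URL prefix from this page; the log excerpt inside it is constructed, not taken from a real server.

```shell
#!/bin/bash
# Added example (not from the OLPC wiki page): summarise xs-activation XML-RPC
# traffic from the Apache access log. Assumed: httpd's default combined log
# format as written to /var/log/httpd/access_log (field 7 = request path,
# field 9 = status) and the /antitheft/ URL prefix from the page.
set -u

# Count responses to /antitheft/ requests by HTTP status. Output: "STATUS COUNT" per line.
antitheft_status_summary() {
    awk '$7 ~ /^\/antitheft\// { n[$9]++ }
         END { for (s in n) print s, n[s] }' "$1" | sort
}

# Clients whose /antitheft/ requests got a non-2xx answer more than THRESHOLD times.
# Output: "CLIENT COUNT" per line. A burst of failures from one address is the
# first thing to check when laptops behind it cannot obtain leases.
antitheft_failing_clients() {
    local log=$1 threshold=$2
    awk -v t="$threshold" '$7 ~ /^\/antitheft\// && $9 !~ /^2/ { c[$1]++ }
                           END { for (ip in c) if (c[ip] > t) print ip, c[ip] }' "$log" | sort
}

# Live check of the endpoint named on the page (needs network, so it is not part
# of the offline demonstration below). Prints the HTTP status of a HEAD request.
antitheft_endpoint_status() {
    curl -sS -o /dev/null -I -w '%{http_code}' "http://$1/antitheft/1"
}

# --- demonstration on a constructed log excerpt (not a real server's log) ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
10.10.10.5 - - [11/Jul/2011:16:40:01 -0400] "POST /antitheft/1 HTTP/1.1" 200 512 "-" "olpc-update-query"
10.10.10.5 - - [11/Jul/2011:16:40:03 -0400] "POST /antitheft/1 HTTP/1.1" 200 498 "-" "olpc-update-query"
10.10.10.7 - - [11/Jul/2011:16:41:10 -0400] "POST /antitheft/1 HTTP/1.1" 500 0 "-" "olpc-update-query"
10.10.10.7 - - [11/Jul/2011:16:41:12 -0400] "POST /antitheft/1 HTTP/1.1" 500 0 "-" "olpc-update-query"
10.10.10.7 - - [11/Jul/2011:16:41:14 -0400] "POST /antitheft/1 HTTP/1.1" 500 0 "-" "olpc-update-query"
198.51.100.9 - - [11/Jul/2011:16:42:00 -0400] "HEAD /antitheft/1 HTTP/1.1" 200 0 "-" "lwp-request"
198.51.100.9 - - [11/Jul/2011:16:42:05 -0400] "GET /moodle/ HTTP/1.1" 403 213 "-" "Mozilla/5.0"
EOF

echo "responses to /antitheft/ by status:"
antitheft_status_summary "$LOG"          # 200 3 / 500 3 (the /moodle/ line is ignored)
echo "clients with more than 2 failures:"
antitheft_failing_clients "$LOG" 2       # 10.10.10.7 3
```

Point both functions at /var/log/httpd/access_log on the server (or at a rotated copy) to get the same summary for real traffic; the 403 on /moodle/ in the sample is what a correctly restricted Moodle returns to an address outside your netblock.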

The xs-activation service also listens on port 191; this must be disabled, as it is only relevant on the XS:

chkconfig xsactivation off

With xs-activation configured, the basic service will be working. Additional functionality is available by installing and configuring moodle-xs.

Moodle pre-requisite: PostgreSQL

Prepare the PostgreSQL data directory:

/etc/init.d/postgresql initdb

Check that the host-based authentication (HBA) file /var/lib/pgsql/data/pg_hba.conf contains a line that reads

 # "local" is for Unix domain socket connections only
 local all all           ident sameuser

Set the configuration file /var/lib/pgsql/data/postgresql.conf to only listen on the local socket by setting

 listen_addresses = ''

Set Pg to start with the server

chkconfig postgresql on

Moodle

With moodle-xs installed, enable the moodle-xs service with

chkconfig moodle-xs on

Now restarting the server should bring Moodle up, autoconfiguring the database and completing the installation process. The log of this first initialization will be in /var/log/moodle-instupg.log and should end with "Finished install / upgrade - Success".

To restrict access to Moodle to your own network, edit the file /etc/httpd/conf.d/moodle.conf so that it contains

Alias /moodle /var/www/moodle/web
<Directory /var/www/moodle/web>
  # With "Order allow,deny" a "Deny from all" rejects every request, including
  # the ones allowed below, so the order here must be deny,allow
  Order deny,allow
  Deny from all
  # your netblock - as seen by the server; you may be reaching the server
  # from a proxy or router. Apache does not accept comments at the end of a
  # directive line, so they are kept on lines of their own
  Allow from 10.10.10.1/8
</Directory>
<Directory /var/www/moodle/data>
  Order deny,allow
  Deny from all
</Directory>

And restart apache.

Now you should be able to access Moodle at http://[yourserver]/moodle from your network, but not from the Internet.

Log in with the "admin" account using this recipe. Go to Admin -> Users -> Authentication and disable the "OLPCXS" authentication plugin.

Controlling the length of activations

Write a number of days into /library/xs-activation/leasetimelimit -- for example for leases valid for 7 days:

echo 7 > /library/xs-activation/leasetimelimit

Monthly update of delegations

Every month, you need to generate new delegations at the MSS and load them on the Public Antitheft Server. The process is

  • Run the create-public-server-delegations.sh script
  • Copy the resulting delegations to a USB stick
 rm -fr /media/mydisk/xs-activation/*
 mkdir -p /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
  • Put the USB stick on the Public Antitheft Server - the delegations will be loaded automatically.
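The two steps that recur in the initial setup and in the monthly update, preparing allxos.csv and copying the delegations to the USB stick, are easy to get subtly wrong: a malformed CSV row silently drops a laptop from the delegation, and a half-copied stick leaves the server with stale delegations. The following is an added example, not code from the OLPC wiki page or the xs-activation project. It checks allxos.csv against the three-field layout described above (an optional header row "Server,SN,UUID" is an assumption of this example), copies a delegations directory to the stick and re-verifies manifest.sha1 on the copy, and reports when the manifest is older than a given number of days. The obc-* tools are not called; the delegation files in the demonstration are constructed stand-ins.

```shell
#!/bin/bash
# Added example (not from the OLPC wiki page): helpers for the MSS side of the
# delegation workflow. Assumed: the layout from the page (allxos.csv,
# /root/publicserver/delegations with d-*.sig and manifest.sha1 produced by
# create-public-server-delegations.sh, a USB stick mounted at /media/mydisk).
# Nothing here calls the obc-* tools; it validates inputs and copies outputs.
set -u

# Validate allxos.csv: every row must have exactly 3 comma-separated fields,
# the first field must be the literal word "server", SN and UUID must be
# non-empty. An optional header row "Server,SN,UUID" is tolerated (assumption).
# Prints each offending line; returns 0 when the file is clean, 1 otherwise.
validate_allxos_csv() {
    local csv=$1
    [ -r "$csv" ] || { echo "cannot read $csv" >&2; return 1; }
    awk -F',' '
        NR == 1 && $2 == "SN" && $3 == "UUID" { next }
        NF != 3        { print FILENAME ":" NR ": expected 3 fields, got " NF; bad = 1; next }
        $1 != "server" { print FILENAME ":" NR ": first field must be \"server\""; bad = 1; next }
        $2 == "" || $3 == "" { print FILENAME ":" NR ": empty SN or UUID"; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$csv"
}

# Copy freshly generated delegations to the USB stick and prove the copy is
# intact by re-checking manifest.sha1 on the destination. Returns 0 on success,
# 1 if the source has no manifest or a copied file does not match it.
stage_delegations() {
    local src=$1 dst=$2
    [ -r "$src/manifest.sha1" ] || {
        echo "no manifest.sha1 in $src: run create-public-server-delegations.sh first" >&2
        return 1
    }
    rm -rf "${dst:?}"/*      # ${dst:?} aborts instead of expanding to "/*" if dst is empty
    mkdir -p "$dst"
    cp "$src"/* "$dst"/
    ( cd "$dst" && sha1sum -c --quiet manifest.sha1 )
}

# Returns 0 if the delegations in DIR are older than MAX_DAYS (or absent), 1 if
# fresh. The page generates 90-day delegations and refreshes them monthly, so
# a 30-day threshold flags a missed refresh well before the delegations expire.
delegations_stale() {
    local dir=$1 max_days=$2
    [ -e "$dir/manifest.sha1" ] || return 0
    [ -n "$(find "$dir" -maxdepth 1 -name manifest.sha1 -mtime +"$max_days")" ]
}

# --- demonstration on constructed data (no obc tools involved) ---
WORK=$(mktemp -d)
MSS="$WORK/publicserver/delegations"
USB="$WORK/media/mydisk/xs-activation"
mkdir -p "$MSS"
# constructed laptop list; serial numbers and UUIDs are made up
printf 'server,SHF80400123,0123ABCD-0000-4000-8000-00000000ABCD\nserver,SHF80400124,0123ABCD-0000-4000-8000-00000000ABCE\n' > "$WORK/allxos.csv"
printf 'server,SHF80400125\nlaptop,SHF80400126,0123ABCD-0000-4000-8000-00000000ABCF\n' > "$WORK/bad.csv"
# stand-ins for the signed delegation files the obc tool would produce
printf 'constructed oats delegation\n'  > "$MSS/d-oats.sig"
printf 'constructed lease delegation\n' > "$MSS/d-lease.sig"
( cd "$MSS" && sha1sum d-*.sig > manifest.sha1 )

validate_allxos_csv "$WORK/allxos.csv" && echo "allxos.csv: ok"
validate_allxos_csv "$WORK/bad.csv"    || echo "bad.csv: rejected (as expected)"
stage_delegations "$MSS" "$USB"        && echo "delegations staged and verified in $USB"
delegations_stale "$USB" 30            || echo "delegations are fresh"
```

On the MSS, run validate_allxos_csv on the real allxos.csv before the delegation script and stage_delegations with /root/publicserver/delegations and /media/mydisk/xs-activation in place of the temporary directories; delegations_stale can be run on the server side against the loaded delegation directory as a monthly reminder.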

Usage and maintenance

On this server we will only use very specific parts of the UI:

  • Account creation for technicians - create a "manual" account, and assign to them the "course creator" role, which has the appropriate privileges.
  • Users with the "course creator" privileges can use the Admin -> Antitheft UI to
    • Review the list of laptops that have requested leases
    • Mark laptops as stolen
    • Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.

Note: generating the rescue lease file for a large set of XOs is a heavy operation. We are planning to change this code ASAP to create the rescue lease once a day instead of on-demand. See http://dev.laptop.org/ticket/10046