Antitheft:Public Server: Difference between revisions

From OLPC
Jump to navigation Jump to search
 
(One intermediate revision by one other user not shown)
Line 7: Line 7:
* XOs have been keyjected (or manufactured) with your public keys
* XOs have been keyjected (or manufactured) with your public keys
* XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
* XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
* XOs have a localised OS build that sets the domain if your antitheft server.
* XOs have a localised OS build that sets the domain of your antitheft server.


=Setup Public Antitheft Server=
=Setup Public Antitheft Server=
Line 161: Line 161:
** Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.
** Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.


::: Note: generating the rescue lease file for a large set of XOs will be a costly operation. To support a large deployment, we will need a small change in the code so that it is generated once a day instead of on-demand.
'''Note''': generating the rescue lease file for a large set of XOs is a heavy operation. We are planning to change this code ASAP to create the rescue lease once a day instead of on-demand. See http://dev.laptop.org/ticket/10046

Latest revision as of 16:44, 11 July 2011

Setting up and running the Public Antitheft Server for a deployment.

Pre-requisites

  • You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
  • You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
  • XOs have been keyjected (or manufactured) with your public keys
  • XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
  • XOs have a localised OS build that sets the domain of your antitheft server.

Setup Public Antitheft Server

The recommended distribution is Fedora-11 or newer. At time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.

Add packages from XS repository

Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6

Install the required packages:

yum install xs-activation-server olpc-bios-crypto

If you want to use the additional functionality available via Moodle, then you will also need to

yum install moodle-xs

do not leave Moodle un-configured. If you decide not to use it, you must remove it from the system.

Create Public Antitheft Server keys, load initial delegations

On the Public Antitheft Server,

  • Use obc-makekey to create "server.private" and "server.public"
  • Place them in /library/xs-activation/keys
  • Copy server.public to a directory in the MSS -- /root/publicserver/server.public

On the MSS, create initial delegations towards the server key.

  • Prepare a CSV file ("allxos.csv") with the following 3 fields:
    • "Server" - which must contain 'server'
    • SN
    • UUID
  • mkdir /root/publicserver/delegations/
  • Create the following create-public-server-delegations.sh script to make the delegations. Set the correct path to the "allxos.csv" file.
 #/bin/bash -e
 ALLXOSCSV=/path/to/allxos.csv
 DAYS=90
 obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
 mv /root/publicserver/delegations/{server.sig,d-oats.sig}
 obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
 mv /root/publicserver/delegations/{server.sig,d-lease.sig}
 pushd /root/publicserver/delegations/
 sha1sum d-*.sig > manifest.sha1
 popd
  • Run the script!
  • Copy the resulting delegations to a USB stick
 rm -fr /media/mydisk/xs-activation/*
 mkdir /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/

Now inserting this USB stick on the Public Antitheft Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find library/xs-activation/*-delegations -type f will show the delegation files.

Configure Services

xs-activation XML-RPC

The xs-activation service is an XML-RPM service, offered via apache+mod_python. To ensure it works

  • chkconfig must show httpd service is on
  • Test that the XML-RPC code is runnign and answering requests
    • HEAD http://[servername]/antitheft/1 must be reachable from internet-connected machines.
    • On an XO connected through an ISP or the school, running olpc-update-query -v must show the connection working
    • Requests will be logged in /var/log/httpd/

The xs-activation service also talks on port 191, this must be disabled (as is only relevant on the XS):

chkconfig xsactivation off

With xs-activation configured, the basic service will be working. Additional functionality is available installing and configuring moodle-xs.

Moodle pre-requisite: PostgreSQL

Prepare the pg data directory

/etc/init.d/postgresql initdb

Check that the host-based access (hba) file /var/lib/pgsql/data/pg_hba.conf contains a line that reads

 # "local" is for Unix domain socket connections only
 local all all           ident sameuser

Set the configuration file /var/lib/pgsql/data/postgresql.conf to only listen on the local socket by setting

 listen_addresses = 

Set Pg to start with the server

chkconfig postgresql on

Moodle

With moodle-xs installed, enable the moodle-xs service with

chkconfig moodle-xs on

Now restarting the server should bring Moodle up, autoconfiguring the database and completing the installation process. The log of this first initialization will be on /var/log/moodle-instupg.log and should end with "Finished install / upgrade - Success".

Restrict access to Moodle to your, edit the file /etc/httpd/conf.d/moodle.conf so that it contains

Alias /moodle /var/www/moodle/web
<Directory /var/www/moodle.web>
  Order allow,deny
  Deny from all
  Allow from 10.10.10.1/8 # your netblock - as seen by the server
                          # you may be reaching the server from a proxy or router
</Directory>
<Directory /var/www/moodle/data>
 Order deny,allow
 Deny from all
</Directory>

And restart apache.

Now you should be able to access Moodle at http://[yourserver]/moodle from your network, but not from the Internet.

Login with the "admin" account using this recipe. Go to admin->users->authentication and disable the "OLPCXS" authentication plugin.

Controlling the length of activations

Write a number of days into /library/xs-activation/leasetimelimit -- for example for leases valid for 7 days:

cat 7 > /library/xs-activation/leasetimelimit

Monthly update of delegations

Every month, you need to generate new delegations at the MSS and load them on the Public Antitheft Server. The process is

  • Run the create-public-server-delegations.sh script
  • Copy the resulting delegations to a USB stick
 rm -fr /media/mydisk/xs-activation/*
 mkdir /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
  • Put the USB stick on the Public Antitheft Server - the delegations will be loaded automatically.

Usage and maintenance

On this server we will only use very specific parts of the UI:

  • Account creation for technicians - create a "manual" account, and assign to them the "course creator" role, which has the appropriate privileges.
  • Users with the "course creator" privileges can use the Admin -> Antitheft UI to
    • Review the list of laptops that have requested leases
    • Mark laptops as stolen
    • Generate a "rescue lease file" -- this is a "universal" lease file that covers all the laptops known by the server. It is valid for a short period of time, but is enough to activate a laptop which then can connect to the server and ask for a normal longer-lived lease.

Note: generating the rescue lease file for a large set of XOs is a heavy operation. We are planning to change this code ASAP to create the rescue lease once a day instead of on-demand. See http://dev.laptop.org/ticket/10046