Antitheft:Public Server: Difference between revisions
| Line 77: | Line 77: | ||
chkconfig xsactivation off |
chkconfig xsactivation off |
||
With xs-activation configured, the basic service will be working. Additional functionality is available installing and configuring moodle-xs. |
|||
==Moodle== |
==Moodle== |
||
Revision as of 20:40, 26 February 2010
Setting up and running the public server for a deployment.
Pre-requisites
- You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
- You have defined a domain name for your antitheft server -- for example
antitheft.yourproject.foo.tld - XOs have been keyjected (or manufactured) with your public keys
- XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
- XOs have a localised OS build that sets the domain if your antitheft server.
Setup Public Server
The recommended distribution is Fedora-11 or newer. At time of this writing, F-12 is available, and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.
- Perform a minimal installation, using the kickstart file outlined in http://fedoraproject.org/wiki/Features/MinimalPlatform
- Configure hostname to match the domain name assigned
- Configure network to match IP address assigned -- it is strongly recommended to disable NetworkManager and use network-scripts instead. To do this, use chkconfig to turn NetworkManager off, and the "network" service on, and configure the network interfaces in the usual way.
Add packages from XS repository
Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6
Install the required packages:
yum install xs-activation-server moodle-xs olpc-bios-crypto
Create Public Server keys, load initial delegations
On the public server,
- Use obc-makekey to create "server.private" and "server.public"
- Place them in /library/xs-activation/keys
- Copy server.public to a directory in the MSS -- /root/publicserver/server.public
On the MSS, create initial delegations towards the server key.
- Prepare a CSV file ("allxos.csv") with the following 3 fields:
- "Server" - which must contain 'server'
- SN
- UUID
mkdir /root/publicserver/delegations/- Create the following
create-public-server-delegations.shscript to make the delegations. Set the correct path to the "allxos.csv" file.
#/bin/bash -e
ALLXOSCSV=/path/to/allxos.csv
DAYS=90
obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
--outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
mv /root/publicserver/delegations/{server.sig,d-oats.sig}
obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
--outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
mv /root/publicserver/delegations/{server.sig,d-lease.sig}
pushd /root/publicserver/delegations/
sha1sum d-*.sig > manifest.sha1
popd
- Run the script!
- Copy the resulting delegations to a USB stick
rm -fr /media/mydisk/xs-activation/* mkdir /media/mydisk/xs-activation/ cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
Now inserting this USB stick on the Public Server will load up the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing find library/xs-activation/*-delegations -type f will show the delegation files.
Configure Services
xs-activation XML-RPC
The xs-activation service is an XML-RPM service, offered via apache+mod_python. To ensure it works
- chkconfig must show httpd service is on
- Test that the XML-RPC code is runnign and answering requests
HEAD http://[servername]/antitheft/1must be reachable from internet-connected machines.- On an XO connected through an ISP or the school, running
olpc-update-query -vmust show the connection working - Requests will be logged in /var/log/httpd/
The xs-activation service also talks on port 191, this must be disabled (as is only relevant on the XS):
chkconfig xsactivation off
With xs-activation configured, the basic service will be working. Additional functionality is available installing and configuring moodle-xs.