XS Blueprints:Lease and update server: Difference between revisions
Revision as of 09:32, 6 May 2009
Lease and activation services are a key role of the XS. They are key enablers at the school and in the warehouse where the XOs are prepared for deployment.
Scenarios
- Tama is a field technician visiting a rural school without internet. He has a new OS build to install on the existing laptops and 20 new laptops to hand out with serial numbers that the existing XS doesn't have leases for.
- Lee is a field technician. He is deploying an XS to a school that did not have one earlier - so the XOs had very long leases, which now need to be shortened.
- Teacher Catalina travelled to town and got leases and an OS image on a USB stick. The XS at her school is slow -- she wonders whether anything is happening with the USB stick.
- Jocinta is a NOC sysadmin and wants to get the new leases for an XO shipment that is being handed out, a new blacklist (a few machines have been misplaced) and updated XO OS images onto all the XSs out there. She has to prepare an update for the internet-connected XSs, and a USB image for the non-connected ones.
- Ludmilla and Jim are technicians at the warehouse in Wellingtonia -- they have 5K XOs to activate and update. They want to use a temporary machine - perhaps one of the XOs even - as lease and update server.
- In Zoolandia it is the first day of school after summer holidays -- kids are returning to school and those who haven't visited school in the holidays have their XOs locked. The wireless signal in the Zoolandia schools is unencrypted.
- First day at school in Oz is a bit more complicated -- the wireless network signal is WPA encrypted or perhaps the wireless antenna is broken, flaky, saturated. The teacher wants to prepare an "unlocker" USB stick to pass around.
- See also the requirements definition Feature_roadmap#Activation_lease_security
Implementation Notes
After talking with Wad, we broke the activation/lease server scenario down into the following:
Warehouse scenario
- Initial activation
- FW client - by Mitch - probably looks for a pre-set ESSID and dns name
- Known to work in Mitch's lab
- Wireless-based reflash
- For perf reasons you really want to do it via multicast with a bumped multicast rate. We can:
- document how to bump the MC rate on APs
- document how to bump the MC rate on AAs (script it if we have a "turn into reflash server" script)
- Needs XOs to be booted off a USB stick with a forth script to trigger the "reflash from network"
- Worked -- at least once -- via multicast
In school
- Lease renewal, blacklists
- olpc-update (done!)
XO side
- OFW: delegation support is a nice-to-have (but unlikely to happen soon).
Lease/OATC checks against the XS happen in 2 places: initrd and olpc-update-query.
Initrd:
- Trivial protocol, port 191
- 'STOLEN' response is taken "unwrapped", but is transient
- FIX: hardcoded XS URL in init, differs from activate.py -> service announcement (if we have DNS at this stage!)
olpc-update-query:
- FIX: hardcoded XS URL -> svc announcement
- REVIEW: frequency is weird
- FIX: checks only for update
  - add 'lease' support (dsd patches)
  - add 'stolen' support (&& touch /security/.private/stolen)
- TEST/REVIEW: Bitfrost delegated keys support seems to be complete - test!
Also:
- REVIEW: do we need an "I don't know you" response from the server?
- FIX: Large JSON files problem in initrd. We need a stream parser for this :-)
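An added example, not OLPC code: one way to approach the stream parser asked for in the last item, looking up a single serial number without holding the whole file in memory. The file layout (one top-level JSON object mapping serial number to lease string), the sample serials and leases, and the names `find_lease`, `chunk` and `max_pair` are assumptions made for illustration.

```python
import io
import json
import re

_DEC = json.JSONDecoder()
_WS = re.compile(r"[ \t\r\n]*")

def _next_pair(buf):
    """Return (key, value, delimiter, chars_used) for the pair at the start of
    buf, or None while it is incomplete. Non-string keys/values raise."""
    try:
        i = _WS.match(buf).end()
        if buf[i] == "}":  # empty object, or a trailing comma (tolerated)
            return None, None, "}", i + 1
        key, i = _DEC.raw_decode(buf, i)
        i = _WS.match(buf, i).end()
        if not isinstance(key, str) or buf[i] != ":":
            raise ValueError("expected a string key followed by ':'")
        value, i = _DEC.raw_decode(buf, _WS.match(buf, i + 1).end())
        i = _WS.match(buf, i).end()
        if not isinstance(value, str) or buf[i] not in ",}":
            raise ValueError("expected a string value followed by ',' or '}'")
        return key, value, buf[i], i + 1
    except (json.JSONDecodeError, IndexError):
        return None  # buffer ends mid-pair: the caller reads more and retries

def find_lease(stream, serial, chunk=4096, max_pair=65536):
    """Return the lease stored under serial, or None if it is not listed.
    Buffers at most one chunk plus one partial pair, never the whole file."""
    buf, eof = stream.read(chunk).lstrip(" \t\r\n"), False
    if not buf.startswith("{"):
        raise ValueError("expected a JSON object")
    buf = buf[1:]
    while True:
        pair = _next_pair(buf)
        if pair is None:
            if eof or len(buf) > max_pair:  # bound memory on hostile input
                raise ValueError("lease file truncated, malformed or oversized")
            data = stream.read(chunk)
            eof, buf = not data, buf + data
            continue
        key, value, delim, used = pair
        if key == serial or delim == "}":  # found it, or reached the end
            return value if key == serial else None
        buf = buf[used:]

if __name__ == "__main__":  # constructed sample: made-up serials and leases
    doc = json.dumps({"SN%07d" % n: "lease-%d" % n for n in range(5000)})
    print(find_lease(io.StringIO(doc), "SN0004999", chunk=256))
```

The lookup returns as soon as the serial is found, so the rest of the file is not validated.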
XS side
...
Test plans and user walkthrough
...
TODOs and future work
...