Antitheft:Public Server: Difference between revisions
Revision as of 21:20, 26 February 2010
Setting up and running the public server for a deployment.
Pre-requisites
- You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
- You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
- XOs have been keyjected (or manufactured) with your public keys.
- XOs have an OS build that includes delegation support -- that is, OS 8.2.2 or newer, and builds based on F11.
- XOs have a localised OS build that sets the domain of your antitheft server.
Setup Public Server
The recommended distribution is Fedora-11 or newer. At the time of this writing, F-12 is available and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.
- Perform a minimal installation, using the kickstart file outlined in http://fedoraproject.org/wiki/Features/MinimalPlatform
- Configure hostname to match the domain name assigned
- Configure network to match IP address assigned -- it is strongly recommended to disable NetworkManager and use network-scripts instead. To do this, use chkconfig to turn NetworkManager off, and the "network" service on, and configure the network interfaces in the usual way.
Add packages from XS repository
Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6
Install the required packages:
yum install xs-activation-server olpc-bios-crypto
If you want to use the additional functionality available via Moodle, you will also need to
yum install moodle-xs
Do not leave Moodle unconfigured: if you decide not to use it, you must remove it from the system.
Create Public Server keys, load initial delegations
On the public server,
- Use obc-makekey to create "server.private" and "server.public"
- Place them in /library/xs-activation/keys
- Copy server.public to a directory in the MSS -- /root/publicserver/server.public
On the MSS, create initial delegations towards the server key.
- Prepare a CSV file ("allxos.csv") with the following 3 fields:
  - "Server" - which must contain 'server'
  - SN
  - UUID
- Create the output directory for the delegations:
 mkdir /root/publicserver/delegations/
- Create the following create-public-server-delegations.sh script to make the delegations. Set the correct path to the "allxos.csv" file.
 #!/bin/bash -e
 ALLXOSCSV=/path/to/allxos.csv
 DAYS=90
 # OATS delegation, signed with the master oats key
 obc-make-server-delagations --csv $ALLXOSCSV --serverkeys /root/publicserver \
     --outdir /root/publicserver/delegations $DAYS /root/masterkeys/oats
 mv /root/publicserver/delegations/{server.sig,d-oats.sig}
 # Lease delegation (--act), signed with the master lease key
 obc-make-server-delagations --act --csv $ALLXOSCSV --serverkeys /root/publicserver \
     --outdir /root/publicserver/delegations $DAYS /root/masterkeys/lease
 mv /root/publicserver/delegations/{server.sig,d-lease.sig}
 # Record checksums of the delegation files so the copy can be verified later
 pushd /root/publicserver/delegations/
 sha1sum d-*.sig > manifest.sha1
 popd
- Run the script!
- Copy the resulting delegations to a USB stick:
 rm -fr /media/mydisk/xs-activation/*
 mkdir -p /media/mydisk/xs-activation/
 cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
Inserting this USB stick into the Public Server will load the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Running
find /library/xs-activation/*-delegations -type f
will list the delegation files.
Configure Services
xs-activation XML-RPC
The xs-activation service is an XML-RPC service, offered via apache+mod_python. To ensure it works:
- chkconfig must show the httpd service is on.
- Test that the XML-RPC code is running and answering requests:
HEAD http://[servername]/antitheft/1
must be reachable from internet-connected machines.
- On an XO connected through an ISP or the school, running
olpc-update-query -v
must show the connection working.
- Requests will be logged in /var/log/httpd/
The xs-activation service also listens on port 191; this must be disabled on the Public Server, as it is only relevant on the XS:
chkconfig xsactivation off
With xs-activation configured, the basic service will be working. Additional functionality is available by installing and configuring moodle-xs.
Moodle pre-requisite: PostgreSQL
Prepare the pg data directory
/etc/init.d/postgresql initdb
Check that the host-based access (hba) file /var/lib/pgsql/data/pg_hba.conf contains a line that reads
 # "local" is for Unix domain socket connections only
 local   all   all   ident sameuser
Set the configuration file /var/lib/pgsql/data/postgresql.conf to only listen on the local socket by setting
 listen_addresses = ''
Set PostgreSQL to start with the server:
chkconfig postgresql on
Moodle
With moodle-xs installed, enable the moodle-xs service with
chkconfig moodle-xs on
Now restarting the server should bring Moodle up, autoconfiguring the database and completing the installation process. The log of this first initialization will be in /var/log/moodle-instupg.log and should end with "Finished install / upgrade - Success".
To restrict access to Moodle to your network, edit the file /etc/httpd/conf.d/moodle.conf so that it contains
 Alias /moodle /var/www/moodle/web
 <Directory /var/www/moodle/web>
     Order allow,deny
     Deny from all
     # your netblock - as seen by the server
     # you may be reaching the server from a proxy or router
     Allow from 10.10.10.1/8
 </Directory>
 <Directory /var/www/moodle/data>
     Order deny,allow
     Deny from all
 </Directory>
And restart apache.
Now you should be able to access Moodle at http://[yourserver]/moodle from your network, but not from the Internet.
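A small lint for the PostgreSQL (pg_hba.conf, postgresql.conf) and moodle.conf settings described above, added here as an example; it is not part of the wiki page or the XS packages. It runs against constructed sample files rather than the live paths, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the wiki page: lint the config fragments the page asks
# you to edit so a slip does not leave PostgreSQL or Moodle exposed. Real paths:
# /var/lib/pgsql/data/{postgresql.conf,pg_hba.conf}, /etc/httpd/conf.d/moodle.conf.

# Strip comments and blank lines so only effective directives are examined.
effective() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }
# postgresql.conf must set listen_addresses = '' (Unix socket only, no TCP).
check_pg_listen() {
    effective "$1" | grep -Eq "^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*''[[:space:]]*$"
}
# pg_hba.conf must carry the local/ident line and no TCP ("host") rules.
check_pg_hba() {
    effective "$1" | grep -Eq '^local[[:space:]]+all[[:space:]]+all[[:space:]]+ident[[:space:]]+sameuser' &&
    ! effective "$1" | grep -Eq '^host'
}
# Print the directives inside the <Directory $2> block of file $1.
dir_block() {
    effective "$1" | awk -v d="$2" '$1=="<Directory" && $2==d">" {b=1; next} $1=="</Directory>" {b=0} b'
}
# moodle.conf: the <Directory> must guard the exact path the Alias points at
# (a typo such as /var/www/moodle.web leaves Moodle open), deny by default,
# and the data directory must deny everything with no Allow line at all.
check_moodle_conf() {
    target=$(effective "$1" | awk '$1=="Alias" && $2=="/moodle" {print $3}')
    [ -n "$target" ] || return 1
    dir_block "$1" "$target" | grep -Eq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' &&
    dir_block "$1" /var/www/moodle/data | grep -Eq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' &&
    ! dir_block "$1" /var/www/moodle/data | grep -Eiq '^[[:space:]]*Allow'
}

# Constructed sample files that follow the page's recommended settings.
SAMPLES=$(mktemp -d)
printf "listen_addresses = ''   # socket only\nport = 5432\n" > "$SAMPLES/postgresql.conf"
printf 'local   all   all   ident sameuser\n' > "$SAMPLES/pg_hba.conf"
cat > "$SAMPLES/moodle.conf" <<'EOF'
Alias /moodle /var/www/moodle/web
<Directory /var/www/moodle/web>
    Order allow,deny
    Deny from all
    Allow from 10.10.10.1/8
</Directory>
<Directory /var/www/moodle/data>
    Order deny,allow
    Deny from all
</Directory>
EOF
check_pg_listen "$SAMPLES/postgresql.conf" && check_pg_hba "$SAMPLES/pg_hba.conf" && check_moodle_conf "$SAMPLES/moodle.conf" && echo "public server config OK"
```

Point the three check functions at the live files after editing them; each returns non-zero on the first deviation from the settings above.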
Login with the "admin" account using the "Logging in with the admin account" recipe in XS_Techniques_and_Configuration. Go to admin->users->authentication and disable the "OLPCXS" authentication plugin.