XS Configuration Management: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 6: | Line 6: | ||
This page describes how the software packages comprising an [[XS_Server_Software|XS School server]] are configured. |
This page describes how the software packages comprising an [[XS_Server_Software|XS School server]] are configured. |
||
<i>This page is |
<i>This page is still growing</i> |
||
=Server Configuration= |
=Server Configuration= |
||
Line 22: | Line 22: | ||
==Access== |
==Access== |
||
Access to the school server is via console login, or ssh. Console login must be used to establish accounts for ssh access. Root access via ssh is disabled by default, and accounts must use an SSH key for authentication. |
Access to the school server is via console login, or ssh. Console login must be used to establish accounts for ssh access. Root access via ssh is disabled by default, and accounts must use an SSH key for authentication. See [[#User Accounts|setting up user accounts]]. |
||
==Networking== |
==Networking== |
||
Line 73: | Line 73: | ||
/var/named/school.zone.32.inaddr.db |
/var/named/school.zone.32.inaddr.db |
||
/var/named/school.zone.48.inaddr.db |
/var/named/school.zone.48.inaddr.db |
||
/etc/resolv.conf |
|||
/etc/sysconfig/olpc-scripts/resolv.conf |
|||
/etc/dhcpd.conf |
|||
/etc/ejabberd/ejabberd.cfg |
|||
The state of the reverse address resolution is admittedly horrible ([http://dev.laptop.org/ticket/6039 Trac ticket #6039]). |
|||
=User Accounts= |
=User Accounts= |
Revision as of 07:56, 17 January 2008
This page describes how the software packages comprising an XS School server are configured.
This page is still growing
Server Configuration
Configuration of packages
School Specific Configuration
The default server setup is to connect to the Internet on the first wired ethernet network interface, using IPv4 DHCP. Laptops connect to the server over the wireless mesh using one or more Active Antenna, connected through USB interfaces. Optional second (and additional) ethernet interfaces are configured by default to provide an internal LAN within the school. Traditional WiFi access points, if used, should be located on this internal LAN.
We are working on a better configuration interface. Suggestions are welcome in the discussion page.
For now, the configuration is mainly manual. See Troubleshooting School Servers for help determining what is wrong.
Access
Access to the school server is via console login, or ssh. Console login must be used to establish accounts for ssh access. Root access via ssh is disabled by default, and accounts must use an SSH key for authentication. See setting up user accounts.
Networking
The school specific configuration is largely done by a script, /etc/init.d/olpc-network-config, run upon every boot. Upon the first boot, this script runs the /etc/sysconfig/olpc-scripts/network_config script, which configures the network interfaces for the server, assuming it is server #1.
There are two main usage scenarios: a single server providing access to a small school, and a set of servers cooperating to provide access to a larger school.
Small School Scenario
The default configuration supported by the software is that of a single School server supporting between one and one hundred and fifty students. Such a school server is equipped with one or more Active Antenna, which provide connectivity with the laptops over the wireless mesh. If the school server has a single wired networking interface, it is dedicated to obtaining internet access (a WAN port).
The network_config script may be run manually to reconfigure a system in response to a change in the wired interfaces, such as the addition of a second wired network interface:
Large School Scenario
The more common scenario is that a school server will be one of many in a school. As each school server provides additional network access and storage, the school infrastructure automatically scales with the number of servers installed. (Sort of) One school server typically provides the connection to the internet, and is designated the 'principal' school server. The other servers in a school are peers, and are designated 'auxiliary' school servers.
For purposes of backup, each laptop is associated with a single school server. Other services, including internet access, are provided either by the closest server or the principal school server. At installation time, each server is given a unique number (currently 1 through 8, soon higher). These numbers do not have to be sequential, but should be viewed as fixed --- if the server number changes, all kids data stored on that server will currently be lost...
When a server first boots, it currently configures itself to support the common usage scenario shown above. It assumes that it is both a principal server and server #1. On auxiliary servers, it is necessary to immediately manually re-run network_config with a unique server number for the school, and also make it an auxiliary server by manually running the auxiliary_config script.
Upon failure of a principal school server, any remaining school server may take its place. Simply run /etc/sysconfig/olpc-scripts/principal_config. This school server will retain its existing number, but will be now provide the services provided only by the principal school server, and will reconfigure its networking to act as the school's internet gateway.
Internet Connection
The internet (WAN) connection is currently the eth0 interface by default. The file which configures this interface is /etc/sysconfig/network-scripts/ifcfg-eth0. The current default is to use DHCP to assign an IP address to this interface, and obtain DNS server info.
IPv6
To enable external IPv6 you will have to configure the global address of the machine and setup an IPv6 tunnel. Unfortunately, you are not currently able to use IPv6 in school with multiple servers. We are working on this ASAP.
Instructions coming
Name Service
Manual Configuration
This name currently set to random.xs.laptop.org is unfortunately embedded in a number of files:
/etc/named.conf /var/named/school.zone.inaddr.db /var/named/school.zone.16.inaddr.db /var/named/school.zone.32.inaddr.db /var/named/school.zone.48.inaddr.db /etc/resolv.conf /etc/sysconfig/olpc-scripts/resolv.conf /etc/dhcpd.conf /etc/ejabberd/ejabberd.cfg
The state of the reverse address resolution is admittedly horrible (Trac ticket #6039).
User Accounts
When a school server is installed, it has no user accounts, remote (SSH) login to the root account is disabled, and remote logins must be authenticated using a public/private key pair. If exploring or developing with a school server, as root from the console you will need to add a new account (username wad in the example):
adduser wad passwd wad wget http://dev.laptop.org/~wad/dsa_public_key mkdir /home/wad/.ssh mv dsa_public_key /home/wad/.ssh/authorized_keys chown -R wad:wad /home/wad/.ssh chmod -R g-w /home/wad/.ssh
The public key, downloaded from http://dev.laptop.org/~wad/dsa_public_key in the above example, can be generated on any Linux system using the ssh-keygen command (which leaves your new public/private key pair in .ssh). You want to copy the id_rsa.pub or id_dsa.pub file to other machines to allow logins.
Example Configurations
Large School
This is a step-by-step guide of what is needed to install in a large school, using XS build 146 (or thereabouts). Here is a diagram of the networking. Just for illustration, the principal school server is not school server one in this case:
On a server with a single wired networking interface, it is considered the WAN port (eth0). If multiple wired network interfaces are provided, one is assigned to be the WAN port and the others LAN ports (eth1, eth2, ...) when <network_config is run (manually, or at first boot). The WAN ports of the two auxiliary servers are connected to a switch along with the LAN port of the principal server.
The school domain name (served by the principal school server) is going to be school.pinewood.net.
Principal Server
- Installed new build from USB key. Rebooted (manually, removing key), and logged in as root
- Went ahead and created an account for myself (this is a test of basic network connectivity as well):
/etc/sysconfig/olpc-scripts/mkaccount wad http://dev.laptop.org/~wad/dsa_public_key passwd wad
- Edited /etc/resolv.conf and /etc/sysconfig/olpc-scripts/resolv.conf, replacing random.xs.laptop.org with school.pinewood.net.
- Edited /etc/dhcpd.conf, replacing random.xs.laptop.org with school.pinewood.net (once).
- Edited /etc/named.conf, replacing random.xs.laptop.org with school.pinewood.net (three places).
- Edited /var/named/school.internal.inaddr.db, /var/named/school.internal.inaddr.db, /var/named/school.internal.inaddr.db, and /var/named/school.internal.inaddr.db, replacing random.xs.laptop.org with school.pinewood.net (once each)
- Edited /etc/ejabberd/ejabberd.cfg, replacing random.xs.laptop.org with school.pinewood.net (twice).
Auxiliary Servers
- Installed new build from USB key. Rebooted (manually, removing key), and logged in as root
- Ran:
/etc/sysconfig/olpc-scripts/network_config 2 /etc/sysconfig/olpc-scripts/auxiliary_config
- Went ahead and created an account for myself:
/etc/sysconfig/olpc-scripts/mkaccount wad http://dev.laptop.org/~wad/dsa_public_key passwd wad
- Rebooted to allow network changes to take effect, and logged in as root
- Edited /etc/resolv.conf, replacing random.xs.laptop.org with school.pinewood.net. It was also necessary to remove a nameserver remaining from a earlier boot on a non-school server network.
- Edited /etc/sysconfig/olpc-scripts/resolv.conf, replacing random.xs.laptop.org with school.pinewood.net.
- Edited /etc/dhcpd.conf, replacing random.xs.laptop.org with school.pinewood.net (once).