Antitheft:Public Server
Setting up and running the public server for a deployment.
Pre-requisites
- You have read and followed the Antitheft_HowTo page, and have a Master Signing Server (MSS) with your local private keys.
- You have defined a domain name for your antitheft server -- for example antitheft.yourproject.foo.tld
- XOs have been keyjected (or manufactured) with your public keys
- XOs have an OS build that includes delegation support -- that is OS 8.2.2 or newer, and builds based on F11.
- XOs have a localised OS build that sets the domain of your antitheft server.
Setup Public Server
The recommended distribution is Fedora-11 or newer. At the time of this writing, F-12 is available and RHEL6 seems to be close to release -- it is advisable to install on F-12 and upgrade to RHEL6 or CentOS6 when they are available. RHEL/CentOS provide Long Term Support appropriate for the antitheft server role.
- Perform a minimal installation, using the kickstart file outlined in http://fedoraproject.org/wiki/Features/MinimalPlatform
- Configure hostname to match the domain name assigned
- Configure network to match IP address assigned -- it is strongly recommended to disable NetworkManager and use network-scripts instead. To do this, use chkconfig to turn NetworkManager off, and the "network" service on, and configure the network interfaces in the usual way.
Add packages from XS repository
Add the current XS stable yum repository to your yum configuration -- create a file /etc/yum.repos.d/olpcxs.repo with the configuration present in http://dev.laptop.org/git/users/martin/xs-release.git/tree/olpcxs.repo?h=xs-0.6
Install the required packages:
yum install xs-activation-server olpc-bios-crypto
If you want to use the additional functionality available via Moodle, then you will also need to run
yum install moodle-xs
Do not leave Moodle unconfigured. If you decide not to use it, you must remove it from the system.
Create Public Server keys, load initial delegations
On the public server,
- Use obc-makekey to create "server.private" and "server.public"
- Place them in /library/xs-activation/keys
- Copy server.public to a directory in the MSS -- /root/publicserver/server.public
On the MSS, create initial delegations towards the server key.
- Prepare a CSV file ("allxos.csv") with the following 3 fields:
- "Server" - which must contain 'server'
- SN
- UUID
- Create the directory that will hold the delegations:
mkdir /root/publicserver/delegations/
- Create the following create-public-server-delegations.sh script to make the delegations. Set the correct path to the "allxos.csv" file.
#!/bin/bash -e
# Path to the CSV prepared above (Server, SN, UUID) and the delegation lifetime in days
ALLXOSCSV=/path/to/allxos.csv
DAYS=90
# Delegation for the oats master key; the tool writes server.sig, which is renamed to d-oats.sig
obc-make-server-delagations --csv "$ALLXOSCSV" --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations "$DAYS" /root/masterkeys/oats
mv /root/publicserver/delegations/{server.sig,d-oats.sig}
# Activation (--act) delegation for the lease master key, renamed to d-lease.sig
obc-make-server-delagations --act --csv "$ALLXOSCSV" --serverkeys /root/publicserver \
    --outdir /root/publicserver/delegations "$DAYS" /root/masterkeys/lease
mv /root/publicserver/delegations/{server.sig,d-lease.sig}
# Record the digests of the delegation files alongside them
pushd /root/publicserver/delegations/
sha1sum d-*.sig > manifest.sha1
popd
- Run the script!
- Copy the resulting delegations to a USB stick
rm -fr /media/mydisk/xs-activation/*
mkdir /media/mydisk/xs-activation/
cp /root/publicserver/delegations/* /media/mydisk/xs-activation/
Now inserting this USB stick in the Public Server will load the delegations under /library/xs-activation/lease-delegations and /library/xs-activation/oats-delegations. Executing
find /library/xs-activation/*-delegations -type f
will list the delegation files.
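The manifest.sha1 written by the script above is only useful if the bundle is checked against it before the stick is inserted. The following POSIX shell function is an added example (not part of the original page or of the xs-activation packages) that verifies a delegation bundle directory such as /media/mydisk/xs-activation: every d-*.sig listed in manifest.sha1 must match its digest, and no unlisted .sig file may be present. The directory argument and the use of GNU sha1sum are assumptions.

```shell
#!/bin/sh
# Added example: verify a delegation bundle (d-*.sig files plus the
# manifest.sha1 produced by "sha1sum d-*.sig > manifest.sha1") before it is
# loaded on the Public Server. Not from the OLPC page; layout follows the
# create-public-server-delegations.sh script on that page.

# verify_delegation_bundle DIR
# Returns 0 only if every file in manifest.sha1 is present with the recorded
# digest AND every d-*.sig file in DIR is listed in the manifest.
verify_delegation_bundle() {
    dir=$1
    if [ ! -f "$dir/manifest.sha1" ]; then
        echo "missing manifest.sha1 in $dir" >&2
        return 1
    fi
    # 1. every listed delegation file present and unmodified (GNU coreutils)
    ( cd "$dir" && sha1sum -c --quiet manifest.sha1 ) || return 1
    # 2. no delegation file present that the MSS did not record in the manifest
    for sig in "$dir"/d-*.sig; do
        [ -e "$sig" ] || continue          # glob matched nothing
        name=$(basename "$sig")
        if ! grep -Eq "^[0-9a-f]{40}  $name\$" "$dir/manifest.sha1"; then
            echo "unlisted delegation file: $name" >&2
            return 1
        fi
    done
    return 0
}

# Usage: verify-delegations.sh /media/mydisk/xs-activation
if [ $# -gt 0 ]; then
    verify_delegation_bundle "$1" && echo "delegation bundle OK: $1"
fi
```

Run it on the MSS after copying to the stick, or on the Public Server before inserting the stick; a non-zero exit means the bundle should not be loaded.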
Configure Services
xs-activation XML-RPC
The xs-activation service is an XML-RPC service, offered via apache+mod_python. To ensure it works:
- chkconfig must show the httpd service is on
- Test that the XML-RPC code is running and answering requests:
HEAD http://[servername]/antitheft/1
must be reachable from internet-connected machines.
- On an XO connected through an ISP or the school, running
olpc-update-query -v
must show the connection working.
- Requests will be logged in /var/log/httpd/
The xs-activation service also listens on port 191; this must be disabled, as it is only relevant on the XS:
chkconfig xsactivation off
With xs-activation configured, the basic service will be working. Additional functionality is available by installing and configuring moodle-xs.