| Version 14 (modified by , 10 years ago) ( diff ) |
|---|
Configure OS Services
Table of Contents
Post-installation OS Services Configuration
Run the OS configuration script:
/usr/sbin/geni_os_setup.rb
It should produce:
user@testcons:~# sudo /usr/sbin/geni_os_setup.rb Loading /etc/omf-aggmgr-5.4/site.yaml... done. Generating a 2432 bit RSA private key... Generating a self signed certificate... X.509 Certificate Information: Version: 3 Serial Number (hex): 543811fb Validity: Not Before: Fri Oct 10 17:06:03 UTC 2014 Not After: Sat Oct 10 17:06:03 UTC 2015 Subject: CN=GENI 4G Authority for orbit-lab.org Subject Public Key Algorithm: RSA Certificate Security Level: Normal Modulus (bits 2432): 00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92 ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85 5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b 94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39 1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a 2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79 c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5 81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8 68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4 78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25 25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a 9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5 fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18 69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b 13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65 b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c 9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b a7 Exponent (bits 24): 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): TRUE Subject Key Identifier (not critical): 89161ffe61f729a0fc210f3e8b22e8b4379a5638 Other Information: Public Key Id: 89161ffe61f729a0fc210f3e8b22e8b4379a5638 Signing certificate... ** Note: Please use the --sec-param instead of --bits Generating a 1024 bit RSA private key... Generating a signed certificate... X.509 Certificate Information: Version: 3 Serial Number (hex): 543811fb Validity: Not Before: Fri Oct 10 17:06:03 UTC 2014 Not After: Sat Oct 10 17:06:03 UTC 2015 Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org Subject Public Key Algorithm: RSA Certificate Security Level: Weak Modulus (bits 1024): 00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48 d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b 6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18 91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a 3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33 64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55 e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc 98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0 93 Exponent (bits 24): 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Purpose (not critical): TLS WWW Server. Key Usage (critical): Digital signature. Key encipherment. Subject Key Identifier (not critical): 0324b56406f97f7d19bdc1619dd29cbab231d52f Authority Key Identifier (not critical): 89161ffe61f729a0fc210f3e8b22e8b4379a5638 Other Information: Public Key Id: 0324b56406f97f7d19bdc1619dd29cbab231d52f Signing certificate... SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0
After this script is run, we will need to point the dns resolver to the localhost. To do this edit /etc/network/interfaces file and change the dns-nameservers line to use localhost, e.g.:
# The primary network interface
auto eth2
iface eth2 inet static
address 10.50.0.249
netmask 255.255.0.0
gateway 10.50.0.1
dns-nameservers localhost
then restart the networking service to reflect the DNS change:
/etc/init.d/networking restart
Once this setting is done you can test the local dns by tring to resolve node names e.g.:
host node1.geni.rutgers.edu node1.geni.rutgers.edu has address 10.1.1.1
External name resolution should also work.
Next edit /etc/nsswitch.conf file so that is has the follow non comment lines:
passwd: files ldap compat
group: files ldap compat
shadow: files compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Finally add the follow line to the /etc/sudoers file (note this is done with the visudo command).
%admin ALL=(ALL) ALL
%sysadmin ALL=NOPASSWD: ALL
In file /etc/ldap/ldap.conf make sure you have:
TLS_CACERT /etc/ssl/certs/cacert.pem TLS_REQCERT never
Import initial LDAP content
Next we will import initial content consisting of first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through phpldapadmin or through LDIF configuration file and command line tools. The LDIF config for initial import looks like:
dn: ou=GENI,dc=geni,dc=net objectClass: organizationalUnit objectClass: top ou: GENI description: GENI businessCategory: Academic dn: cn=GENI,ou=GENI,dc=geni,dc=net objectClass: posixGroup cn: GENI memberUid: globaladmin gidNumber: 1001 dn: uid=globaladmin,ou=GENI,dc=geni,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: hostObject objectClass: shadowAccount objectClass: organizationalPerson uid: globaladmin sn: admin givenName: global cn: global admin uidNumber: 1000 gidNumber: 1001 loginShell: /bin/bash homeDirectory: /home/globaladmin shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: ivan@example.org userPassword: password o: GENI host: null.orbit-lab.org dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net objectClass: posixGroup cn: GENI-admin memberUid: globaladmin gidNumber: 1002 dn: cn=admin,ou=GENI,dc=geni,dc=net objectClass: organizationalRole objectClass: top cn: admin roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
Typically you will needs to replace:
- Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=rutgers,dc=edu)
- Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
- Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
- (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)
Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.
In order to create initial LDAP structure:
- Download the protoype configuration file from this link (it can go anywhere, e.g. admin user's home directory):
wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
- Modify it with your favorite text editor according to the rules described prior.
- Finally import it into LDAP:
ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
Attachments (1)
- GENIinit.ldif (1.0 KB ) - added by 10 years ago.
Download all attachments as: .zip
