== Configure OS Services ==

[[TOC(WiMAX/dSite*)]]

=== Post-installation OS Services Configuration ===

1. Run the OS configuration script:
{{{
/usr/sbin/geni_os_setup
}}}
It should produce:
{{{
user@testcons:~# sudo /usr/sbin/geni_os_setup
Loading /etc/omf-aggmgr-5.4/site.yaml... done.
Generating a 2432 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 543811fb
    Validity:
        Not Before: Fri Oct 10 17:06:03 UTC 2014
        Not After: Sat Oct 10 17:06:03 UTC 2015
    Subject: CN=GENI 4G Authority for orbit-lab.org
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Normal
        Modulus (bits 2432):
            00:f0:49:c6:08:4b:97:31:6a:f0:d6:30:3a:23:2c:92
            ac:e8:30:f1:1f:5c:9b:7e:8e:1b:db:37:3b:ae:94:bb
            f4:82:09:ca:da:48:7b:cd:95:95:e5:7b:9a:d0:f0:85
            5d:13:c0:82:a5:12:eb:c5:45:e6:0c:87:05:12:22:4b
            94:96:74:f9:34:35:ef:20:4d:85:3d:48:44:6e:87:0b
            c7:48:65:e0:ea:70:f4:9a:0a:03:7c:86:c5:d0:62:39
            1d:a3:1e:c0:ce:09:25:8f:f7:85:21:8f:b9:81:30:8a
            2c:17:0e:3b:9c:56:83:4e:52:dc:1b:37:38:4f:a5:79
            c8:a3:b9:07:e3:38:a9:c9:59:b5:d3:d0:78:46:5f:f5
            81:15:6c:e9:24:a9:46:21:dc:4b:98:22:8c:b5:26:a8
            68:23:61:29:d2:8a:de:eb:a8:15:ac:b8:66:3a:03:e4
            78:02:5a:4b:d9:ae:ff:ff:42:9d:f2:10:b4:8a:9e:25
            25:d4:cb:f1:36:d3:2e:b2:cc:58:de:51:85:4b:82:1a
            9b:34:3c:0a:66:f8:a1:7b:7d:39:52:75:7d:6d:9d:e5
            fd:ed:c6:a0:5a:fc:39:06:a0:a9:d4:b6:8f:07:e4:18
            69:33:f6:34:cf:cf:5e:a3:89:e5:09:23:56:db:e4:7b
            13:a8:cd:c1:a6:ea:1d:95:0e:77:07:b2:f0:70:26:65
            b9:cc:fa:de:48:ab:8d:b9:b9:80:d1:5a:a8:a7:34:0c
            9e:1f:c7:02:03:63:a7:72:ac:59:83:e7:83:89:d2:4b
            a7
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Subject Key Identifier (not critical):
            89161ffe61f729a0fc210f3e8b22e8b4379a5638
Other Information:
    Public Key Id:
        89161ffe61f729a0fc210f3e8b22e8b4379a5638

Signing certificate...
** Note: Please use the --sec-param instead of --bits
Generating a 1024 bit RSA private key...
Generating a signed certificate...
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 543811fb
    Validity:
        Not Before: Fri Oct 10 17:06:03 UTC 2014
        Not After: Sat Oct 10 17:06:03 UTC 2015
    Subject: O=GENI 4G Site for orbit-lab.org,CN=testcons.orbit-lab.org
    Subject Public Key Algorithm: RSA
    Certificate Security Level: Weak
        Modulus (bits 1024):
            00:d9:28:ed:fc:f8:c2:57:48:8a:7e:2a:91:cb:b7:48
            d0:d8:25:7a:b2:64:b3:3f:95:40:b1:22:3c:8e:c2:8b
            6b:dd:53:66:b2:3e:97:f0:48:e2:af:72:93:82:17:18
            91:17:3a:0b:01:8b:09:8c:9b:9c:a4:37:0c:c0:a9:1a
            3b:b5:66:6c:77:77:84:90:6a:fe:e2:6d:53:cf:8b:33
            64:f3:41:54:f2:98:99:1c:0f:d1:1c:5e:bd:70:e8:55
            e3:6d:ee:90:36:a7:a2:4f:3f:de:83:85:85:57:7a:bc
            98:64:79:b8:be:1d:bd:bc:8d:1a:3b:3f:4a:ec:8a:a0
            93
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            0324b56406f97f7d19bdc1619dd29cbab231d52f
        Authority Key Identifier (not critical):
            89161ffe61f729a0fc210f3e8b22e8b4379a5638
Other Information:
    Public Key Id:
        0324b56406f97f7d19bdc1619dd29cbab231d52f

Signing certificate...
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
}}}

This script attempts to configure several of the services to standard defaults. It depends on the following files:
 * site.yaml
 * /usr/sbin/geni_common
 * /etc/hostname (via the hostname -f command)

The following files are modified:

[[CollapsibleStart(/etc/dhcpd/dhcpd.conf)]]
This file is populated based on the contents of the site.yaml file. It will produce appropriate entries for all the interfaces of the nodes. Note that this requires the interfaces be ordered according to the original labeling.
The contents look like:
{{{
option domain-name "geni.rutgers.edu";
authoritative;
use-host-decl-names on;
get-lease-hostnames true;
ping-check false;
ping-timeout 0;
log-facility local7;
default-lease-time 86400;
max-lease-time 86400;
ddns-updates off;

subnet 10.3.0.0 netmask 255.255.255.0 {
    option domain-name-servers 10.3.0.254;
    option routers 10.3.0.254;
    option ntp-servers 10.3.0.254;
    next-server 10.3.0.254;
    host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.3.0.101; }
    host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.3.0.102; }
    host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address 10.3.0.103; }
}

subnet 10.1.0.0 netmask 255.255.255.0 {
    option domain-name-servers 10.1.0.254;
    option routers 10.1.0.254;
    option log-servers 10.1.0.254;
    option ntp-servers 10.1.0.254;
    filename "pxelinux.0";
    next-server 10.1.0.254;
    host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.rutgers.edu; }
    host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.rutgers.edu; }
    host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address node3.geni.rutgers.edu; }
}

subnet 10.2.0.0 netmask 255.255.255.0 {
    option ntp-servers 10.2.0.254;
    filename "/pxelinux.fake";
    host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.2.0.1; }
    host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address 10.2.0.2; }
    host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address 10.2.0.3; }
}
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/nssw)]]
The script will blindly replace ''/etc/nsswitch.conf'' with the following:
{{{
passwd:         files ldap compat
group:          files ldap compat
shadow:         files compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/ldap/ldap.conf)]]
The script will blindly replace ''/etc/ldap/ldap.conf'' with the following:
{{{
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_REQCERT never
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/bind/db.DOMAIN)]]
The script will build a db.DOMAIN file in the ''/etc/bind'' directory from the contents of the site.yaml file and the host FQDN. An example might look like this (it assumes a domain of geni.rutgers.edu):
{{{
;
; BIND data file for geni.rutgers.edu
;
$TTL    604800
@       IN      SOA     geni.rutgers.edu. root.geni.rutgers.edu. (
                        2014101501      ; Serial
                            604800      ; Refresh
                             86400      ; Retry
                           2419200      ; Expire
                            604800 )    ; Negative Cache TTL
;
;       IN      A       10.1.0.254
@       IN      NS      consolec.geni.rutgers.edu.
@       IN      A       10.1.0.254
@       IN      AAAA    ::1
consolec IN     A       10.1.0.254
xmpp    IN      CNAME   consolec.geni.rutgers.edu.
node1   IN      A       10.1.0.1
node2   IN      A       10.1.0.2
node3   IN      A       10.1.0.3
cons1   IN      A       10.3.0.101
cons2   IN      A       10.3.0.102
cons3   IN      A       10.3.0.103
data1   IN      A       10.2.0.1
data2   IN      A       10.2.0.2
data3   IN      A       10.2.0.3
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/bind/db.10)]]
The reverse database will also be created to match db.DOMAIN.
{{{
;
; BIND reverse data file for 10.
;
$TTL    604800
@       IN      SOA     consolec. root.geni.rutgers.edu. (
                        2014101501      ; Serial
                            604800      ; Refresh
                             86400      ; Retry
                           2419200      ; Expire
                            604800 )    ; Negative Cache TTL
;
@       IN      NS      consolec.
101.0.3 IN      PTR     cons1.geni.rutgers.edu.
102.0.3 IN      PTR     cons2.geni.rutgers.edu.
103.0.3 IN      PTR     cons3.geni.rutgers.edu.
1.0.1   IN      PTR     node1.geni.rutgers.edu.
2.0.1   IN      PTR     node2.geni.rutgers.edu.
3.0.1   IN      PTR     node3.geni.rutgers.edu.
254.0.1 IN      PTR     consolec.geni.rutgers.edu.
1.0.2   IN      PTR     data1.geni.rutgers.edu.
2.0.2   IN      PTR     data2.geni.rutgers.edu.
3.0.2   IN      PTR     data3.geni.rutgers.edu.
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/bind/named.conf.local)]]
The supporting config files will also be created.
The local file looks like:
{{{
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "geni.rutgers.edu" {
    type master;
    file "/etc/bind/db.geni.rutgers.edu";
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10";
};
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/bind/named.conf.options)]]
This options file assumes that you can directly query Google's 8.8.8.8 DNS server. If this is not the case, you may need to adjust these values to reflect your environment's DNS settings.
{{{
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/ldap.conf)]]
The LDAP client configuration that was chosen during the package installation will be overwritten with the following:
{{{
base dc=geni,dc=rutgers,dc=edu
uri ldap://localhost
rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
ldap_version 3
pam_check_host_attr yes
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_cacertdir /etc/ssl/certs
nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,whoopsie,www-data
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/ssl/geni-site-ca.info)]]
This file will be generated based on the FQDN:
{{{
cn = GENI 4G Authority for geni.rutgers.edu
ca
cert_signing_key
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/ssl/geni-site-console.info)]]
This file will be generated based on the FQDN:
{{{
organization = GENI 4G Site for geni.rutgers.edu
cn = console.geni.rutgers.edu
tls_www_server
encryption_key
signing_key
expiration_days = 3650
}}}
[[CollapsibleEnd]]

[[CollapsibleStart(/etc/phpldapadmin/config.php)]]
The ''/etc/phpldapadmin/config.php'' will have the following lines modified:
{{{
...
$servers->setValue('server','base',array('dc=example,dc=com'));
...
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
...
}}}
These lines should have your LDAP DN, which is derived from your FQDN (e.g. for geni.rutgers.edu => dc=geni,dc=rutgers,dc=edu). The result should look like:
{{{
...
$servers->setValue('server','base',array('dc=geni,dc=rutgers,dc=edu'));
...
$servers->setValue('login','bind_id','cn=admin,dc=geni,dc=rutgers,dc=edu');
...
}}}
'''http://console.geni.DOMAIN/phpldapadmin''' should be accessible, and you should be able to log in to the portal using the LDAP credentials you specified during package installation.
[[CollapsibleEnd]]

2. After this script is run, point the DNS resolver to localhost. To do this, edit the ''/etc/network/interfaces'' file and change the '''dns-nameservers''' line to use '''localhost'''. Also add a '''dns-search''' field to specify the local domain (e.g. geni.rutgers.edu). This should look like:
{{{
# The primary network interface
auto eth2
iface eth2 inet static
    address 10.50.0.249
    netmask 255.255.0.0
    gateway 10.50.0.1
    dns-search geni.rutgers.edu
    dns-nameservers localhost
}}}
Then restart the networking service so the DNS change takes effect:
{{{
/etc/init.d/networking restart
}}}
Once this is done you can test the local DNS by trying to resolve node names, e.g.:
{{{
host node1
node1.geni.rutgers.edu has address 10.1.0.1
}}}
External name resolution should also work.

3. Add the following lines to the /etc/sudoers file (note that this is done with the visudo command):
{{{
%admin ALL=(ALL) ALL
%sysadmin ALL=NOPASSWD: ALL
}}}

=== Import initial GENI LDAP content ===

Next we will import the initial content, consisting of the first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (in LDAP terms, organizational units (OUs)). Each group can have a number of administrators (users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator, PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through ''phpldapadmin'' or through an LDIF configuration file and command line tools.
The LDIF config for the initial import looks like:
{{{
dn: ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: GENI
description: GENI
businessCategory: Academic

dn: cn=GENI,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: organizationalPerson
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/globaladmin
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: ivan@example.org
userPassword: password
o: GENI
host: null.orbit-lab.org

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalRole
objectClass: top
cn: admin
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
}}}
Typically you will need to replace:
 1. Every occurrence of the DN base in the file (i.e. do a global replace of '''dc=geni,dc=net''' with the corresponding DN, e.g. '''dc=geni,dc=rutgers,dc=edu''' as was done in the example above)
 1. The initial group/organization name (i.e. do a global replace of '''GENI''' with the group name, e.g. '''Rutgers''')
 1. Personalize the administrator account entries under '''sn:''', '''givenName:''', '''mail:''' and '''userPassword:'''
 1. (optional) The initial administrator account user id (i.e. replace every occurrence of '''globaladmin''' with, say, '''ruadmin''')

Any person that is a member of the sysadmin group in LDAP and of the admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.
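The four replacement rules can be applied and checked with a small script instead of by hand. The following is an added example, not part of this page or of the GENI/OMF tooling. It assumes the prototype file uses the base DN dc=geni,dc=net, the group name GENI, the account globaladmin and the placeholder password "password", as described above; the function names and the shortened prototype it writes are its own constructions. It derives the base DN from the site domain the same way the page does (geni.rutgers.edu => dc=geni,dc=rutgers,dc=edu) and rejects a file that still carries the placeholder password or entries outside the new base.

```shell
#!/bin/sh
# Added example, not part of this page or of the OMF/GENI tooling: applies the
# replacement rules above to a prototype LDIF and checks the result before it
# is handed to ldapadd. Assumes the prototype uses the base dc=geni,dc=net,
# the group name GENI, the uid globaladmin and the placeholder password
# "password", as described above. Function names are this example's own.

# Derive the base DN from the site domain: geni.rutgers.edu -> dc=geni,dc=rutgers,dc=edu
fqdn_to_basedn() {
    printf '%s\n' "$1" | awk -F. '{
        dn = ""
        for (i = 1; i <= NF; i++) dn = dn (i > 1 ? "," : "") "dc=" $i
        print dn
    }'
}

# Write a constructed, shortened copy of the prototype GENIinit.ldif to $1.
write_prototype_ldif() {
    cat > "$1" <<'EOF'
dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
objectClass: top
ou: GENI
description: GENI

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
homeDirectory: /home/globaladmin
mail: ivan@example.org
userPassword: password
o: GENI

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=net
objectClass: organizationalRole
cn: admin
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
EOF
}

# Rules 1-4: $1 input LDIF, $2 output LDIF, $3 new base DN, $4 group name,
# $5 admin uid, $6 admin password (replaces the literal placeholder only).
prepare_ldif() {
    pw=$(printf '%s' "$6" | sed 's|[&/]|\\&|g')   # escape sed-special characters in the password
    sed -e "s/dc=geni,dc=net/$3/g" \
        -e "s/GENI/$4/g" \
        -e "s/globaladmin/$5/g" \
        -e "s/^userPassword: password\$/userPassword: $pw/" \
        "$1" > "$2"
}

# Check a rewritten LDIF ($1) against base DN $2 and admin uid $3: every DN-bearing
# line must end in the new base, the placeholder password must be gone, and every
# group membership must name the admin. Prints "ok" or the first problem found.
check_ldif() {
    file=$1; basedn=$2; adminuid=$3
    stray=$(grep 'dc=' "$file" | grep -vc "$basedn\$" || true)
    [ "$stray" -eq 0 ] || { echo "$stray line(s) still carry another base DN"; return 1; }
    if grep -q '^userPassword: password$' "$file"; then
        echo "placeholder password still in place"; return 1
    fi
    stray=$(grep -E '^(memberUid|roleOccupant):' "$file" | grep -vc "$adminuid" || true)
    [ "$stray" -eq 0 ] || { echo "$stray membership line(s) do not name $adminuid"; return 1; }
    echo ok
}
```

Source the file and run, for example, `prepare_ldif GENIinit.ldif RUinit.ldif "$(fqdn_to_basedn geni.rutgers.edu)" Rutgers ruadmin 'your-password'` followed by `check_ldif RUinit.ldif dc=geni,dc=rutgers,dc=edu ruadmin`, and only pass the file to ldapadd when the check prints ok. The prototype keeps userPassword in clear text and this script preserves that format, so keep the rewritten file's permissions tight until it has been imported.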
In order to create the initial LDAP structure:
 * Download the prototype configuration file from this link (it can go anywhere, e.g. the admin user's home directory):
{{{
wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
}}}
 * Modify it with your favorite text editor according to the rules described above.
 * Finally, import it into LDAP ('''Note:''' change the value of the -D flag in the command below to reflect your domain):
{{{
ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
}}}
You will be prompted for the LDAP password you specified during installation.
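The script run in step 1 writes db.DOMAIN, db.10 and dhcpd.conf from the same site.yaml and states that the reverse database matches the forward one. The check below is an added example, not part of this page or of geni_os_setup: it parses the three generated files with awk and reports any host whose A and PTR records disagree, any MAC address declared twice in dhcpd.conf, and any DHCP host that has no A record. The sample files it writes are constructed, shortened copies of the listings above, and the function names are its own. It assumes the forward zone file is named db.<domain> and that the reverse zone is 10.in-addr.arpa with three-label relative names (101.0.3 for 10.3.0.101), as in the db.10 shown above.

```shell
#!/bin/sh
# Added example (not part of the page or of geni_os_setup): consistency check
# over the files step 1 generates. Assumes the forward zone file is db.<domain>,
# the reverse zone is 10.in-addr.arpa with three-label relative names
# (e.g. 101.0.3 -> 10.3.0.101), and dhcpd.conf declares hosts as host NAME { ... }.

# Write constructed, shortened copies of the generated files into directory $1.
write_sample_site() {
    cat > "$1/db.geni.rutgers.edu" <<'EOF'
$TTL 604800
@ IN SOA geni.rutgers.edu. root.geni.rutgers.edu. ( 2014101501 604800 86400 2419200 604800 )
@ IN NS consolec.geni.rutgers.edu.
@ IN A 10.1.0.254
consolec IN A 10.1.0.254
xmpp IN CNAME consolec.geni.rutgers.edu.
node1 IN A 10.1.0.1
cons1 IN A 10.3.0.101
data1 IN A 10.2.0.1
EOF
    cat > "$1/db.10" <<'EOF'
$TTL 604800
@ IN SOA consolec. root.geni.rutgers.edu. ( 2014101501 604800 86400 2419200 604800 )
@ IN NS consolec.
254.0.1 IN PTR consolec.geni.rutgers.edu.
1.0.1 IN PTR node1.geni.rutgers.edu.
101.0.3 IN PTR cons1.geni.rutgers.edu.
1.0.2 IN PTR data1.geni.rutgers.edu.
EOF
    cat > "$1/dhcpd.conf" <<'EOF'
subnet 10.1.0.0 netmask 255.255.255.0 {
    host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.rutgers.edu; }
}
subnet 10.3.0.0 netmask 255.255.255.0 {
    host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.3.0.101; }
}
subnet 10.2.0.0 netmask 255.255.255.0 {
    host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.2.0.1; }
}
EOF
}

# "name ip" for every relative A record in forward zone file $1 (skips @, comments, other types).
forward_records() {
    awk '$1 !~ /^;/ && $1 != "@" && $2 == "IN" && $3 == "A" { print $1, $4 }' "$1"
}

# "name ip" rebuilt from every PTR in 10.in-addr.arpa zone file $1, stripping domain $2.
reverse_records() {
    awk -v domain="$2" '$3 == "PTR" {
        if (split($1, o, ".") != 3) next          # only 3-label relative names under 10.
        ip = "10." o[3] "." o[2] "." o[1]
        name = $4; suffix = "." domain "."
        if (substr(name, length(name) - length(suffix) + 1) == suffix)
            name = substr(name, 1, length(name) - length(suffix))
        print name, ip
    }' "$1"
}

# Host names declared in dhcpd.conf $1, one per line.
dhcp_hosts() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "host") print $(i + 1) }' "$1"
}

# MAC addresses declared in dhcpd.conf $1, one per line.
dhcp_macs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "ethernet") { m = $(i + 1); sub(/;$/, "", m); print m } }' "$1"
}

# Cross-check the three files in directory $1 for domain $2. Prints "ok" or the first problem found.
check_site_consistency() {
    dir=$1; domain=$2
    fwd=$(forward_records "$dir/db.$domain" | sort)
    rev=$(reverse_records "$dir/db.10" "$domain" | sort)
    if [ "$fwd" != "$rev" ]; then
        echo "forward/reverse mismatch (forward only, then reverse only):"
        printf '%s\n' "$fwd" > "$dir/.fwd"; printf '%s\n' "$rev" > "$dir/.rev"
        comm -3 "$dir/.fwd" "$dir/.rev"; rm -f "$dir/.fwd" "$dir/.rev"
        return 1
    fi
    dup=$(dhcp_macs "$dir/dhcpd.conf" | sort | uniq -d)
    [ -z "$dup" ] || { echo "MAC address declared twice in dhcpd.conf: $dup"; return 1; }
    for h in $(dhcp_hosts "$dir/dhcpd.conf"); do
        printf '%s\n' "$fwd" | grep -q "^$h " || { echo "DHCP host $h has no A record"; return 1; }
    done
    echo ok
}
```

Against a live site, point it at the real directories rather than the sample writer, e.g. `check_site_consistency /etc/bind geni.rutgers.edu` after copying dhcpd.conf alongside the zone files, and run it again after every edit to site.yaml that re-generates the files. A PTR that names a host missing from the forward zone, or a MAC pasted twice when interfaces are re-ordered, is reported before the resolver is switched to localhost in step 2.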