
Version 30 (modified by ssugrim, 8 years ago)

Configure OS Services

Post-installation OS Services Configuration

    1. Run the OS configuration script as root:
      It should produce:
      root@console:~# /usr/sbin/geni_os_setup 
      Loading /etc/omf-aggmgr-5.4/site.yaml... done.
      stop: Unknown instance: 
      Generating a 2432 bit RSA private key...
      Generating a self signed certificate...
      X.509 Certificate Information:
      	Version: 3
      	Serial Number (hex): 544e96f4
      		Not Before: Mon Oct 27 19:03:16 UTC 2014
      		Not After: Tue Oct 27 19:03:16 UTC 2015
      	Subject: CN=GENI 4G Authority for
      	Subject Public Key Algorithm: RSA
      	Certificate Security Level: Normal
      		Modulus (bits 2432):
      		Exponent (bits 24):
      		Basic Constraints (critical):
      			Certificate Authority (CA): TRUE
      		Subject Key Identifier (not critical):
      Other Information:
      	Public Key Id:
      Signing certificate...
      ** Note: Please use the --sec-param instead of --bits
      Generating a 1024 bit RSA private key...
      Generating a signed certificate...
      X.509 Certificate Information:
      	Version: 3
      	Serial Number (hex): 544e96f4
      		Not Before: Mon Oct 27 19:03:16 UTC 2014
      		Not After: Tue Oct 27 19:03:16 UTC 2015
      	Subject: O=GENI 4G Site for,
      	Subject Public Key Algorithm: RSA
      	Certificate Security Level: Weak
      		Modulus (bits 1024):
      		Exponent (bits 24):
      		Basic Constraints (critical):
      			Certificate Authority (CA): FALSE
      		Key Purpose (not critical):
      			TLS WWW Server.
      		Key Usage (critical):
      			Digital signature.
      			Key encipherment.
      		Subject Key Identifier (not critical):
      		Authority Key Identifier (not critical):
      Other Information:
      	Public Key Id:
      Signing certificate...
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      This script attempts to configure several of the services to standard defaults. It depends on the following files:
      • site.yaml
      • /usr/sbin/geni_common
      • /etc/hostname (via the hostname -f command)

    The following files are modified:


    This file is populated based on the contents of the site.yaml file. It will produce appropriate entries for all the interfaces of the nodes. Note that this requires the interfaces to be ordered according to the original labeling. The contents look like:

    option domain-name "";
    use-host-decl-names on;
    get-lease-hostnames true;
    ping-check false;
    ping-timeout 0;
    log-facility local7;
    default-lease-time 86400;
    max-lease-time 86400;
    ddns-updates off;
    subnet netmask {
     option domain-name-servers;
     option routers;
     option ntp-servers;
     host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address; }
     host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address; }
     host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address; }
    }
    subnet netmask {
     option domain-name-servers;
     option routers;
     option log-servers;
     option ntp-servers;
     filename "pxelinux.0";
     host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address; }
     host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address; }
     host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address; }
    }
    subnet netmask {
     option ntp-servers;
     filename "/pxelinux.fake";
     host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address; }
     host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address; }
     host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address; }
    }


    The script will blindly replace the /etc/nsswitch.conf with the following:

    passwd:         files ldap compat
    group:          files ldap compat
    shadow:         files compat
    hosts:          files dns
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis


    The script will blindly replace /etc/ldap/ldap.conf with the following:

    # LDAP Defaults
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    #BASE	dc=example,dc=com
    #URI	ldap:// ldap://
    #DEREF		never
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT	/etc/ssl/certs/cacert.pem
    TLS_REQCERT     never


    The script will build a db.DOMAIN file in the /etc/bind directory based on the contents of the site.yaml file and the host FQDN. An example might look like (this assumes a domain of

    ; BIND data file for
    $TTL    604800
    @       IN      SOA (
                       2014101501  ; Serial
                       604800      ; Refresh
                       86400       ; Retry
                       2419200     ; Expire
                       604800 )    ; Negative Cache TTL
                    IN      A
    @               IN      NS
    @               IN      A
    @               IN      AAAA    ::1
    consolec        IN      A
    xmpp            IN      CNAME
    node1           IN      A
    node2           IN      A
    node3           IN      A
    cons1           IN      A
    cons2           IN      A
    cons3           IN      A
    data1           IN      A
    data2           IN      A
    data3           IN      A


    The reverse database will also be created to match the db.DOMAIN.

    ; BIND reverse data file for 10.
    $TTL    604800
    @       IN      SOA     consolec. (
                       2014101501  ; Serial
                       604800      ; Refresh
                       86400       ; Retry
                       2419200     ; Expire
                       604800 )    ; Negative Cache TTL
    @       IN      NS      consolec.
    101.0.3     IN      PTR
    102.0.3     IN      PTR
    103.0.3     IN      PTR
    1.0.1     IN      PTR
    2.0.1     IN      PTR
    3.0.1     IN      PTR
    254.0.1   IN      PTR
    1.0.2     IN      PTR
    2.0.2     IN      PTR
    3.0.2     IN      PTR
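As an added check that is not part of the page's script, the following Python parses a forward zone in the db.DOMAIN layout and a reverse zone in the db.10 layout (owner labels are relative to 10.in-addr.arpa, so "101.0.3" is 10.3.0.101) and reports every A record whose PTR is missing or names a different host. The zone texts and the geni.example.edu domain are constructed sample values.

```python
# Added example, not the page's script: verify that db.10 mirrors db.DOMAIN.
# The zone texts are constructed samples in the page's layout; DOMAIN is assumed.
import re

DOMAIN = "geni.example.edu"

FORWARD = """\
@               IN      A       10.1.0.254
consolec        IN      A       10.1.0.254
xmpp            IN      CNAME   consolec
node1           IN      A       10.1.0.1
data1           IN      A       10.3.0.101
"""
REVERSE = """\
@       IN      NS      consolec.geni.example.edu.
254.0.1   IN      PTR     consolec.geni.example.edu.
1.0.1     IN      PTR     node1.geni.example.edu.
101.0.3   IN      PTR     data2.geni.example.edu.
"""

def parse_a_records(zone_text):
    """name -> IPv4 from 'name IN A addr'; '@' is skipped (console has its own)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(\S+)\s+IN\s+A\s+(\S+)", zone_text, re.M)
            if m.group(1) != "@"}

def parse_ptr_records(rev_text, zone_prefix="10"):
    """IPv4 -> target. Owners are relative to <zone_prefix>.in-addr.arpa, so the
    label '101.0.3' in db.10 is the reversed tail of 10.3.0.101."""
    recs = {}
    for m in re.finditer(r"^([\d.]+)\s+IN\s+PTR\s+(\S+)", rev_text, re.M):
        tail = ".".join(reversed(m.group(1).split(".")))
        recs[f"{zone_prefix}.{tail}"] = m.group(2)
    return recs

def reverse_mismatches(fwd_text, rev_text, domain=DOMAIN):
    """A records without a PTR, PTRs naming a different host, stray PTRs."""
    fwd, rev = parse_a_records(fwd_text), parse_ptr_records(rev_text)
    problems = []
    for name, addr in fwd.items():
        want, got = f"{name}.{domain}.", rev.get(addr)
        if got is None:
            problems.append(f"{addr}: no PTR for {want}")
        elif got != want:
            problems.append(f"{addr}: PTR is {got}, expected {want}")
    for addr, target in rev.items():
        if addr not in fwd.values():
            problems.append(f"{addr}: PTR {target} has no A record")
    return sorted(problems)
```

Run it against the real /etc/bind files after the script has generated them; an empty list means the reverse zone matches.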


    The supporting config files will also be created. The local file looks like:

    // Do any local configuration here
    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";
      zone "" {
       type master;
       file "/etc/bind/";
      zone "" {
        type master;
        file "/etc/bind/db.10";


    This options file assumes that you can directly query Google's DNS servers. If this is not the case, you may need to adjust these values to reflect your environment's DNS settings.

    options {
            directory "/var/cache/bind";
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See
            // If your ISP provided one or more IP addresses for stable 
            // nameservers, you probably want to use them as forwarders.  
            // Uncomment the following block, and insert the addresses replacing 
            // the all-0's placeholder.
             forwarders {
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See
            dnssec-validation no;
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };


    The LDAP client configuration that was chosen during the package installation will be overwritten with the following:

    base dc=geni,dc=rutgers,dc=edu
    uri ldap://localhost
    rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
    ldap_version 3
    pam_check_host_attr yes
    pam_password md5
    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /etc/ssl/certs/cacert.pem
    tls_cacertdir /etc/ssl/certs
    nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,sysl
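The ldap.conf shown earlier sets TLS_REQCERT never while the pam_ldap configuration just shown sets tls_checkpeer yes, so the command-line tools and PAM end up trusting the server differently. The following added example (not part of the page or the script) parses both files and lists the settings a reviewer would flag; the two texts are constructed from the page's own contents.

```python
# Added example, not part of the page: audit the LDAP client settings that the
# script writes (ldap.conf above and the pam_ldap config just shown). The two
# texts are constructed from the page's own contents.
LDAP_CONF = """\
TLS_CACERT\t/etc/ssl/certs/cacert.pem
TLS_REQCERT     never
"""
PAM_LDAP = """\
base dc=geni,dc=rutgers,dc=edu
uri ldap://localhost
rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
"""

def parse_kv(text):
    """'KEY value' lines; comments/blanks dropped, keys lower-cased so the
    upper-case ldap.conf and lower-case pam_ldap directives compare alike."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def audit_ldap_client(ldap_conf_text, pam_ldap_text):
    """(severity, message) for each setting a reviewer would flag."""
    lc, pl = parse_kv(ldap_conf_text), parse_kv(pam_ldap_text)
    reqcert = lc.get("tls_reqcert", "demand")   # libldap default is demand
    findings = []
    if reqcert in ("never", "allow"):
        findings.append(("high", f"ldap.conf TLS_REQCERT {reqcert}: ldapadd/ldapsearch "
                                 "accept any server certificate"))
    if pl.get("tls_checkpeer") == "yes" and reqcert == "never":
        findings.append(("medium", "pam_ldap checks the peer (tls_checkpeer yes) but "
                                   "ldap.conf does not: the two clients disagree"))
    if pl.get("pam_password") == "md5":
        findings.append(("medium", "pam_password md5: changed passwords are hashed "
                                   "client-side as unsalted MD5; exop hashes server-side"))
    if "rootbinddn" in pl:
        findings.append(("info", "rootbinddn set: the admin password is read from "
                                 "the pam_ldap secret file, which must be 0600 root"))
    if pl.get("uri", "").startswith("ldap://") and pl.get("ssl") != "start_tls":
        findings.append(("high", "ldap:// without start_tls: binds cross the network in clear"))
    return findings
```

With uri ldap://localhost the exposure of TLS_REQCERT never is limited to the console host itself, but the setting still deserves a conscious decision rather than a default.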


    This file will be generated based on the FQDN:

    cn = GENI 4G Authority for


    This file will be generated based on the FQDN:

    organization = GENI 4G Site for
    cn =
    expiration_days = 3650


    The /etc/phpldapadmin/config.php will have the following lines modified:


    These lines should have your LDAP DN, which is derived from your FQDN (e.g. for ⇒ dc=geni,dc=rutgers,dc=edu). The result should look like:


    http://console.geni.DOMAIN/phpldapadmin should be accessible, and you should be able to log in to the portal using the LDAP credentials you specified during package installation.


    The contents of this file will be blindly replaced with:

    TFTP_OPTIONS="-s -l"

    1. After this script is run, we will need to point the DNS resolver at localhost. To do this, edit the /etc/network/interfaces file and change the dns-nameservers line to use localhost. We also need to add a dns-search field to specify the local domain (e.g. your site's domain). This should look like:
      # The primary network interface
      auto eth2
      iface eth2 inet static
            dns-nameservers localhost
      then restart the networking service to reflect the DNS change:
      /etc/init.d/networking restart
      Once this setting is done you can test the local DNS by trying to resolve node names, e.g.:
      host node1 has address
      External name resolution should also work.

      Note: if you have to use a specific DNS server for external name resolution, you will need to modify the forwarders field in /etc/bind/named.conf.options, e.g.:
      forwarders {;
    2. Add the following lines to the /etc/sudoers file (note this is done with the visudo command).
      %admin ALL=(ALL) ALL
      %sysadmin ALL=NOPASSWD: ALL

    Import initial GENI LDAP content

    Next we will import initial content consisting of the first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (in LDAP terms, organizational units (OUs)). Each group can have a number of administrators (users with group management capabilities) but must have one person who is the main administrator for the OU (the principal investigator, PI). While most account management is performed through Control Panel functions, the initial site administrator and the first OU have to be added to LDAP manually. This can be done through phpldapadmin or through an LDIF configuration file and the command line tools. The LDIF config for the initial import looks like:

    dn: ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: organizationalUnit
    objectClass: top
    ou: GENI
    description: GENI
    businessCategory: Academic

    dn: cn=GENI,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: posixGroup
    cn: GENI
    memberUid: globaladmin
    gidNumber: 1001

    dn: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: hostObject
    objectClass: shadowAccount
    objectClass: organizationalPerson
    uid: globaladmin
    sn: admin
    givenName: global
    cn: global admin
    uidNumber: 1000
    gidNumber: 1001
    loginShell: /bin/bash
    homeDirectory: /home/globaladmin
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    userPassword: password
    o: GENI

    dn: cn=GENI-admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: posixGroup
    cn: GENI-admin
    memberUid: globaladmin
    gidNumber: 1002

    dn: cn=admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
    objectClass: organizationalRole
    objectClass: top
    cn: admin
    roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu

    Typically you will need to replace:

    1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=geni,dc=rutgers,dc=edu as was done in the example above)
    2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
    3. Personalize the administrator account entries under sn:, givenName:, mail: and userPassword:
    4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

    Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

    In order to create initial LDAP structure:

    • Download the prototype configuration file from this link (it can go anywhere, e.g. the admin user's home directory):
    • Modify it with your favorite text editor according to the rules described above.
    • Finally import it into LDAP (Note: change the value of the -D flag in the command below to reflect your domain):
      ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
      You will be prompted for the LDAP password you specified during installation.
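The four substitutions listed above, applied to a constructed excerpt of the prototype LDIF, as added example code that is not the page's tooling. It also replaces the clear-text userPassword with an {SSHA} hash, since ldapadd stores the attribute exactly as given, and checks that memberUid and roleOccupant still refer to entries present in the file after the renames. The base DN, group name and account name passed in are assumed values.

```python
# Added example, not the page's tooling: apply the substitutions listed above to
# the prototype LDIF and hash the admin password. PROTO is a constructed excerpt.
import base64, hashlib, os, re

PROTO = """\
dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
ou: GENI

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: posixAccount
uid: globaladmin
userPassword: password

dn: cn=admin,ou=GENI,dc=geni,dc=net
objectClass: organizationalRole
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
"""

def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    """Recompute with the salt stored after the 20-byte SHA-1 digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return stored.startswith("{SSHA}") and ssha(password, raw[20:]) == stored

def customize(ldif, base_dn, org, admin_uid, password):
    """Steps 1, 2 and 4 as whole-token replaces, then the password (step 3)."""
    out = ldif.replace("dc=geni,dc=net", base_dn)
    out = re.sub(r"\bGENI\b", org, out)          # in the full file also GENI-admin
    out = re.sub(r"\bglobaladmin\b", admin_uid, out)
    return re.sub(r"^userPassword: .*$", "userPassword: " + ssha(password),
                  out, flags=re.M)

def dangling_references(ldif):
    """memberUid/roleOccupant values that no entry in the file defines."""
    dns = set(re.findall(r"^dn: (.+)$", ldif, re.M))
    uids = set(re.findall(r"^uid: (.+)$", ldif, re.M))
    missing = [u for u in re.findall(r"^memberUid: (.+)$", ldif, re.M) if u not in uids]
    missing += [d for d in re.findall(r"^roleOccupant: (.+)$", ldif, re.M) if d not in dns]
    return missing
```

Write the returned text to a file and feed it to the ldapadd command above; an empty result from dangling_references means the global replaces did not break any group membership or role reference.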
