close Warning: Can't synchronize with repository "(default)" (/common/SVN/wimax does not appear to be a Subversion repository.). Look in the Trac log for more information.

Version 31 (modified by seskar, 9 years ago) ( diff )

OS Services Configuration

Post-installation OS Services Configuration

  1. Run the OS configuration script as root:
    It should produce:
    root@console:~# /usr/sbin/geni_os_setup 
    Loading /etc/omf-aggmgr-5.4/site.yaml... done.
    stop: Unknown instance: 
    Generating a 2432 bit RSA private key...
    Generating a self signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 544e96f4
    		Not Before: Mon Oct 27 19:03:16 UTC 2014
    		Not After: Tue Oct 27 19:03:16 UTC 2015
    	Subject: CN=GENI 4G Authority for
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Normal
    		Modulus (bits 2432):
    		Exponent (bits 24):
    		Basic Constraints (critical):
    			Certificate Authority (CA): TRUE
    		Subject Key Identifier (not critical):
    Other Information:
    	Public Key Id:
    Signing certificate...
    ** Note: Please use the --sec-param instead of --bits
    Generating a 1024 bit RSA private key...
    Generating a signed certificate...
    X.509 Certificate Information:
    	Version: 3
    	Serial Number (hex): 544e96f4
    		Not Before: Mon Oct 27 19:03:16 UTC 2014
    		Not After: Tue Oct 27 19:03:16 UTC 2015
    	Subject: O=GENI 4G Site for,
    	Subject Public Key Algorithm: RSA
    	Certificate Security Level: Weak
    		Modulus (bits 1024):
    		Exponent (bits 24):
    		Basic Constraints (critical):
    			Certificate Authority (CA): FALSE
    		Key Purpose (not critical):
    			TLS WWW Server.
    		Key Usage (critical):
    			Digital signature.
    			Key encipherment.
    		Subject Key Identifier (not critical):
    		Authority Key Identifier (not critical):
    Other Information:
    	Public Key Id:
    Signing certificate...
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    This script attempts to configure several of the services to standard defaults. It depends on the following files:
    • site.yaml
    • /usr/sbin/geni_common
    • /etc/hostname (via the hostname -f command)

The following files are modified:


This file is populated based on the contents of the site.yaml file. It will produce appropriate entries for all the interfaces of the nodes. Note that this requires the interfaces be ordered according to the original labeling. The contents looks like:

option domain-name "";
use-host-decl-names on;
get-lease-hostnames true;
ping-check false;
ping-timeout 0;
log-facility local7;
default-lease-time 86400;
max-lease-time 86400;
ddns-updates off;

subnet netmask {
 option domain-name-servers;
 option routers;
 option ntp-servers;

 host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address; }
 host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address; }
 host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address; }


subnet netmask {
 option domain-name-servers;
 option routers;
 option log-servers;
 option ntp-servers;
 filename "pxelinux.0";

 host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address; }
 host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address; }
 host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address; }


subnet netmask {
 option ntp-servers;
 filename "/pxelinux.fake";

 host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address; }
 host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address; }
 host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address; }



The script will blindly replace the /etc/nsswitch.conf with the following:

passwd:         files ldap compat
group:          files ldap compat
shadow:         files compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


The script will blindly replace the /etc/ldap/ldap.conf with the following

# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap:// ldap://

#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ssl/certs/cacert.pem
TLS_REQCERT     never


The script will build a db.DOMAIN file in the /etc/bind directory based on contents of the site.yaml file, and the host FQDN. An example might look like (this assumed a domain of

; BIND data file for
$TTL    604800
@       IN      SOA (
                   2014101501  ; Serial
                   604800      ; Refresh
                   86400       ; Retry
                   2419200     ; Expire
                   604800 )    ; Negative Cache TTL
                IN      A
@               IN      NS
@               IN      A
@               IN      AAAA    ::1
consolec        IN      A
xmpp            IN      CNAME

node1           IN      A
node2           IN      A
node3           IN      A

cons1           IN      A
cons2           IN      A
cons3           IN      A

data1           IN      A
data2           IN      A
data3           IN      A


The reverse database will also be created to match the db.DOMAIN.

; BIND reverse data file for 10.
$TTL    604800
@       IN      SOA     consolec. (
                   2014101501  ; Serial
                   604800      ; Refresh
                   86400       ; Retry
                   2419200     ; Expire
                   604800 )    ; Negative Cache TTL
@       IN      NS      consolec.

101.0.3     IN      PTR
102.0.3     IN      PTR
103.0.3     IN      PTR

1.0.1     IN      PTR
2.0.1     IN      PTR
3.0.1     IN      PTR

254.0.1   IN      PTR
1.0.2     IN      PTR
2.0.2     IN      PTR
3.0.2     IN      PTR


The supporting config files will also be created. The local file looks like:

// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

  zone "" {
   type master;
   file "/etc/bind/";
  zone "" {
    type master;
    file "/etc/bind/db.10";


This option file assumes that you can directly query Google's DNS server. If this is not the case, you may need to adjust these values to reflect your environments DNS settings.

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

         forwarders {

        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See
        dnssec-validation no;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };


The Ldap clinet configurations that were choosen during the package installation will be overwritten with the following:

base dc=geni,dc=rutgers,dc=edu
uri ldap://localhost
rootbinddn cn=admin,dc=geni,dc=rutgers,dc=edu
ldap_version 3
pam_check_host_attr yes
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_cacertdir /etc/ssl/certs
nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcpd,games,gnats,irc,landscape,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,mysql,news,ntp,openfire,openldap,postfix,proxy,root,sshd,statd,sync,sys,sysl


This file will be generated based on the FQDN:

cn = GENI 4G Authority for


This file will be generated based on the FQDN:

organization = GENI 4G Site for
cn =
expiration_days = 3650


The /etc/phpldapadmin/config.php will have the following lines modified:


These lines should have your LDAP DN which is dervied from your FQDN. (e.g. for ⇒ dc=geni,dc=rutgers,dc=edu). The result should look like:


http://console.geni.DOMAN/phpldapamin should be accessible, and you should be able to login to the portal using the ldap credentials you specified during package installation.


The contents of this file will be blindly replaced with:


  1. After this script is run, we will need to point the dns resolver to the localhost. To do this edit /etc/network/interfaces file and change the dns-nameservers line to use localhost. We also need to add a dns-search field to specify the local domain, (e.g This should look like:
    # The primary network interface
    auto eth2
    iface eth2 inet static
          dns-nameservers localhost
    then restart the networking service to reflect the DNS change:
    /etc/init.d/networking restart
    Once this setting is done you can test the local dns by tring to resolve node names e.g.:
    host node1 has address
    External name resolution should also work.

    Note: if you have to use a specfic DNS server for external name resolution, you will need to modify the forwarders field in /etc/bind/named.conf.options. e.g.:
    forwarders {;
  2. Add the follow line to the /etc/sudoers file (note this is done with the visudo command).
    %admin ALL=(ALL) ALL
    %sysadmin ALL=NOPASSWD: ALL

Import initial GENI LDAP content

Next we will import initial content consisting of first groups and accounts that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. This can be done through phpldapadmin or through LDIF configuration file and command line tools. The LDIF config for initial import looks like:

dn: ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalUnit
objectClass: top
ou: GENI
description: GENI
businessCategory: Academic

dn: cn=GENI,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: organizationalPerson
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/globaladmin
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
userPassword: password

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=rutgers,dc=edu
objectClass: organizationalRole
objectClass: top
cn: admin
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=rutgers,dc=edu

Typically you will need to replace:

  1. Every occurrence of DN base in the file (i.e. do a global replace of dc=geni,dc=net with corresponding DN e.g. dc=geni,dc=rutgers,dc=edu as was done in the example above)
  2. Initial group/organization name (i.e. do a global replace of GENI with the group name e.g. Rutgers)
  3. Personalize administrator account entries under 'sn:,givenName:,mail: and userPassword:
  4. (optional) Initial administrator account user id (i.e. replace every occurrence of globaladmin with say ruadmin)

Any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

In order to create initial LDAP structure:

  • Download the protoype configuration file from this link (it can go anywhere, e.g. admin user's home directory):
  • Modify it with your favorite text editor according to the rules described prior.
  • Finally import it into LDAP (Note: change the value of the -D flag in the command below to reflect your domain):
    ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
    You will be prompted for the LDAP password you specified during installation.

Attachments (1)

Download all attachments as: .zip

Note: See TracWiki for help on using the wiki.