Dependencies
DHCP
Once the base OS is installed and all of the interfaces are properly configured, the DHCP server has to be told which addresses to hand out on which interfaces. The DHCP server is configured in /etc/dhcp/dhcpd.conf; the following example has all of the relevant settings.
To use this file you will have to modify the following portions:
- domain-name
- Node CMC MAC addresses (labeled cons#)
- Node Control MAC addresses (labeled node#)
- Node Data MAC addresses (labeled data#)
These fields MUST be modified to reflect your configuration. Note that the node# entries give a hostname rather than an IP address as fixed-address, so dhcpd resolves them through the DNS server configured below when it starts; the forward zone therefore has to carry an A record for every such name before dhcpd is started. The data# subnet deliberately hands out a non-existent boot file (/pxelinux.fake) and no routers or name servers, so a node cannot PXE boot or route off the data interface.
    option domain-name "geni.net";
    authoritative;
    use-host-decl-names on;
    get-lease-hostnames true;
    ping-check false;
    ping-timeout 0;
    log-facility local7;
    default-lease-time 86400;
    max-lease-time 86400;
    ddns-updates off;

    subnet 10.1.0.0 netmask 255.255.255.0 {
        option domain-name-servers 10.1.0.254;
        option routers 10.1.0.254;
        option ntp-servers 10.1.0.254;
        next-server 10.1.0.254;
        host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.1.0.1; }
        host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.1.0.2; }
        host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address 10.1.0.3; }
    }

    subnet 10.1.1.0 netmask 255.255.255.0 {
        option domain-name-servers 10.1.1.254;
        option routers 10.1.1.254;
        option log-servers 10.1.1.254;
        option ntp-servers 10.1.1.254;
        filename "pxelinux.0";
        # allow booting;
        # allow bootp;
        # option option-150 code 150 = text;
        next-server 10.1.1.254;
        host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.net; }
        host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.net; }
        host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address node3.geni.net; }
    }

    subnet 10.1.2.0 netmask 255.255.255.0 {
        # option domain-name-servers 10.1.2.254;
        # option routers 10.1.2.254;
        option ntp-servers 10.1.2.254;
        filename "/pxelinux.fake";
        host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.1.2.1; }
        host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address 10.1.2.2; }
        host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address 10.1.2.3; }
    }
DNS
The DNS configuration is split between a few files: the config files that tell named which db files to read, and the db (zone) files themselves. Other portions of the config are included as part of the default install and are not listed here.
This is the default /etc/bind/named.conf.
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
The /etc/bind/named.conf.local is modified to point to our specific database files.
    //
    // Do any local configuration here
    //
    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";

    zone "geni.net" {
        type master;
        file "/etc/bind/db.geni.net";
    };

    zone "1.10.in-addr.arpa" {
        type master;
        file "/etc/bind/db.10";
    };
The primary zone file is /etc/bind/db.geni.net. The file name can be changed to reflect your site, but it has to match the file entry in named.conf.local. Aside from the domain, this file can remain intact. Increment the Serial in the SOA record every time you edit the zone, otherwise resolvers that already cached it will keep serving the old data.
    ;
    ; BIND data file for geni.net
    ;
    $TTL    604800
    @       IN      SOA     geni.net. root.geni.net. (
                                  2         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    ;       IN      A       10.1.1.254
    @       IN      NS      consolec.geni.net.
    @       IN      A       10.1.1.254
    @       IN      AAAA    ::1
    consolec IN     A       10.1.1.254
    xmpp    IN      CNAME   consolec.geni.net.
    node1   IN      A       10.1.1.1
    node2   IN      A       10.1.1.2
    node3   IN      A       10.1.1.3
    cons1   IN      A       10.1.0.1
    cons2   IN      A       10.1.0.2
    cons3   IN      A       10.1.0.3
    data1   IN      A       10.1.2.1
    data2   IN      A       10.1.2.2
    data3   IN      A       10.1.2.3
/etc/bind/db.10 is the reverse look-up zone for 10.1.0.0/16. The PTR owner names are relative to 1.10.in-addr.arpa, so 1.0 is 10.1.0.1 and 254.1 is 10.1.1.254. This file will also need to be modified to reflect the domain; the SOA and NS names must be the fully qualified name of the console (consolec.geni.net.), matching the forward zone, not a bare host name.
    ;
    ; BIND reverse data file for 10.1
    ;
    $TTL    604800
    @       IN      SOA     consolec.geni.net. root.geni.net. (
                                  1         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    @       IN      NS      consolec.geni.net.
    1.0     IN      PTR     cons1.geni.net.
    2.0     IN      PTR     cons2.geni.net.
    3.0     IN      PTR     cons3.geni.net.
    1.1     IN      PTR     node1.geni.net.
    2.1     IN      PTR     node2.geni.net.
    3.1     IN      PTR     node3.geni.net.
    254.1   IN      PTR     consolec.geni.net.
    1.2     IN      PTR     data1.geni.net.
    2.2     IN      PTR     data2.geni.net.
    3.2     IN      PTR     data3.geni.net.
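Because dhcpd resolves the node# fixed-address hostnames through the forward zone, and the reverse zone has to stay in step with it, it is worth cross-checking the three files whenever a node is added. The script below does that; it is an added example, not part of the original page or the GENI tooling. It parses the host stanzas and the A/PTR records with regular expressions, which assumes the one-record-per-line layout shown on this page, and the embedded sample text is a constructed subset of the configs with two deliberate faults (node9 reuses node1's MAC and has no A record).

```python
"""Cross-check dhcpd.conf host stanzas against the BIND forward and reverse zones.

Added example, not part of the original page. Assumes the one-record-per-line
layout shown on the page; the sample text below is a constructed subset of the
site files with two deliberate faults (node9 reuses node1's MAC and has no A record).
"""
import ipaddress
import re

# Constructed sample input: subset of the page's dhcpd.conf plus the faulty node9.
DHCPD_CONF = """
subnet 10.1.0.0 netmask 255.255.255.0 {
    host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.1.0.1; }
    host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.1.0.2; }
}
subnet 10.1.1.0 netmask 255.255.255.0 {
    host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.net; }
    host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.net; }
    host node9 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node9.geni.net; }
}
"""

# Constructed sample zones: subset of db.geni.net and db.10.
FORWARD_ZONE = """
$TTL 604800
@        IN NS  consolec.geni.net.
consolec IN A   10.1.1.254
node1    IN A   10.1.1.1
node2    IN A   10.1.1.2
cons1    IN A   10.1.0.1
cons2    IN A   10.1.0.2
"""
REVERSE_ZONE = """
$TTL 604800
@      IN NS  consolec.geni.net.
1.0    IN PTR cons1.geni.net.
2.0    IN PTR cons2.geni.net.
1.1    IN PTR node1.geni.net.
2.1    IN PTR node2.geni.net.
254.1  IN PTR consolec.geni.net.
"""

HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{\s*hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;"
    r"\s*fixed-address\s+([^;\s]+)\s*;")
RR_RE = re.compile(r"^(\S+)\s+IN\s+(A|PTR)\s+(\S+)\s*$", re.M)
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_dhcp_hosts(text):
    """Return [(hostname, mac, fixed-address), ...] from dhcpd.conf text."""
    return [(name, mac.lower(), addr) for name, mac, addr in HOST_RE.findall(text)]


def parse_zone(text, rtype):
    """Return {owner: rdata} for one record type from a BIND zone file."""
    return {owner: rdata for owner, t, rdata in RR_RE.findall(text) if t == rtype}


def ptr_owner(ip, reverse_origin="1.10.in-addr.arpa"):
    """Owner name of ip relative to the reverse zone, e.g. 10.1.0.1 -> '1.0'."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # '1.0.1.10.in-addr.arpa'
    suffix = "." + reverse_origin
    if not rev.endswith(suffix):
        raise ValueError(f"{ip} is outside {reverse_origin}")
    return rev[: -len(suffix)]


def check(dhcp_text, forward_text, reverse_text,
          domain="geni.net", reverse_origin="1.10.in-addr.arpa"):
    """Return a list of inconsistencies; an empty list means the files agree."""
    problems = []
    a_records = parse_zone(forward_text, "A")
    ptr_records = parse_zone(reverse_text, "PTR")
    seen_mac, seen_ip = {}, {}
    for name, mac, addr in parse_dhcp_hosts(dhcp_text):
        if mac in seen_mac:   # two stanzas with one MAC cannot both be honoured
            problems.append(f"{name}: MAC {mac} already used by {seen_mac[mac]}")
        seen_mac.setdefault(mac, name)
        if IPV4_RE.fullmatch(addr):
            ip = addr
        else:   # hostname fixed-address: dhcpd resolves it via DNS when it starts
            label = addr[: -len(domain) - 1] if addr.endswith("." + domain) else addr
            ip = a_records.get(label)
            if ip is None:
                problems.append(f"{name}: fixed-address {addr} has no A record")
                continue
        if ip in seen_ip:
            problems.append(f"{name}: {ip} already assigned to {seen_ip[ip]}")
        seen_ip.setdefault(ip, name)
        if a_records.get(name) != ip:
            problems.append(f"{name}: forward zone says {a_records.get(name)}, dhcpd says {ip}")
        expected_ptr = f"{name}.{domain}."
        if ptr_records.get(ptr_owner(ip, reverse_origin)) != expected_ptr:
            problems.append(f"{name}: reverse zone lacks PTR {expected_ptr} for {ip}")
    return problems


def sample_problems():
    """Run the check over the constructed samples above."""
    return check(DHCPD_CONF, FORWARD_ZONE, REVERSE_ZONE)


if __name__ == "__main__":
    for problem in sample_problems():
        print(problem)
```

Against the real files, pass open(...).read() of dhcpd.conf, db.geni.net and db.10 to check() instead of the samples. Syntax is still best checked with the daemons' own tools, `dhcpd -t -cf /etc/dhcp/dhcpd.conf` and `named-checkzone geni.net /etc/bind/db.geni.net` (likewise for 1.10.in-addr.arpa and db.10); the script only catches the cross-file disagreements those tools cannot see.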
LDAP Server
Accounting and scheduling depend on LDAP. The following steps will configure the LDAP server.
- Create the file /etc/ssl/geni-site-ca.info with:
    cn = GENI WiMAX Company ca
    cert_signing_key
- Create the file /etc/ssl/geni-site-console.info with (change console.geni.net to match your FQDN, since that is the name clients will verify against the certificate):
    organization = Example Company
    cn = console.geni.net
    tls_www_server
    encryption_key
    signing_key
    expiration_days = 3650
- Execute the following command to create the SSL certificates:
    /usr/sbin/create_ldap_certificates.sh
- Create an LDIF file for the newly created certificates in the file named /etc/ssl/geni-cert-info.ldif:
    dn: cn=config
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
and then execute:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
The expected output is:
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
If you rerun this on a server where the olcTLS* attributes are already set, the add operations fail because each attribute is single-valued; use replace: instead of add: in that case. slapd also has to be able to read the key file at runtime: on Debian it runs as the openldap user, and /etc/ssl/private is only accessible to root and the ssl-cert group, so add openldap to that group (or make the key readable by that user) or TLS will silently fail to start.
- Fix the configuration of the newly created LDAP directory for phpldapadmin by editing /etc/phpldapadmin/config.php and changing dc=example,dc=com to dc=geni,dc=net:
    $servers->setValue('server','base',array('dc=geni,dc=net'));
    $servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
- Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set the password for the group admin user (add attribute → Password → set password → update object). Note that over plain http the cn=admin bind password travels in the clear, so do this from the console itself or over an SSH tunnel rather than across the management network.
- Make sure you can access the service, first anonymously and then with the admin credentials:
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole"
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit"
    ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup"
    ldapsearch -x -H ldap://localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" uid=*
The first three searches bind anonymously (-x with no -D) and should return the structural entries only; the last one binds as the admin and lists every account. If the anonymous searches also return userPassword attributes, the directory's access controls need tightening before any node is pointed at it.
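After the LDIF above is applied, the thing to verify is that slapd actually offers StartTLS with a certificate that chains to the site CA, not just that the attributes are set. The probe below is an added example, not part of the page or the GENI tooling: it hand-encodes the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) in BER, decodes the extended response, then upgrades the connection with Python's ssl module using /etc/ssl/certs/cacert.pem as the trust root, so a certificate that does not chain to the site CA or does not match the hostname fails loudly. The host name console.geni.net and the port are assumptions; the response bytes shown in the comments are constructed.

```python
"""Minimal LDAP StartTLS probe for the slapd TLS settings configured on this page.

Added example, not part of the original page. Encodes the StartTLS
ExtendedRequest by hand in BER, parses the ExtendedResponse, then verifies the
server certificate against the site CA. Host, port and CA path are assumptions.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.

    msg_id must be below 128 so a single-octet INTEGER encoding is correct.
    Wire form for msg_id=1: 30 1d 02 01 01 77 18 80 16 <22 OID bytes>.
    """
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x60 | 23, then context tag [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)


def read_tlv(buf, pos=0):
    """Decode one BER element at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                               # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAP ExtendedResponse.

    A successful StartTLS reply (constructed) is 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00.
    """
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)                   # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x78:                             # 0x60 | 24: ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {op_tag:#x}")
    _, code, pos = read_tlv(op)                    # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)        # matchedDN OCTET STRING
    _, diag, _ = read_tlv(op, pos)                 # diagnosticMessage OCTET STRING
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def probe_starttls(host, port=389, cafile="/etc/ssl/certs/cacert.pem", timeout=5):
    """Return the negotiated TLS version, or raise if StartTLS or verification fails."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(probe_starttls("console.geni.net"))      # assumed host name
```

The equivalent check with the OpenLDAP tools is `ldapsearch -ZZ -x -H ldap://console.geni.net -b "" -s base`, where the doubled -Z makes a failed StartTLS fatal instead of a warning; the probe is what to reach for when you need the exact resultCode and diagnostic slapd returns, for example when the openldap user cannot read the key file.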