Changes between Initial Version and Version 1 of Software/bDep

Timestamp: Oct 10, 2014, 6:02:50 PM
Author: seskar

[[TOC(Software*, depth=2)]]

== Configure DHCP and DNS Services ==


=== DHCP ===
Once the base OS is installed and all of the interfaces are properly configured, we need to instruct the DHCP server to hand out addresses on the appropriate interfaces. To configure the DHCP server, modify the ''/etc/dhcp/dhcpd.conf'' file. The following example has all the relevant configuration.

To use this file you will have to modify the following portions:
 * domain-name
 * Node CMC MAC addresses (labeled cons#)
 * Node Control MAC addresses (labeled node#)
 * Node Data MAC addresses (labeled data#)

These fields '''MUST be modified''' to reflect your configuration.
     17{{{
     18option domain-name "geni.net";
     19authoritative;
     20use-host-decl-names on;
     21get-lease-hostnames true;
     22ping-check false;
     23ping-timeout 0;
     24log-facility local7;
     25default-lease-time 86400;
     26max-lease-time 86400;
     27ddns-updates off;
     28
     29subnet 10.1.0.0 netmask 255.255.255.0 {
     30  option domain-name-servers 10.1.0.254;
     31  option routers 10.1.0.254;
     32  option ntp-servers 10.1.0.254;
     33  next-server 10.1.0.254;
     34
     35  host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.1.0.1; }
     36  host cons2 { hardware ethernet 00:20:4a:d5:94:f1; fixed-address 10.1.0.2; }
     37  host cons3 { hardware ethernet 00:20:4a:d5:94:e1; fixed-address 10.1.0.3; }
     38}
     39
     40subnet 10.1.1.0 netmask 255.255.255.0 {
     41  option domain-name-servers 10.1.1.254;
     42  option routers 10.1.1.254;
     43  option log-servers 10.1.1.254;
     44  option ntp-servers 10.1.1.254;
     45  filename "pxelinux.0";
     46#  allow booting;
     47#  allow bootp;
     48#  option option-150 code 150 = text;
     49  next-server 10.1.1.254;
     50
     51  host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.net; }
     52  host node2 { hardware ethernet 00:03:1d:0c:d3:89; fixed-address node2.geni.net; }
     53  host node3 { hardware ethernet 00:03:1d:0c:d3:71; fixed-address node3.geni.net; }
     54}
     55
     56subnet 10.1.2.0 netmask 255.255.255.0 {
     57#  option domain-name-servers 10.1.2.254;
     58#  option routers 10.1.2.254;
     59  option ntp-servers 10.1.2.254;
     60  filename "/pxelinux.fake";
     61
     62  host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.1.2.1; }
     63  host data2 { hardware ethernet 00:03:1d:0c:d3:88; fixed-address 10.1.2.2; }
     64  host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address 10.1.2.3; }
     65}
     66
     67
     68}}}
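Because the MAC addresses and fixed addresses above are edited by hand, the usual mistakes are a MAC copied to two hosts, two hosts sharing a fixed address, or a fixed address placed in the wrong subnet block; dhcpd will happily load some of these and the symptom only shows up as the wrong node getting an address. The following checker is an added example, not part of the original page or its software: it parses the subnet and host declarations with regular expressions and reports those three mistakes. The sample configuration embedded in it is a constructed, shortened copy of the page's file with two deliberate errors planted.

```python
"""Sanity checks for the static-host section of a dhcpd.conf (added example).

Parses subnet/host declarations and reports: a MAC address reused by two
hosts, a fixed address shared by two hosts, and a fixed address that is not
inside the subnet whose block declares it.  Hostname fixed-addresses
(node1.geni.net) are accepted as-is; they must resolve via the DNS zone.
"""
import ipaddress
import re
from collections import defaultdict

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", re.I)
HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{\s*hardware\s+ethernet\s+([0-9a-f:]{17})\s*;"
    r"\s*fixed-address\s+([^;\s]+)\s*;", re.I)

# Constructed sample: a shortened copy of the page's file with two planted errors.
SAMPLE_CONF = """\
option domain-name "geni.net";
subnet 10.1.0.0 netmask 255.255.255.0 {
  option routers 10.1.0.254;
  host cons1 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.1.0.1; }
  host cons2 { hardware ethernet 00:20:4a:d5:94:83; fixed-address 10.1.0.2; }  # planted: MAC copied from cons1
}
subnet 10.1.1.0 netmask 255.255.255.0 {
  filename "pxelinux.0";
#  allow booting;
  host node1 { hardware ethernet 00:03:1d:0c:d3:73; fixed-address node1.geni.net; }
}
subnet 10.1.2.0 netmask 255.255.255.0 {
  host data1 { hardware ethernet 00:03:1d:0c:d3:72; fixed-address 10.1.2.1; }
  host data3 { hardware ethernet 00:03:1d:0c:d3:70; fixed-address 10.1.1.3; }  # planted: wrong subnet
}
"""


def parse_dhcpd(text):
    """Return a list of (hostname, mac, fixed_address, enclosing_subnet) tuples."""
    text = re.sub(r"#.*", "", text)          # drop '#' comments to end of line
    hosts = []
    for m in SUBNET_RE.finditer(text):
        network = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        # Find the end of this subnet block by counting braces from its '{'.
        start = i = m.end() - 1
        depth = 0
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = text[start:i]
        for h in HOST_RE.finditer(body):
            hosts.append((h.group(1), h.group(2).lower(), h.group(3), network))
    return hosts


def check_dhcpd(text):
    """Return a sorted list of human-readable problems; an empty list means clean."""
    problems = []
    by_mac, by_addr = defaultdict(list), defaultdict(list)
    for name, mac, addr, network in parse_dhcpd(text):
        by_mac[mac].append(name)
        by_addr[addr].append(name)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # hostname fixed-address; DNS must resolve it
        if ip not in network:
            problems.append(f"{name}: fixed-address {addr} not in subnet {network}")
    for mac, names in by_mac.items():
        if len(names) > 1:
            problems.append(f"MAC {mac} reused by {', '.join(names)}")
    for addr, names in by_addr.items():
        if len(names) > 1:
            problems.append(f"fixed-address {addr} shared by {', '.join(names)}")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_dhcpd(SAMPLE_CONF) or ["no problems found"]:
        print(p)
```

Run it against the real file with `check_dhcpd(open("/etc/dhcp/dhcpd.conf").read())` before restarting the service; it complements, rather than replaces, dhcpd's own syntax check (`dhcpd -t`).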
=== DNS ===

The DNS configuration is split between a few files: the config files that tell named which database files to read, and then the specific database files themselves. Other portions of the configuration are included as part of the default install and are not listed here.

This is the default ''/etc/bind/named.conf''.
{{{
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
}}}

The ''/etc/bind/named.conf.local'' is modified to point to our specific database files.
{{{
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "geni.net" {
        type master;
        file "/etc/bind/db.geni.net";
};

zone "1.10.in-addr.arpa" {
        type master;
        file "/etc/bind/db.10";
};
}}}
     108
     109The primary config file is ''/etc/bind/db.geni.net''. The name can be modified to reflect your site, but it has to match the entry in ''named.conf.local''. Aside from the '''domain''', this file can remain in tact.
     110
{{{
;
; BIND data file for geni.net
;
$TTL    604800
@       IN      SOA     geni.net. root.geni.net. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
                IN      A       10.1.1.254
@               IN      NS      consolec.geni.net.
@               IN      A       10.1.1.254
@               IN      AAAA    ::1
consolec        IN      A       10.1.1.254
xmpp            IN      CNAME   consolec.geni.net.

node1           IN      A       10.1.1.1
node2           IN      A       10.1.1.2
node3           IN      A       10.1.1.3

cons1           IN      A       10.1.0.1
cons2           IN      A       10.1.0.2
cons3           IN      A       10.1.0.3

data1           IN      A       10.1.2.1
data2           IN      A       10.1.2.2
data3           IN      A       10.1.2.3
}}}

''/etc/bind/db.10'' is the reverse look-up database. This file will also need to be modified to reflect the '''domain'''.
{{{
;
; BIND reverse data file for 10.1
;
$TTL    604800
@       IN      SOA     consolec.geni.net. root.geni.net. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; The NS target must be the console's fully qualified name (trailing dot),
; matching the NS record in db.geni.net; a bare "consolec." would not resolve.
@       IN      NS      consolec.geni.net.
1.0     IN      PTR     cons1.geni.net.
2.0     IN      PTR     cons2.geni.net.
3.0     IN      PTR     cons3.geni.net.

1.1     IN      PTR     node1.geni.net.
2.1     IN      PTR     node2.geni.net.
3.1     IN      PTR     node3.geni.net.
254.1   IN      PTR     consolec.geni.net.

1.2     IN      PTR     data1.geni.net.
2.2     IN      PTR     data2.geni.net.
3.2     IN      PTR     data3.geni.net.
}}}
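The forward and reverse zones above are maintained by hand and drift apart easily: an A record gets added without its PTR, or a PTR is copied and its target not updated. Since both the DHCP `fixed-address node1.geni.net` entries and the node tooling rely on these names, a mismatch is worth catching before reloading named. The following script is an added example (not part of the original page or its software) that parses both zone files, handling the conventions they use (`$TTL`, `@` and relative owner names, an ownerless line that inherits the previous owner, `;` comments and the multi-line parenthesised SOA), and cross-checks every A record against the matching PTR and vice versa. The zone data embedded in it is a constructed, shortened copy of the page's files with two planted mismatches.

```python
"""Forward/reverse zone consistency check for BIND zone files (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: shortened copies of db.geni.net and db.10 with planted errors.
FORWARD_ZONE = """\
$TTL    604800
@       IN      SOA     geni.net. root.geni.net. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@               IN      NS      consolec.geni.net.
@               IN      A       10.1.1.254
consolec        IN      A       10.1.1.254
xmpp            IN      CNAME   consolec.geni.net.
node1           IN      A       10.1.1.1
node3           IN      A       10.1.1.3
data3           IN      A       10.1.2.3
"""

REVERSE_ZONE = """\
$TTL    604800
@       IN      SOA     consolec.geni.net. root.geni.net. (
                              1         ; Serial
                         604800 )       ; Negative Cache TTL (shortened)
;
@       IN      NS      consolec.geni.net.
1.1     IN      PTR     node1.geni.net.
3.1     IN      PTR     node2.geni.net.   ; planted typo: should be node3
254.1   IN      PTR     consolec.geni.net.
4.2     IN      PTR     data4.geni.net.   ; planted: no matching A record
"""


def zone_records(zone_text, origin):
    """Yield (owner_fqdn, rtype, rdata) for the single-line records of a zone.

    origin must be the absolute zone name with a trailing dot.  The SOA (the
    only multi-line record in these files) is skipped; $TTL is ignored.
    """
    owner = origin
    in_paren = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip ';' comments
        if in_paren:                              # inside '( ... )' of the SOA
            in_paren = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):
            continue
        if "(" in line and ")" not in line:       # start of the parenthesised SOA
            in_paren = True
            continue
        fields = line.split()
        if not raw[0].isspace():                  # a blank owner inherits the previous one
            name = fields.pop(0)
            if name == "@":
                owner = origin
            else:
                owner = name if name.endswith(".") else f"{name}.{origin}"
        if fields and fields[0].isdigit():        # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if len(fields) >= 2:
            yield owner, fields[0].upper(), " ".join(fields[1:])


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check A records against PTR records; return sorted problem strings."""
    names_by_ip = defaultdict(set)
    for owner, rtype, rdata in zone_records(forward_text, forward_origin):
        if rtype == "A":
            names_by_ip[rdata].add(owner)
    ptrs = {o: r for o, t, r in zone_records(reverse_text, reverse_origin) if t == "PTR"}

    problems, matched = [], set()
    for ip, names in names_by_ip.items():
        # reverse_pointer gives e.g. "3.1.1.10.in-addr.arpa" for 10.1.1.3
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        matched.add(rev)
        label = ", ".join(sorted(names))
        target = ptrs.get(rev)
        if target is None:
            problems.append(f"{ip} ({label}): no PTR record at {rev}")
        elif target not in names:                 # several names may share one address
            problems.append(f"{ip} ({label}): PTR at {rev} points to {target}")
    for rev, target in ptrs.items():
        if rev not in matched:
            problems.append(f"PTR {rev} -> {target}: no matching A record")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_zones(FORWARD_ZONE, "geni.net.", REVERSE_ZONE, "1.10.in-addr.arpa.") or ["zones consistent"]:
        print(p)
```

For the live files, call `check_zones` with the contents of `/etc/bind/db.geni.net` and `/etc/bind/db.10` and the origins `"geni.net."` and `"1.10.in-addr.arpa."`; it is a complement to `named-checkzone`, which validates syntax but does not compare the two zones against each other.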


== LDAP Server ==
Accounting and scheduling depend on LDAP. The following steps will configure the LDAP server.
=== Setting up LDAP server ===
 1. Create file ''/etc/ssl/geni-site-ca.info'' with:
    {{{
cn = GENI WiMAX Company
ca
cert_signing_key
    }}}
 1. Create file ''/etc/ssl/geni-site-console.info'' with (please change console.geni.net to match
    your FQDN):
    {{{
organization = Example Company
cn = console.geni.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
    }}}
 1. Execute the following command to create SSL certificates:
    {{{
/usr/sbin/create_ldap_certificates.sh
    }}}
 1. Create an LDIF file for the newly created certificates, named
    ''/etc/ssl/geni-cert-info.ldif'':
    {{{
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
    }}}
    and then execute:
    {{{
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/geni-cert-info.ldif
    }}}
    The expected output is:
    {{{
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
    }}}
 5. Fix the phpldapadmin configuration for the newly created LDAP directory by editing
    ''/etc/phpldapadmin/config.php'' and changing ''dc=example,dc=com'' to ''dc=geni,dc=net'':
    {{{
$servers->setValue('server','base',array('dc=geni,dc=net'));
$servers->setValue('login','bind_id','cn=admin,dc=geni,dc=net');
    }}}
 6. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set the password for the admin user (add attribute -> Password -> set password -> update object).
 7. Make sure you can access the service with admin credentials:
    {{{
ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole"
ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalUnit"
ldapsearch -x -b "dc=geni,dc=net" "objectClass=posixGroup"
ldapsearch -x -H ldap://localhost -D "cn=admin,dc=geni,dc=net" -W -b "dc=geni,dc=net" "uid=*"
    }}}
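The LDIF in step 4 only tells slapd where its TLS material lives; it does not check that the files exist or that the private key is protected, and a world-readable key is the configuration error that survives longest because everything still works. The following script is an added example, not part of the original page or its software: it parses the cn=config modify LDIF (the `-` separated change shape used above), extracts the three `olcTLS*` paths, and verifies that each file exists, is a regular non-empty file, and that the key file grants no access to "others". On Debian, slapd runs as the openldap user, so the key would normally be mode 0640 root:openldap or 0600 owned by openldap; the check deliberately enforces only the "no access for others" part so it does not assume a particular uid/gid on the host. The self-check at the bottom builds a scratch directory with placeholder files (constructed for this example, not real PEM material) under the page's paths.

```python
"""Check the TLS files referenced by a cn=config LDIF (added example)."""
import os
import stat
import tempfile

# The page's LDIF, used as the parser input.
LDIF = """\
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/console_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/console_slapd_key.pem
"""


def parse_ldif_changes(text):
    """Return [(op, attribute, value), ...] for each change in a modify LDIF.

    Changes are separated by a line holding only '-'.  Only the single-valued
    'add: attr' / 'attr: value' shape used by geni-cert-info.ldif is handled.
    """
    changes = []
    op = attr = None
    for line in text.splitlines():
        if line == "-" or not line:
            op = attr = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            continue
        if key in ("add", "replace", "delete"):
            op, attr = key, value
        elif key == attr:
            changes.append((op, attr, value))
    return changes


def tls_paths(text):
    """Map each olcTLS* attribute in the LDIF to the file path it references."""
    return {attr: val for _, attr, val in parse_ldif_changes(text) if attr.startswith("olcTLS")}


def check_tls_files(paths):
    """Return a sorted list of problems with the referenced CA, cert and key files."""
    problems = []
    for attr, path in sorted(paths.items()):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{attr}: {path} does not exist")
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append(f"{attr}: {path} is not a regular file")
        if st.st_size == 0:
            problems.append(f"{attr}: {path} is empty")
        # The private key must not be readable, writable or executable by 'other'.
        if attr == "olcTLSCertificateKeyFile" and st.st_mode & stat.S_IRWXO:
            problems.append(f"{attr}: {path} is accessible by others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return sorted(problems)


def build_demo_tree(root, key_mode):
    """Write constructed placeholder files under root using the LDIF's paths."""
    paths = {attr: os.path.join(root, p.lstrip("/")) for attr, p in tls_paths(LDIF).items()}
    for attr, path in paths.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("placeholder, constructed for this example; not a real PEM file\n")
        os.chmod(path, key_mode if attr == "olcTLSCertificateKeyFile" else 0o644)
    return paths


def run_demo():
    """Check the scratch tree with a world-readable key, then after fixing it to 0640."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_demo_tree(root, 0o644)
        bad = check_tls_files(paths)
        os.chmod(paths["olcTLSCertificateKeyFile"], 0o640)
        good = check_tls_files(paths)
    return bad, good


if __name__ == "__main__":
    bad, good = run_demo()
    print("world-readable key:", bad)
    print("after chmod 0640:  ", good or "no problems found")
```

On the console itself, `check_tls_files(tls_paths(open("/etc/ssl/geni-cert-info.ldif").read()))` runs the same checks against the real files (root is needed to stat the key); an empty list is the expected result before running the `ldapmodify` step.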