Difference between revisions of "Labeled NFS/Demo/Kickstart"

From SELinux Wiki
Revision as of 15:43, 15 December 2008

This page details the steps required to setup the SEFOS NFSv4 client and server, including some optional steps to provide basic network services and a build server.

The services provided by the build server can be mixed and matched as needed to supplement existing network services to provide the basic functionality required to successfully build a client or server from a kickstart.

The binary RPM packages required for the Labeled NFS to work properly were compiled for Fedora Core 9 systems. Source RPMs are available for compiling your own packages.

Boot Server Configuration (Optional)

The sample configurations assume a local network using the 192.168.201.0/24 address block. Network ranges/addresses should be modified to match those currently in use if desired.

A default domain of "example.com" is used throughout the configuration examples and in the demo environment. The domain may be modified to match an existing domain. Changes to the kickstarts will be required to set the new default domain and to change the creation of the ldap structure if the domain name is increased beyond two levels.


Installing packages

The YUM package tool is used to install packages. This requires a connection to the Internet to connect to remote package repositories, or a local repository containing the packages.

Use the command 'yum install <packagename>' to install the indicated packages.

Setting up the DHCP server

packages: dhcp

Edit /etc/dhcpd.conf and configure a subnet range to be served. The example provided is one that is being used in a VMware environment.

[excerpt from sample /etc/dhcpd.conf]

	default-lease-time 1800;		# 30 minutes
	max-lease-time 7200;			# 2 hours

	subnet 192.168.201.0 netmask 255.255.255.0 {
		range 192.168.201.64 192.168.201.96;
		option broadcast-address 192.168.201.255;
		option domain-name-servers 192.168.201.3;
		option domain-name "example.com";
		option routers 192.168.201.2;

		host seserver {
			hardware ethernet 0:c:29:42:3a:25;
			fixed-address 192.168.201.13;
			option host-name "seserver.example.com";
		}
		host client1 {
			hardware ethernet 0:c:29:42:c4:7c;
			fixed-address 192.168.201.50;
			option host-name "client1.example.com";
		}
		host client2 {
			hardware ethernet 0:c:29:42:9f:8e;
			fixed-address 192.168.201.51;
			option host-name "client2.example.com";
		}
	}

As each client machine must be listed in the above group section, it might be useful to generate that portion of the DHCPD config file from a flat text file that contains a list of names and MAC addresses.
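One way to do that, as an added example rather than a script from the demo itself: a small POSIX shell helper that reads a flat file of name, MAC and address, rejects malformed or duplicated entries (dhcpd refuses to start on a bad hardware ethernet value, which would take address provisioning down for every client), and prints host stanzas in the same form as the sample above. The host list and the example.com domain are constructed inputs.

```shell
#!/bin/sh
# Generate the per-host stanzas of /etc/dhcpd.conf from a flat file of
# "name hardware-address fixed-address" lines, so the MAC/IP list is kept
# in one place. Added example; not part of the Labeled NFS demo kickstarts.

# Constructed sample host list (the three hosts from the sample config above).
HOSTS_SAMPLE='# name      hardware-address   fixed-address
seserver    0:c:29:42:3a:25    192.168.201.13
client1     0:c:29:42:c4:7c    192.168.201.50
client2     0:c:29:42:9f:8e    192.168.201.51
'

# gen_host_stanzas DOMAIN < hostlist
# Prints one "host { ... }" block per input line, indented for the subnet block.
# Returns 1 if any line is malformed or a MAC/address appears twice.
gen_host_stanzas() {
    awk -v domain="$1" '
        # six colon-separated groups of one or two hex digits, as dhcpd accepts
        function valid_mac(m,   o, n, i) {
            n = split(m, o, ":")
            if (n != 6) return 0
            for (i = 1; i <= 6; i++)
                if (o[i] !~ /^[0-9a-fA-F][0-9a-fA-F]?$/) return 0
            return 1
        }
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        NF != 3 { printf "line %d: expected 3 fields\n", NR > "/dev/stderr"; bad = 1; next }
        !valid_mac($2) { printf "line %d: bad MAC %s\n", NR, $2 > "/dev/stderr"; bad = 1; next }
        ($2 in mac) || ($3 in ip) { printf "line %d: duplicate MAC or address\n", NR > "/dev/stderr"; bad = 1; next }
        {
            mac[$2] = 1; ip[$3] = 1
            printf "\t\thost %s {\n", $1
            printf "\t\t\thardware ethernet %s;\n", $2
            printf "\t\t\tfixed-address %s;\n", $3
            printf "\t\t\toption host-name \"%s.%s\";\n", $1, domain
            printf "\t\t}\n"
        }
        END { exit bad }
    '
}

# Example run: paste the output into the subnet block of /etc/dhcpd.conf.
printf '%s' "$HOSTS_SAMPLE" | gen_host_stanzas example.com
```

Run it as `sh gen-hosts.sh` to see the three stanzas; for a real deployment, redirect the output into an include file and keep the flat list under version control so address changes are reviewable.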

Start the dhcpd service and enable it to be run on bootup.

	# service dhcpd start
	# chkconfig dhcpd on

Setting up the DNS Server

packages: named

The default configuration will only listen on the localhost address. You will need to set the listen-on and allow-query addresses in the options section of /etc/named.conf so that named can respond to queries on the local network.

options {
   // ...
   listen-on port 53 { 192.168.201.3; 127.0.0.1; };
   allow-query { 192.168.201.0/24; 127.0.0.1/32; };

};

Add forward and reverse zones for the address range in use:

zone "example.com" in {
  type master;
  file "example.com";
};
// reverse map for class C 192.168.201.0
zone "201.168.192.IN-ADDR.ARPA" in {
  type master;
  file "192.168.201.rev";
};

Create the forward zone in /var/named/example.com:

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806256       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
                        NS      dns.example.com.
;
localhost     A       127.0.0.1

; address of machine acting as DNS server
dns           A       192.168.201.3
seserver      A       192.168.201.13

client1       A       192.168.201.50
client2       A       192.168.201.51
client3       A       192.168.201.52

Create the reverse zone in /var/named/192.168.201.rev:

$TTL 6D
@               IN      SOA     dns.example.com. root.example.com. (
                                200806201       ; Serial
                                1H      ; Refresh
                                300     ; Retry
                                2D      ; Expire
                                12H)     ; Minimum TTL
                        NS      dns.example.com.
;
;
3       IN PTR  dns.example.com.
13      IN PTR  seserver.example.com.

50      IN PTR client1.example.com.
51      IN PTR client2.example.com.
52      IN PTR client3.example.com.
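Kerberos (see the DNS dependency sections below) needs the forward and reverse zones to agree for every client and server, and a PTR that names a host whose A record points elsewhere is a classic cause of ticket failures that named-checkzone will not flag, since it only checks syntax. The following added example (not part of the wiki page's configuration) cross-checks the two zone files; the sample zones are constructed copies of the example.com zones above, plus a deliberately broken reverse zone.

```shell
#!/bin/sh
# Cross-check a forward zone against its reverse zone: every A record inside the
# demo /24 must have a PTR pointing back at the same name, and every PTR must
# name a host whose A record carries that address. Added example, not the
# demo's own tooling.

# Constructed sample zones, mirroring the example.com zones above.
FWD_ZONE='$TTL 6D
@   IN  SOA dns.example.com. root.example.com. ( 200806256 1H 300 2D 12H )
    NS  dns.example.com.
localhost   A   127.0.0.1
dns         A   192.168.201.3    ; machine acting as DNS server
seserver    A   192.168.201.13
client1     A   192.168.201.50
client2     A   192.168.201.51
client3     A   192.168.201.52
'
REV_ZONE='$TTL 6D
@   IN  SOA dns.example.com. root.example.com. ( 200806201 1H 300 2D 12H )
    NS  dns.example.com.
3   IN PTR dns.example.com.
13  IN PTR seserver.example.com.
50  IN PTR client1.example.com.
51  IN PTR client2.example.com.
52  IN PTR client3.example.com.
'
# Constructed broken variant: client3 has no PTR and .13 points at the wrong name.
REV_ZONE_BAD='3   IN PTR dns.example.com.
13  IN PTR server.example.com.
50  IN PTR client1.example.com.
51  IN PTR client2.example.com.
'

# check_zones FORWARD_FILE REVERSE_FILE ORIGIN NET
#   ORIGIN: zone origin (example.com); NET: first three octets of the /24 (192.168.201)
# Prints one line per inconsistency; returns 1 if any were found.
check_zones() {
    awk -v origin="$3" -v net="$4" '
        function fqdn(n) { return (n ~ /\.$/) ? n : n "." origin "." }
        FNR == 1 { file++ }
        { sub(/;.*/, "") }                        # drop comments
        NF == 0 || $1 ~ /^\$/ { next }            # blanks and $TTL/$ORIGIN
        file == 1 {                               # forward zone: name [IN] A addr
            for (i = 2; i < NF; i++)
                if ($i == "A" && index($(i + 1), net ".") == 1)
                    fwd[fqdn($1)] = $(i + 1)
        }
        file == 2 {                               # reverse zone: octet [IN] PTR name
            for (i = 2; i < NF; i++)
                if ($i == "PTR") rev[net "." $1] = fqdn($(i + 1))
        }
        END {
            for (n in fwd) {
                ip = fwd[n]
                if (!(ip in rev)) { print "missing PTR: " n " -> " ip; bad++ }
                else if (rev[ip] != n) { print "PTR mismatch: " ip " -> " rev[ip] ", expected " n; bad++ }
            }
            for (ip in rev) {
                n = rev[ip]
                if (!(n in fwd)) { print "PTR without A: " ip " -> " n; bad++ }
                else if (fwd[n] != ip) { print "A mismatch: " n " -> " fwd[n] ", expected " ip; bad++ }
            }
            exit (bad ? 1 : 0)
        }
    ' "$1" "$2"
}

# Usage on the DNS server, after editing the zones and before reloading named:
#   sh check-zones.sh /var/named/example.com /var/named/192.168.201.rev example.com 192.168.201
if [ $# -eq 4 ]; then
    check_zones "$@"
fi
```

A clean run prints nothing and exits 0; run it after every client addition, since a forgotten PTR only shows up later as a Kerberos error on that one client.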

Start the named service and enable it to run on bootup.

	# service named start
	# chkconfig named on

Setting up the Web server

packages: httpd

Download the latest versions of the kickstart files and binary RPMs as identified on the main Labeled NFS Demo page.

  • Client Kickstart
  • Server Kickstart
  • Linux Kernel with Labeled NFS patches
  • NFS Utils with Labeled NFS patches
  • SELinux policy for labeled NFS server
  • SELinux policy for labeled NFS client

Create a directory to hold the kickstart files [/var/www/html/kickstart/]. Copy the client and server kickstart files into this directory.

Create directories to hold the RPMs and eventually the server CA public certificate [/var/www/html/conf for packages, and /var/www/html/conf/certs for the certificate, which is where the client kickstart expects it]. Copy the Kernel, NFS Utils and SEFOS SELinux policies into /var/www/html/conf.

Start the httpd service and enable it to be run on bootup.

	# service httpd start
	# chkconfig httpd on

Source and binary RPM packages are available at http://www.selinuxnow.org/sefos/packages/

Kickstart Customization and System Installation

Documentation at the beginning of the kickstart files details some boot time options that can be specified to customize the installation.

Some generic notes about the kickstarts:

  • Depending on the network environment the kickstart can be configured to use DHCP for address provisioning or static addressing. The default is to use DHCP, however a sample static address configuration is included for reference. If addresses are assigned statically, the kickstarts will need to be modified for each client/server installation (to provide the appropriate address).
  • If installing FC9 from CD/DVD, access to an up-to-date FC9 repository (via external network connection or local mirror) is required, as some packages required for the installs are not included in the CD/DVD install media.
  • Additional customization of the ldap/kerberos/nfs installation can be performed in the %post section.
  • Installs are currently interactive. To convert the kickstarts to a fully automated install comment out the "interactive" directive at the beginning of the files.
  • Kerberos requires that client and server system times be synchronized to function properly. The install does not customize the default FC9 NTP configuration, though it does attempt to synchronize the system time following reboot against a fedora time server (0.fedora.pool.ntp.org).

Server Kickstart

Introduction

The kickstart installs and configures the server portion of the Labeled NFS Demo environment. It includes many components that would be used in an enterprise to provide authentication and authorization services as well as directory and file sharing services.

  • Warning: Using the kickstart installation will repartition the primary system disk, destroying existing partitions and operating systems already present.

External Dependencies

For successful completion of the kickstart and configuration of the demo environment there are several external dependencies that must be met:

Packages

Three custom RPM packages must be available on a web server for installation. The current versions of these packages are identified on the main demo page.

        Linux kernel with Labeled NFS patches
        NFS-Utils with Labeled NFS patches
        SEFOS Server SELinux policy

DNS

For Kerberos to function properly, forward and reverse resolution is required for all clients and servers.

Web Server

The kickstart requires a local web server for providing the kickstart itself to clients and for providing the three custom packages for client installation.

Installation

To install, boot the system from FC9 installation media (DVD, CD, netboot, etc). When the grub interface appears, modify the boot options to load the kickstart and provide the desired boot options to customize the installation (e.g. ks=http://webserver/dir/ks.cfg se_var1=val1 ...).

Boot Options

The following options are available at installation time for customizing the installation:

  • se_fqdn - Server's fully qualified domain name.
  • se_krbpass - Kerberos password for root/admin principal.
  • se_kdbpass - Kerberos database password.
  • se_ldappass - LDAP administrator password
  • se_www - DNS name of web server hosting packages/config (default is www.example.com)

If customizing the LDAP certificate the following options can be used to override the defaults:

  • se_certPW - Certificate Authority certificate password
  • se_certCountry
  • se_certState
  • se_certCity
  • se_certOrg
  • se_certEmail
  • se_certCN

Assumptions

Kerberos Realm

The server DNS name is used to generate the kerberos realm name and the ldap structure. The domain of the client and server are currently expected to contain two levels (i.e. DNS: example.com -> LDAP: dc=example,dc=com -> Kerberos: EXAMPLE.COM).
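To show how the se_* boot options and the two-level domain assumption fit together, here is an added example of the kind of helper a %pre section could use. It is hypothetical and not taken from the demo kickstarts, whose actual option handling is not reproduced on this page: it reads se_* values from a command line (in a real %pre this would be /proc/cmdline), applies the defaults the page states (se_www = www.example.com, se_server = seserver.example.com), derives the realm and LDAP base from se_fqdn, and refuses domains that are not exactly two levels deep. The sample command line is constructed.

```shell
#!/bin/sh
# Parse se_* boot options and derive the Kerberos realm and LDAP base DN from
# se_fqdn, following the convention above: example.com -> EXAMPLE.COM and
# dc=example,dc=com. Hypothetical helper, not the kickstarts' own code.

# Constructed sample command line, as the installer would see it in /proc/cmdline.
# Note: se_krbpass passed this way is readable in the installer's /proc/cmdline
# by anything running during the install, one more reason to rotate defaults.
CMDLINE_SAMPLE='initrd=initrd.img ks=http://www.example.com/kickstart/client-ks.cfg se_fqdn=client1.example.com se_krbpass=secret se_server=seserver.example.com'

# se_opt NAME DEFAULT CMDLINE: print the value of se_NAME found in CMDLINE,
# or DEFAULT if the option is absent. Values may themselves contain "=".
se_opt() {
    _name="$1" _default="$2" _cmdline="$3"
    for _word in $_cmdline; do
        case "$_word" in
            "se_$_name="*) printf '%s\n' "${_word#*=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$_default"
}

# domain_of FQDN: strip the host label (client1.example.com -> example.com)
domain_of() { printf '%s\n' "${1#*.}"; }

# krb_realm DOMAIN: realm is the domain in upper case (example.com -> EXAMPLE.COM)
krb_realm() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# ldap_base DOMAIN: one dc= component per label (example.com -> dc=example,dc=com)
ldap_base() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# check_two_level DOMAIN: succeed only for exactly two labels, which is what the
# unmodified kickstarts expect; anything else needs the kickstart edits the page mentions.
check_two_level() {
    case "$1" in
        *.*.*|"") return 1 ;;
        *.*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# Example run against the constructed command line.
fqdn=$(se_opt fqdn "" "$CMDLINE_SAMPLE")
domain=$(domain_of "$fqdn")
if check_two_level "$domain"; then
    printf 'fqdn=%s realm=%s base=%s server=%s www=%s\n' \
        "$fqdn" "$(krb_realm "$domain")" "$(ldap_base "$domain")" \
        "$(se_opt server seserver.example.com "$CMDLINE_SAMPLE")" \
        "$(se_opt www www.example.com "$CMDLINE_SAMPLE")"
else
    printf 'domain %s is not two levels deep; adjust the kickstart\n' "$domain" >&2
fi
```

In a %pre section the same functions would be fed `$(cat /proc/cmdline)` and their output written to a file that the %post section sources, which keeps the realm, base DN and server name consistent across the Kerberos, LDAP and NFS configuration steps.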

Packages

Packages are expected to be in a directory called conf off of the web server root directory (i.e. http://www.example.com/conf)

Time Zone

The current default time zone is Pacific. Change as desired.

Post Install

The client kickstart requires the LDAP CA certificate at installation time for proper configuration.

The certificate (/etc/openldap/cacerts/cacert.pem) should be copied into conf/certs/cacert.pem on the web server.

Client Kickstart

Introduction

This kickstart installs and configures the client portion of the Labeled NFS Demo. After a successful client build, the client will be a fairly minimal Fedora installation configured with GDM and GNOME. The client will be integrated with the authentication/authorization/directory services provided by the server component, and user home directories will be mounted via NFS.

  • Warning: Using the kickstart installation will repartition the primary system disk, destroying existing partitions and operating systems already present.

External Dependencies

For successful completion of the kickstart and configuration of the demo environment there are several external dependencies that must be met:

Packages

Three custom RPM packages must be available on a web server for installation. The current versions of these packages are:

        kernel-2.6.28rc3-5.i386.rpm
        nfs-utils-1.1.2-7.fc9.labeled.i386.rpm
        sefos-client-policy-0.1-1.fc9.i386.rpm

DNS

The kerberos configuration requires an external DNS service that supports forward and reverse resolution for the clients and servers.

Web Server

The kickstart requires a local web server for providing the kickstart itself to clients, for providing the three custom packages, and for providing the ldap server CA certificate. The RPMS are expected to be in /conf, and the CA certificate is expected to be in conf/certs.

Installation

To install, boot the system from FC9 installation media (DVD, CD, netboot, etc). When the grub interface appears, modify the boot options to load the kickstart and provide the desired boot options to customize the installation (e.g. ks=http://webserver/dir/ks.cfg se_var1=val1 ...).

Boot Options

The following options are available at installation time to make client configuration customizations.

  • se_fqdn - The fully qualified domain name of the client
  • se_krbpass - Password for the root/admin kerberos principal.
  • se_server - FQDN of the server component. Defaults to seserver.example.com.

Using the Environment

After the installation is complete the following accounts are available:

  • Server
    • root - sefos1
    • Kerberos Database (required to add slave KDCs)
      • kdbpass
    • Kerberos root/admin principal
      • say#fos#
  • Client
    • root - sefos1
    • newuser - newuser1

Passwords should be changed from the defaults after completing installation, especially if the clients or servers are reachable from the Internet.

Using the newuser account you should now be able to login on the client using GDM or on a virtual console.

Troubleshooting (in progress)

Additional information that may be useful for troubleshooting is available in the manual installation guide for the appropriate service.

  • If the newuser account does not work on the client:
    • Switch to a virtual console (ctrl-alt-f1) and login as root
    • Verify that Kerberos was successfully configured:
      • Use klist -k /etc/krb5.keytab.
      • If the keytab does not exist, an error prevented kadmin from creating the host and nfs principals during installation; this is most likely a password mismatch or a time synchronization issue. Otherwise the output should show four keys for the host principal (i.e. host/client.example.com) and one for the nfs principal (i.e. nfs/client.example.com).
      • Verify the client and server times are similar using date.
        • If not, use run_init service ntpd stop to turn off ntpd, then use ntpdate -b -x 0.fedora.pool.ntp.org to sync time with the external time server. Use run_init service ntpd start to start ntpd.
        • If the external time server is unreachable, or an internal time source is preferred, reconfigure ntpd to use the desired time source and use that host instead of 0.fedora.pool.ntp.org in the ntpdate command.
        • Manually synchronize both the client and server to ensure they are correct.
      • Once synchronized time has been verified or established, follow the steps in the Kerberos configuration guide to create the host and nfs principals, and store them locally in a keytab.
    • Verify that LDAP was successfully configured:
      • Examine /var/log/messages for LDAP related errors
      • During testing we encountered errors where the client was unable to connect to the LDAP server. The errors were related to forgetting to copy the CA certificate into the appropriate area of the web server, forgetting to update the certificate if we built a new server, or having Apache serve an older certificate that was cached.
      • Use scp to copy the CA certificate from the server to the client: scp seserver:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/
    • Verify that three SELinux booleans were correctly set on the client.
      • Run getsebool allow_kerberos allow_gssd_read_tmp use_nfs_home_dirs and verify the values are all set to on
    • Verify that NFSv4 mounts work properly.
      • Run kinit -p root/admin to initialize your Kerberos credentials.
      • Run mount -v -t nfs4 -o sec=krb5,security_label seserver:/home /mnt to mount /mnt/home from the server.
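The keytab, clock and boolean checks above are easy to script so that a misbuilt client can be diagnosed in one pass. The following is an added example, not a tool from the demo: its functions read command output on standard input, so they can be run against saved output as well as the live commands, and the klist and getsebool samples embedded here are constructed (the getsebool sample deliberately has use_nfs_home_dirs left off). The 300 second skew limit is the usual Kerberos clock-skew default.

```shell
#!/bin/sh
# Client-side checks for the troubleshooting steps above. Added example, not
# the demo's own script. On a client, feed the live commands:
#   klist -k /etc/krb5.keytab | check_keytab client1.example.com
#   getsebool allow_kerberos allow_gssd_read_tmp use_nfs_home_dirs | check_booleans
#   check_skew "$(date +%s)" "$(ssh seserver date +%s)"

# Constructed sample output of `klist -k` on a correctly built client:
# four host keys (one per encryption type) and one nfs key.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM
   2 nfs/client1.example.com@EXAMPLE.COM
'
# Constructed sample output of getsebool with one boolean left off.
GETSEBOOL_SAMPLE='allow_kerberos --> on
allow_gssd_read_tmp --> on
use_nfs_home_dirs --> off
'

# check_keytab FQDN < klist-output
# Expects four host/ keys and one nfs/ key for FQDN; reports any deviation, returns 1.
check_keytab() {
    awk -v fqdn="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ "^host/" fqdn "@" { host++ }
        $1 ~ /^[0-9]+$/ && $2 ~ "^nfs/" fqdn "@"  { nfs++ }
        END {
            if (host != 4) { printf "host/%s: %d keys, expected 4\n", fqdn, host; bad = 1 }
            if (nfs != 1)  { printf "nfs/%s: %d keys, expected 1\n", fqdn, nfs; bad = 1 }
            exit bad
        }'
}

# check_booleans < getsebool-output
# All three booleans must read "on"; reports ones that are off or missing, returns 1.
check_booleans() {
    awk '
        $2 == "-->" { seen[$1] = $3; if ($3 != "on") { print $1 " is " $3 ", expected on"; bad = 1 } }
        END {
            split("allow_kerberos allow_gssd_read_tmp use_nfs_home_dirs", want, " ")
            for (i in want) if (!(want[i] in seen)) { print want[i] " not reported"; bad = 1 }
            exit bad
        }'
}

# check_skew EPOCH_A EPOCH_B [MAX]
# Succeeds if the two clocks differ by less than MAX seconds (default 300).
check_skew() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -lt "${3:-300}" ]
}

# Example run against the constructed samples.
printf '%s' "$KLIST_SAMPLE" | check_keytab client1.example.com && echo "keytab: ok"
printf '%s' "$GETSEBOOL_SAMPLE" | check_booleans || echo "booleans: fix with setsebool -P"
```

Run the keytab check first: if it reports zero keys, fix time synchronization before re-creating the principals, since a skewed clock makes kadmin fail in exactly the way the steps above describe.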