Background
NPToolkit is a knoppix based boot cd with a lot of the internet2 tools built in. This page looks at some features, security considerations and custom installation to be done at SLAC for deployment.
The benefit of running NPT over a standard install is as follows:
- no need to recompile kernels for web100 each time
- no need for taylor as updates are maintained by Internet2 (although time will tell if the security updates are sufficiently regular)
- relocation of performance host trivial - pop cd into new machine and plug in the USB key - settings should be maintained
- SLAC's reverse traceroute server run's on default on port 3765 (perhaps we should redirect to this host).
Disadvantages
- no AFS client (yet?)
- security strongly depends on release cycle of boot disk
Overview
This guide will look at
- setting up a nptoolkit host
- configuring services to suit SLAC, this specifically includes
- syslog logging to a remote host
- setting up the NPT server
- Configuring ntp for SLAC's stratum servers
- setting up bwctl servers
- setting up owamp servers
Boot
The disk was downloaded (the page says version 1.7, but the boot cd says 1.8). It was booted in VMWare. It run's linux 2.6.20.10 with web100 hooks.
After booting, you can log on with user name 'knoppix' - no password is required.
Upon inserting a USB key into the connector, you get:
The drive is automounted, in this case, it's mounted under /mnt/sdb1
.
We then copy the knoppix.sh
file so that the thumbdrive will be picked up and auto run to override the relevant commands.
sudo cp /usr/local/etc/knoppix.sh /mnt/sdb1
Configure
There is a tool called customize.NPTools
that handles the scripting to configure the tools present.
I'm too lazy to use the vmware screen to do the configuration, so i will set up a ssh daemon and ssh into it.
SSH
You can start a ssh daemon by running:
/etc/init.d/ssh start
After generating the keys (are these stored on the usb?), the daemon will run.
We now need to set a password for user 'knoppix' and to determine the IP address to access the NPToolkit machine on.
We can use ifconfig
to determine the IP. You can run passwd
to change the password.
Voila, you can now ssh into the host. (as i'm running under a virtual machine, only the host machine can access it for now).
Setup USB External Storage
Note that you need to copy the knoppix.sh
to the relevant drives first.
knoppix@0[~]$ customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 1 Configuring system drive(s) to support customized tools. Configure External USB drive 'sdb1' to hold NPToolkit customization files? [y] - y done.
bwctl
knoppix@0[~]$ customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 2 BWCTL server configuration program. echo echo Manual configuration is currently required. Please edit the echo /usr/local/etc/bwctld.conf and /usr/local/etc/bwctld.limits files echo to create custom versions for your site. echo echo See http://e2epi.internet2.edu/bwctl for more details. /bin/rm: remove write-protected regular empty file `/tmp/customize.bwctld'? y /bin/rm: cannot remove `/tmp/customize.bwctld': Operation not permitted Internet2 Network Performance Tool Customization script
Hmm... try with sudo:
knoppix@0[~]$ sudo customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 2 BWCTL server configuration program. echo echo Manual configuration is currently required. Please edit the echo /usr/local/etc/bwctld.conf and /usr/local/etc/bwctld.limits files echo to create custom versions for your site. echo echo See http://e2epi.internet2.edu/bwctl for more details.
npt
knoppix@0[~]$ sudo customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 3 Welcome to the NDT server configuration program. This program will create a custom tcpbw100.html file for your site. Enter your site name [Internet2] : Stanford Linear Accelerator Center Enter your site's location [Ann Arbor - MI] : Menlo Park - CA Server connection info, enter 1 for 100 Mbps, 2 for 1 Gbps, 3 for 10 Gbps [2] : 2 Information for email trouble reporting Enter email userid [rcarlson] : ytl Enter email domain name [internet2.edu] : slac.stanford.edu Enter default subject line [Trouble report from NPtoolkit-v1.8] : The base web page 'tcpbw100.html' has now been created. You must move this file into the ndt_DATA directory [/usr/local/ndt] created during the 'make' process. Do you want to install this file now? [yes] : yes Enter location [/usr/local/ndt] : NDT customization file being saved to 'sdb1'
NPAD
knoppix@0[~]$ sudo customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 4 NPAD server configuration program. /usr/local/npad-1.3 /ramdisk/home/knoppix Importing existing config.xml. --------------------------------------------------------------- | For each configuration value, you will see brief help | | followed by a prompt. Default values are in brackets on | | the prompt line. To accept default values, press Enter. | --------------------------------------------------------------- The directory to install the diagnostic server, including binaries, libraries, and configuration files. It is recommended to use the default value. Exec dir [/usr/local/npad-dist]: The directory to install web pieces, such as the tester page and the Java and C clients. If you are running the built-in web server (recommended), the default value should work. Otherwise you will need to point to a directory accessible by your web server. Web dir [/usr/local/npad-dist/www]: The user as which the server will run. We recommend using a relatively unprivileged user. If you specify a user that doesn't exist, 'make install' will create it. User [npad]: The group as which the server will run. We recommend using a relatively unprivileged group. If you specify a group that doesn't exist, 'make install' will create it. Group [npad]: The port that the control channel listens on. It should be safe to leave this alone unless you must work within firewall restrictions, or unless another service is using this port. Control port [8100]: The bottom of the ephemeral port range used for test connections. Port range min [8002]: The top of the ephemeral port range used for test connections. Port range max [8020]: This package comes with a small python-based web server. If you would like to use the server, enter "yes". Otherwise you will need to have installed and set up another web server such as Apache. Use built-in web server [yes]: The port number used by the built-in web server Built-in web server port [8200]: This name should should complete "NPAD server located at ...", and will be used as the title for your server, as it appears on the tester page. You must supply a value. Site (organization) name [Internet2 Knoppix-based NPAD Server]: Stanford Linear Accelerator Center NPAD Server The geographical location of your server, probably a city name. Since pathdiag works best over short distances, this information will be included on the tester page so users can tell how close they are to the server. You must supply a value. Site location [Please customize]: Menlo Park - CA The (optional) name of the contact for your site. This is probably you or the network support team. Site contact name [RACarlson]: Yee-Ting Li This is the (optional) email address for your site contact. Site contact email [rcarlson@internet2.edu]: ytl@slac.stanford.edu Configuration complete. You're now ready to 'make'. make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server' make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag' make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server' make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag' Group npad already exists. Will not create. User npad already exists. Will not create. Installing... rm -f /usr/local/npad-dist/config.xml /usr/local/npad-dist/template_diag_form.html cp config.xml template_diag_form.html /usr/local/npad-dist/ make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3' make[2]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server' cp *.py /usr/local/npad-dist cp DiagClient.jar diag-client.c /usr/local/npad-dist/www make[2]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server' make[2]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag' cp pathdiag.py* pathtools.py* prettyhtml.py* pathlib.py* _pathlib.so mkdatasummary.py *.fmt /usr/local/npad-dist cp boxes.css help.html /usr/local/npad-dist/www/ServerData Regenerating report summary... Done. make[2]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag' make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3' chown -R npad.npad "/usr/local/npad-dist/www/ServerData" /ramdisk/home/knoppix /usr/local/npad-dist/www /ramdisk/home/knoppix NPAD customization files are being saved to 'sdb1' /ramdisk/home/knoppix
NTP
knoppix@0[~]$ sudo customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 5 NTP server configuration program. Manual configuration is currently required. Please edit the /etc/ntpd.conf file to create custom versinos. create custom version for your site.
owamp
knoppix@0[~]$ sudo customize.NPtools Internet2 Network Performance Tool Customization script Tools listed in RED need to be customized 1. Setup Drive(s) to hold customization files 2. bwctl 3. ndt 4. npad 5. ntp 6. owamp 7. staticIP 0. exit 6 OWAMP server configuration program. Manual configuration is currently required. Please edit the /usr/local/etc/owampd.conf and /usr/local/etc/owampd.limits files to create custom versions for your site. See http://e2epi.internet2.edu/owamp for more details.
Reboot
Let's reboot to see if things stick...
Knoppix looses it's password (so you'll have to passwd again)
SSHD regenerates keys (so you have to modify known_hosts)
Keeping SSH Up (not recommended)
As per the FAQ,
knoppix@0[~]$ cat /usr/local/NPToolkit/contrib/remote.access >> /mnt/sdb1/knoppix.sh knoppix@0[~]$ cp /usr/local/NPToolkit/contrib/remote.access /mnt/sdb1/NPTools/
however, there is a bit more to it to this (from looking into the remote.access file)
Passwords:
knoppix@0[~]$ sudo cp /etc/passwd /mnt/sdb1/NPTools/passwd.new knoppix@0[~]$ sudo cp /etc/shadow /mnt/sdb1/NPTools/shadow.new
SSH:
knoppix@0[~]$ sudo cp /etc/ssh/sshd_config /mnt/sdb1/NPTools/sshd_config
don't i need to copy the keys over too? ie
/etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
So append /mnt/sdb1/knoppix.sh
to include
# Maintain SSH keys through reboot and host transfer # append to knoppix.sh file on any external storage medium # by Yee-Ting Li (ytl@slac.stanford.edu) if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_key ]; then restore_NPT_file $MNT ssh_host_key /etc/ssh fi if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_key.pub ]; then restore_NPT_file $MNT ssh_host_key.pub /etc/ssh fi if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_rsa_key ]; then restore_NPT_file $MNT ssh_host_rsa_key /etc/ssh fi if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_rsa_key.pub ]; then restore_NPT_file $MNT ssh_host_rsa_key.pub /etc/ssh fi if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_dsa_key ]; then restore_NPT_file $MNT ssh_host_dsa_key /etc/ssh fi if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_dsa_key.pub ]; then restore_NPT_file $MNT ssh_host_dsa_key.pub /etc/ssh fi
And copy the keys over to a directory on the thumbdrive:
knoppix@0[~]$ sudo cp /etc/ssh/ssh_host_* /mnt/sdb1/NPTools/
The sshd server should start at boot now.
Running services
knoppix@0[~]$ knoppix@0[~]$ ps ax PID TTY STAT TIME COMMAND 1 ? Ss 0:00 init [3] 2 ? S 0:00 [migration/0] 3 ? SN 0:00 [ksoftirqd/0] 4 ? S 0:00 [watchdog/0] 5 ? S< 0:00 [events/0] 6 ? S< 0:00 [khelper] 7 ? S< 0:00 [kthread] 62 ? S< 0:00 [kblockd/0] 63 ? S< 0:00 [kacpid] 124 ? S< 0:00 [ata/0] 125 ? S< 0:00 [ata_aux] 126 ? S< 0:00 [kseriod] 153 ? S 0:00 [pdflush] 154 ? S 0:00 [pdflush] 155 ? S< 0:00 [kswapd0] 156 ? S< 0:00 [aio/0] 812 ? S< 0:00 [kpsmoused] 841 ? S< 0:00 [ksuspend_usbd] 844 ? S< 0:00 [khubd] 867 ? S< 0:00 [khpsbpkt] 957 ? S< 0:00 [aufsd] 958 ? S< 0:00 [aufsd] 959 ? S< 0:00 [aufsd] 960 ? S< 0:00 [aufsd] 1124 ? S<s 0:00 udevd --daemon 1576 ? S< 0:00 [scsi_eh_0] 3047 ? Ss 0:00 /usr/bin/dbus-daemon --system 3054 ? Ss 0:00 /usr/sbin/hald 3055 ? S 0:00 hald-runner 3076 ? S 0:00 /usr/lib/hal/hald-addon-acpi 3089 ? S 0:00 /usr/lib/hal/hald-addon-keyboard 3101 ? S 0:00 /usr/lib/hal/hald-addon-storage 3220 ? Ss 0:01 pump -i eth0 3242 ? Ss 0:00 /sbin/klogd 3247 ? Ss 0:00 /sbin/syslogd 3294 ? Ss 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid 3303 ? Ss 0:00 /usr/local/bin/bwctld -c /usr/local/etc 3310 ? S 0:00 /usr/local/sbin/fakewww 3311 ? S 0:00 /usr/local/sbin/web100srv -a 3317 ? Sl 0:00 python /usr/local/npad-dist/DiagServer.py -d -u npad -p /var/run/npad.pid 3325 ? Ss 0:00 /usr/local/bin/owampd -c /usr/local/etc 3332 ? S 0:00 /usr/local/sbin/shttpd -p3765 -d /usr/local/rev-tr -c .pl -C/usr/bin/perl 3365 tty1 Ss 0:00 /bin/login -- 3367 tty2 Ss+ 0:00 /sbin/getty 38400 tty2 3368 tty3 Ss+ 0:00 /sbin/getty 38400 tty3 3369 tty4 Ss+ 0:00 /sbin/getty 38400 tty4 3373 ttyS0 Ss+ 0:00 /sbin/getty -L ttyS0 9600 vt100 3386 tty1 S+ 0:00 -bash 3412 ? Ss 0:00 /usr/sbin/sshd 3414 ? Ss 0:00 sshd: knoppix [priv] 3417 ? S 0:00 sshd: knoppix@0 3418 /UNIONFS/dev/pts/0 Ss 0:00 -bash 3467 /UNIONFS/dev/pts/0 R+ 0:00 ps ax
Open ports:
knoppix@0[~]$ netstat -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:8100 *:* LISTEN tcp 0 0 *:bootpc *:* LISTEN tcp 0 0 *:8200 *:* LISTEN tcp 0 0 *:3765 *:* LISTEN tcp6 0 0 *:7123 *:* LISTEN tcp6 0 0 *:ssh *:* LISTEN tcp6 0 0 *:4823 *:* LISTEN tcp6 0 0 *:3001 *:* LISTEN tcp6 0 0 *:861 *:* LISTEN tcp6 0 0 ::ffff:172.16.203.1:ssh ::ffff:172.16.203:54248 ESTABLISHED udp 0 0 172.16.203.130:ntp *:* udp 0 0 NPToolkit:ntp *:* udp 0 0 *:ntp *:* udp6 0 0 fe80::20c:29ff:fe1b:ntp *:* udp6 0 0 ip6-localhost:ntp *:* udp6 0 0 *:ntp *:*
Setting up Syslog
Add the following code for syslog configuration in knoppix.sh
.
# Syslog configuration if [ -f /UNIONFS/media/$MNT/NPTools/syslog.conf ]; then restore_NPT_file $MNT syslog.conf /etc/ fi
The standard syslog.conf was copied from the slac machines.
Testing Services
ntp
knoppix@0[~]$ cp /etc/ntp.conf /mnt/sdb1/NPTools/
All of the servers are remoted from the file /mnt/sdb1/NPTools/ntp.conf
and were replaced with
# You do need to talk to an NTP server or two (or three). server 134.79.18.40 server 134.79.18.41 server 134.79.18.34 server 134.79.18.35
NDT
Going to
http://172.16.203.130:7123/
shows up the ndt webpage where you can run the java applet.