You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Background

NPToolkit is a knoppix based boot cd with a lot of the internet2 tools built in. This page looks at some features, security considerations and custom installation to be done at SLAC for deployment.

The benefit of running NPT over a standard install is as follows:

  • no need to recompile kernels for web100 each time
  • no need for taylor as updates are maintained by Internet2 (although time will tell if the security updates are sufficiently regular)
  • relocation of performance host trivial - pop cd into new machine and plug in the USB key - settings should be maintained
    • SLAC's reverse traceroute server run's on default on port 3765 (perhaps we should redirect to this host).

Disadvantages

  • no AFS client (yet?)
  • security strongly depends on release cycle of boot disk

Overview

This guide will look at

  • setting up a nptoolkit host
  • configuring services to suit SLAC, this specifically includes
    • syslog logging to a remote host
    • setting up the NPT server
    • Configuring ntp for SLAC's stratum servers
    • setting up bwctl servers
    • setting up owamp servers

Boot

The disk was downloaded (the page says version 1.7, but the boot cd says 1.8). It was booted in VMWare. It run's linux 2.6.20.10 with web100 hooks.

After booting, you can log on with user name 'knoppix' - no password is required.

Upon inserting a USB key into the connector, you get:

The drive is automounted, in this case, it's mounted under /mnt/sdb1.

We then copy the knoppix.sh file so that the thumbdrive will be picked up and auto run to override the relevant commands.

sudo cp /usr/local/etc/knoppix.sh /mnt/sdb1

Configure

There is a tool called customize.NPTools that handles the scripting to configure the tools present.

I'm too lazy to use the vmware screen to do the configuration, so i will set up a ssh daemon and ssh into it.

SSH

You can start a ssh daemon by running:

/etc/init.d/ssh start

After generating the keys (are these stored on the usb?), the daemon will run.

We now need to set a password for user 'knoppix' and to determine the IP address to access the NPToolkit machine on.

We can use ifconfig to determine the IP. You can run passwd to change the password.

Voila, you can now ssh into the host. (as i'm running under a virtual machine, only the host machine can access it for now).

Setup USB External Storage

Note that you need to copy the knoppix.sh to the relevant drives first.

knoppix@0[~]$ customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
1
Configuring system drive(s) to support customized tools.
Configure External USB drive 'sdb1' to hold NPToolkit customization files? [y] - y
done.

bwctl

knoppix@0[~]$ customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
2
BWCTL server configuration program.  
echo 
echo Manual configuration is currently required. Please edit the
echo /usr/local/etc/bwctld.conf and /usr/local/etc/bwctld.limits files
echo to create custom versions for your site.
echo 
echo See http://e2epi.internet2.edu/bwctl for more details.
/bin/rm: remove write-protected regular empty file `/tmp/customize.bwctld'? y
/bin/rm: cannot remove `/tmp/customize.bwctld': Operation not permitted
Internet2 Network Performance Tool Customization script

Hmm... try with sudo:

knoppix@0[~]$ sudo customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
2
BWCTL server configuration program.  
echo 
echo Manual configuration is currently required. Please edit the
echo /usr/local/etc/bwctld.conf and /usr/local/etc/bwctld.limits files
echo to create custom versions for your site.
echo 
echo See http://e2epi.internet2.edu/bwctl for more details.

npt

knoppix@0[~]$ sudo customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
3
Welcome to the NDT server configuration program.  This
program will create a custom tcpbw100.html file for your site.

Enter your site name [Internet2]  : Stanford Linear Accelerator Center
Enter your site's location [Ann Arbor - MI]  : Menlo Park - CA
Server connection info, enter 1 for 100 Mbps, 2 for 1 Gbps, 3 for 10 Gbps [2]  : 2

Information for email trouble reporting
Enter email userid [rcarlson]  : ytl 
Enter email domain name [internet2.edu]  : slac.stanford.edu
Enter default subject line [Trouble report from NPtoolkit-v1.8]  : 
The base web page 'tcpbw100.html' has now been created.  You
must move this file into the ndt_DATA directory [/usr/local/ndt]
created during the 'make' process.
Do you want to install this file now? [yes]  : yes
Enter location [/usr/local/ndt]  : 
NDT customization file being saved to 'sdb1'

NPAD

knoppix@0[~]$ sudo customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
4
NPAD server configuration program.  

/usr/local/npad-1.3 /ramdisk/home/knoppix

Importing existing config.xml.

---------------------------------------------------------------
| For each configuration value, you will see brief help       |
| followed by a prompt. Default values are in brackets on     |
| the prompt line.  To accept default values, press Enter.    |
---------------------------------------------------------------



The directory to install the diagnostic server,
including binaries, libraries, and configuration files.
It is recommended to use the default value.

Exec dir [/usr/local/npad-dist]: 


The directory to install web pieces, such as the tester
page and the Java and C clients.  If you are running the
built-in web server (recommended), the default value
should work.  Otherwise you will need to point to a
directory accessible by your web server.

Web dir [/usr/local/npad-dist/www]: 


The user as which the server will run.  We recommend using
a relatively unprivileged user.  If you specify a user
that doesn't exist, 'make install' will create it.

User [npad]: 


The group as which the server will run. We recommend using
a relatively unprivileged group.  If you specify a group
that doesn't exist, 'make install' will create it.

Group [npad]: 


The port that the control channel listens on.  It should be
safe to leave this alone unless you must work within
firewall restrictions, or unless another service is
using this port.

Control port [8100]: 


The bottom of the ephemeral port range used for test
connections.

Port range min [8002]: 


The top of the ephemeral port range used for test
connections.

Port range max [8020]: 


This package comes with a small python-based web server.
If you would like to use the server, enter "yes".
Otherwise you will need to have installed and set
up another web server such as Apache.

Use built-in web server [yes]: 


The port number used by the built-in web server

Built-in web server port [8200]: 


This name should should complete "NPAD server located at ...", and
will be used as the title for your server, as it appears on the
tester page.  You must supply a value.

Site (organization) name [Internet2 Knoppix-based NPAD Server]: Stanford Linear Accelerator Center NPAD Server


The geographical location of your server, probably a city name.
Since pathdiag works best over short distances, this information
will be included on the tester page so users can tell how close
they are to the server.  You must supply a value.

Site location [Please customize]: Menlo Park - CA


The (optional) name of the contact for your site.
This is probably you or the network support team.

Site contact name [RACarlson]: Yee-Ting Li


This is the (optional) email address for your site contact.

Site contact email [rcarlson@internet2.edu]: ytl@slac.stanford.edu

Configuration complete.  You're now ready to 'make'.

make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server'
make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag'
make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server'
make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag'

Group npad already exists.  Will not create.

User npad already exists.  Will not create.

Installing...

rm -f /usr/local/npad-dist/config.xml /usr/local/npad-dist/template_diag_form.html
cp config.xml template_diag_form.html /usr/local/npad-dist/
make[1]: Entering directory `/UNIONFS/usr/local/npad-1.3'
make[2]: Entering directory `/UNIONFS/usr/local/npad-1.3/diag_server'
cp *.py /usr/local/npad-dist
cp DiagClient.jar diag-client.c /usr/local/npad-dist/www
make[2]: Leaving directory `/UNIONFS/usr/local/npad-1.3/diag_server'
make[2]: Entering directory `/UNIONFS/usr/local/npad-1.3/pathdiag'
cp pathdiag.py* pathtools.py* prettyhtml.py* pathlib.py* _pathlib.so mkdatasummary.py *.fmt /usr/local/npad-dist
cp boxes.css help.html /usr/local/npad-dist/www/ServerData

Regenerating report summary...  Done.

make[2]: Leaving directory `/UNIONFS/usr/local/npad-1.3/pathdiag'
make[1]: Leaving directory `/UNIONFS/usr/local/npad-1.3'
chown -R npad.npad "/usr/local/npad-dist/www/ServerData"
/ramdisk/home/knoppix
/usr/local/npad-dist/www /ramdisk/home/knoppix
NPAD customization files are being saved to 'sdb1'
/ramdisk/home/knoppix

NTP

knoppix@0[~]$ sudo customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
5
NTP server configuration program.  

Manual configuration is currently required.  Please edit the
/etc/ntpd.conf file to create custom versinos.
create custom version for your site.

owamp

knoppix@0[~]$ sudo customize.NPtools 
Internet2 Network Performance Tool Customization script
    Tools listed in RED need to be customized
        1. Setup Drive(s) to hold customization files
        2. bwctl
        3. ndt
        4. npad
        5. ntp
        6. owamp
        7. staticIP
        0. exit
6
OWAMP server configuration program.

Manual configuration is currently required.  Please edit the
/usr/local/etc/owampd.conf and /usr/local/etc/owampd.limits files
to create custom versions for your site.

See http://e2epi.internet2.edu/owamp for more details.

Reboot

Let's reboot to see if things stick...

Knoppix looses it's password (so you'll have to passwd again)
SSHD regenerates keys (so you have to modify known_hosts)

Keeping SSH Up (not recommended)

As per the FAQ,

knoppix@0[~]$ cat /usr/local/NPToolkit/contrib/remote.access >> /mnt/sdb1/knoppix.sh 
knoppix@0[~]$ cp /usr/local/NPToolkit/contrib/remote.access /mnt/sdb1/NPTools/

however, there is a bit more to it to this (from looking into the remote.access file)

Passwords:

knoppix@0[~]$ sudo cp /etc/passwd /mnt/sdb1/NPTools/passwd.new
knoppix@0[~]$ sudo cp /etc/shadow /mnt/sdb1/NPTools/shadow.new

SSH:

knoppix@0[~]$ sudo cp /etc/ssh/sshd_config /mnt/sdb1/NPTools/sshd_config

don't i need to copy the keys over too? ie

/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub

So append /mnt/sdb1/knoppix.sh to include

# Maintain SSH keys through reboot and host transfer
# append to knoppix.sh file on any external storage medium
#  by Yee-Ting Li (ytl@slac.stanford.edu)

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_key ]; then
    restore_NPT_file $MNT ssh_host_key /etc/ssh
fi

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_key.pub ]; then
    restore_NPT_file $MNT ssh_host_key.pub /etc/ssh
fi

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_rsa_key ]; then
    restore_NPT_file $MNT ssh_host_rsa_key /etc/ssh
fi

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_rsa_key.pub ]; then
    restore_NPT_file $MNT ssh_host_rsa_key.pub /etc/ssh
fi      

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_dsa_key ]; then
    restore_NPT_file $MNT ssh_host_dsa_key /etc/ssh
fi

if [ -f /UNIONFS/media/$MNT/NPTools/ssh_host_dsa_key.pub ]; then
    restore_NPT_file $MNT ssh_host_dsa_key.pub /etc/ssh
fi

And copy the keys over to a directory on the thumbdrive:

knoppix@0[~]$ sudo cp /etc/ssh/ssh_host_* /mnt/sdb1/NPTools/

The sshd server should start at boot now.

Running services

knoppix@0[~]$ 
knoppix@0[~]$ ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [3] 
    2 ?        S      0:00 [migration/0]
    3 ?        SN     0:00 [ksoftirqd/0]
    4 ?        S      0:00 [watchdog/0]
    5 ?        S<     0:00 [events/0]
    6 ?        S<     0:00 [khelper]
    7 ?        S<     0:00 [kthread]
   62 ?        S<     0:00 [kblockd/0]
   63 ?        S<     0:00 [kacpid]
  124 ?        S<     0:00 [ata/0]
  125 ?        S<     0:00 [ata_aux]
  126 ?        S<     0:00 [kseriod]
  153 ?        S      0:00 [pdflush]
  154 ?        S      0:00 [pdflush]
  155 ?        S<     0:00 [kswapd0]
  156 ?        S<     0:00 [aio/0]
  812 ?        S<     0:00 [kpsmoused]
  841 ?        S<     0:00 [ksuspend_usbd]
  844 ?        S<     0:00 [khubd]
  867 ?        S<     0:00 [khpsbpkt]
  957 ?        S<     0:00 [aufsd]
  958 ?        S<     0:00 [aufsd]
  959 ?        S<     0:00 [aufsd]
  960 ?        S<     0:00 [aufsd]
 1124 ?        S<s    0:00 udevd --daemon
 1576 ?        S<     0:00 [scsi_eh_0]
 3047 ?        Ss     0:00 /usr/bin/dbus-daemon --system
 3054 ?        Ss     0:00 /usr/sbin/hald
 3055 ?        S      0:00 hald-runner
 3076 ?        S      0:00 /usr/lib/hal/hald-addon-acpi
 3089 ?        S      0:00 /usr/lib/hal/hald-addon-keyboard
 3101 ?        S      0:00 /usr/lib/hal/hald-addon-storage
 3220 ?        Ss     0:01 pump -i eth0
 3242 ?        Ss     0:00 /sbin/klogd
 3247 ?        Ss     0:00 /sbin/syslogd
 3294 ?        Ss     0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid
 3303 ?        Ss     0:00 /usr/local/bin/bwctld -c /usr/local/etc
 3310 ?        S      0:00 /usr/local/sbin/fakewww
 3311 ?        S      0:00 /usr/local/sbin/web100srv -a
 3317 ?        Sl     0:00 python /usr/local/npad-dist/DiagServer.py -d -u npad -p /var/run/npad.pid
 3325 ?        Ss     0:00 /usr/local/bin/owampd -c /usr/local/etc
 3332 ?        S      0:00 /usr/local/sbin/shttpd -p3765 -d /usr/local/rev-tr -c .pl -C/usr/bin/perl
 3365 tty1     Ss     0:00 /bin/login --        
 3367 tty2     Ss+    0:00 /sbin/getty 38400 tty2
 3368 tty3     Ss+    0:00 /sbin/getty 38400 tty3
 3369 tty4     Ss+    0:00 /sbin/getty 38400 tty4
 3373 ttyS0    Ss+    0:00 /sbin/getty -L ttyS0 9600 vt100
 3386 tty1     S+     0:00 -bash
 3412 ?        Ss     0:00 /usr/sbin/sshd
 3414 ?        Ss     0:00 sshd: knoppix [priv]
 3417 ?        S      0:00 sshd: knoppix@0  
 3418 /UNIONFS/dev/pts/0 Ss   0:00 -bash
 3467 /UNIONFS/dev/pts/0 R+   0:00 ps ax

Open ports:

knoppix@0[~]$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:8100                  *:*                     LISTEN     
tcp        0      0 *:bootpc                *:*                     LISTEN     
tcp        0      0 *:8200                  *:*                     LISTEN     
tcp        0      0 *:3765                  *:*                     LISTEN     
tcp6       0      0 *:7123                  *:*                     LISTEN     
tcp6       0      0 *:ssh                   *:*                     LISTEN     
tcp6       0      0 *:4823                  *:*                     LISTEN     
tcp6       0      0 *:3001                  *:*                     LISTEN     
tcp6       0      0 *:861                   *:*                     LISTEN     
tcp6       0      0 ::ffff:172.16.203.1:ssh ::ffff:172.16.203:54248 ESTABLISHED
udp        0      0 172.16.203.130:ntp      *:*                                
udp        0      0 NPToolkit:ntp           *:*                                
udp        0      0 *:ntp                   *:*                                
udp6       0      0 fe80::20c:29ff:fe1b:ntp *:*                                
udp6       0      0 ip6-localhost:ntp       *:*                                
udp6       0      0 *:ntp                   *:*                                  

Setting up Syslog

Add the following code for syslog configuration in knoppix.sh.

# Syslog configuration
if [ -f /UNIONFS/media/$MNT/NPTools/syslog.conf ]; then
    restore_NPT_file $MNT syslog.conf /etc/
fi

The standard syslog.conf was copied from the slac machines.

Testing Services

ntp

knoppix@0[~]$ cp /etc/ntp.conf /mnt/sdb1/NPTools/

All of the servers are remoted from the file /mnt/sdb1/NPTools/ntp.conf and were replaced with

# You do need to talk to an NTP server or two (or three).
server 134.79.18.40
server 134.79.18.41
server 134.79.18.34
server 134.79.18.35

NDT

Going to

http://172.16.203.130:7123/

shows up the ndt webpage where you can run the java applet.

bwctl

owamp

thrulay

  • No labels