Difference between revisions of "Managing the security training sites"

From PDP/Grid Wiki
(Add instructions for publishing the CRL file)
Revision as of 23:54, 10 March 2014

These are the quick notes about how to set up and run a bunch of virtual grid sites for training purposes.

Overview

The virtual machines for these sites are managed with Xen Cloud Platform (XCP) on blade 0, partition b. Log in as root@bl0b.pool.inst.ipmi.nikhef.nl.

The sites live on vlan 41, which is only available on bl0b. There is only one host with an interface to the outside, called melkstal.nikhef.nl. This host serves as the gateway for all the participants in the training and the site administrators. It also serves as a NAT box.

On the inside of vlan 41, the network addressing is divided up by virtual site:

10.1.0.0/16 management systems and example site ('darknet')
10.2.0.0/16 virtual site #1
10.3.0.0/16 virtual site #2

There is one management host to help install and configure all other machines: cobbler.darknet. This system runs cobbler to help systems install with DHCP, DNS and kickstart files. It also runs saltstack to manage state on each system.

Installing and re-installing machines

Installation of new machines is done on the XCP master node. Log in as

root@pool-bl0b.inst.ipmi.nikhef.nl

In the home directory you will find this script, which creates basic machine definitions from a template and gives each machine a new interface with a generated MAC address.

The next step is to take the list of machines and their MAC addresses (produced with another script) to cobbler.darknet and to define the systems in cobbler. There is a script for that as well. For example:

echo 22:05:e5:52:19:cc wms.darknet | ./cobbler-add-machine.sh

Right now, the script only adds machines consecutively to the darknet site.
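A constructed stand-in for the cobbler-add-machine.sh step, added here as an example and not the wiki's own script: it validates each "MAC hostname.site" line before anything reaches cobbler, hands out consecutive addresses per site (going beyond the darknet-only behaviour of the real script) and builds the argument lists for cobbler system add. The profile name, the first usable host address, the site1/site2 labels and the cobbler 2.x option names are assumptions.

```python
"""Turn 'MAC hostname.site' lines into cobbler system definitions.
Constructed stand-in for cobbler-add-machine.sh: profile name, reserved
low addresses and the cobbler 2.x option names are assumptions."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")
# Site networks from the Overview section; the site1/site2 labels are assumed.
SITES = {
    "darknet": ipaddress.ip_network("10.1.0.0/16"),
    "site1": ipaddress.ip_network("10.2.0.0/16"),
    "site2": ipaddress.ip_network("10.3.0.0/16"),
}

def parse_line(line):
    """Validate one 'mac hostname.site' line; return (mac, host, site)."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'MAC hostname.site', got {line!r}")
    mac, fqdn = parts[0].lower(), parts[1].lower()
    host, _, site = fqdn.partition(".")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    if not HOST_RE.match(host) or site not in SITES:
        raise ValueError(f"bad hostname or unknown site: {fqdn}")
    return mac, host, site

def plan_systems(lines, first_host=10, profile="sl6-x86_64"):
    """Assign consecutive addresses per site; return cobbler argv lists."""
    pools = {site: net.hosts() for site, net in SITES.items()}
    for pool in pools.values():  # skip low addresses (assumed reserved)
        for _ in range(first_host - 1):
            next(pool)
    seen, commands = set(), []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mac, host, site = parse_line(line)
        if mac in seen:  # a duplicate MAC would confuse cobbler's DHCP
            raise ValueError(f"duplicate MAC address: {mac}")
        seen.add(mac)
        fqdn, ip = f"{host}.{site}", str(next(pools[site]))
        commands.append(["cobbler", "system", "add", f"--name={fqdn}",
                         f"--profile={profile}", "--interface=eth0",
                         f"--mac-address={mac}", f"--ip-address={ip}",
                         f"--hostname={fqdn}", f"--dns-name={fqdn}"])
    return commands
```

Run each returned list with subprocess.run(argv, check=True); passing an argument list rather than a shell string means a hostname taken from the input can never be interpreted as shell syntax.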

It is also possible (but more tedious) to add machines via cobbler's web interface.

Once the machines are defined in cobbler it is time to start them. This is again done on the XCP node with the command

xe vm-start vm=wms.darknet

This will install a basic system, using cobbler for DHCP and for downloading the kickstart file.

As part of the basic installation, the package salt-minion will be installed with cobbler.darknet as the master. Once the installation is done, accept the key on cobbler with

salt-key -a ACCEPT


Re-installation

It may be necessary to start from scratch with a machine. This is easier than a new installation, as the definition already exists in XCP and cobbler. The only thing that needs to be reset is the bootloader. The script Media:Vm-reinstall.sh does just that. After that, run the command

xe vm-reboot vm=wms.darknet

to initiate the reinstallation. Cobbler has some tricks to preserve ssh host keys and minion keys from a previous installation, but this may or may not work.


Darknet CA

The test sites will need certificates, so a local simple CA is set up on cobbler.darknet in /srv/ca.

Issuing CRLs can be done by calling

./make-crl /var/www/html/7140638d.r0