[Server-devel] incomplete XS install notes

Bryan Berry bryan.berry at gmail.com
Fri Aug 1 01:42:34 EDT 2008


h1. Schoolserver

These are the notes from XS configuration David Van Assche have been
working on this week. It is not yet complete. I will try to put them on
the wiki when they are complete. I haven't included several crucial
pieces of information such as the Shorewall configuration files.

Step 1. Install from .iso

h3. Network Configuration
* IP
** rm /etc/sysconfig/network-scripts/ifcfg-msh*
** rm /etc/sysconfig/network-scripts/ifcfg-eth2-4
** vi /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 change to static IP Addresses
** ifcfg-eth0   change to WAN address, in OLE office 192.168.5.xx, disable ipv6  causes problems w/ ejabberd
** ifcfg-eth1   leave as default
** vi /etc/dhcpd.conf   add Internet DNS under  "option domain-name-servers " in addition to 172.18.0.1
* DNS changes
** /etc/sysconfig/olpc-scripts/domain_config sanepa.schoolnet.gov.np where sanepa is the school
** /etc/sysconfig/network   change hostname to schoolserver.sanepa.schoolnet.gov.np
** cd /var/named
** sed -i 's/random.xs.laptop.org/sanepa.schoolnet.gov.np/g' school*
** Change comments (#) and "C" in /var/named/school.internal.zone.db to ";" and "CNAME"  (fixed in XS_165)

h3. Squid 
* -- /etc/squid/squid.conf 
** at line 117 change: dns_nameservers  172.18.0.1 192.168.5.1
** acl school src 172.18.0.0/255.255.0.0 192.168.5.0/255.255.255.0  # add external and internal networks

h3. Moodle
* yum install moodle postgresql-server
* service postgresql initdb
* sudo -u postgres createuser -D -A -P moodle
* sudo -u postgres createdb -E utf8 -O moodle moodle
* sudo -u postgres psql moodle
  # ALTER USER postgres WITH PASSWORD 'moodle';
  # \q
* sudo nano /etc/postgresql/8.1/main/pg_hba.conf  change Method for both host entries to md5
* sudo /etc/init.d/postgresql restart


h3. Ejabberd
* add this line to /etc/ejabberd/ejabberd.cfg
  {acl, admin, {user, "admin", "schoolserver.sanepa.schoolnet.gov.np"}}.
  Don't forget the period at the end!
* cd /etc/init.d/
* chkconfig --level 345 ejabberd on
* disable ipv6 by removing it from 
  {5280, ejabberd_http, [ 
                         ipv6,
* Logging on to http://schoolserver:5280/admin provide full username admin@schoolserver.sanepa.schoolnet.gov.np
* Create online group @online@

h3. Dansguardian
* zlib-devel pcre-devel autoconf automake gcc-c++ libtool compat-gcc-3.4
* used rpm from dries repo, add to testing.repo, or stable.repo if you are using that repo
   [dries]
    name=Extra Fedora rpms dries - $releasever - $basearch
    baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/
* yum update
* yum install dansguardian
* settings in /etc/dansguardian/dansguardian.conf
** filterport=8081  # not 8080
** loglevel =1
** loglocation = /var/log/dansguardian/access.log
** urlcachenumber = 5000
** reverseaddresslookups = on
** reverseclientiplookups = on
** maxchildren=250
** minsparechildren=8
** daemonuser=dansguardian
** daemongroup=dansguardian
* settings in bannedextensionslist
** commented out bans for UNIX archive file types

h3. Shorewall
* yum install shorewall
* settings in /etc/shorewall/shorewall.conf
** Startup_Enabled=Yes
** LOGFILE=/var/log/shorewall
** LOGRATE= ? 
** LOGBURST = ?  to be set
** BRIDGING = Yes
* /etc/shorewall/masq
** eth0 eth1   -- this bridges b/w the two
* /etc/shorewall/interfaces
** net eth0
** loc eth1
* /etc/shorewall/zones  -- these changes make the interfaces use ipv4
** loc   -
** fw    firewall
** net   -
* Setting up policy -- /etc/shorewall/policy
* Setting up Rules -- allow access to ssh at port 2222, ejabberd at 5280
* add to Rules   
   REDIRECT   loc   8081    TCP www

h3. Todo

Dansguardian
* Need to consider adding blocks for stuff like myspace.com 
* decide on naughtyness limit set in dansguardianf1.conf ?Higher or lower? Real concern is the parents and teachers viewing inappropriate stuff, less so the kids.
* decide which file extensions to ban

Issues:
* Ejabberd a total PITA to set up and modify. We spent 60% of install time fighting ejabberd.
* Currently XO's seem to need a fqdn to access jabber. This means every school needs a different XO image configuration. Major hassle
* Routing not yet working properly
* The XS wiki entries are a mess and often provide incorrect information
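
The Moodle step above changes the method of both host entries in pg_hba.conf to md5. As an added example (not part of the original post), this shell function lists any host records that still use another method; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): report pg_hba.conf "host"
# records whose authentication method is not md5.
# Layouts handled:
#   host  DATABASE  USER  CIDR-ADDRESS          METHOD
#   host  DATABASE  USER  IP-ADDRESS   IP-MASK  METHOD
# Prints each offending record as "LINE: record"; returns 1 if any were found.
pg_hba_non_md5() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 !~ /^host(ssl|nossl)?$/ { next }      # skip "local" and blank lines
        {
            # With a CIDR address the method is field 5; with a separate
            # netmask column it is field 6.
            method = (index($4, "/") > 0) ? $5 : $6
            if (method != "md5") { print NR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file, as it might look before the edit in the notes.
write_sample() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident sameuser
host    all       all   127.0.0.1/32   ident sameuser
host    all       all   ::1/128        md5   # already changed
host    moodle    moodle 172.18.0.0 255.255.0.0 trust
EOF
}

sample=$(mktemp)
write_sample "$sample"
if pg_hba_non_md5 "$sample"; then
    echo "all host entries use md5"
else
    echo "host entries listed above still need md5"
fi
rm -f "$sample"
```

On a real server, pass the path of the live file, for example the pg_hba.conf path given in the Moodle step.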
