<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3243" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=921452116-18022008><FONT face=Arial
color=#0000ff size=2>Hi Tony and Ivan,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=921452116-18022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=921452116-18022008><FONT face=Arial
color=#0000ff size=2>Thanks for the nice write up! That saves me a lot of
time.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=921452116-18022008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN><FONT face=Arial><FONT color=#0000ff><FONT
size=2></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2>I<SPAN
class=921452116-18022008> understand we don't want to use this security
implementation. Still, the more examples of scripts we can see the better.
If it's a security issue then don't post them. Otherwise we need to
see best practices or even rejected ideas, if not for security or
SSO, then for backup of XOs, config of default home page in the XO browser,
and any other ideas.</SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008>Aside from tracking the XOs, one new idea stands
out here. You can see if the XO is connecting via Mesh or Wifi and you can pick
which AP it connects to. That may come in handy as we try to test and protect
the mesh from overload.</SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008>Also, I wonder why they use USB sticks instead
of having a script on the server log in, configure it, then log out.
That seems more efficient when configuring thousands of devices but maybe
there's a good reason it's not
done.</SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008>I noticed Walter mentioned in the weekly news
that Pakistan and South Africa will bring up school servers soon. It would
be very helpful to see any proposed install and configure scripts from there
too. </SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008>Thanks,</SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008>Greg S</SPAN></FONT></FONT></FONT></FONT></FONT></DIV>
<DIV><FONT><FONT><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=921452116-18022008></SPAN></FONT></FONT></FONT></FONT></FONT> </DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Tony Pearson [mailto:tpearson@us.ibm.com]
<BR><B>Sent:</B> Sunday, February 17, 2008 11:43 AM<BR><B>To:</B> Greg Smith
(gregmsmi)<BR><B>Cc:</B> sulochan acharya;
server-devel@lists.laptop.org<BR><B>Subject:</B> Ceibal scripts
explained<BR></FONT><BR></DIV>
<DIV></DIV><FONT face=Arial color=#0000ff size=2></FONT><FONT face=Arial
color=#0000ff size=2></FONT><BR><TT><FONT size=2>Greg wrote:</FONT></TT>
<BR><TT><FONT size=2>>Did anyone get a chance to read the Ceibal
scripts<BR>>(http://dev.laptop.org/git?p=projects/ceibal-scripts;a=tree)? I
tried to<BR>>scan them. I think they grab the MAC address of the XO, register
it (hash<BR>>it?), then watch connections to the XS and can block Xos when
needed. We<BR>>may be able to use the MAC address/registration key stuff to
create user<BR>>specific directories for backup but not sure you need to
block Xos.<BR><BR>>Tony, if you get a chance to summarize what they are doing
briefly that<BR>>would be interesting. It's the sed and awk more than the
Spanish that<BR>>makes it hard for me to understand :-)</FONT></TT>
<BR><BR><FONT face=sans-serif size=2>Greg,</FONT> <BR><FONT face=sans-serif
size=2>You are lucky I read both "Spanish" and "bash" fluently.</FONT>
<BR><BR><FONT face=sans-serif size=2>Here goes:</FONT> <BR><BR><FONT
face=sans-serif size=2>It appears that these five files would be on a USB stick
to be applied against</FONT> <BR><FONT face=sans-serif size=2>an XO laptop to
customize it.</FONT> <BR><BR><FONT face=sans-serif size=2>install ---</FONT>
<BR><FONT face=sans-serif size=2> This program
creates directories and copies the other USB files over to the right
spots</FONT> <BR><FONT face=sans-serif size=2>
(actualizador and policia are copied into /home/local/bin directory)</FONT>
<BR><FONT face=sans-serif size=2> It schedules
"actualizador" to run every 15 minutes in CRON scheduler.</FONT> <BR><FONT
face=sans-serif size=2> It adds "python monitoreo.py
&" to rc.local to run as a started background task at boot</FONT> <BR><FONT
face=sans-serif size=2> It installs the gnupg
encryption program and imports an actualizador key</FONT> <BR><FONT
face=sans-serif size=2> It adds "service
NetworkManagerDispatcher start" as part of the rc.local boot sequence</FONT>
<BR><FONT face=sans-serif size=2> It computes a date
approximately one month term into the future and saves as "plazo"</FONT>
<BR><BR><FONT face=sans-serif size=2> The "sed" is
the stream editor, and this line inserts a new line into /etc/rc after "set -m"
near</FONT> <BR><FONT face=sans-serif size=2> the top
of the file. This will run /home/local/bin/policia at boot startup
time.</FONT> <BR><BR><FONT face=sans-serif size=2>
actualizador --> updater</FONT> <BR><FONT face=sans-serif size=2>
plazo --> term</FONT> <BR><FONT face=sans-serif
size=2> seguridad --> security</FONT> <BR><FONT
face=sans-serif size=2> policia --> police</FONT>
<BR><BR><FONT face=sans-serif size=2>actualizador ---</FONT> <BR><FONT
face=sans-serif size=2> create a working directory
/home/local/actualizaciones</FONT> <BR><FONT face=sans-serif size=2>
creates an empty log file, or if log file exists, erases it
and makes it empty</FONT> <BR><FONT face=sans-serif size=2>
sets the Serial number "serie" to the serial number of this XO laptop it
is running on.</FONT> <BR><BR><FONT face=sans-serif size=2>
Note: you can embed python language into a bash shell using the following
technique</FONT> <BR><FONT face=sans-serif size=2>
/usr/bin/python << MARKER</FONT> <BR><FONT face=sans-serif size=2>
=== python code ===</FONT> <BR><FONT face=sans-serif
size=2> MARKER</FONT> <BR><BR><FONT face=sans-serif
size=2> Checks to see if this was already run today,
if so quit. Basically, if you turned on your</FONT> <BR><FONT
face=sans-serif size=2> XO in the morning, shut down
for lunch, then restarted it, won't go through this a second</FONT> <BR><FONT
face=sans-serif size=2> time. </FONT>
<BR><BR><FONT face=sans-serif size=2> /sbin/ip route
issues two lines. On my XO laptop it says:</FONT> <BR><BR><FONT
face=sans-serif size=2> 172.18.10.0/23 dev msh0 proto
kernel scope link src 172.18.11.254</FONT> <BR><FONT face=sans-serif
size=2> default via 172.18.10.1 dev msh0</FONT>
<BR><BR><FONT face=sans-serif size=2> The script
checks if the line containing "default" also contains "eth0" if not, quit.
</FONT> <BR><BR><FONT face=sans-serif size=2>
It pings server (172.18.10.1) for 20 packets. If this fails, quit.</FONT>
<BR><BR><FONT face=sans-serif size=2> Find an IPv4
address in eth0. In my case, eth0 has only IPv6, and msh0 has both.</FONT>
<BR><BR><FONT face=sans-serif size=2> wget to
download the server's "plazo" and copy to this XO's local
/home/local/seguridad/plazo file.</FONT> <BR><BR><FONT face=sans-serif
size=2> Downloads the black-list unique to this XO's
laptop serial number, and confirms using GPG.</FONT> <BR><FONT face=sans-serif
size=2> if the GPG confirmation fails, quits.
If it is successful, the machine is blacklisted, and shuts down.</FONT>
<BR><BR><FONT face=sans-serif size=2> wget download
file /actualizaciones/actualizaciones (updates). If not found,
quits.</FONT> <BR><FONT face=sans-serif size=2> If
the file was downloaded, N_ACT is set to the number of lines in the file.
For each line,</FONT> <BR><FONT face=sans-serif size=2>
if the "version" on the line is greater than the XO's current
version, save it in /tmp/instalables file.</FONT> <BR><FONT face=sans-serif
size=2> If the XO is already at the latest version,
no newer updates found, then quit.</FONT> <BR><BR><FONT face=sans-serif
size=2> For each version xxxxx that is more
recent version, download ceibal-xxxxx.tar.gz and sig files.</FONT> <BR><FONT
face=sans-serif size=2> Use "GPG" to confirm sig
file. If correct, untar the file in /tmp/actualizaciones directory</FONT>
<BR><FONT face=sans-serif size=2> Unless file
indicates "noinstall" run the "instalar" to process the update, and update the
XO's</FONT> <BR><FONT face=sans-serif size=2> current
version to match the version just installed.</FONT> <BR><BR><FONT
face=sans-serif size=2> Telnet back to the server,
reporting this XO's MAC, Updated Version and Serial number.</FONT>
<BR><BR><BR><FONT face=sans-serif size=2>monitoreo.py --</FONT> <BR><BR><FONT
face=sans-serif size=2> The purpose of this is to
telnet to port 5000 on the nameserver found in /etc/resolv.conf</FONT> <BR><FONT
face=sans-serif size=2> Check to see if the
connection is made via eth0 (Wi-Fi) or msh0 (Mesh). The telnet
sends</FONT> <BR><FONT face=sans-serif size=2>
information about the XO laptop to the server, sleeps for 10 minutes, then does
it again.</FONT> <BR><BR><FONT face=sans-serif size=2>policia ---</FONT>
<BR><FONT face=sans-serif size=2> If this XO laptop
was identified to be black-listed, display the "maqbloq" banner file and</FONT>
<BR><FONT face=sans-serif size=2> perform the
following: scan all networks accessible through eth0. For each one
where</FONT> <BR><FONT face=sans-serif size=2>
encryption is off, save the ESSid, Channel, and Signal power level. In my
case, I had</FONT> <BR><FONT face=sans-serif size=2>
ESSid "school-mesh-0" Channel 1 and Signal power =27 dBm. It also found my
neighbor's</FONT> <BR><FONT face=sans-serif size=2>
ESSid "Apple Network" Channel 1 and Signal power=87 dBm but that was
encrypted.</FONT> <BR><BR><FONT face=sans-serif size=2>
For each un-encrypted channel, create file /tmp/ap0 ap1, ap2, ap3,
etc.</FONT> <BR><FONT face=sans-serif size=2> Find
the connection with the strongest signal (lowest dBm = best signal)</FONT>
<BR><BR><FONT face=sans-serif size=2> For the
strongest signal, save the ESSid and Channel from above.</FONT> <BR><FONT
face=sans-serif size=2> Use "iwconfig" to set eth0 to
this ESSid and channel. (I imagine this is the equivalent of</FONT> <BR><FONT
face=sans-serif size=2> finding the strongest signal
on Neighborhood screen and selecting it)</FONT> <BR><BR><FONT face=sans-serif
size=2> Determine the school server, if not found,
shut down this XO laptop.</FONT> <BR><FONT face=sans-serif size=2>
Otherwise, try to ping the server, and if successful, send the
XO's MAC, Serial Number and</FONT> <BR><FONT face=sans-serif size=2>
Access point information. Then shutdown.</FONT>
<BR><BR><FONT face=sans-serif size=2> If we were not
black-listed, check the "term" date in PLAZO. This was the future date
set</FONT> <BR><FONT face=sans-serif size=2> in
"Install" above as a future date 30 days from now, so if today is beyond that
date, it is</FONT> <BR><FONT face=sans-serif size=2>
time to block the machine. A telnet to the schoolserver via port 5000
provides the MAC</FONT> <BR><FONT face=sans-serif size=2>
address, serial number and AP, with the "GETBLOCKED" identifier.</FONT>
<BR><BR><FONT face=sans-serif size=2>So, Greg, you were correct. It was
reporting the MAC and Serial Number of each XO that connects</FONT> <BR><FONT
face=sans-serif size=2>to the school server. There is an option to provide
automatic file updates, and options to block out</FONT> <BR><FONT
face=sans-serif size=2>XO laptops. However, this only works for laptops
that actually have this code installed on them.</FONT> <BR><FONT face=sans-serif
size=2>A regular XO would not be running these scripts, and therefore would never
be blocked nor updated. The</FONT> <BR><FONT face=sans-serif size=2>status of
being blacklisted is stored on the XO itself, so it is simply a matter of editing that
particular file</FONT> <BR><FONT face=sans-serif size=2>from "1" to "0".</FONT>
<BR><BR><FONT face=sans-serif size=2>If we can combine the Mac/SN with the
Nickname stored in Sugar, we might have something to work</FONT> <BR><FONT
face=sans-serif size=2>with here.</FONT> <BR>
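<DIV>The following is an added editorial example and is not part of Tony's message or of the Ceibal scripts themselves: the checks he describes for "actualizador" and "policia" written as small POSIX shell functions. The two-line "ip route" output is the one quoted above; the one-version-per-line layout of the updates list and the YYYYMMDD form of "plazo" are assumptions, and the function names are mine.</DIV>

```shell
#!/bin/sh
# Added example (not from the Ceibal scripts): shell helpers that mirror the
# checks described for "actualizador" and "policia". Sample inputs are
# constructed; the updates-list layout and the plazo date format are assumed.

# Constructed: the two-line "ip route" output quoted in the message.
SAMPLE_ROUTES='172.18.10.0/23 dev msh0 proto kernel scope link src 172.18.11.254
default via 172.18.10.1 dev msh0'

# Print the interface that carries the default route ("msh0" or "eth0").
# Reads "ip route" output on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Return 0 (true) when the default route uses interface $1.
# actualizador quits unless that interface is eth0.
default_route_is() {
    [ "$(default_route_dev)" = "$1" ]
}

# Print the gateway of the default route, i.e. the school server the
# script pings before doing anything else.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

# Term check used by policia: $1 is today, $2 the saved "plazo", both as
# YYYYMMDD integers (assumed format). Returns 0 when the term has passed,
# which is when the machine would be blocked.
term_expired() {
    [ "$1" -gt "$2" ]
}

# Constructed updates list ("actualizaciones"): one version per line.
SAMPLE_UPDATES='101
102
105
98'

# Print the versions on stdin that are newer than current version $1,
# the set actualizador would write to /tmp/instalables.
newer_versions() {
    awk -v cur="$1" '$1 + 0 > cur + 0 { print $1 }'
}

# Number of newer versions in the sample list; zero means "already at
# the latest version, quit".
count_newer() {
    printf '%s\n' "$SAMPLE_UPDATES" | newer_versions "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed inputs.
printf 'default route via %s on %s\n' \
    "$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)" \
    "$(printf '%s\n' "$SAMPLE_ROUTES" | default_route_dev)"
printf 'newer than 100: %s\n' "$(printf '%s\n' "$SAMPLE_UPDATES" | newer_versions 100 | tr '\n' ' ')"
```

<DIV>The example stops at the parsing and date logic. The GPG signature checks that gate both the per-serial blacklist and each update tarball in the real scripts are not reproduced here, and, as Tony notes above, the blacklist flag that policia reads is a plain local file on the XO, so it is a convenience setting rather than a tamper-resistant control.</DIV>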
<TABLE>
<TBODY>
<TR>
<TD>
<TR>
<TD><FONT size=1><BR></FONT>
<TABLE>
<TBODY>
<TR>
<TD>
<TD><FONT face="Microsoft Sans Serif" color=#0060a0 size=1><B>Tony
Pearson</B></FONT><FONT face="Microsoft Sans Serif"
size=1><BR>Senior Storage Consultant, IBM System
Storage™<BR>Telephone: +1 520-799-4309 | tie 321-4309 |
Cell: +1 520 990-8669<BR>email: tpearson@us.ibm.com |
GSA: http://tucgsa.ibm.com/~tpearson<BR>Blog:
http://www.ibm.com/developerworks/blogs/page/InsideSystemStorage
AKA: 990tony Paravane, eightbar specialist
</FONT></TR></TBODY></TABLE><BR>
<TR>
<TD></TR></TBODY></TABLE><BR></BODY></HTML>