During the XSCE (XS Community Edition) meeting tonight, someone brought up that Puppet for individual XOs would really be too much fuss, so is there something simpler and easier? I remembered that back in 2008, I had looked into Distributed Shell: <a href="http://wiki.laptop.org/go/Dsh">http://wiki.laptop.org/go/Dsh</a><br>
<br>Dsh is deprecated, but now there's something that seems a little more sophisticated. Parallel Distributed Shell (pdsh) is mostly like dsh, but now you can define groups, among other options. Very useful if you want to push different content to different grade levels or if the environment contains a mixture of XO flavors.<br>
<br>I have no idea how pdsh scales, just throwing this out as an idea. Client XOs don't need much setup, just add a key to authorized_keys and enable ssh.<br><br>What follows are very rudimentary instructions if you are curious and keen to hack around with this.<br>
<br>On the "Supervisor" machine:<br><br>Yum install this stuff on non-ARM Fedora machines:<br> pdsh<br> pdsh-mod-dshgroup<br> openssh-askpass<br><br>You have to compile it on the XO-1.75, as it's not in the repos, and you might need, in addition to the usual dev tools:<br>
libtool-ltdl-devel<br> mingw32-libltdl (not sure on this one?)<br><br>Compiling it on the XO-1.75 tonight was very, very ugly and I don't think it came out quite right, though eventually it did work. <br><br>There can be multiple Supervisor machines, just add their id_rsa.pub to the XO's authorized_keys file. Remember, this is all basically just ssh. <br>
<br>I know this is a no-no in "grownup security world," but for testing, put this at the bottom of /etc/ssh/ssh_config and then restart ssh:<br><br>Host *<br> StrictHostKeyChecking no<br><br>Generate keys on the Supervisor machine:<br>
<br>ssh-keygen<br><br>Fix permissions on Supervisor machine:<br><br>chmod 700 /home/olpc/.ssh<br>chmod 600 /home/olpc/.ssh/id_rsa<br><br>Set up your groups as the olpc user in /home/olpc/.dsh/group:<br>A flat text file with the IPs of your target XOs, one per line. For example, in my testing tonight, I have a couple of XO-1's in the xo1 group and a brand new XO4 (So cool, thanks Adam!) in the xo4 group. So in my /home/olpc/.dsh/groups dir, I have two text files: xo1 and xo4.<br>
<br>On the target XOs:<br><br>mkdir /home/olpc/.ssh<br><br>Append the Supervisor machine's public key, /home/olpc/.ssh/id_rsa.pub, to the target XO's /home/olpc/.ssh/authorized_keys (the private key, id_rsa, stays on the Supervisor):<br>cat id_rsa.pub >> /home/olpc/.ssh/authorized_keys<br>
<br>Permissions!<br><br>chmod 700 /home/olpc/.ssh<br>chmod 644 /home/olpc/.ssh/authorized_keys<br><br>Start ssh<br><br>sudo systemctl start sshd.service<br><br>Enable ssh on boot<br><br>sudo systemctl enable sshd.service<br>
<br>Here's a quick and dirty script I set up on my XS that makes the XO setup a matter of seconds. Just wget and then run, super simple.<br><br>---------------start my half a**sed script------------------------------<br>
<br>#!/bin/bash<br><br># -p: do not fail if the directory already exists (safe to re-run)<br>mkdir -p /home/olpc/.ssh<br><br># Insert the Supervisor machine's id_rsa.pub inside the quotation marks. Make sure it's a single line.<br>echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVail7ZD10xxowC3QlIAHPpUdIgo9JlaFboa2vGyjw1sGO2Pk5GhscA26wEGZkA6r2iH+ShiA5GB0+0yFsQwGgY3uU/BvdLNAJ03uIhQGRa9JW9cogFqM1PYR2Sd7Qm1LS/oQxWl0d7IDPJfziremMj4Zi5bcB9d9sxu5daFz1vjsbTTSnhX4xghIZMo3zGMqTWlvBsOHKDPfo3Y4G7pkJXNQ9mlMR61Et4owaXCDQtS/ACfuWuWPpfaOXDweRqQPRX0pmW3PRpjs48wySMYEk5PdSVGHFWIQItK5piAhquD01DXqnquIaF8d0QLTU+aRropX5nfGDyNPqtoMFBTGZ olpc@localhost" >> /home/olpc/.ssh/authorized_keys<br>
<br>chmod 700 /home/olpc/.ssh<br>chmod 644 /home/olpc/.ssh/authorized_keys<br><br>su -c 'systemctl start sshd.service'<br>su -c 'systemctl enable sshd.service'<br><br>---------------------end script-------------------------------------------------------<br>
<br>From the supervisor machine, you can test:<br><br>pdsh -g xo1 -g xo4 'aplay /usr/share/sounds/alsa/Noise.wav'<br><br>Did you hear something? Then it worked!<br><br>When I compiled pdsh on the XO 1.75, I don't think it turned out quite right. I had to put the full pathname to the groups:<br>
<br>pdsh -g /home/olpc/.dsh/groups/xo1 -g /home/olpc/.dsh/groups/xo4 'aplay /usr/share/sounds/alsa/Noise.wav'<br><br>It did work with my testing, don't misunderstand, and I should be happy that the workaround was simply that I had to enter the full pathname. Considering compiling stuff on the XO 1.75 sometimes ends in total disappointment, and I was just fiddling with it for a couple hours tonight, this turned out well considering.<br>
<br>What is also neato, you can download and run scripts from the XS or any web server. I just did a simple test with scripting the above aplay command. The -N flag on wget ensures that script.sh gets overwritten if it's been changed on the XS.<br>
<br>pdsh -g xo1 'wget -N <a href="http://schoolserver/olpc/script.sh">http://schoolserver/olpc/script.sh</a> && sh script.sh'<br><br>We're accustomed to running scripts with "su -c 'yum install something'" but that doesn't work. You can't do anything sudo via this. Though you probably could edit sshd_config on the XO clients, add authorized_keys to /root/.ssh and do up direct root pdsh.<br>
<br>Another thing, supposedly pdcp is like a bulk scp (imagine a teacher pdcp'ing a syllabus to all her students' XOs, for example), but I haven't managed to get it to work yet.<br><br><br>Relevant links:<br><a href="http://code.google.com/p/pdsh/">http://code.google.com/p/pdsh/</a><br>
<a href="http://jaclindley.com/2009/04/20/system-administration-pdsh/">http://jaclindley.com/2009/04/20/system-administration-pdsh/</a><br><a href="http://linux.die.net/man/1/pdsh">http://linux.die.net/man/1/pdsh</a><br><a href="http://linux.die.net/man/1/pdcp">http://linux.die.net/man/1/pdcp</a><br>
<br><br>Anna Schoolfield<br>Birmingham<br>
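<br><br>The key-install step on the target XOs, written as a re-runnable function that refuses a private key or a wrapped (multi-line) key and never appends the same key twice. This is an added example, not part of the original post; the function name install_pubkey is hypothetical, and it sets authorized_keys to the stricter mode 600 rather than the 644 used above (sshd accepts both).<br>

```bash
#!/bin/bash
# Added example (not from the original post).
# install_pubkey KEYFILE [SSH_DIR]   -- install_pubkey is a hypothetical name.
# SSH_DIR defaults to the olpc user's ~/.ssh used throughout the post.
install_pubkey() {
    local keyfile=$1 sshdir=${2:-/home/olpc/.ssh}
    local auth="$sshdir/authorized_keys" key

    # id_rsa (no .pub) is the private half and must never leave the Supervisor.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing: $keyfile is a private key" >&2
        return 2
    fi
    # A public key is exactly one line: "<type> <base64> [comment]".
    if [ "$(grep -c . "$keyfile")" -ne 1 ]; then
        echo "refusing: $keyfile is not a single line" >&2
        return 3
    fi
    key=$(grep . "$keyfile")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "refusing: unrecognized key type" >&2; return 4 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is not already present.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage on an XO, after copying the Supervisor's id_rsa.pub over:
#   install_pubkey ./id_rsa.pub
```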
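<br><br>The "wget -N ... && sh script.sh" step fetches over plain HTTP and runs whatever arrives on every XO in the group. The sketch below checks the download against a SHA-256 that the Supervisor supplies in the pdsh command line (which travels over ssh) before executing it. It is an added example, not part of the original post; run_if_verified and fetch_and_run are hypothetical helper names that would have to be installed on each XO first.<br>

```bash
#!/bin/bash
# Added example (not from the original post); helper names are hypothetical.

# run_if_verified FILE EXPECTED_SHA256
# Runs FILE with sh only if its SHA-256 equals the pinned value.
run_if_verified() {
    local file=$1 expected=$2 actual
    # The pinned value must be exactly 64 lowercase hex characters.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file, not running it" >&2
        return 1
    fi
    sh "$file"
}

# fetch_and_run URL EXPECTED_SHA256
# Downloads to a private temp file so nothing else can swap it before the check.
fetch_and_run() {
    local url=$1 expected=$2 tmp rc
    tmp=$(mktemp) || return 3
    wget -q -O "$tmp" "$url" && run_if_verified "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the Supervisor, pin the hash of the reviewed copy, then push the command:
#   sum=$(sha256sum script.sh | cut -d' ' -f1)
#   pdsh -g xo1 ". ./verify.sh; fetch_and_run http://schoolserver/olpc/script.sh $sum"
# (verify.sh is an assumed file name holding the two functions above.)
```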