[Server-devel] [PATCH] xs-refresh-xobuilds: If contents is missing, rm the build
We are not 100% atomic when we install a new build. If the contents file is missing, something is amiss. rm-fr and start again... --- xs-refresh-xobuilds.py |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/xs-refresh-xobuilds.py b/xs-refresh-xobuilds.py index c99dc15..5d2b802 100755 --- a/xs-refresh-xobuilds.py +++ b/xs-refresh-xobuilds.py @@ -83,7 +83,9 @@ def main(): for buildname in buildsbyname.keys(): bpath = os.path.join(BUILDSDIR,buildname) ppath = os.path.join(PACKEDDIR,buildsbyname[buildname]) -if options.force or not os.path.exists(bpath): +if (options.force +or not os.path.exists(bpath) +or not os.path.exists(os.path.join(bpath,'contents'))): installcmd = [ 'sudo', '-u', 'xs-rsync', os.path.join(os.path.dirname(sys.argv[0]), 'xs-publish-xobuild.py') ] if options.force: -- 1.5.5.1 ___ Server-devel mailing list Server-devel@lists.laptop.org http://lists.laptop.org/listinfo/server-devel
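Review bot: The widened condition in main() now re-runs xs-publish-xobuild.py when bpath exists but bpath/contents is missing, yet nothing in this hunk removes the partial directory, and the visible code adds a force option only under `if options.force:`. The commit message says the broken build is removed; either do that removal here before building installcmd, or confirm that xs-publish-xobuild.py copes with an existing, incomplete bpath when force is not set. A one-line comment above the three-part condition saying that a missing 'contents' file marks an interrupted install would also help the next reader.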
[Server-devel] [PATCH] Add support for usbmount triggers in xs-rsync
This is the first user of usbmount, so several things to note... - The usbmount scripts don't get a tty, which means that we need sudo to allow nontty usage (changed in xs-config for root) - We check manifest.md5 with a custom utility called xs-check-signature, initially a wrapper around md5sum that ensures that all files in the directory are in the manifest. This script is not included here. - We use /usr/bin/logger (to syslog) for output and logging, we log to the 'user' facility. Moodle will later have a 'tail -f /var/log/user.log'. - Stock syslog.conf in fedora drop the user messages, so xs-config has been updated to log to user.log - It is important to show progress towards completion so each msg has an indication of how far along we are. - We'll need to localise these. Tricky - --- Makefile|2 + usbmount-50-xs-rsync-installcontent | 62 +++ xs-rsync.spec.in|2 + 3 files changed, 66 insertions(+), 0 deletions(-) create mode 100755 usbmount-50-xs-rsync-installcontent diff --git a/Makefile b/Makefile index 729b0b4..f78173f 100644 --- a/Makefile +++ b/Makefile @@ -82,6 +82,8 @@ install: install -D -m 644 xinetd-xs-rsyncd.conf $(DESTDIR)/etc/xinetd.d/xs-rsyncd install -D -m 644 crond-xs-rsync.conf $(DESTDIR)/etc/cron.d/xs-rsync + install -D -m 755 usbmount-50-xs-rsync-installcontent $(DESTDIR)/etc/usbmount/mount.d/50-xs-rsync-installcontent + # root owned install -D -d $(DESTDIR)/library/xs-rsync install -D -d $(DESTDIR)/library/xs-rsync/xobuilds-packed diff --git a/usbmount-50-xs-rsync-installcontent b/usbmount-50-xs-rsync-installcontent new file mode 100755 index 000..9bfeed4 --- /dev/null +++ b/usbmount-50-xs-rsync-installcontent 
@@ -0,0 +1,62 @@ +#!/bin/bash -x +# Part of the xs-sync package +# Author: Martin Langhoff [EMAIL PROTECTED] +# Copyright: One Laptop per Child + +set -e + +VERBOSE=no + +# Log a string via the syslog facility. +log() +{ +if test $1 != debug || expr $VERBOSE : [yY] /dev/null; then + logger -p user.$1 -t xs-rsync[$$] -- $2 +fi +} +STEPS=5 + +if [ -e $UM_MOUNTPOINT/xs-xobuilds -a \ + -e $UM_MOUNTPOINT/xs-xobuilds/manifest.md5 ];then +log notice 'Found xobuilds to install!'; +log notice [1/$STEPS] Checking signature]; + +xs-check-signature $UM_MOUNTPOINT/xs-xobuilds/manifest.md5 + +log notice [2/$STEPS] Checking checksum on external disk; +pushd $UM_MOUNTPOINT/xs-xobuilds +md5sum -c manifest.md5 +popd + +## Do we have enough space? +# note: we could use awk {'print $4'} instead of the +# perl regex, but it breaks with long /dev nodes +# such as those from LVMs -which wrap. The regex captures the +# number just left of the number with the percentage sign. +NEED=`du -s -B1M $UM_MOUNTPOINT/xs-xobuilds | awk {'print $1'}` +HAVE=`df -B1M /library/xs-rsync | tail -n1 | \ + perl -pe 'm/(\d+)\s+\d+\%/; $_=$1;'` +if [ $NEED -gt $HAVE ];then + log err 'Not enough free space in /library for this xo image - cancelling'; + exit 1; +fi + +### Copy it first - as the media is bound to be slow +# - make this atomic by cp'ing to a tmpdir, and mv'ing into place +# to be fail-safe +# - remove - manifest.md5 +# - TODO? we could avoid cp'ing files we already have using +# rsync --copy-dest instead of cp +# +log notice [3/$STEPS] Copying xo-builds to xobuilds-packed; +TMPDEST=`mktemp -d -p /library/xs-rsync/tmp` +cp $UM_MOUNTPOINT/xs-xobuilds/* $TMPDEST +rm $TMPDEST/manifest.md5 +mv $TMPDEST/* /library/xs-rsync/xobuilds-packed/ + +log notice [4/$STEPS] Refreshing XO builds available; +(/usr/bin/xs-refresh-xobuilds.py 21 ) | logger -p user.debug -t xs-rsync[$$] +log notice [5/$STEPS] Finished - XOs can now update.; + + +fi # end if we have xs-xobuilds/manifest.md5 \ No newline at end of file 
diff --git a/xs-rsync.spec.in b/xs-rsync.spec.in index 0fc0c46..3b0f103 100644 --- a/xs-rsync.spec.in +++ b/xs-rsync.spec.in @@ -20,6 +20,7 @@ Requires: fakeroot Requires: fakechroot Requires: bash Requires: vixie-cron +Requires: usbmount %description XS rsync provides support for publishing resources on the XS via rsync. @@ -79,6 +80,7 @@ make install DESTDIR=$RPM_BUILD_ROOT %config(noreplace) %{_sysconfdir}/xs-rsyncd.conf.in %config(noreplace) %{_sysconfdir}/xinetd.d/xs-rsyncd %config(noreplace) %{_sysconfdir}/cron.d/xs-rsync +%config(noreplace) %{_sysconfdir}/usbmount/mount.d/50-xs-rsync-installcontent %dir /library/xs-rsync/xobuilds-packed %attr(755, xs-rsync, xs-rsync) %dir /library/xs-rsync/pub %attr(755, xs-rsync, xs-rsync) %dir /library/xs-rsync/pub/builds -- 1.5.5.1 ___ Server-devel mailing list Server-devel@lists.laptop.org
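Review bot: In usbmount-50-xs-rsync-installcontent, steps 1 and 2 (xs-check-signature and `md5sum -c manifest.md5`) both read manifest.md5 from $UM_MOUNTPOINT, the same removable media as the files it vouches for, so they show the copy is intact but not who produced it, and step 3 onward then publishes whatever passed into xobuilds-packed. The step labelled "Checking signature" should verify something the media cannot supply for itself, for example a detached signature over manifest.md5 checked against a key already installed on the server. Two smaller points in the copy block: the comment promises an atomic install, but `mv $TMPDEST/* /library/xs-rsync/xobuilds-packed/` moves the files one at a time, so a refresh that runs in between sees a partial set; and with `set -e` any failure after `mktemp -d` leaves $TMPDEST behind, so add a trap that removes it on exit. It is also worth checking that /library/xs-rsync/tmp is created at install time, since it is not among the directories visible in the Makefile context.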
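Review bot: In the second xs-rsync.spec.in hunk, 50-xs-rsync-installcontent is listed as %config(noreplace), but it is an executable hook (installed mode 755 by the Makefile) rather than a settings file. With noreplace, a server where the script was edited locally keeps its old copy on upgrade and receives the new one only as an .rpmnew file, so later fixes to the verification and copy logic would not take effect there. List it as a plain file, and if a site-tunable setting such as VERBOSE is wanted, read it from a separate config file.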
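The completeness check that the patch description attributes to xs-check-signature (every file in the directory must be in the manifest), written out in Python as an added example; it is not the project's xs-check-signature, which the post says is not included. It assumes a flat directory and md5sum-format manifest lines, and the function names and sample file names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

MANIFEST_NAME = "manifest.md5"
# md5sum line: 32 hex digits, a space, ' ' (text) or '*' (binary), file name.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_manifest(text):
    """Parse md5sum-format text into {name: digest}; raise ValueError on bad input."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = MD5SUM_LINE.match(line)
        if match is None:
            raise ValueError("line %d: not md5sum format" % lineno)
        digest, name = match.group(1).lower(), match.group(2)
        if name.startswith("./"):
            name = name[2:]
        # Assumption: the directory is flat (the hook copies with a plain
        # 'cp dir/*'), so a listed name may not contain a path separator.
        if "/" in name or name in ("", ".", "..", MANIFEST_NAME):
            raise ValueError("line %d: unacceptable name %r" % (lineno, name))
        if name in entries:
            raise ValueError("line %d: duplicate entry %r" % (lineno, name))
        entries[name] = digest
    return entries


def md5_of(path):
    """MD5 of a file, read in chunks so large images do not sit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_directory(dirpath):
    """Return a list of problems; an empty list means the directory passes."""
    try:
        with open(os.path.join(dirpath, MANIFEST_NAME), encoding="utf-8") as handle:
            entries = parse_manifest(handle.read())
    except (OSError, ValueError) as exc:
        return ["manifest unusable: %s" % exc]
    problems, on_disk = [], set()
    for name in sorted(os.listdir(dirpath)):
        if name == MANIFEST_NAME:
            continue
        full = os.path.join(dirpath, name)
        # Symlinks and subdirectories are refused outright: a link could point
        # outside the media, and a flat manifest cannot describe a tree.
        if os.path.islink(full) or not os.path.isfile(full):
            problems.append("not a regular file: " + name)
        else:
            on_disk.add(name)
    listed = set(entries)
    problems += ["unlisted file: " + n for n in sorted(on_disk - listed)]
    problems += ["missing file: " + n for n in sorted(listed - on_disk)]
    problems += ["checksum mismatch: " + n for n in sorted(on_disk & listed)
                 if md5_of(os.path.join(dirpath, n)) != entries[n]]
    return problems


def write_sample(dirpath, files):
    """Write constructed sample files plus a matching manifest.md5."""
    lines = []
    for name, data in sorted(files.items()):
        with open(os.path.join(dirpath, name), "wb") as handle:
            handle.write(data)
        lines.append("%s  %s" % (hashlib.md5(data).hexdigest(), name))
    with open(os.path.join(dirpath, MANIFEST_NAME), "w") as handle:
        handle.write("\n".join(lines) + "\n")


def demo():
    """Run the check on a constructed directory in three states."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        write_sample(top, {"build-a.img": b"constructed image bytes",
                           "build-a.contents": b"constructed listing\n"})
        results["clean"] = check_directory(top)
        extra = os.path.join(top, "extra.sh")  # file added after the manifest
        with open(extra, "wb") as handle:
            handle.write(b"#!/bin/sh\n")
        results["unlisted"] = check_directory(top)
        os.remove(extra)
        with open(os.path.join(top, "build-a.img"), "ab") as handle:
            handle.write(b"!")  # content changed after the manifest
        results["modified"] = check_directory(top)
    return results


if __name__ == "__main__":
    for state, found in demo().items():
        print(state, found)
```

A manifest that travels on the same media only shows that the copy is intact and complete; tying it to a publisher needs a signature over manifest.md5 checked against a key held on the server.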
Re: [Server-devel] Need help: mounting usb devices on headless machines
On Mon, Aug 11, 2008 at 12:49:06PM +1200, Martin Langhoff wrote:
> Well, it *seems* that I cannot get a bell to sound on any of the
> systems I can get my hands on today.

[...]

Systems that route the PC speaker into the mixer will also need alsamixer settings changed accordingly.

--
James Cameron mailto:[EMAIL PROTECTED] http://quozl.netrek.org/
[Server-devel] Warning: breakage updating xs-config
A few weeks ago Bryan and David reported breakage with xs-config, and over the last week over various tests we've had xs-config updates making a mess of already-configured XS setups. I haven't had a chance to look at it but yes, it is a high priority bug, and I'll be working on it asap.

Earlier updates to xs-config had been mainly tested in new installs or unconfigured XS setups. I also probably blamed something else for the breakage when I saw it. Now it's pretty clear and unambiguous *why* things are broken. I wish I had spotted this earlier - /

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
Re: [Server-devel] Warning: breakage updating xs-config
Martin Langhoff wrote:
> A few weeks ago Bryan and David reported breakage with xs-config, and
> over the last week over various tests we've had xs-config updates making
> a mess of already-configured XS setups. I haven't had a chance to look
> at it but yes, it is a high priority bug, and I'll be working on it asap.

Sorry, coming up to speed, Ticket number? Got some info on the method used, and what failed?

> Earlier updates to xs-config had been mainly tested in new installs or
> unconfigured XS setups. I also probably blamed something else for the
> breakage when I saw it. Now it's pretty clear and unambiguous *why*
> things are broken. I wish I had spotted this earlier - /

Based on my F9 testing, while you have xs-config open, can you remove syslogd from the requires? Syslogd will still be installed based on the comp.xml file anyway. Without removing this requires from xs-config, updating past F7 becomes impossible as syslogd was later renamed/replaced. The same goes for newt-perl in xs-pkgs. The package radvd also gave me problems, although I don't recall why. I ended up re-rolling xs-config and xs-pkgs to exclude these above packages.

F9 now installs the xs-config package, with one problem, the symlinks in /etc/rc.d/rc1.d/ 23456... don't get created, looks like those need to be copied over also with F9. Some other links were installed as file.olpcnew. also. I'll put together a list later if you want it.

Jerry
Re: [Server-devel] A simple signed bundle/directory trust scheme for the XS
Martin,

Thanks for your note. Unfortunately, it left me with more questions than with answers. Some questions include:

* What use cases are you trying to support?
* What threats obstruct supporting those use cases?
* What trust structure are you trying to create and how does it mitigate the threats while permitting the use cases?
* What algorithms are you going to use and why?
* What security properties are you trying to check?

(Perhaps you've already answered some of these basic questions elsewhere and you simply left out the citation?)

Two other comments:

If you want to go the route of 'signed content lives in directories', then please examine the programs in olpc-contents http://wiki.laptop.org/go/Olpc-contents and let us know in what way they can be improved before writing your own.

If you're more interested in 'signed content lives in archives', then JAR-signing might be for you!

Regards,

Michael

P.S. - In the future, please consider CC'ing the security@ list when you write security-related mail. Interesting people live there.
Re: [Server-devel] EduBlog: Looking for comments/bugs
Hi! I've got good and bad news. I tried BrowseNew, and it works fine for pictures uploading! As you can see, I could upload pictures from an XO for the edublog. Question: Isn't it possible to resize the picture? I also tried pasting pictures from the clipboard and from Write (Ctrl-C Ctrl-V) but it didn't work. Finally, I tried to upload a picture to make a new post from Blogger, but it just doesn't work :-( It seems popups are not working properly in this browser, so I can get to the picture upload page, select the image to upload, upload it, but I can never close the file uploading window! You can see the screenshot of the Uploading window in http://uruguay-xo-test.blogspot.com/2008/07/no-button.html... From this page, you can't go back to the post editing page :( I wonder if this version of the browser won't introduce new troubles... Saludos, Pablo Flores On Wed, Jul 23, 2008 at 11:15 AM, Greg Smith [EMAIL PROTECTED]wrote: Hi All, We are so close!! Awesome team! Now lets bring it home... We have a new version of browse. It only works on build 656 so do not install it on other images. Get it from: http://olpc.betarun.com/BrowseNew-1.xo Just point your XO browser at that and it will install. Can someone test the workflow of: 1 - create text and image in write 2 - open new browse 3 - go to EduBlog (you can use http://olpc.betarun.com/dev/ui/student_sp.php if the new URL/login is not clear) 4 - pick what you created from the journal/file picker and upload it to the blog. I'd like to hear that working on build 656 before I ask the alpha test teachers to try it. Please also give the new browser and the whole XO a sniff test to see if there are any regressions due to this new browse. Tarun, These instructions are good: http://wiki.laptop.org/go/EduBlog_Instructions but I need to the URLs and logins (leave the password out). The shorter the URL the better so maybe we will need a home page but leave that for later. 
Add the links to the doc and I think we are ready for alpha test. If its not too hard, I think the new write with name changed and in .xo format may be useful. If you can make and post that too, I think we may need it. FYI I pasted the Moodle instructions and URLs below. E-mail me for a password if you want to try this out. Thanks, Greg S Hi, I just did a test, and it looks like everything is working decently. I'd be happy to hear anyone's comments on the UI and if there are any major bugs that need to be fixed before the beta test. Please don't send these links out to too many people, they are to the unstable version. When everything is working, it will be transferred to the stable area linked to from the main site. (Also why I did not send this out to any public list). For testing, I've only made three accounts: tarun (Admin), student, teacher. All three have the root password as the password. The pages that comprise EduBlog (only one blog set up right now) are: Local Blog (Need Student Login): http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/view.php?id=3 New Post (Need Student Login): http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/editpost.php?blog=2 New Blog (Need Teacher Login): http://edublog.venango.org/test/EduBlog/moodle/course/modedit.php?add=oublogtype=course=2section=0return=0 Manage Remote Blogs (Need Teacher Login): http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/manageremoteblogs.php Anyone using build 656 will need to install a patched version of Browse to get the image upload to work. I had planned on attaching these, but my mail client is not cooperating with me at the moment. I will send them out later. You will need to remove the old versions first. Image upload also still needs to be made IE compatible. Other features all work in IE. It should take you to a login screen and after logging in, you should see the appropriate page. 
There are a few critical bugs I've already found, so please don't report these: 1) Required message shows up on tinyMCE with content and has to be submitted twice. 2) Clicking manage remote blogs when creating a blog results in loss of data entered. 3) Preview does not work on XO. The IFrame ends up being blank. 4) Kids cannot post directly, teachers have to do publishing (more of an added feature than a bug) We also need to resolve how to do auth. Two ideas come to mind: Name Only (No PW), Rename Password to Birthday or something the kids will be familiar with (a tiny bit more secure). In both cases, I'm trying to figure out how to make the info stored in a cookie so they will have to login infrequently. Support for uploading from Write will be challenging. The version of libabiword in 656 does not properly support any popular format that I am aware of despite what abiword says (tried rtf and odt and xhtml) (xhtml does not do images, odt and rtf just don't work). This means I need to figure out how to
Re: [Server-devel] Static Ip settings
The comment about Debian version reminds me to ask about man and info pages. Is there a set of man pages that matches the packages for various XO installations? Since XO disk space is small I expect an online or school server cache

On Sat, Jul 26, 2008 at 5:08 PM, James Cameron [EMAIL PROTECTED] wrote:
> On Sun, Jul 27, 2008 at 09:40:04AM +1100, David Leeming wrote:
> > Thanks James, I think this was a case of a typo and fixation with the
> > error staring me in the face!! Sometimes one should look for the
> > obvious!!! ;-)
>
> I used the Debian version of ipcalc in my reply. Should you need it,
> another variant of ipcalc is on the XO, as part of the initscripts
> package, but it has different syntax ...
>
> $ ipcalc --netmask 202.0.158.96/29
> NETMASK=255.255.255.248
>
> --
> James Cameron mailto:[EMAIL PROTECTED] http://quozl.netrek.org/

--
T o m M i t c h e l l
mitch-at-niftyegg-dot-com
Re: [Server-devel] EduBlog: Looking for comments/bugs
With the moodle interface I just couldn't upload a picture from the XO...

Regards,
Pablo Flores

On Wed, Jul 23, 2008 at 2:38 PM, Tarun Pondicherry [EMAIL PROTECTED] wrote:
> Hi Pablo,
>
> > I tried BrowseNew, and it works fine for pictures uploading! As you
> > can see, I could upload pictures from an XO for the edublog.
> > Question: Isn't it possible to resize the picture?
>
> I think the problem I found is different than what you are reporting.
> Can you see if the issue also arises for you from the Moodle post blog
> page?
> http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/editpost.php?blog=2
> Clicking on the image should give you resize handles and let you resize
> it.
>
> Thanks,
> Tarun
[Server-devel] Testing EduBlog
I've just done a test sequence on EduBlog and have a lot of comments and questions, so let's start step by step...

*Creating a new blog*

- The login page isn't in Spanish
- I'm not sure how to manage users with EduBlog I think we should start a wiki page to start documenting (and discussing it). Volunteers? :-)
- In the Adding a new OU blog form, I can't access the Manage Remote Blogs button, it takes me to a page that says Sorry, but you do not currently have permissions to do that ([[oublog:manageremoteblogs]]) More information about this error http://docs.moodle.org/en/error/moodle/nopermissions. *
- It would be better if some options could be hidden, like Common module settings.

*New blog post*

- From the moodle interface, I couldn't upload any picture. I could use the other interface ( http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/editpost.php?blog=2), but with this one I cannot select the blog to post to. *
- I tried to upload a Write document, but I couldn't from any of the interfaces (am I doing right? I tried to upload the file as an image).

I marked with * the points I find more important.

I also would like to summarize some points of how the daily work would be. Let's see...

- First of all, the teacher will have to get a user and password for the system.
- The teacher creates a new blog using the interface http://edublog.venango.org/test/EduBlog/moodle/course/modedit.php?add=oublogtype=course=2section=0return=0
- All of her children have to get a user and password.
- Then, the teacher can propose some work to be done, for which children will have to make their posts to the blog. To do so, children will have to access to the blog page (the moodle one), and click on New blog post.
- As children submit their posts, the teacher will be able to see them in the blog page. Children will only see their own posts and the ones already approved by the teacher. Question: How can a child know if his post was approved?
- The approved posts will go public, depending on the configuration: If there is a remote blog configured (blogspot for instance), they will appear there. If it's local only, it will be seen by others, depending on the visibility configuration of the blog.

All agree with this?

Regards,
Pablo Flores
Re: [Server-devel] Testing EduBlog
Saludos, Pablo Flores On Wed, Jul 30, 2008 at 5:34 AM, Tarun Pondicherry [EMAIL PROTECTED] wrote: Hi, *Creating a new blog * * The login page isn't in spanish The UI can be switched to Spanish easily, this will be done in the next update after we get abiword working. Great! * I'm not sure how to manage users with EduBlog I think we should start a wiki page to start documenting (and discussing it). Volunteers? :-) I'm not sure the best way either. There are many many options. I thought the easiest is to just do a bulk upload of all the students. We can also allow students to register themselves or an admin to enter all of them. Comments on which would be best would be really helpful. Students also should only have to login once. Yes, maybe the best way is making a registration form. Once the child is registered, it shouldn't be asked the user/password everytime, it should stay registered in the laptop. One important feature would be letting children use different registration systems, like OpenId... Having many user/password is very confusing for children and even more for teachers! * In the Adding a new OU blog form, I can't access the Manage Remote Blogs button, it takes me to a page that says Sorry, but you do not currently have permissions to do that ([[oublog:manageremoteblogs]]) More information about this error http://docs.moodle.org/en/error/moodle/nopermissions. * I will look into this, but you need teacher not student login. If you are logged in as student, you would have to logout. It doesn't work logged in as teacher. Do teacher's and students share the same machine? Let's assume that teacher do their managing tasks (creating blogs, etc.) from their own laptops. * It would be better if some options could be hidden, like Common module settings. This will be done in the next update. There is button to show all the advanced options at the bottom if needed. Ok. *New blog post* * From the moodle interface, I couldn't upload any picture. 
I could use the other interface ( http://edublog.venango.org/test/EduBlog/moodle/mod/oublog/editpost.php?blog=2 ), but with this one I cannot select the blog to post to. * For this demo, there was only one blog. The jump to link at the top right was to be used to select other blogs. Perhaps it should be repositioned? Mmmh... students should select the blog in which they'll be working before starting to write the post... otherwise could lead to a lot of confussion in the class... * I tried to upload a Write document, but I couldn't from any of the interfaces (am I doing right? I tried to upload the file as an image). Not implemented yet, hopefully this will work after we get abiword on the server. Ok. I also would like to summarize some points of how the daily work would be. Let's see... * First of all, the teacher will have to get a user and password for the system. * The teacher creates a new blog using the interface http://edublog.venango.org/test/EduBlog/moodle/course/modedit.php?add=oublogtype=course=2section=0return=0 http://edublog.venango.org/test/EduBlog/moodle/course/modedit.php?add=oublogtype=course=2section=0return=0 * All of her children have to get a user and password. Yes, and it will be saved on the XO so only needs to be entered one time. Ok! * Then, the teacher can propose some work to be done, for which children will have to make their posts to the blog. To do so, children will have to access to the blog page (the moodle one), and click on New blog post. * As children submit their posts, the teacher will be able to see them in the blog page. Children will only see their own posts and the ones already approved by the teacher. Question: How can a child know if his post was approved? Hm, I did not think of this. We could automatically post a comment locally. What would you suggest? I'm not sure how teachers and students communicate on the XO. 
We discussed this issue time ago with some friends of a graphics design company that was studying how children interfaces should be. The conclusion we arrived to is that the best would be to remark the state of the post graphically on the blog. For instance, keeping in gray the posts that are still not approved. I don't know if it can be implemented easily. Teachers could also use the comments form to give feedback, although the most common way would be the straight talk in the class... * The approved posts will go public, depending on the configuration: If there is a remote blog configured (blogspot for instance), they will appear there. If it's local only, it will be seen by others, depending on the visibility configuration of the blog. All agree with this? That looks to be all in accordance with what we are
[Server-devel] Help
Hi Martin, how is everything going? As Edgar already told you, we have not yet configured the server. I am going to ask the relevant questions on the server-devel list, as you recommended. If you need more information, let me know and I will send it to you. Thank you very much for the help.

--
Hard and effective work in memory of Tim Russert

Luís Fernando Sánchez Hurtado
Executive Director
Fundación Marina Orth
Tels (4) 3412359 / 3117691792
www.fundacionmarinaorth.org
[Server-devel] ds-backup - help with a trial happening right now
Hi all,

I am in the middle of a largish trial, 500 children, and wanted to get the backup going. Michael Stone was great to help me understand where ds-backup is up to and I'm keen to install, test and contribute to the ds-backup project however I'm rolling out 703 imaged laptops as we need them to the stable for this deployment and apparently the software doesn't work on 703.

Can anyone help me out with this? The trial is the first 100% saturation in the world, and as I am leaving in 2 days I was hoping to have it fairly done by the time I leave, however I can always return if necessary or work with the local people to make updates.

I'm on the IRC #olpc and #sugar channels on freenode as email here is really hard/slow.

Many thanks!

Pia Waugh
Re: [Server-devel] [Olpc-france] Fuloong2F (lemo te.com) : group buy/achat groupé
Hello Sami,

On Thursday 31 July 2008 13:14:55 [EMAIL PROTECTED], you wrote:
> Hi,
>
> We at OLPC France are planning to test the installation of a XS server
> on various compact and low power architectures. Our next try will be the
> Fuloong 2F model of lemote.com. The specifications are detailed above.
> One unit costs USD 230. I am planning to sell 1 or 2 units
>
> 1 pcs : USD 318, 230(computer)+88(shipping cost by DHL)
> 2 PCs : USD 568, 460(computers)+108(shipping cost by DHL)
>
> If someone (ideally in France) is interested by a group buy/achat
> groupé, in order to reduce the shipping cost, please let me know.

Add one for me :p Thanks

> Best regards,
> Samy
>
> MIPS based machine.
>
> Item  Part                 Detail
> 1     CPU                  Loongson 2F CPU 800M~900M
> 2     System Memory        DDR2 512MB
> 3     Hard Disc            2.5'' 80GB
> 4     Graphics             XGI V2
> 5     Networking           Ethernet 10/100
> 6     I/O ports            USB 2.0 x 4, Line-in x 1, Microphone in x 1,
>                            Ethernet RJ-45 x 1, VGA out x 1,
>                            Infrared interface x 1, DVI x 1, S-Video x 1
> 7     LED                  Power Indicator, Hard disc Indicator
> 8     Button               Power Button, Reset Button
> 9     Power Consumption    less than 11W (average)
> 10    Mainboard Dimension  18cmx14cmx3cm
> 11    Size                 190mm×145mm×37mm
> 12
>
> ___ Olpc-france mailing list [EMAIL PROTECTED] http://lists.laptop.org/listinfo/olpc-france

--
Best regards, Florian Fainelli
Email : [EMAIL PROTECTED]
http://openwrt.org
Re: [Server-devel] EduBlog: possible issues with WriteNew
Hi Tarun,

Not sure I fully understand that but it doesn't seem like a critical issue to me. The workflow I think we should support if we can is:

- Open write
- Add text and images
- Exit write (Keep first or just exit)
- Open Browse
- Click insert image link in EduBlog
- Pick Write document off the Journal and insert it in to Blog post

Is that right? Sounds like you are saying that the work flow of Open Write document from journal will not get you to EduBlog. If that is the only problem, I wouldn't worry about it too much.

Thanks,

Greg S

Tarun Pondicherry wrote:
> Hi Greg,
>
> I've noticed a few issues we could have with the new image supporting
> Write. Since the XO defaults to open up Journal files of that format in
> the original Write, kids who use Journal to open up files could get
> confused when they are working. I think resolving this means changes to
> the mime handlers for files, which would need root access to alter. I'm
> wondering if this is a major issue, or if we can avoid worrying about it
> for the time being.
>
> Thanks,
> Tarun
Re: [Server-devel] Testing EduBlog
Hi Tarun! I agree with Greg you've done an excellent work! We will always have new requirements, which mean new schedules, but it doesn't mean you didn't meet yours. Thank you! Best regards, Pablo Flores On Fri, Aug 1, 2008 at 9:08 AM, Greg Smith [EMAIL PROTECTED] wrote: Hi Tarun, Thanks. I think Pablo is the primary driver of requirements and priorities now. As long as he appreciates that we only have one more week of coding time, we should try to do whatever he needs to get us to Beta and real blog posts from real schools. You have done a super job! Way above and beyond the call of duty and beyond all expectations. The Abiword conversion thing is really tough but its a huge win if it allows uploading images from Write to EduBlog. We changed the requirements. So you didn't miss the deadline, we missed the requirements. Feel free to use that one in the future if you have another paid programming job :-) Have a good trip back and thanks a lot for your hard work. Greg S Tarun Pondicherry wrote: Hi Greg, FYI presentation will be in 1CC at 12:30 - 1:30 US ET Friday so please don't mess with the server for that hour. We won't touch the server until after the demo is all done. Especially since this abiword stuff affects the whole server and is therefore potentially dangerous. Send over any presentation or demo stuff you have done already (we will use it eventually) but top priority is doing what Pablo needs to start the beta. If all goes perfectly well, we should be ready by Wednesday, Friday if there are minor glitches. Sorry for missing the August 1st target, I did not foresee this Write issue in 656. Marcel made good progress in getting abiword installed and there are now a few dependencies to resolve. I am mostly trying to perfect the UI with Pablo's suggestions and we can test both areas of work after abiword is installed. I like your idea of using the mockup/backup for the demo. 
I just tested the version at: http://edublog.venango.org/test/EduBlog/mockup/ui/student_sp.php and it is working. In the event something goes wrong with that, the older version at: http://olpc.betarun.com/dev/ui/student_sp.php is also still up. == Also, I'm flying back Friday night and will be offline until Monday. == Thanks, Tarun ___ Server-devel mailing list Server-devel@lists.laptop.org http://lists.laptop.org/listinfo/server-devel
[Server-devel] DNS Connectivity Issues
Today just after noon (edt) our Qwest internet connection (not the one the EDU server is on) went down. I was in the middle of upgrading the DNS servers so it frustrated that task enormously. Qwest seemed to have the service more or less restored by 4:30 PM or so.

At that time I noticed an email from ATT saying that they had monitored outages on our ATT circuit (the one the EDU server is on). Apparently this was of an intermittent nature. Apparently Verizon had a fiber cut somewhere.

The result is that DNS was probably down for 5+ hours and the connection otherwise intermittent. There may still be DNS issues but I am too tired to dig too deeply until tomorrow.

65.118.27.2 was probably configured as a secondary dns in /etc/resolv.conf on edublog. It might be better to change that to 208.67.222.222 (opendns.org) as 65.118.27.2 is no longer active.

Glen
Re: [Server-devel] Understanding the network scripts on F7-based XS
Martin Langhoff wrote:

Our current network migration scripts are reportedly built on interfaces that are F7 specific. To reimplement them on F9, we need to understand what they do. Jerry is knowledgeable in F9's networking and has offered help with the port.

The first step is to understand what the current scripts do - separated from the how. So I will try to outline the design and behaviour of the current scripts.

The first point of entry is reading the whole Networking section in this page. All of it :-) http://wiki.laptop.org/go/XS_Configuration_Management#Networking

Nice overview.

It introduces
- network_config
- principal_config
- auxiliary_config

These scripts deal with
- Configuring network interfaces
- 1 NIC scenarios have eth0 as WAN / 2 NIC scenarios add eth1 as LAN
- Can set preferential MAC address prefix for some interfaces. This can be used by the NOC team to get the right NIC setup as eth0.
- Sets up the pair of ethX/mshY interfaces that are attached to every Active Antenna.
- Sets up all the bridges between the interfaces considered LAN
- Picking non-conflicting IP addresses for auxiliary servers.
- Sets the router address for auxiliary servers
- Very rough service chkconfig configuration for the auxiliary vs primary servers
- Rough firewall config for primary/auxiliary servers

That I can help with also, I'm very (too?) familiar with shorewall, http://www.shorewall.net

The top of each script - after the GPL - has an extensive comment explaining what it does. And after that, you can scroll down to the 'main' block -- I find both very readable.

The scripts are here if you don't have a checkout http://dev.laptop.org/git?p=projects/xs-config;a=tree;f=fsroot.olpc.img/etc/sysconfig/olpc-scripts;h=dada76a2869dc95c5f538adfa45a2e538dc1d998;hb=HEAD

Yea, was reading on the weekend.

The 3 scripts make sense to me - - I would attack it with a get-to-work-stable-on-f9 focus, roughly:

- Can we make the networking configuration work in a stable manner on F9?

Might just work, as is, with what you have now, just not with Network-Manager at the moment.

Do we need to hook into the events infrastructure so when an ethernet cable gets plugged into an if we do the right thing? Could we make it so that we autodetect and configure an AA on usb connection?

That would be a Dbus/Network-Manager thing, you're talking usb event driven responses here, right?

- Can we allow additional MAC prefix preferences to be read from an optional config file so that a NOC team can override things easily?

How many different MAC prefixes are there? Shoot, can't find my web-link to a site that had a db of them all.

- Can we consolidate the code / remove duplication? (trivial ;-) )

Could move all the functions into a single file to be sourced.

- Can we remove the service mgmt from it? :-)

Sorry, can't find that part at the moment, which file?

Jerry, does that help? It is meant as a complement while reading the src... BTW, I am tracking this on https://dev.laptop.org/ticket/7672

Much clearer, thanks, reading src without context leaves you wondering...

Jerry
Re: [Server-devel] Need help: mounting usb devices on headless machines
Martin Langhoff wrote:

On Thu, Aug 7, 2008 at 9:19 PM, Martin Langhoff [EMAIL PROTECTED] wrote:

FWIW, I've imported the history into git, made some minor changes and it installs and works on F7.

git git://dev.laptop.org/users/martin/usbmount.git
gitweb http://dev.laptop.org/git?p=users/martin/usbmount.git;a=summary

Right, Makefile and spec file in the repo linked above, initial SRPM right here. http://fedora.laptop.org/xs/testing/olpc/7/source/SRPMS/usbmount-0.15.4.olpc-1.xs7.src.rpm

It's a trivial rpm, review patches welcome

Are you going to submit it for review in Fedora?

Rahul
Re: [Server-devel] VoIP
Martin Langhoff wrote:

On Mon, Aug 11, 2008 at 4:35 AM, Tim Moody [EMAIL PROTECTED] wrote:

What are the bandwidth requirements for these various voip strategies, sip, iax2?

Not sure (google away!) - but the latency requirements are very tight for many (most?) of our deployments.

cheers, m

Hi,

Bandwidth requirements will depend on the underlying codec used to compress the audio. If you look at http://www.voip-info.org/wiki/index.php?page=Asterisk+bandwidth+iax2 you'll see approx. bandwidth numbers + overhead for different codecs. Speex info is at http://www.voip-info.org/wiki/view/Speex

SIP simply establishes the connection and then hands it over to RTP (basically, SIP is establishing RTP ports on both sides). The significant difference between IAX and SIP is that IAX will use the same port for establishing the connection *and* for carrying the signal across (UDP 4569), which makes it easier to use across NATed networks. I've used IAX over three NATs (just for fun) and it still works:-)

SIP over NAT is troublesome, the problem being that SIP establishes the RTP port of the *private* IP (behind the NAT fw), which isn't routable from the public side...it will work, but requires port forwarding or tunneling. See http://freshmeat.net/articles/view/2079/ for more details.

So, we will need to pick a transport mechanism (SIP, IAX2, etc) and a codec that is good enough for low bandwidth requirements. Then there is the issue of jitter (jitter...sounds...like...this) which is now handled satisfactorily in Asterisk for IAX-based systems.

Sameer
--
Dr. Sameer Verma, Ph.D.
Associate Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/
http://opensource.sfsu.edu/
Re: [Server-devel] unregister from schoolserver
On Sun, Aug 10, 2008 at 23:55, Martin Langhoff [EMAIL PROTECTED] wrote:

On Sun, Aug 10, 2008 at 8:15 PM, Simon Schampijer [EMAIL PROTECTED] wrote:

I was wondering what should/must happen on the server side when an xo wants to unregister. Is there already a command for that? http://dev.laptop.org/ticket/7765

None on the server side, and I don't know if there should be one - there is no useful use case for it. It's OK for the XO to 'forget' its registration and not tell the server so as to be free to register to another server.

Use cases are for testing and for change of school.

The XS will probably learn (later) to forget accounts that it has not seen in a very long time.

There is an ejabberdctl delete-older-users command mentioned on http://wiki.laptop.org/go/Ejabberd_Configuration#Tips to remove users who haven't logged in for some time period.

Presence Service automatically reregisters on the jabber server if it gets an authentication error, so we don't track whether you are registered on the server or not, any more - it just does the right thing.

Regards

Morgan
[Server-devel] installing a school server
Subject: Re: [Server-devel] installing a school server
To: Joshua N Pritikin [EMAIL PROTECTED]

Just to get something working, I installed Ubuntu with Squid/Dansguardian. I have about 200Gb of hard drive and 2G RAM. Can I get an ext2 image of the school server and load it on a logical partition?

I prefer to store anything important on LVM+RAID1. Does the school server understand this disk format?

Yes, but you will need to tweak the kickstart file on the image (no "do your own partitioning" option yet, sorry). By default, the XS install CD will wipe the disk and set up an LVM (w/o RAID).

Joshua, I have documented some of the challenges with LVM+RAID1 here: http://wiki.laptop.org/go/User:Az990tony/edublog-beta-sw

You can do RAID1 on a single drive, but it doesn't provide any added protection.

To customize the XS ISO so that it allows your own partitioning, the process is here: http://wiki.laptop.org/go/User:Az990tony/squashfs-surgery

Tony Pearson (az990tony)
Re: [Server-devel] A simple signed bundle/directory trust scheme for the XS
On Tue, Aug 12, 2008 at 2:24 AM, Michael Stone [EMAIL PROTECTED] wrote:

* What use cases are you trying to support?

Insert a usb stick with content that is OK'd by the regional NOC (network operations centre) for execution/installation on the XS.

* What threats obstruct supporting those use cases?

Content could be modified on the way to insert evil sharks with frikking lasers into the XS.

* What trust structure are you trying to create and how does it mitigate the threats while permitting the use cases?

As I've written, we trust keys put in place at install time. Install time is privileged, root user is privileged.

* What algorithms are you going to use and why?

Whatever GPG uses for signatures, SHA1 for file integrity because I'd be an idiot to try and be smarter than crypto researchers.

* What security properties are you trying to check?

Signed by the NOC, not changed.

(Perhaps you've already answered some of these basic questions elsewhere and you simply left out the citation?)

I could cite ISBN: 978-0-7645-1679-5 :-)

I'll look at JAR signing and olpc-contents. Thanks for the pointers...

cheers,

m
-- [EMAIL PROTECTED] [EMAIL PROTECTED] -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff
[Server-devel] [PATCH] Restrict XO users using rssh
As per ticket #7606, until now XO users have had full shell access over ssh. This (with related commits in ds-backup and xs-config), confines them to rsync over ssh only. The update_users.py script fixes existing users, while create_user will now set the shell of new users. The users' group is also set to xousers, which will allow further restrictions in due course. diff --git a/Makefile b/Makefile index c87dd6f..59b425d 100644 --- a/Makefile +++ b/Makefile @@ -20,16 +20,17 @@ CREATE_REGISTRATION = create_registration LIST_REGISTRATION = list_registration IDMGR_INIT = idmgr IDMGR_CONFIG = idmgr.conf +UPDATE_USERS = update_users.py # This is a directory (w. subdirectories) SERVER = idmgr/ # All scripts SRC_FILES = $(CONF_SRC)/$(CREATE_USER) $(CONF_SRC)/$(CREATE_REGISTRATION) \ $(CONF_SRC)/$(LIST_REGISTRATION) $(CONF_SRC)/$(IDMGR_INIT) \ - $(CONF_SRC)/$(IDMGR_CONFIG) + $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS) FILES = $(BIN_DST)/$(CREATE_USER) $(BIN_DST)/$(CREATE_REGISTRATION) \ $(BIN_DST)/$(LIST_REGISTRATION) $(INIT_DST)/$(IDMGR_INIT) \ - $(CONFIG_DST)/$(IDMGR_CONFIG) + $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS) # install rules $(DESTDIR): @@ -47,6 +48,9 @@ $(CONFIG_DST): $(DESTDIR) $(BIN_DST)/$(CREATE_USER): $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) cp $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) +$(BIN_DST)/$(UPDATE_USERS): $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST) + cp $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST) + $(BIN_DST)/$(CREATE_REGISTRATION): $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST) cp $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST) diff --git a/conf.schoolserver/create_user b/conf.schoolserver/create_user index 55e5cfe..40f63e3 100755 --- a/conf.schoolserver/create_user +++ b/conf.schoolserver/create_user 
@@ -38,11 +38,17 @@ read uuid read pubkey homedir=/library/users/$username +XO_USERS_GROUP=xousers + +#make sure the xousers group exists +getent group $XO_USERS_GROUP /dev/null 21 || groupadd $XO_USERS_GROUP if getent passwd $username /dev/null 21; then true # User exists -else -/usr/sbin/adduser -c $full_name -d $homedir $username || die Unable to create user +else +/usr/sbin/useradd -c $full_name -d $homedir \ +-G $XO_USERS_GROUP -s /usr/bin/rssh $username \ +|| die Unable to create user echo $uuid | passwd --stdin $username || die Unable to set password fi diff --git a/conf.schoolserver/update_users.py b/conf.schoolserver/update_users.py new file mode 100755 index 000..3684f08 --- /dev/null +++ b/conf.schoolserver/update_users.py 
@@ -0,0 +1,62 @@ +#!/usr/bin/python +# +# update_users.py +# +# In the past, when an XO user registered, they were given their own +# group and no more. Now we want them to all be in the same group +# because it makes the management of restricted ssh access (and +# possibly other things) easier. + +#The group we are using is xousers, and we're finding the XO users +# by the location of their home directories. + + +import os +import sys +import pwd, grp +import subprocess + +XO_USER_HOME = '/library/users' +XO_USER_GROUP = 'xousers' +RSSH_PATH = '/usr/bin/rssh' + +# first, make sure the group is there +# much like `getent group xousers || groupadd xousers` +try: +group = grp.getgrnam(XO_USER_GROUP) +except KeyError, e: +print sys.stderr, e +result = subprocess.call(['groupadd', XO_USER_GROUP]) +if result: +raise RuntimeError(couldn't add %s group % XO_USER_GROUP) + +# just make sure the rssh executable is there +if not os.access(RSSH_PATH, os.F_OK | os.R_OK | os.X_OK): +raise RuntimeError(%s seems to be missing or otherwise inaccessable % RSSH_PATH) + + +# now find each user who has a /library/users/* home directory and try +# to change their group. +# Execution will stop when one fails BUT any users who's groups have +# been changed will not be changed back. + +users = [ x for x in pwd.getpwall() + if os.path.dirname(x.pw_dir) == XO_USER_HOME ] + +for user in users: +#if for some reason the user's name isn't already a group (e.g., +#they were created with `usermod -g some-other-group`. +try: +group = grp.getgrnam(user.pw_name) +except KeyError, e: +print sys.stderr, e +result = subprocess.call(['groupadd', user.pw_name]) +if result: +raise RuntimeError(couldn't add %s group % XO_USER_GROUP) + +result = subprocess.call(['usermod', '-g', user.pw_name, '-G', XO_USER_GROUP, + '-s', RSSH_PATH, user.pw_name]) +if result: +raise RuntimeError(couldn't change group for user %s (out of %s) + % (user.pw_name, users)) + 
diff --git a/idmgr.spec b/idmgr.spec index 5616a7f..bc00da0 100644 --- a/idmgr.spec +++ b/idmgr.spec @@ -35,6 +35,8 @@ fi if [ ! -d /library/users/ ] ; then mkdir -p /library/users
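Review bot: In update_users.py, the RuntimeError raised when 'groupadd user.pw_name' fails inside the 'for user in users' loop formats XO_USER_GROUP into its message, so it reports a failure to add xousers rather than the per-user group that actually failed; pass user.pw_name there. The last RuntimeError interpolates the whole 'users' list as "(out of %s)", which dumps every passwd entry into the message; len(users) or the list of names would read better. The script's own comment says a failure mid-loop leaves earlier users changed and later ones untouched, so logging each user as it is converted would show where a partial run stopped.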
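Review bot: In the create_user hunk the 'if getent passwd $username' branch is still 'true # User exists', so an account that already exists keeps whatever shell it has and only the new useradd path sets /usr/bin/rssh. Existing accounts are therefore confined only once update_users.py has been run, and the idmgr.spec hunk is cut off here before it shows whether the package runs it on upgrade; please confirm that it does. update_users.py also checks that /usr/bin/rssh is present and executable before touching any account, while create_user sets the shell without that check; the same test, or a package dependency on rssh, would keep the two paths consistent.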
[Server-devel] [PATCH] No passwords for XO users, and packaging improvements
XO users were being given their UUIDs as passwords, which was unnecessary. In case the user storage system changes again in the future, the post installation scripts reference /home/idmgr/storage_format_version to decide what to do. diff --git a/Makefile b/Makefile index 59b425d..fad74be 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,8 @@ # This Makefile installs the OLPC ID Management Service NAME = idmgr -VERSION = 0.1.1 -RELEASE = 2 +VERSION = 0.1.2 +RELEASE = 3 ARCH = noarch # install root @@ -20,17 +20,17 @@ CREATE_REGISTRATION = create_registration LIST_REGISTRATION = list_registration IDMGR_INIT = idmgr IDMGR_CONFIG = idmgr.conf -UPDATE_USERS = update_users.py +UPDATE_USERS_01 = update_users_0_to_1.py # This is a directory (w. subdirectories) SERVER = idmgr/ # All scripts SRC_FILES = $(CONF_SRC)/$(CREATE_USER) $(CONF_SRC)/$(CREATE_REGISTRATION) \ $(CONF_SRC)/$(LIST_REGISTRATION) $(CONF_SRC)/$(IDMGR_INIT) \ - $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS) + $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS_01) FILES = $(BIN_DST)/$(CREATE_USER) $(BIN_DST)/$(CREATE_REGISTRATION) \ $(BIN_DST)/$(LIST_REGISTRATION) $(INIT_DST)/$(IDMGR_INIT) \ - $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS) + $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS_01) # install rules $(DESTDIR): @@ -48,8 +48,8 @@ $(CONFIG_DST): $(DESTDIR) $(BIN_DST)/$(CREATE_USER): $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) cp $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) -$(BIN_DST)/$(UPDATE_USERS): $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST) - cp $(CONF_SRC)/$(UPDATE_USERS) $(BIN_DST) +$(BIN_DST)/$(UPDATE_USERS_01): $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST) + cp $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST) $(BIN_DST)/$(CREATE_REGISTRATION): $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST) cp $(CONF_SRC)/$(CREATE_REGISTRATION) $(BIN_DST) 
@@ -69,7 +69,7 @@ $(CONFIG_DST)/$(IDMGR_CONFIG): $(CONF_SRC)/$(IDMGR_CONFIG) $(CONFIG_DST) install: $(FILES) $(BIN_DST)/$(SERVER) # rpm target directory -RPMDIR = /usr/src/redhat +RPMDIR = $(PWD)/rpm NV = $(NAME)-$(VERSION) @@ -82,7 +82,7 @@ SOURCES: Makefile $(SRC_FILES) rm -rf $(NV) rpm: SOURCES - rpmbuild -ba --target $(ARCH) $(NAME).spec + rpmbuild -v --define _topdir $(RPMDIR) -ba --target $(ARCH) $(NAME).spec rm -f $(NV)-*.$(ARCH).rpm cp -p $(RPMDIR)/RPMS/$(ARCH)/$(NV)-$(RELEASE).$(ARCH).rpm . diff --git a/conf.schoolserver/create_user b/conf.schoolserver/create_user index 40f63e3..90d9315 100755 --- a/conf.schoolserver/create_user +++ b/conf.schoolserver/create_user @@ -44,12 +44,12 @@ XO_USERS_GROUP=xousers getent group $XO_USERS_GROUP /dev/null 21 || groupadd $XO_USERS_GROUP if getent passwd $username /dev/null 21; then -true # User exists +# $fullname may have changed. +/usr/sbin/usermod -c $full_name $username || die unable to change full name else /usr/sbin/useradd -c $full_name -d $homedir \ -G $XO_USERS_GROUP -s /usr/bin/rssh $username \ || die Unable to create user -echo $uuid | passwd --stdin $username || die Unable to set password fi userhome=`getent passwd $username | awk -F: '{print $6}'` diff --git a/conf.schoolserver/update_users.py b/conf.schoolserver/update_users.py deleted file mode 100755 index 3684f08..000 --- a/conf.schoolserver/update_users.py +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/usr/bin/python -# -# update_users.py -# -# In the past, when an XO user registered, they were given their own -# group and no more. Now we want them to all be in the same group -# because it makes the management of restricted ssh access (and -# possibly other things) easier. - -#The group we are using is xousers, and we're finding the XO users -# by the location of their home directories. - - -import os -import sys -import pwd, grp -import subprocess - -XO_USER_HOME = '/library/users' -XO_USER_GROUP = 'xousers' -RSSH_PATH = '/usr/bin/rssh' - -# first, make sure the group is there -# much like `getent group xousers || groupadd xousers` -try: -group = grp.getgrnam(XO_USER_GROUP) -except KeyError, e: -print sys.stderr, e -result = subprocess.call(['groupadd', XO_USER_GROUP]) -if result: -raise RuntimeError(couldn't add %s group % XO_USER_GROUP) - -# just make sure the rssh executable is there -if not os.access(RSSH_PATH, os.F_OK | os.R_OK | os.X_OK): -raise RuntimeError(%s seems to be missing or otherwise inaccessable % RSSH_PATH) - - -# now find each user who has a /library/users/* home directory and try -# to change their group. -# Execution will stop when one fails BUT any users who's groups have -# been changed will not be changed back. - -users = [ x for x in pwd.getpwall() - if os.path.dirname(x.pw_dir) == XO_USER_HOME ] - -for user in users: -#if for some reason the user's name isn't already a group (e.g., -#they
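Review bot: Dropping 'echo $uuid | passwd --stdin $username' from create_user only stops new accounts from getting a password; accounts registered before this change still have their UUID set as password, and nothing in the visible hunks clears it. The Makefile now installs update_users_0_to_1.py, but its contents are not part of what is shown here, so please confirm that it locks or removes the old passwords (for example with 'passwd -l') as part of the storage-format upgrade the commit message describes. Minor: the new comment says $fullname while the variable used on the next line is $full_name.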
[Server-devel] [PATCH]More accurate idmgr shutdown status (#7653) and condrestart option.
The status returned by /etc/init.d/idmgr stop is less often the inverse of its actual success. /etc/init.d/idmgr start will not start if the daemon is already running. /etc/init.d/idmgr condrestart works. diff --git a/conf.schoolserver/idmgr b/conf.schoolserver/idmgr index d7a6d9f..23f1c7f 100755 --- a/conf.schoolserver/idmgr +++ b/conf.schoolserver/idmgr @@ -33,11 +33,12 @@ prog=idmgr SERVER=/home/idmgr/idmgr/server.py RETVAL=0 + start() { # Start daemons. echo -n Starting $prog: export PYTHONPATH=/home/idmgr/:/home/idmgr/idmgr/simplejson-1.7.1-py2.5.egg - daemon $SERVER $OPTS +daemon --pidfile=${PID_FILE} $SERVER $OPTS RETVAL=$? return $RETVAL } @@ -45,8 +46,10 @@ start() { stop() { # Stop daemons. echo -n Shutting down $prog: - kill `cat $PID_FILE` + killproc -p ${PID_FILE} -d 10 $prog RETVAL=$? + echo + [ $RETVAL = 0 ] rm -f ${PID_FILE} return $RETVAL } @@ -63,12 +66,19 @@ case $1 in start RETVAL=$? ;; + condrestart) + if [ -f $PID_FILE ] ; then + stop + start + RETVAL=$? + fi + ;; status) status idmgr $PID_FILE RETVAL=0 ;; *) - echo $Usage: $0 {start|stop|restart|status} + echo $Usage: $0 {start|stop|restart|condrestart|status} exit 1 esac ___ Server-devel mailing list Server-devel@lists.laptop.org http://lists.laptop.org/listinfo/server-devel
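Review bot: The unchanged 'status)' branch still sets RETVAL=0 right after 'status idmgr $PID_FILE', so the script exits 0 for status even when the daemon is not running; since this change is about accurate return codes, make that RETVAL=$? as well. In the new 'condrestart)' branch the only test is '[ -f $PID_FILE ]', so a stale pid file left behind by a crash leads to a stop followed by a start of a daemon that was not running; testing the result of 'status' would restart only a live daemon. condrestart also calls start without looking at what stop returned.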
[Server-devel] [PATCH] Utility function for the batch removal of XO users
This removes the named XO users from both the SQL and system databases. To remove all users, use something like /home/idmgr/remove_user `sqlite3 /home/idmgr/identity.db \ select serial from laptops` diff --git a/Makefile b/Makefile index fad74be..1065310 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ NAME = idmgr VERSION = 0.1.2 -RELEASE = 3 +RELEASE = 5 ARCH = noarch # install root @@ -16,6 +16,7 @@ CONF_SRC = conf.schoolserver # Scripts CREATE_USER = create_user +REMOVE_USER = remove_user CREATE_REGISTRATION = create_registration LIST_REGISTRATION = list_registration IDMGR_INIT = idmgr @@ -27,10 +28,12 @@ SERVER = idmgr/ # All scripts SRC_FILES = $(CONF_SRC)/$(CREATE_USER) $(CONF_SRC)/$(CREATE_REGISTRATION) \ $(CONF_SRC)/$(LIST_REGISTRATION) $(CONF_SRC)/$(IDMGR_INIT) \ - $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS_01) + $(CONF_SRC)/$(IDMGR_CONFIG) $(CONF_SRC)/$(UPDATE_USERS_01) \ + $(CONF_SRC)/$(REMOVE_USER) FILES = $(BIN_DST)/$(CREATE_USER) $(BIN_DST)/$(CREATE_REGISTRATION) \ $(BIN_DST)/$(LIST_REGISTRATION) $(INIT_DST)/$(IDMGR_INIT) \ - $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS_01) + $(CONFIG_DST)/$(IDMGR_CONFIG) $(BIN_DST)/$(UPDATE_USERS_01) \ + $(BIN_DST)/$(REMOVE_USER) # install rules $(DESTDIR): @@ -48,6 +51,9 @@ $(CONFIG_DST): $(DESTDIR) $(BIN_DST)/$(CREATE_USER): $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) cp $(CONF_SRC)/$(CREATE_USER) $(BIN_DST) +$(BIN_DST)/$(REMOVE_USER): $(CONF_SRC)/$(REMOVE_USER) $(BIN_DST) + cp $(CONF_SRC)/$(REMOVE_USER) $(BIN_DST) + $(BIN_DST)/$(UPDATE_USERS_01): $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST) cp $(CONF_SRC)/$(UPDATE_USERS_01) $(BIN_DST) diff --git a/conf.schoolserver/remove_user b/conf.schoolserver/remove_user new file mode 100755 index 000..47926ae --- /dev/null +++ b/conf.schoolserver/remove_user 
@@ -0,0 +1,7 @@ +#!/bin/sh + +for serial; do +echo $serial | grep -s -E '^[A-Z]{3}[A-F0-9]{8}$' || exit 1 +sqlite3 /home/idmgr/identity.db DELETE FROM laptops WHERE serial = '$serial' || exit 1 +userdel $serial +done \ No newline at end of file diff --git a/idmgr.spec b/idmgr.spec index b405560..dd6f1f0 100644 --- a/idmgr.spec +++ b/idmgr.spec @@ -4,7 +4,7 @@ Summary: XS Registration Manager Name: idmgr Version: 0.1.2 -Release: 3 +Release: 5 License: GPL Group: Base System/System Tools URL: http://dev.laptop.org/git.do?p=projects/idmgr;a=summary @@ -79,6 +79,7 @@ rm -rf $RPM_BUILD_ROOT /etc/idmgr.conf /home/idmgr/create_registration /home/idmgr/create_user +/home/idmgr/remove_user /home/idmgr/update_users_0_to_1.py /home/idmgr/update_users_0_to_1.pyo /home/idmgr/update_users_0_to_1.pyc ___ Server-devel mailing list Server-devel@lists.laptop.org http://lists.laptop.org/listinfo/server-devel
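Review bot: In remove_user the row is deleted from identity.db before 'userdel $serial' runs and the exit status of userdel is never checked, so a failed userdel leaves a system account with no matching registration while the loop carries on silently; check it the same way as the two lines above, and consider removing the system user first. The grep on the serial is the only validation before the value is placed inside the SQL statement, so make it locale-independent by setting LC_ALL=C before it, because '[A-Z]' can match other characters in some locales, and send grep's output to /dev/null so each serial is not echoed to stdout. A serial that fails the check exits the whole batch with status 1 and no message, which makes a partly completed run hard to diagnose; print the offending argument to stderr before exiting. The file also ends without a newline.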
[Server-devel] [PATCH] More checking and logging of registration information.
The create_user script tries to give useful information to syslogd, and ensures that the username it is given is a valid XO serial. It also checks the ssh public key, but is not terribly strict. If a system user is created but some later process fails, create_user tries to remove the user. server.py also takes better notice the values it receives, and will fail if the username or public key contain multiple lines. The way errors are handled has also been changed, to reduce dupication. If the server.py script is called without a pidfile argument, it runs in the foreground and prints messages on stderr. Previously it would have crashed. diff --git a/conf.schoolserver/create_user b/conf.schoolserver/create_user index 90d9315..4a6f90f 100755 --- a/conf.schoolserver/create_user +++ b/conf.schoolserver/create_user @@ -21,22 +21,33 @@ # This script creates a user account for the registration server # # echo entering as `whoami` /tmp/create_user.log +LOG_LEVEL=user.warning +LOG_TAG=olpc_idmgr if [ `whoami` != root ]; then -# echo execing as root /tmp/create_user.log -exec sudo -S $0 /tmp/create_user.log 21 +exec sudo -S $0 fi +log() { +echo $1 | logger -t $LOG_TAG -s -p $LOG_LEVEL +} + die() { -echo $1 12 +log $1 exit 1 } read username read full_name -read uuid +read uuid #unused! read pubkey +# check for sane values +export LC_ALL=C +echo $username | grep -s -E '^[A-Z]{3}[A-F0-9]{8}$' /dev/null || die bad username +echo $pubkey | grep -s -E '^[A-Za-z0-9+/=]+$' /dev/null || die bad public key + + homedir=/library/users/$username XO_USERS_GROUP=xousers 
@@ -46,16 +57,34 @@ getent group $XO_USERS_GROUP /dev/null 21 || groupadd $XO_USERS_GROUP if getent passwd $username /dev/null 21; then # $fullname may have changed. /usr/sbin/usermod -c $full_name $username || die unable to change full name -else +NEW_USER=0 +else /usr/sbin/useradd -c $full_name -d $homedir \ -G $XO_USERS_GROUP -s /usr/bin/rssh $username \ || die Unable to create user +NEW_USER=1 fi +#from here, if a new user was created, a failure will leave the user +#there but unconfigured. So rather than simply dying, we try to clean +#up first. + +clean_up_and_die(){ +log $1 +if [ $NEW_USER == 1 ]; then +log deleting half-created user +/usr/sbin/userdel $username || log ... failed! +fi +exit 1 +} + + userhome=`getent passwd $username | awk -F: '{print $6}'` -cd $userhome +cd $userhome || clean_up_and_die Couldn't cd into user's home directory + +mkdir -p --mode=700 .ssh || clean_up_and_die Unable to mkdir .ssh +echo ssh-dss $pubkey .ssh/authorized_keys || clean_up_and_die Unable to set up authorized_keys +chmod 600 .ssh/authorized_keys || clean_up_and_die Unable to chmod authorized_keys +chown -R $username .ssh || clean_up_and_die Unable to chown .ssh -mkdir -p --mode=700 .ssh || die Unable to mkdir .ssh -echo ssh-dss $pubkey .ssh/authorized_keys || die Unable to set up authorized_keys -chmod 600 .ssh/authorized_keys || die Unable to chmod authorized_keys -chown -R $username .ssh || die Unable to chown .ssh +#clean_up_and_die goodbye \ No newline at end of file diff --git a/idmgr/server.py b/idmgr/server.py index 06b9bcb..9a4c164 100755 --- a/idmgr/server.py +++ b/idmgr/server.py 
@@ -42,11 +42,16 @@ IDMGR_CONFIG_FILE = '/etc/idmgr.conf' # Default maximum for the number of available file descriptors. MAXFD = 1024 +# Port on which to listen + +PORT = 8080 + # The specs are a little unclear on the encoding of UUIDs, so be # flexible in what we accept uuidre = re.compile(r'[a-fA-F0-9-]{32,40}') serialre = re.compile(r'^[A-Z]{3}[A-F0-9]{8}$') +base64re = re.compile(r'^[A-Fa-z0-9+/=]+$') # The standard I/O file descriptors are redirected to /dev/null by default. if (hasattr(os, devnull)): @@ -69,12 +74,12 @@ def createDaemon( pidfilename ): # unless we stop executing due to failure. # import signal # Set handlers for asynchronous events. # signal.signal(signal.SIGHUP, signal.SIG_IGN) - + try: pid = os.fork()# Fork a second child. except OSError, e: raise Exception, %s [%d] % (e.strerror, e.errno) - + if (pid == 0): # The second child. # Since the current working directory may be a mounted filesystem, # we avoid the issue of not being able to unmount the filesystem at @@ -87,10 +92,10 @@ def createDaemon( pidfilename ): try: pidfile = open( pidfilename, w ); pidfile.write( str( pid ) ); -pidfile.write( \n ); +pidfile.write( \n ); pidfile.close(); except OSError, e: -syslog.openlog( 'olpc_idmgr', 0, syslog.LOG_DAEMON ) +syslog.openlog( 'olpc_idmgr', 0,
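Review bot: In server.py the new line base64re = re.compile(r'^[A-Fa-z0-9+/=]+$') has A-F where A-Z was presumably meant: as written it rejects any key containing an uppercase G to Z, which is nearly every base64-encoded public key, while the shell check added to create_user in this same patch uses [A-Za-z0-9+/=]. Also, in Python '$' matches just before a single trailing newline, so serialre and base64re both accept a value that ends in "\n"; since the stated goal is to reject usernames and keys that span lines, anchor the patterns with \Z instead of $.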
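Review bot: In create_user, clean_up_and_die calls '/usr/sbin/userdel $username' without -r, so when useradd succeeded and a later step fails, any home directory created under /library/users and a partly written .ssh stay behind after the account is removed; delete the home directory as part of the cleanup or say why it is kept. The test '[ $NEW_USER == 1 ]' uses '==', which not every /bin/sh accepts inside '[', so prefer '=' or '-eq' if this script is run by sh. 'read uuid #unused!' and the trailing '#clean_up_and_die goodbye' look like leftovers that should be resolved before this goes in, and the file ends without a newline.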
Re: [Server-devel] Warning: breakage updating xs-config
On Tue, Aug 12, 2008 at 1:49 AM, Jerry Vonau [EMAIL PROTECTED] wrote:

Martin Langhoff wrote:

A few weeks ago Bryan and David reported breakage with xs-config, and over the last week over various tests we've had xs-config updates making a mess of already-configured XS setups. I haven't had a chance to look at it but yes, it is a high priority bug, and I'll be working on it asap.

Sorry, coming up to speed, Ticket number? Got some info on the method used, and what failed?

#7708 - If you just install an XS, do the basic config (domain_config, etc) and then install a new xs-config, the install mechanism makes a mess. One tell-tale sign is that the files edited by domain_config are overwritten. Diagnosing more later...

Based on my F9 testing, while you have xs-config open, can you remove syslogd from the requires? Syslogd will still be installed based on the comp.xml file anyway. Without removing this requires from xs-config, updating past F7 becomes impossible as syslogd was later renamed/replaced.

What is the new name? The depends is there because we do override /etc/syslogd.conf

The same goes for newt-perl in xs-pkgs. The package radvd also gave me problems, although I don't recall why.

I'll look into removing those.

I ended up re-rolling xs-config and xs-pkgs to exclude these above packages. F9 now installs the xs-config package, with one problem, the symlinks in /etc/rc.d/rc1.d/ 23456... don't get created, looks like those need to be copied over also with F9.

Ok.

Some other links were installed as file.olpcnew. also. I'll put together a list later if you want it.

Interesting.

Short term plan is to fix it promptly. Long term plan -- discussed with Wad this morn -- is to break xs-config into various parts:

- For daemons that accept a parameter pointing to the config file (named for example) we should disable the daemon permanently via chkconfig and install an alternative init script (named-olpc) which points to a different config file (/etc/named-olpc.conf).
- For files where we want to search/replace values (as we do with domain_config) we should ship a template file (/etc/named-olpc.conf.in) with placeholders (@@BASEDOMAIN@@). So domain_config gets simplified a lot and becomes more reliable too.
- We prefer conf.d arrangements where possible - and in those cases, avoid the symlink mess.
- For actually hardcoded-name files we need to override (ie: /etc/rssh.conf) we can use a version-control scheme (git based probably).
- And dismantle the symlink mess we have...

cheers,

m
-- [EMAIL PROTECTED] [EMAIL PROTECTED] -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff
Re: [Server-devel] A simple signed bundle/directory trust scheme for the XS
On Tue, Aug 12, 2008 at 2:24 AM, Michael Stone [EMAIL PROTECTED] wrote:

If you're more interested 'signed content lives in archives', then JAR-signing might be for you!

JARs look good but there don't seem to be decent cli tools to deal with them (can fastjar sign and check sigs in packages?) and big Java deps for the core XS are not in my plans.

cheers.

m
-- [EMAIL PROTECTED] [EMAIL PROTECTED] -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff
[Server-devel] EduBlog: Status
Hi team,

Good news! Marcel was able to install abiword 2.6.3 from the Fedora 9 repository and all the features of EduBlog are decently working. I've recreated the demo student and teacher accounts and linked it to uruguay-xo-test.

I'll update the wiki with the exact links needed to go through the use cases tomorrow and also try to work out a few rendering bugs with the css differences between abiword, tinymce, moodle and blogger.

Many thanks to Tony and Glen in getting the server back online and to Marcel for getting abiword conversion working!

Thanks,

Tarun
Re: [Server-devel] XS problems
2008/8/12 Henry Vélez [EMAIL PROTECTED]:

I am following the instructions on the Wiki at: http://wiki.laptop.org/go/XS_Configuration_Management and I am using version 163.

We need more data :-) What commands - exactly - are you giving the XS?

But I have not been able to see it from the XOs or from another PC

What have you tried? How did you connect?

hugs,

martin
-- [EMAIL PROTECTED] [EMAIL PROTECTED] -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff
Re: [Server-devel] A simple signed bundle/directory trust scheme for the XS
On Tue, Aug 12, 2008 at 2:24 AM, Michael Stone [EMAIL PROTECTED] wrote:

If you want to go the route of 'signed content lives in directories', then please examine the programs in olpc-contents http://wiki.laptop.org/go/Olpc-contents and let us know in what way they can be improved before writing your own.

olpc-contents is fairly close to what I am doing. I am thinking about a few things.

I want moderately technical people to be able to build and check these bundles (usb based or otherwise) on any modern OS:

* What I want from olpc-contents is mostly what sha1sum does, and sha1sum is very portable and widespread - even some GUIs are available.
* olpc-contents not being self-contained and not being pure Python hampers things further. IOWs, I cannot say just download this portable python script.

Of what olpc-contents adds, I only care about the check for extraneous files. Other bits -- file owners and permissions -- I don't need, and in fact get in the way. I would need a version of olpc-contents that does not include (and later, does not care for) file ownership or mode data.

So it's close enough, but it gets in the way big time. Just picture the instructions:

- Only Windows users: install sha1sum from here - link to exe (sha1sum is in stock OSX and Linuxen)
- create an empty dir and put what you want inside
- check no stray files are there
- run 'sha1sum * > manifest.md5'
- Windows users, here's an alternative GUI if you want...

to

- Debian/Fedora users - here's a nice rpm deb
- Everyone else: install this python script with its related libraries and bits in C... various pages of explanations based on http://docs.python.org/ext/win-cookbook.html - I quote: To build extensions using these instructions, you need to have a copy of the Python sources of the same version as your installed Python. You will need Microsoft Visual C++ ``Developer Studio''...
- create empty dir...

Must say - I've read the source and it's a good tool. However my thinking right now is that it doesn't add enough for my use case, and it gets in the way big-time. Just to make it usable for the use cases I have will take several times more work to make it usable than to write the little script I'm thinking of.

cheers,

m
-- [EMAIL PROTECTED] [EMAIL PROTECTED] -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff
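The directory check discussed in this thread (hash every file with SHA1 and refuse a bundle that holds files the manifest does not list), as an added example that is not code from the XS project or from olpc-contents. The file names manifest.sha1 and manifest.sha1.asc and all function names are assumptions, the sample bundle is constructed, and the GPG signature over the manifest is assumed to have been verified before the manifest is trusted.

```python
import hashlib
import os
import re
import tempfile

MANIFEST = "manifest.sha1"        # assumed name; the thread's own draft uses manifest.md5
SIGNATURE = "manifest.sha1.asc"   # assumed name of a detached GPG signature, checked elsewhere
LINE_RE = re.compile(r"^([0-9a-f]{40}) [ *](.+)$")   # one line of sha1sum output


def sha1_file(path):
    """Hash a file in chunks so large content does not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_bundle(root):
    """Return (files, symlinks) as sets of '/'-separated paths relative to root."""
    files, symlinks = set(), set()
    for dirpath, dirnames, filenames in os.walk(root):   # directory symlinks are not followed
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                symlinks.add(rel)
            elif os.path.isfile(full):
                files.add(rel)
    return files, symlinks


def write_manifest(root):
    """Write a sha1sum-compatible manifest that lists every regular file under root."""
    files = list_bundle(root)[0] - {MANIFEST, SIGNATURE}
    with open(os.path.join(root, MANIFEST), "w", encoding="utf-8") as out:
        for rel in sorted(files):
            out.write("%s  %s\n" % (sha1_file(os.path.join(root, rel)), rel))
    return sorted(files)


def read_manifest(root):
    """Parse the manifest into {path: sha1}, collecting problems instead of raising."""
    entries, problems = {}, []
    with open(os.path.join(root, MANIFEST), encoding="utf-8") as handle:
        for number, line in enumerate(handle, 1):
            match = LINE_RE.match(line.rstrip("\r\n"))   # tolerate manifests written on Windows
            if not match:
                problems.append("malformed manifest line %d" % number)
                continue
            digest, rel = match.groups()
            if rel.startswith("./"):
                rel = rel[2:]
            if rel.startswith("/") or "\\" in rel or ".." in rel.split("/"):
                problems.append("unsafe path in manifest: %s" % rel)
            elif rel in entries:
                problems.append("duplicate manifest entry: %s" % rel)
            else:
                entries[rel] = digest
    return entries, problems


def verify_bundle(root):
    """Return a sorted list of problems; an empty list means the bundle matches its manifest."""
    if not os.path.isfile(os.path.join(root, MANIFEST)):
        return ["missing manifest"]
    entries, problems = read_manifest(root)
    files, symlinks = list_bundle(root)
    files -= {MANIFEST, SIGNATURE}
    problems += ["symlink not allowed: %s" % rel for rel in symlinks]
    problems += ["extraneous file: %s" % rel for rel in files - set(entries)]
    problems += ["missing file: %s" % rel for rel in set(entries) - files]
    for rel in files & set(entries):
        if sha1_file(os.path.join(root, rel)) != entries[rel]:
            problems.append("changed file: %s" % rel)
    return sorted(problems)


def demo():
    """Build a constructed sample bundle, tamper with it, and return both verification results."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "books"))
        for rel, text in (("index.html", "<h1>library</h1>"), ("books/a.txt", "chapter one")):
            with open(os.path.join(root, rel), "w") as out:
                out.write(text)
        write_manifest(root)
        clean = verify_bundle(root)
        with open(os.path.join(root, "books/a.txt"), "a") as out:
            out.write(" (modified in transit)")
        with open(os.path.join(root, "autorun.sh"), "w") as out:
            out.write("echo stray file")
        os.remove(os.path.join(root, "index.html"))
        return clean, verify_bundle(root)


if __name__ == "__main__":
    before, after = demo()
    print("untouched bundle:", before or "OK", "| tampered bundle:", after)
```

SHA-1 is used only because the thread names it; the same structure works with hashlib.sha256 and sha256sum output once the digest length in LINE_RE is changed to 64.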