Architecture

This section of the document describes the network architecture and services provided by a Skolelinux installation.

Network

The Debian Edu network topology

The figure is a sketch of the assumed network topology. The default setup of a Skolelinux network assumes that there is one (and only one) main-server, while allowing the inclusion of both normal workstations and thin-client-servers (with associated thin-clients). The number of workstations can be as large or small as you want (starting from none to a lot). The same goes for the thin-client servers, each of which is on a separate network so that the traffic between the thin-clients and the thin-client server doesn't affect the rest of the network services.

The reason that there can only be one main server in each school network is that the main server provides DHCP, and there can be only one machine doing so in each network. It is possible to move services from the main server to other machines by setting up the service on another machine, and subsequently updating the DNS-configuration, pointing the DNS alias for that service to the right computer.

In order to simplify the standard setup of Skolelinux, the Internet connection runs over a separate router. It is possible to set up Debian with both a modem and an ISDN connection; however, no attempt is made to make such a setup work out of the box for Skolelinux (the setup needed to adjust the default situation to this should be documented separately).

The default network setup

DHCPD on Tjener serves the 10.0.0.0/8 network, providing a syslinux menu via PXE-boot where you can choose whether to install a new server/workstation, boot a thin client or a diskless workstation, run memtest, or boot from the local hard disk.

This is designed to be modified - that is, you can have the NFS-root in syslinux point to one of the LTSP servers or change next-server in DHCP to have clients directly boot via PXE from the terminal server.

DHCPD on the LTSP servers only serves a dedicated 192.168.0.0/24 network on the second interface and should seldom need to be changed.

Main server (tjener)

A Skolelinux network needs one main server (also called "tjener" which is Norwegian and means "server") which per default has the IP address 10.0.2.2 and is installed by selecting the main server profile. It's possible (but not required) to also select and install the thin-client-server and workstation profiles in addition to the main server profile.

Services running on the main server

With the exception of the control of the thin-clients, all services are initially set up on one central computer (the main server). For performance reasons, the thin-client-server should be a separate machine (though it is possible to install both the main server and thin-client server profiles on the same machine). All services are allocated a dedicated DNS-name and are offered exclusively over IPv4. The allocated DNS name makes it easy to move individual services from the main-server to a different machine, by simply stopping the service on the main-server, and changing the DNS configuration to point to the new location of the service (which should be set up on that machine first, of course).

To ensure security all connections where passwords are transmitted over the network are encrypted, so no passwords are sent over the network as plain text.

Below is a table of the services that are set up by default in a Skolelinux network and the DNS name of each service. If possible all configuration files will refer to the service by name (without the domain name) thus making it easy for schools to change either their domain (if they have an own DNS domain) or the IP addresses they use.

Table of services

Service description

Common name

DNS service name

Centralised Logging

rsyslog

syslog

Domain Name Service

DNS (BIND)

domain

Automatic Network Configuration of Machines

DHCP

bootps

Clock Synchronisation

NTP

ntp

Home Directories via Network File System

SMB / NFS

homes

Electronic Post Office

IMAP/POP3 (Dovecot)

postoffice

Directory Service

OpenLDAP

ldap

User Administration

GOsa²

---

Web Server

Apache/PHP

www

Central Backup

sl-backup, slbackup-php

backup

Web Cache

Proxy (Squid)

webcache

Printing

CUPS

ipp

Secure Remote Login

OpenSSH

ssh

Automatic Configuration

Cfengine

cfengine

Thin Client Server/s

LTSP

ltsp

Machine and Service Surveillance with Error Reporting, plus Status and History on the Web. Error Reporting by email

munin, nagios and site-summary

munin, nagios and site-summary

Personal files for each user are stored in their home directories, which are made available by the server. Home directories are accessible from all machines, giving users access to the same files regardless of which machine they are using. The server is operating system agnostic, offering access via NFS for Unix clients, SMB for Windows and Macintosh clients.

By default email is set up for local delivery (i.e. within the school) only, though email delivery to the wider Internet may be set up if the school has a permanent Internet connection. Mailing lists are set up based on the user database, giving each class their own mailing list. Clients are set up to deliver mail to the server (using 'smarthost'), and users can access their personal mail through either POP3 or IMAP.

All services are accessible using the same username and password, thanks to the central user database for authentication and authorisation.

To increase performance on frequently accessed sites a web proxy that caches files locally (Squid) is used. In conjunction with blocking web-traffic in the router this also enables control of Internet access on individual machines.

Network configuration on the clients is done automatically using DHCP. Normal clients are allocated IP addresses in the private subnet 10.0.0.0/8, while thin clients are connected to the corresponding thin-client-server via the separate subnet 192.168.0.0/24 (this is to ensure that the network traffic of the thin clients doesn't interfere with the rest of the network services).

Centralised logging is set up so that all machines send their syslog messages to the server. The syslog service is set up so that it only accepts incoming messages from the local network.

By default the DNS server is set up with a domain for internal use only (*.intern), until a real ("external") DNS domain can be set up. The DNS server is set up as caching DNS server so that all machines on the network can use it as the main DNS Server.

Pupils and teachers have the ability to publish websites. The web server provides mechanisms for authenticating users, and for limiting access to individual pages and subdirectories to certain users and groups. Users will have the ability to create dynamic web pages, as the web server will be programmable on the server side.

Information on users and machines can be changed in one central location, and is made accessible to all computers on the network automatically. To achieve this a centralised directory server is set up. The directory will have information on users, user groups, machines, and groups of machines. To avoid user confusion there won't be any difference between file groups, mailing lists, and network groups. This implies that groups of machines which are to form network groups will use the same namespace as user groups and mailing lists.

Administration of services and users will mainly be via the web, and follow established standards, functioning well in the web browsers which are part of Skolelinux. The delegation of certain tasks to individual users or user groups will be made possible by the administration systems.

In order to avoid certain problems with NFS, and to make it simpler to debug problems, the different machines need synchronised clocks. To achieve this the Skolelinux server is set up as a local Network Time Protocol (NTP) server, and all workstations and clients are set up to synchronise with the server. The server itself should synchronise its clock via NTP against machines on the Internet, thus ensuring the whole network has the correct time.

Printers are connected where convenient, either directly onto the main network, or connected to a server, workstation or thin-client-server. Access to printers can be controlled for individual users according to the groups they belong to; this will be achieved by using quota and access control for printers.

LTSP server(s) (Thin client server(s))

A Skolelinux network can have many LTSP servers (also called thin client servers), which are installed by selecting the LTSP server profile.

The thin client servers are set up to receive syslog from the thin clients, and forward these messages to the central syslog recipient.

Thin clients

A thin client setup enables ordinary PCs to function as (X-)terminals. This means that the machine boots from a diskette or directly from the server using network-PROM (or PXE) without using the local client hard drive. The thin client setup used is that of the Linux Terminal Server Project (LTSP).

Thin clients are a good way to make use of older, weaker machines as they effectively run all programs on the LTSP server. This works as follows: the service uses DHCP and TFTP to connect to the network and boot from the network. Next, the file system is mounted via NFS from the LTSP server, and finally the X Window System is started. The display manager (LDM) connects to the LTSP server via SSH with X-forwarding. This way all data is encrypted on the network. For very old thin clients which are too slow for the encryption this can be set to the behavior from former versions, which is to use a direct X connection via XDMCP.

Diskless workstations

For diskless workstations the terms "stateless workstations", "lowfat clients" or "half-thick clients" are also used. For the sake of clarity this manual sticks to the term "diskless workstations".

A diskless workstation runs all software on the PC without a locally installed operating system. This means that client machines boot directly from the server's hard drive without running software installed on a local hard drive.

Diskless workstations are an excellent way of reusing newer hardware with the same low maintenance cost as with thin clients. Software is administered and maintained on the server with no need for local installed software on the clients. Home directories and system settings are stored on the server too.

Diskless workstations were introduced as part of the Linux Terminal Server Project (LTSP) with version 5.0.

Networked clients

The term "networked clients" is used in this manual to refer to both thin clients and diskless workstations, as well as computers running Mac OS or Windows.

Administration

All the Linux machines that are installed by means of a Skolelinux CD or DVD will be administrable from a central computer, most likely the server. It will be possible to log in to all machines via SSH, and thereby have full access to the machines.

We use cfengine to edit configuration files. These files are updated from the server to the clients. In order to change the client configuration, it suffices to edit the server configuration and let the automation distribute the changes.

All user information is kept in an LDAP directory. Updates of user accounts are made against this database, which is used by the clients for user authentication.

Installation

Currently there are two types of installation media: netinst CD and multi-arch DVD. Both types can also be booted from USB sticks.

The aim is to be able to install a server from a CD/DVD type medium once, and install all other clients over the network by booting from the network.

The DVD installation works without access to the Internet.

The installation should not ask any questions, with the exception of desired language (e.g. Norwegian Bokmal, Nynorsk, Sami) and machine profile (server, workstation, thin client server). All other configuration will be set up automatically with reasonable values, to be changed from a central location by the system administrator subsequent to the installation.

File system access configuration

Each Skolelinux user account is assigned a section of the file system on the file server. This section (home directory) contains the user's configuration files, documents, email and web pages. Some of the files should be set to have read access for other users on the system, some should be readable by everyone on the Internet, and some should not be accessible for reading by anyone but the user.

To ensure that all disks that are used for user directories or shared directories can be uniquely named across all the computers in the installation, they can be mounted as /skole/host/directory/. Initially, one directory is created on the file server, /skole/tjener/home0/, in which all the user accounts are created. More directories may then be created when needed to accommodate particular user groups or particular patterns of usage.

To enable shared access to files under the normal UNIX permissions system, users need to be in supplementary shared groups (such as "students") as well as the personal primary group that they're in by default. If users have an appropriate umask to make newly created items group-accessible (002 or 007), and if the directories they're working in are setgid to ensure the files inherit the correct group-ownership, the result is controlled file sharing between the members of a group.

The initial access settings for newly created files are a matter of policy. The Debian default umask is 022 (which would not allow group-access as described above), but Debian Edu uses a default of 002 - meaning that files are created with read access for everybody, which can later be removed by explicit user action. This can alternatively be changed (by editing /etc/pam.d/common-session) to a umask of 007 - meaning read access is initially blocked, necessitating user action to make them accessible. The first approach encourages knowledge sharing, and makes the system more transparent, whereas the second method decreases the risk of unwanted spreading of sensitive information. The problem with the first solution is that it is not apparent to the users that the material they create will be accessible to all other users. They can only detect this by inspecting other users' directories and seeing that their files are readable. The problem with the second solution is that few people are likely to make their files accessible, even if they do not contain sensitive information and the content would be helpful to inquisitive users who want to learn how others have solved particular problems (typically configuration issues).

CategoryPermalink