
Version 1 (modified by lnevers@bbn.com, 10 years ago) (diff)


OpenGENI Rack Administrative Accounts

Each OpenGENI rack is delivered with an initial local administrator account that is created when OpenGENI is installed. When each new rack is deployed, the local administrator must request the desired login ID and provide a copy of the SSH version 2 public keys. The administrator will use the keys provided to access the control node, because GRAM racks do not permit password-based authentication. The initial local administrator account will exist on each of the following systems:

  • Control Node
  • Compute Nodes (2)
  • Switches (Force10, PowerConnect)
  • Remote Access System (iDRAC)

Control and Compute Nodes Admin Accounts

Additional administrative accounts can be created or deleted with the standard Ubuntu commands detailed in this section.

On the Control and the Compute Nodes: Create the user account and set a temporary password.

Note: Replace instances of newAdmin with the user-requested login ID.

  1. Type "sudo useradd -c newAdmin -s /bin/bash -m newAdmin".
  2. Edit /etc/group and add user, newAdmin, into the sudo group.
  3. Edit /etc/sudoers using visudo and add a line for the user, newAdmin.
  4. Type "sudo passwd newAdmin" to give the user a temporary password.

On the Control Node only: Install the SSH keys provided by the user and generate the SSH keys to be installed on other rack devices for access:

  1. Type "su - newAdmin" to become newAdmin.
  2. Generate keys that will be used to access other devices in the rack. Type "ssh-keygen -t dsa".
  3. Install the keys provided by the user to allow access to the Control Node. Type "cat pub_key >> ~/.ssh/authorized_keys".
  4. Set appropriate permission for key access. Type "chmod 600 ~/.ssh/authorized_keys".
  5. Copy the generated public DSA key onto the compute nodes and all other devices where access can be done via key pairs.

The local administrator will need to have a local clearinghouse account to use some of the OpenGENI tools to check the rack component status.

  1. "sudo su - gram"
  2. "cd /opt/gcf/src"
  3. "./gen-certs.py --exp -u newAdmin --notAll"
  4. "exit"
  5. As newAdmin, "mkdir ~/.gcf"
  6. "sudo cp ~gram/.gcf/newAdmin-*.pem ~/.gcf"
  7. "sudo cp ~gram/.gcf/omni_config ~/.gcf/tmpOmni"
  8. "sudo chown newAdmin ~/.gcf/*"
  9. "sed 's/gramuser/newAdmin/g' ~/.gcf/tmpOmni >> ~/.gcf/omni_config"
  10. "rm ~/.gcf/tmpOmni"
  11. "sudo service gram-ch restart"
  12. "sudo service gram-am restart"

On the Compute Nodes: Install the SSH DSA keys that you generated:

  1. Log in with your admin account and then "su - newAdmin" to become newAdmin.
  2. Copy the public DSA key generated in step 6 above into the .ssh directory.
  3. Type "cat pub_key >> ~/.ssh/authorized_keys".
  4. Set appropriate permission for key access. Type "chmod 600 authorized_keys".
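
To check the result of the key installation steps on the control and compute nodes, the following added example (not part of the original page or of the OpenGENI tooling) verifies that an authorized_keys file has mode 600 and reports ssh-dss entries, which OpenSSH has disabled by default since release 7.0. The function names and the sample keys are constructed for illustration, and GNU stat is assumed, as on the Ubuntu nodes.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file written by the steps above.

# Print the key type found on one authorized_keys line, skipping any leading
# options such as no-pty or command="...". Runs in a subshell so set -f stays local.
key_type() (
    set -f
    for word in $1; do
        case "$word" in
            ssh-*|ecdsa-sha2-*|sk-*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
)

# Return 0 when the file is clean, 1 when at least one finding was printed.
audit_authorized_keys() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    mode=$(stat -c '%a' "$file")    # GNU stat (assumption: Ubuntu nodes)
    if [ "$mode" != "600" ]; then
        echo "PERM $file mode=$mode expected=600"; findings=1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if ! ktype=$(key_type "$line"); then
            echo "UNPARSED line $n"; findings=1
        elif [ "$ktype" = "ssh-dss" ]; then
            echo "WEAK line $n type=ssh-dss"; findings=1
        fi
    done < "$file"
    return $findings
}

# Constructed sample: a DSA key and an Ed25519 key (truncated blobs), mode 644.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sample keys' \
        'ssh-dss AAAAB3NzaC1kc3M newAdmin@control' \
        'no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 newAdmin@laptop' \
        > "$dir/authorized_keys"
    chmod 644 "$dir/authorized_keys"
    audit_authorized_keys "$dir/authorized_keys" && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run audit_authorized_keys against ~newAdmin/.ssh/authorized_keys on each node; a non-zero return means the mode is wrong or a DSA entry is present.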

Delete Account on Control and Compute Nodes:

Note: Replace instances of newAdmin with the user account to be deleted.

  1. Type "sudo userdel -rf newAdmin".

Force10 Admin Accounts

To add a site admin account on the Force10 OpenFlow switch, either ssh to the switch IP address with a user name and password, or access the switch console with screen /dev/ttyS1. Console access requires checking that the serial cable is connected to a server and that the other end of the cable is connected to the Force10.

Once you can log in to the switch, add a user account as shown below. Note that the enable password is shared among the user accounts and should not be modified:

(Using Cisco IOS-like commands)
enable
configure
username <admin name>
username <admin name> password <admin password>
exit
write

To delete the user on the Force10:

(Using Cisco IOS-like commands)
enable
configure
no username <admin name>
exit
write

PowerConnect Admin Accounts

To add a site admin account on the PowerConnect 7048, either ssh to the switch IP address with a user name and password, or access the console with screen /dev/ttyS1. Console access requires checking that the serial cable is connected to a server and that the other end of the cable is connected to the PowerConnect 7048.

Once you can log in to the switch, add a user account as shown below. Note that the enable password is shared among the user accounts and should not be modified:

(Using Cisco IOS-like commands)
enable
config
username <admin name> password <admin password>
exit
write

To delete the user on the PowerConnect 7048:

(Using Cisco IOS-like commands)
enable
configure
no username <admin name>
exit
write

iDRAC Account

To set up iDRAC accounts, see Integrated Dell Remote Access Controller (iDRAC) Configuration.