Applies to SUSE Linux Enterprise Point of Service 11 SP3 and SUSE Linux Enterprise Point of Service 12 Image Server

4 Setting Up the Administration Server

The Administration Server is the central administration point for SUSE® Linux Enterprise Point of Service. All system information (system structure, the configuration and deployment method for each Branch Server and Point of Service terminal, image information, and so forth) is stored in an LDAP directory on the Administration Server. The Administration Server is also the central distribution point for the images required to boot and configure Point of Service terminals, and can run the utilities required to build those images. You can set up an Administration Server either with or without the image building software.

Note: Creating an Image Building Server

The utilities required to build Point of Service images can be installed with the Administration Server or on a dedicated image building server. For more information, see Chapter 3, Setting Up an Image Building Server.

Note: Meeting the System Requirements

For a list of system requirements to set up an Administration Server, refer to Section 1.2.1, “Administration Server”.

4.1 Administration Server Configuration

To configure the Administration Server, follow these steps:

  1. Check if the SUSE Linux Enterprise Point of Service Administration Server pattern is installed on the machine to be configured. If it is missing, install it. For more information about installation, see Chapter 2, SUSE Linux Enterprise Point of Service Installation.

    If you want to use the Administration Server to build Point of Service images, also select the Image Server and Images patterns. If you want to use a stand-alone Image Building Server, these patterns are not needed.

  2. Initialize the LDAP server on the Administration Server with the posInitAdminserver command. Follow the on-screen instructions. For more information about LDAP initialization, see Section 4.2, “Initializing the LDAP Directory with posInitAdminserver”.

  3. Initialize the LDAP database on the Administration Server:

    1. Use the posAdmin command to add an organizationalUnit object as described in Section 4.6.1.1, “Creating organizationalUnit Objects”.

    2. Use the posAdmin command to add an scLocation object as described in Section 4.6.1.2, “Adding an scLocation Object”.

      Important: The New --userPassword Attribute

      The new mandatory attribute --userPassword has been introduced in SUSE Linux Enterprise Point of Service 11. This password is needed when configuring a Branch Server.

    3. Use the posAdmin command to add scServerContainer and scBranchServer objects as described in Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”.

  4. Make sure the rsync port (usually 873) is open on the Administration Server. The rsync port is not open in the default SLES11 installation. You need to add its number in the YaST Firewall module under Allowed Services › Advanced › TCP Ports.

  5. The basic configuration of the Administration Server is now finished. If you want to initialize an offline Branch Server without any Internet connection, create an offline installation package, as described in Section 5.2.2.1, “Creating an Offline Installation Package”.

4.1.1 Changing the Administration Server Password

To change the Administration Server password, edit /etc/openldap/slapd.conf and replace both lines containing rootpw old_hashed_password with a new hashed password. You can get the new hashed password with the slappasswd command. Change the password by entering the following commands in the command line:

  1. rcldap stop

  2. sed -i -e 's;rootpw.*$;rootpw '`slappasswd -s "new_password"`';' /etc/openldap/slapd.conf

  3. rcldap start

The password stored in /etc/SLEPOS/adminserver.conf needs to be changed and reencoded as well. Enter the following command in the command line to change it:

sed -i -e 's;POS_ADMIN_PASSWORD=.*$;POS_ADMIN_PASSWORD='`echo "new_password" | openssl enc -aes128 -kfile "/etc/SLEPOS/salt.key" -a`';' /etc/SLEPOS/adminserver.conf
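After the rotation above, two things are worth verifying before slapd is started again: that every rootpw line was actually rewritten, and that none of them still carries a cleartext value. The script below is an added example and not part of the SUSE guide. It applies the same replacement to a slapd.conf-style file given as a parameter and checks the result; the file content and the {SSHA} value it uses are constructed for illustration, and on a real server the hash comes from slappasswd -s as in the procedure.

```shell
#!/bin/sh
# Added example (not SUSE's code): rewrite rootpw in a slapd.conf-style file
# and verify that no cleartext rootpw value remains.

# Replace every "rootpw <value>" line in $1 with the hashed value in $2.
# ';' is a safe sed delimiter: slappasswd output ({SSHA}base64) never contains it.
set_rootpw() {
    conf=$1
    hash=$2
    sed -i -e "s;^\([[:space:]]*rootpw[[:space:]]\{1,\}\).*$;\1${hash};" "$conf"
}

# Count the rootpw lines in $1 (the guide expects two on an Administration Server).
count_rootpw() {
    grep -c '^[[:space:]]*rootpw[[:space:]]' "$1"
}

# Return 0 when every rootpw line carries a {SCHEME}-prefixed hash,
# 1 when a line holds a cleartext password or no rootpw line exists.
rootpw_all_hashed() {
    conf=$1
    [ "$(count_rootpw "$conf")" -gt 0 ] || return 1
    ! grep '^[[:space:]]*rootpw[[:space:]]' "$conf" \
        | grep -qv 'rootpw[[:space:]]\{1,\}{[A-Za-z0-9]\{1,\}}'
}

# Demonstration on a constructed slapd.conf fragment (not a real configuration).
demo_rootpw_rotation() {
    tmp=$(mktemp)
    printf 'database bdb\nsuffix "o=myorg,c=us"\nrootpw secret123\n' > "$tmp"
    printf 'database bdb\nsuffix "cn=config"\nrootpw {SSHA}oldhash\n' >> "$tmp"
    rootpw_all_hashed "$tmp" || echo "before: cleartext rootpw present"
    # On a live server: hash=$(slappasswd -s "new_password")
    set_rootpw "$tmp" '{SSHA}ZmFrZWhhc2g='     # constructed placeholder hash
    rootpw_all_hashed "$tmp" && echo "after: $(count_rootpw "$tmp") rootpw lines, all hashed"
    rm -f "$tmp"
}

demo_rootpw_rotation
```

Run rootpw_all_hashed against /etc/openldap/slapd.conf between steps 2 and 3 of the procedure; a cleartext rootpw is readable by anyone who can read the file, so the check is cheap insurance before the directory is brought back up.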

4.2 Initializing the LDAP Directory with posInitAdminserver

All system information (system structure, the configuration and deployment method for each Branch Server, available system images, and Point of Service terminal types) is stored in an LDAP directory on the Administration Server.

SUSE Linux Enterprise Point of Service uses the OpenLDAP directory service. The posInitAdminserver command defines the LDAP directory schema and the initial records for OpenLDAP. The SUSE Linux Enterprise Point of Service LDAP directory can coexist with other OpenLDAP directories; certain limitations still apply, however. For these limitations, see Note: Limitations of Shared OpenLDAP Service.

To create the SUSE Linux Enterprise Point of Service LDAP directory for OpenLDAP:

  1. After installing the Administration Server, log in as root.

  2. Configure the firewall running on the Administration Server to allow traffic on the LDAP and LDAPs ports, 389 TCP/UDP and 636 TCP/UDP, respectively. Do this by using the YaST Firewall module (yast2 firewall).

  3. Run posInitAdminserver.

  4. Specify your organization/company name without spaces or special characters.

  5. Specify the two-letter code of your country, de for Germany, us for United States, uk for United Kingdom, and so forth.

  6. Specify the alphanumeric LDAP administrator password. The Branch Server uses this account to access the LDAP directory and to run posAdmin for adding objects to the LDAP directory.

  7. Determine if you want to use SSL when the Branch Server connects to the LDAP directory on the Administration Server. By default, SSL is used.

    • Select Y to use an SSL connection when the Branch Server connects to the LDAP Directory.

    • Select N to disable SSL.

    Important: Securing Your Server Communication

    Using SSL/TLS to secure the connections between Administration Server and Branch Servers is highly recommended.

    The Administration Server uses the YaST CA Management interface for issuing and managing SSL certificates. This provides the standardized SUSE Linux Enterprise Server interface to SSL management and allows viewing and modification of the SUSE Linux Enterprise Point of Service SSL certificates in the YaST CA Management module.

    Note: Changing CA Certificate

    When CA certificate is changed, public part must be redistributed to individual Branch Servers and all LDAP servers (on the Administration Server and individual Branch Servers) must be restarted to accommodate this change.

    The keys and certificates are located in the /etc/SLEPOS/keys directory on both the Administration and Branch Servers.

  8. To initialize SUSE Manager integration, confirm Enable SUSE Manager integration when asked. After that, the SUSE Manager host address, user name and password can be entered. The user name and password for the Administration Server are stored in adminserver.conf.

    The SUSE Manager password for branch users is given by the userPassword attribute of the appropriate scLocation. The user name is derived from its dn by replacing ',cn=', ',ou=' and similar with '.'; for example, cn=mybranch1,ou=myorgunit1,o=myorg,c=us becomes mybranch1.myorgunit1.myorg.us. The SUSE Manager host name is stored in the scSUSEManager attribute of scHardware.

    Note that terminal images used with SUSE Manager must include the suse_manager_client_registration package. In the default config.xml it is commented out.

    Note: Use SUSE Manager 2.1 to Manage POS Terminals

    Since the current version of SUSE Linux Enterprise Point of Service does not support the SUSE Manager 3 API, SUSE Manager 2.1 must be used for managing POS terminals, including those based on SUSE Linux Enterprise 12 SP2/SP3.

  9. If there is an existing OpenLDAP database, posInitAdminserver asks for the password of the configuration database of the existing OpenLDAP directory. If the existing OpenLDAP configuration should not be preserved, enter an empty string; posInitAdminserver then asks for confirmation.

  10. posInitAdminserver provides a summary of the LDAP directory data based on your input. If all data is correct, press Enter.

    If there is something wrong with the input data, abort the installation by pressing Ctrl+C.

  11. The command initializes the basic LDAP database structure and performs some tests, then displays a summary of the configuration and test results. When the tests are successfully completed, the command displays a confirmation alert.

Note: Limitations of Shared OpenLDAP Service

The SUSE Linux Enterprise Point of Service LDAP directory does not require custom OpenLDAP configuration and can add itself as a separate directory. However, the following limitations apply:

  • The OpenLDAP directory must use the configuration database (cn=config) as its primary configuration (it must not use the static /etc/openldap/slapd.conf configuration file). Merely enabling the configuration database is not sufficient, because ACLs for individual branch locations would then not survive an OpenLDAP service restart. They can, however, be re-created by running posAdmin --refresh.

  • If the existing OpenLDAP configuration is not set to use SSL, SUSE Linux Enterprise Point of Service cannot work with SSL and vice versa. The posInitAdminserver script will however detect and use the right CA certificate when SSL is used and it will distribute the certificate to branch locations.

  • Existing LDAP directories cannot use the same suffix as the SUSE Linux Enterprise Point of Service LDAP directory. SUSE Linux Enterprise Point of Service uses o=<organization>,c=<country> by default.

Note: Unresolvable Host Name

When posInitAdminserver detects that Administration Server's host name is unresolvable, the script automatically adds it to /etc/hosts as 127.0.0.1.

After you run posInitAdminserver, the LDAP directory is initialized on the Administration Server and the LDAP service is available. At this point, you should have a basic tree structure with a root, a Country container, and an Organization container.

You can verify that the LDAP structure is accessible via the ldapsearch command. Use a syntax similar to the first example when using SSL. For setups without SSL, use a syntax similar to the second example.

ldapsearch -x -H ldaps://administration_server_name -b o=myorg,c=us -s base -D cn=admin,o=myorg,c=us -w password
ldapsearch -x -H ldap://administration_server_name -b o=myorg,c=us -s base -D cn=admin,o=myorg,c=us -w password

Tip: Setting the LDAP Debugging Level

Turn on a more verbose output for the ldapsearch command by enabling the debug option with -d1.

4.3 Creating Point of Service Images

Before you can deploy Point of Service terminals, you must first create image files that contain the operating system and application files required to boot the terminals.

SUSE Linux Enterprise Point of Service provides image templates that can be customized and generated using the Image Creator tool. If you select the Image Server pattern during the Administration Server installation, the image creation utilities (Image Creator and KIWI) are installed on the Administration Server along with all the files and directories required to create Point of Service images. For a detailed, step-by-step introduction to building SUSE Linux Enterprise Point of Service images using Image Creator, refer to Section 8.1, “Building Images with the Image Creator Tool”.

After you have created the images required for your Point of Service terminals, you must copy the images to the appropriate directories on the Administration Server so that the rsync service can transmit the images to the Branch Server. Depending on whether the Administration Server and the Image Building Server are on the same machine (or whether the images are built on a dedicated Image Building Server), use the different copy procedures outlined in Section 4.5, “Copying the System Image Files”.

To deploy a new image version, for example an image with updated packages from online repositories, follow these steps:

  1. Build new images as described in Section 8.1, “Building Images with the Image Creator Tool”.

  2. Deploy boot images as described in Section 4.4, “Copying the Boot Image Files”.

  3. Deploy system images as described in Section 4.5, “Copying the System Image Files”.

  4. Synchronize with the Branch Server via the possyncimages command (see Section 4.6.2.8, “Activating Images” for more information).

4.4 Copying the Boot Image Files

This section explains how to copy the default boot images (initrd and the Linux kernel file) to the appropriate directories on the Administration Server, so they are ready to be transferred to the Branch Servers.

If the images have been built on the same machine, use the registerImages command to copy and register them in LDAP.

If the images have been built on a dedicated Image Building Server, use the following command on the Administration Server to copy the images: registerImages --include-boot user@imageserver:/var/lib/SLEPOS/system/images/image_name/. For more information, see Section 4.7.1, “The registerImages Command”.

Alternatively, you can copy the images manually using the cp command or your favorite file browser, or, if built on a dedicated Image Building Server, scp.

4.4.1 Deploying Boot Images with a New Kernel Version

If you build images with a new kernel version, you can preserve the old file names and overwrite the existing images. In such a case, there is no need to update objects in the LDAP database.

Alternatively, you can copy the new kernel and initrd to /srv/SLEPOS/boot with new file names (for example initrd-2.6.27.25.gz and linux-2.6.27.25). In such a case, you must create a new scDistributionContainer object (see Section 11.5.7, “scDistributionContainer”) and add a new scPosImage object to it (see Section 4.5.1, “Deploying New Versions of System Images”).

4.5 Copying the System Image Files

System images must be located in the /srv/SLEPOS/image directory on the Administration Server. The boot image must be located in /srv/SLEPOS/boot. The Branch Servers can then download the image files and deploy them on Point of Service terminals.

If the images have been built on the same machine, use the registerImages command to copy and register them in LDAP.

If the images have been built on a dedicated Image Building Server, use the following command on the Administration Server to copy the images: registerImages --include-boot user@imageserver:/var/lib/SLEPOS/system/images/image_name/. For more information, see Section 4.7.1, “The registerImages Command”.

Alternatively, you can copy the images manually using the cp command or your favorite file browser, or, if built on a dedicated Image Building Server, scp.

4.5.1 Deploying New Versions of System Images

If you build new system images, you can preserve old file names and overwrite existing images. In such a case, there is no need to update objects in the LDAP database.

Alternatively, you can copy the new image to a file with a new version number. You must then add the new version to the related scPosImage in the LDAP database. This can be done via the scPosImageVersion attribute of the scPosImage object or via a new scImageVersion object (for more information, see Section 4.6.2.8, “Activating Images”).

You can also use a new name and version number. In such a case, you must create a new scPosImage (see Section 4.6.2.6, “Adding an scPosImage Object”). If the new image uses a different kernel version, the new scPosImage must be added to the corresponding scDistributionContainer.

4.6 Creating the Required LDAP Structure

The necessary LDAP objects for branches, terminals, and global roles must be created.

4.6.1 Creating Branch Server Objects in LDAP

Before you can configure and deploy a Branch Server, you must first create the necessary objects in the LDAP directory stored on the Administration Server. All posAdmin calls must be executed on the Administration Server. The required objects are described in the following subsections.

Note: LDAP Object Attributes

Each LDAP object has two types of attributes: must and may attributes. The must attributes are required for an object; the may attributes are optional. The tables in this section list only those may attributes that are relevant to SUSE Linux Enterprise Point of Service.

4.6.1.1 Creating organizationalUnit Objects

In a SUSE Linux Enterprise Point of Service system, Organizational Unit (organizationalUnit) objects are containers that typically represent regions, divisions, or branches within a company. These objects can be nested to visually represent the structure and organization of your company. Branch location objects are created in organizationalUnit containers within the LDAP directory. Use only alphanumeric characters for ou objects.

Here is the posAdmin command syntax for adding an Organizational Unit object in LDAP (type the command all on one line):

    posAdmin --base base_context --add --organizationalUnit --ou ou_name [--description 'string']

Section 11.5.1, “organizationalUnit” summarizes the Organizational Unit object attributes.

For example, the following command adds the myorgunit Organizational Unit to the LDAP directory and gives it the description main headquarters:

posAdmin --base o=myorg,c=us --add --organizationalUnit --ou myorgunit --description 'main headquarters'

The LDAP context of the newly created organizationalUnit is the ou=myorgunit,o=myorg,c=us directory.

4.6.1.2 Adding an scLocation Object

An scLocation object is typically used to represent a branch office (a site where a Branch Server and Point of Service terminals are located). scLocation containers are used to store information about the deployed Branch Servers and Point of Service terminals. This and all other information that can be modified on the Branch Server should be stored or referenced in the Location containers, so that write privileges need to be granted only to those subtrees rather than to the directory as a whole.

Section 11.5.10, “scLocation” summarizes the posAdmin command options for scLocation object attributes.

Here is the posAdmin command syntax to add an scLocation object in LDAP (type the command all on one line):

    posAdmin --base base_context --add --scLocation --cn location_name
    --ipNetworkNumber network_address --ipNetmaskNumber subnet_mask
    --scDhcpRange ip_address,ip_address --scDhcpFixedRange ip_address,ip_address
    --scDefaultGw ip_address --scDynamicIp TRUE | FALSE --scDhcpExtern TRUE | FALSE
    --scWorkstationBaseName string --scEnumerationMask number
    --userPassword branchpassword

The following command adds an scLocation named harbor to the LDAP directory (type the command all on one line):

posAdmin --base ou=myorgunit,o=myorg,c=us --add --scLocation --cn harbor
--ipNetworkNumber 192.168.1.0 --ipNetmaskNumber 255.255.255.0
--scDhcpRange 192.168.1.10,192.168.1.54
--scDhcpFixedRange 192.168.1.55,192.168.1.88
--scDefaultGw 192.168.1.1
--scDynamicIp TRUE --scDhcpExtern FALSE
--scWorkstationBaseName CR --scEnumerationMask 000
--userPassword branchpassword

Note: Network Autoconfiguration

In case of network autoconfiguration, the scDhcpRange and scDhcpFixedRange parameters can be omitted. For the autoconfiguration option when defining ipNetmaskNumber and ipNetworkNumber, see Section 5.1, “Branch Server Network Configuration”.
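The scLocation object carries the subnet, both DHCP ranges and the default gateway for a branch, and a Branch Server configured from inconsistent values (a range outside its own subnet, reversed endpoints, dynamic and fixed ranges that overlap) is awkward to debug once terminals start booting. The script below is an added example and not part of the SUSE guide: it checks those values before they are handed to posAdmin. The consistency rules it applies are my own sanity checks for a DHCP subnet, not rules stated in the guide, and the sample values are the harbor example from this section.

```shell
#!/bin/sh
# Added example (not SUSE's code): sanity-check the network values of an
# scLocation before posAdmin writes them to LDAP.
# Usage: check_sclocation_ranges NETWORK NETMASK DYN_FROM,DYN_TO FIXED_FROM,FIXED_TO GATEWAY
# Exit status 0 when consistent; otherwise each finding is printed and status is 1.
# All arithmetic is done in awk so it also works in shells without 64-bit $(( )).
check_sclocation_ranges() {
    printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" | awk '
    function ip2int(s,    q) {
        split(s, q, ".")
        return q[1] * 16777216 + q[2] * 65536 + q[3] * 256 + q[4]
    }
    # fills r[1], r[2] with the integer endpoints of "a.b.c.d,e.f.g.h"
    function range(s, r,    q) {
        split(s, q, ",")
        r[1] = ip2int(q[1]); r[2] = ip2int(q[2])
    }
    {
        net = ip2int($1); mask = ip2int($2)
        bcast = net + (4294967295 - mask)   # last address of the subnet
        gw = ip2int($5)
        split("", dyn); split("", fix)
        range($3, dyn); range($4, fix)
        ok = 1
        if (dyn[1] > dyn[2] || fix[1] > fix[2]) {
            print "range endpoints are reversed"; ok = 0
        }
        # usable host addresses exclude the network and broadcast addresses
        if (dyn[1] <= net || dyn[2] >= bcast || fix[1] <= net || fix[2] >= bcast) {
            print "a DHCP range leaves the subnet " $1 "/" $2; ok = 0
        }
        if (gw <= net || gw >= bcast) {
            print "default gateway " $5 " is outside the subnet"; ok = 0
        }
        if (dyn[1] <= fix[2] && fix[1] <= dyn[2]) {
            print "scDhcpRange and scDhcpFixedRange overlap"; ok = 0
        }
        exit (ok ? 0 : 1)
    }'
}

# The harbor example from this section: 192.168.1.0/24, dynamic .10-.54,
# fixed .55-.88, gateway .1
check_sclocation_ranges 192.168.1.0 255.255.255.0 \
    192.168.1.10,192.168.1.54 192.168.1.55,192.168.1.88 192.168.1.1 \
    && echo "harbor: scLocation network values are consistent"
```

Call it with the same five values you are about to pass as --ipNetworkNumber, --ipNetmaskNumber, --scDhcpRange, --scDhcpFixedRange and --scDefaultGw; when network autoconfiguration is used and the ranges are omitted, there is nothing to check.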

4.6.1.3 Adding an scServerContainer and scBranchServer Objects

There must be an scBranchServer object for every Branch Server in the system. These objects store configuration information that is specific to each Branch Server.

An scBranchServer object contains information about hardware, at least one defined network card, and services like FTP, TFTP, DNS and DHCP. It is located under an scLocation object in the LDAP tree.

Important: Defining the Branch Server Host Name

The location of the scBranchServer object in the LDAP directory must correspond to the host name defined for the Admin/Branch Server during installation. For example, if the host name is bs.mybranch.myorgunit.myorg.us, the dn of the scBranchServer object would be cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us.
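Two names on this page are derived mechanically from others: the SUSE Manager branch user name is the scLocation dn with ',cn=', ',ou=' and similar replaced by '.' (Section 4.2), and the scBranchServer dn must mirror the Branch Server host name as the note above describes. The script below is an added example, not code from the SUSE guide, that performs both derivations and checks an existing dn against a host name. It generalizes the guide's single-OU example to any number of nested organizationalUnits, under the assumption that the host name labels read, leaf to root, host, branch, one or more OUs, organization and country.

```shell
#!/bin/sh
# Added example (not SUSE's code): derive names the guide says must agree.
#  - SUSE Manager branch user name from an scLocation dn (Section 4.2)
#  - expected scBranchServer dn from the Branch Server host name (this section)
# Generalizes the guide's single-OU example to any depth of nested organizationalUnits.

# cn=mybranch1,ou=myorgunit1,o=myorg,c=us -> mybranch1.myorgunit1.myorg.us
manager_user_from_dn() {
    printf '%s\n' "$1" | sed -e 's/^[A-Za-z]*=//' -e 's/,[A-Za-z]*=/./g'
}

# bs.mybranch.myorgunit.myorg.us -> cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
# Labels are read leaf to root: host, branch, one or more OUs, organization, country.
# Fails (status 1) when fewer than five labels are present.
branchserver_dn_from_host() {
    printf '%s\n' "$1" | awk -F. '
        NF < 5 { exit 1 }
        {
            dn = "cn=" $1 ",cn=server,cn=" $2
            for (i = 3; i <= NF - 2; i++) dn = dn ",ou=" $i
            print dn ",o=" $(NF - 1) ",c=" $NF
        }'
}

# Check that an existing scBranchServer dn matches the host name; prints the
# expected dn on mismatch so the operator can see what posAdmin should have created.
verify_branchserver_dn() {
    host=$1
    dn=$2
    expected=$(branchserver_dn_from_host "$host") \
        || { echo "host name $host has too few labels"; return 1; }
    if [ "$expected" = "$dn" ]; then
        return 0
    fi
    echo "dn mismatch for $host: expected $expected, found $dn"
    return 1
}

# Demonstration with the guide's sample names (no LDAP access needed).
manager_user_from_dn 'cn=mybranch1,ou=myorgunit1,o=myorg,c=us'
branchserver_dn_from_host bs.mybranch.myorgunit.myorg.us
verify_branchserver_dn bs.mybranch.myorgunit.myorg.us \
    'cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us' && echo "dn matches host name"
```

Running verify_branchserver_dn with the host name set during installation and the dn you are about to pass to posAdmin catches the mismatch before the Branch Server is initialized against an object it will never find.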

To add an scBranchServer object to the LDAP directory with posAdmin, proceed as follows:

  1. Before you can add the scBranchServer to an scLocation object, you must define an scServerContainer, using the --scServerContainer and common name (--cn) options. For example (type the command all on one line):

    posAdmin
    --base cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scServerContainer --cn server

  2. In the new scServerContainer, add a Branch Server object, using the --scBranchServer and common name (--cn) options. For example (type the command all on one line):

    posAdmin
    --base cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scBranchServer --cn bs

    You can also define the reference hardware with the --scRefServerDn option, a pointer (Distinguished Name) to the global directory.

  3. Add a network interface card (with a static IP address from the subnet defined in the scLocation object) using the --scNetworkcard option and the --scDevice and --ipHostNumber attributes. For example (type the command all on one line):

    posAdmin --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scNetworkcard --scDevice eth0 --ipHostNumber 192.168.1.1

    Section 11.5.11, “scNetworkcard” summarizes the posAdmin command options for scNetworkcard attributes.

  4. Set up the Branch Server services. At a minimum, define the required DNS, TFTP or FTP, DHCP and posleases services.

    Note: Using FTP or TFTP

    Most current Wi-Fi networks do not support multicast correctly and switch to the lowest available network speed when multicast TFTP is used. Unless you are using access points that support high-speed multicast over Wi-Fi, it is recommended to use FTP instead of multicast TFTP on such networks.

    The following example demonstrates how to add the DNS service:

    posAdmin
    --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scService --cn dns  --ipHostNumber 192.168.1.1
    --scDnsName dns --scServiceName dns --scServiceStartScript named
    --scServiceStatus TRUE

    The following example demonstrates how to add the DHCP service:

    posAdmin
    --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scService --cn dhcp  --ipHostNumber 192.168.1.1
    --scDnsName dhcp --scServiceName dhcp
    --scDhcpDynLeaseTime 300 --scDhcpFixedLeaseTime 14400
    --scServiceStartScript dhcpd --scServiceStatus TRUE

    The following example demonstrates how to add the TFTP service:

    posAdmin
    --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scService --cn tftp  --ipHostNumber 192.168.1.1
    --scDnsName tftp  --scServiceName tftp
    --scServiceStartScript atftpd  --scServiceStatus TRUE

    The following example demonstrates how to add the FTP service:

    posAdmin
    --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scService --cn ftp  --ipHostNumber 192.168.1.1
    --scDnsName tftp  --scServiceName ftp
    --scServiceStartScript pure-ftpd  --scServiceStatus TRUE

    The following example demonstrates how to add the posleases service:

    posAdmin
    --base cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us
    --add --scService --cn posleases --scDnsName posleases
    --scServiceName posleases
    --scPosleasesTimeout 10 --scPosleasesChecktime 40
    --scPosleasesMaxNotify 6 --scServiceStartScript posleases2ldap
    --scServiceStatus TRUE

    Section 11.5.16, “scService” summarizes the posAdmin command options for the scService object attributes.

Note: Omitting ipHostNumber

The ipHostNumber attribute can be omitted if the service uses the same IP address as the Branch Server.

4.6.2 Creating Point of Service Terminal Objects in LDAP

The configuration parameters for each Point of Service terminal are stored in the central LDAP directory on the Administration Server. Every Point of Service terminal has its own Workstation object (scWorkstation) in the LDAP tree. The Workstation object is automatically created when a Point of Service terminal registers on the Branch Server. posleases2ldap uses information from the Hardware Reference object (scCashRegister) and the Image Reference object (scPosImage) to create the Workstation object. For more information on this process, see Section 6.3.3, “The hwtype.MAC.HASH File”.

Before you can boot the Point of Service terminals, use posAdmin to create the objects described in the following subsections in the LDAP directory (see also Section 11.2, “Using posAdmin to Manage the LDAP Directory”).

With posAdmin, you can add, remove, and modify Point of Service terminal hardware assets such as Point of Service terminals, hard disks, network interface cards, and configuration files with the use of reference objects in the LDAP directory. Hardware reference objects are typically located in the global container in the LDAP directory.

Note: LDAP Attributes

Each LDAP object has two types of attributes: must and may attributes. The must attributes are the minimum requirements for an object; the may attributes are optional.

4.6.2.1 Adding an scCashRegister Object

An associated object representing the cash register must exist in the LDAP database. This scCashRegister object can either represent a specific machine or a generic machine. The generic object is used if a specific image is not found for the given machine. In both cases, the scCashRegister must have a hardware subobject like scRamDisk or scHarddisk which specifies where and how the image should be deployed.

The name of a machine is located in the uploaded hwtype.MAC.HASH file under a HWTYPE entry. For more information, see Section B.2, “Core Script Process”.

Note: Creating Default scCashRegister Objects

To create a default scCashRegister object, define the object's scCashRegisterName attribute as default. This scCashRegister will then be used to register all machines for which no specific scCashRegister exists.

Define only one default scCashRegister object in the Global container.

The scCashRegister objects are stored in the Global container so they can be accessed by all Branch Servers.

Note: Defining a System Image for a Point of Service Terminal

A specific system image can be defined in the scWorkstation object. The setting in the scWorkstation object overrides the default image defined in the scCashRegister object. For information on this procedure, see Section 4.6.2.9, “Assigning an Image to a Point of Service Terminal”.

Section 11.5.3, “scCashRegister” summarizes the posAdmin command options for scCashRegister object attributes.

To add an scCashRegister object for a specific machine (for example with a specific HWTYPE=cshr4152), use the following command (note the scCashRegisterName value and the image reference in --scPosImageDn):

posAdmin --base cn=global,o=myorg,c=us --add --scCashRegister --cn cr-test --scCashRegisterName cshr4152 --scPosImageDn cn=myGraphical_test,cn=default,cn=global,o=myorg,c=us

To add an scCashRegister object for a generic machine, use the following command (note that the scCashRegisterName is default):

posAdmin --base cn=global,o=myorg,c=us --add --scCashRegister --cn cr-test-default --scCashRegisterName default --scPosImageDn cn=myGraphical_test,cn=default,cn=global,o=myorg,c=us

To add a RAID definition to an existing cash register raidCR (under a local role, using one disk specified by id and another by device name), use the following command:

posAdmin --DN cn=raidCR,cn=myrole,cn=rolecontainer,cn=mybranch,ou=myorgunit,o=myorg,c=us --modify --scCashRegister --scRaidScheme '1 /dev/disk/by-id/ata-ST3160815AS_Z4A1ATWL /dev/sdc'

4.6.2.2 Adding an scRamDisk Object

The scRamDisk object stores configuration information for a Point of Service terminal RAM disk. If no hard disk is available, you must configure a RAM disk for the Point of Service terminal.

Section 11.5.13, “scRamDisk”, summarizes the posAdmin command options for scRamDisk object attributes.

When deploying to the RAM disk of a specific machine, use:

posAdmin --base cn=cshr4152,cn=global,o=myorg,c=us --add --scRamDisk --cn ram --scDevice /dev/ram1

When deploying to the RAM disk of the generic machine from the previous section, use:

posAdmin --base cn=cr-test-default,cn=global,o=myorg,c=us --add --scRamDisk --cn ram --scDevice /dev/ram1

The size of the RAM disk is controlled by kernel parameters ramdisk_size (default value 400000) and ramdisk_blocksize (default value 4096).

4.6.2.3 Adding an scHarddisk Object

The scHarddisk object stores configuration information for a Point of Service terminal hard disk. The attributes of this object are described in Section 11.5.8, “scHarddisk”.

When deploying to the hard disk, the partition table must be specified using the scPartition objects:

posAdmin --base cn=cshr4152,cn=global,o=myorg,c=us
--add --scHarddisk --cn sda --scDevice /dev/sda --scHdSize 10000

posAdmin --base cn=sda,cn=cshr4152,cn=global,o=myorg,c=us
--add --scPartition --scPartNum 0 --scPartType 83 --scPartMount /srv/SLEPOS --scPartSize 1000

posAdmin --base cn=sda,cn=cshr4152,cn=global,o=myorg,c=us
--add --scPartition --scPartNum 1 --scPartType 82 --scPartMount x --scPartSize 1000

posAdmin --base cn=sda,cn=cshr4152,cn=global,o=myorg,c=us
--add --scPartition --scPartNum 2 --scPartType 83 --scPartMount '/' --scPartSize 7000

Of course, you can also use further attributes of the scPartition object. For example, to add a fourth partition that is encrypted using the password mypassword and carries a description, use:

posAdmin --base cn=sda,cn=cshr4152,cn=global,o=myorg,c=us
--add --scPartition --scPartNum 3  --scPartType 83 --scPartMount '/data' --scPartSize 1000
--scPassword 'mypassword' --description 'partition for classified data'

Note that the scPartNum attribute is there only to define relative order of the partitions (the first partition with scPartNum 0, scPartType 83 and scPartMount /srv/SLEPOS is the service partition).

The minimum size of the service partition sufficient for wireless operation is 200 MB. However, the service partition is also used for downloading compressed images with the multicast option and will be used for other purposes in the future. The recommended size of the service partition is 20 GB.

If booting from the service partition is required (for example when wireless operation or offline deployment is used), grub must be included in the initrd. This can be accomplished by adding <package name="grub" bootinclude="true"/> to the config.xml file or by adding grub to the list of packages to include in the boot image via Image Creator.

The service partition cannot be encrypted.

For more information about the scPartition object and its attributes, see Section 11.5.20, “scPartition”. For more information about disk encryption, see Section 10.5.5, “Using Encrypted Partitions on Terminals”.

When deploying to the hard disk of a generic machine (from example used in Section 4.6.2.1, “Adding an scCashRegister Object”), simply use cn=cr-test-default instead of cn=cshr4152.
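The scHarddisk and scPartition objects above are written one posAdmin call at a time, and nothing in the sequence stops you from a layout that overruns scHdSize, lacks the service partition, undersizes it or marks it encrypted. The script below is an added example, not part of the SUSE guide, that checks a planned layout against the rules this section states (total size against scHdSize, a partition with scPartNum 0, scPartType 83 and scPartMount /srv/SLEPOS, the 200 MB minimum and 20 GB recommendation, no encryption on the service partition) before the objects are created. The plan format is my own; the sample plan reproduces the cshr4152 layout from this section, and sizes are assumed to be in the same unit as scHdSize and scPartSize (taken here as MB).

```shell
#!/bin/sh
# Added example (not SUSE's code): check a planned scHarddisk/scPartition layout
# against the rules in this section before the posAdmin calls are issued.
# Plan lines: scPartNum scPartType scPartMount scPartSize encrypted(yes|no)
# Sizes are in the unit posAdmin uses for scHdSize/scPartSize (assumed to be MB).
# Usage: check_partition_plan SCHDSIZE < plan ; status 0 when the plan passes.
check_partition_plan() {
    awk -v hdsize="$1" '
    BEGIN { ok = 1 }
    /^[[:space:]]*(#|$)/ { next }             # skip comments and blank lines
    {
        n++
        total += $4
        if ($1 == 0) {                         # candidate service partition
            svc = 1; svc_type = $2; svc_mount = $3; svc_size = $4; svc_enc = $5
        }
    }
    END {
        if (n == 0) { print "empty plan"; exit 1 }
        if (total > hdsize) {
            print "partitions need " total " but scHdSize is " hdsize; ok = 0
        }
        if (!svc || svc_type != 83 || svc_mount != "/srv/SLEPOS") {
            print "missing service partition (scPartNum 0, scPartType 83, scPartMount /srv/SLEPOS)"
            ok = 0
        } else {
            if (svc_size < 200) { print "service partition is below the 200 MB minimum"; ok = 0 }
            if (svc_size < 20000) { print "note: service partition is below the recommended 20 GB" }
            if (svc_enc == "yes") { print "service partition cannot be encrypted"; ok = 0 }
        }
        exit (ok ? 0 : 1)
    }'
}

# The layout from this section: scHdSize 10000 with service, swap, root and an
# encrypted data partition (constructed plan mirroring the posAdmin examples above).
sample_plan() {
    cat <<'EOF'
# scPartNum scPartType scPartMount scPartSize encrypted
0 83 /srv/SLEPOS 1000 no
1 82 x          1000 no
2 83 /          7000 no
3 83 /data      1000 yes
EOF
}

sample_plan | check_partition_plan 10000 && echo "plan fits scHdSize and the service partition rules"
```

The encrypted flag corresponds to giving the partition an scPassword; the check refuses it only on the service partition, which the section says cannot be encrypted, and leaves the data partition alone.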

4.6.2.4 Adding an scConfigFileTemplate Object

scConfigFileTemplate objects are used when running services, such as the X Window service, that require hardware-dependent configuration files. An scConfigFileTemplate object contains the configuration file data that a Point of Service terminal needs to run a given service.

To define the scConfigFileTemplate object with the posAdmin command, you pass the file containing the configuration data as the --scConfigFileData parameter. posAdmin then reads that file and stores its contents in the scConfigFileData attribute of the scConfigFileTemplate object.

When a Point of Service terminal registers with a Branch Server, when you run pos dump-all or pos dump-ws, or when you force an update via scConfigUpdate, the Branch Server retrieves the configuration data in the scConfigFileTemplate object to create a configuration file in the /srv/tftpboot/KIWI/MAC/ directories on the Branch Server. The configuration file name is the same as the cn of the respective LDAP entry.

Using TFTP, the configuration file is then distributed from the Branch Server to the appropriate Point of Service terminals at boot time.

Note
Note: Assigning Configuration Files to Point of Service Terminals

The scCashRegister or scPosImage object under which the scConfigFileTemplate object is created determines which Point of Service terminals receive the configuration file.

If the scConfigFileTemplate object is defined under an scCashRegister object, all terminals that correspond to the type defined in the scCashRegister object receive the configuration file defined in the scConfigFileTemplate object.

If the scConfigFileTemplate object is defined under an scPosImage object, all terminals that load the system image that corresponds to the scPosImage object receive the configuration file defined in the scConfigFileTemplate object.

Be aware that in this case the posAdmin command does more than just literal insertion of the data specified on the command line. If you want to use some other tool (for example, GQ) to define the scConfigFileTemplate object, you must directly add the configuration data as the scConfigFileData attribute, not the path to the file containing it. Also keep in mind that the name of the created configuration file is the cn of the respective scConfigFileTemplate object, so ensure that these objects are named differently. This can become an issue when, for example, one configuration object is assigned to the scCashRegister object and another with the same name to the scPosImage object.

Section 11.5.4, “scConfigFileSyncTemplate” summarizes the posAdmin command options for scConfigFileTemplate object attributes.

The following example adds an scConfigFileTemplate object below the Hardware Reference object, crtype3 (type the command all on one line):

posAdmin --base cn=crtype3,cn=global,o=myorg,c=us
--add --scConfigFileTemplate --cn xorg.conf
--scConfigFile /etc/X11/xorg.conf --scMust TRUE
--scBsize 1024 --scConfigFileData /mydata/xorg.conf.1234567

Configuration files defined by scConfigFileTemplate and scConfigFileSyncTemplate objects and referenced on the configuration line in the config.MAC file are always checked with regard to the list of deployed configuration files on the terminal (in /etc/KIWI/InstalledConfigFiles). This ensures that all defined configuration files exist on the terminal and that the configuration files removed from the configuration line are also deleted from the terminal.

The content of the configuration files is not checked.

4.6.2.5 Adding an scConfigFileSyncTemplate Object

scConfigFileSyncTemplate objects are used when running services that require hardware-dependent configuration files, for example, the X Window service. The scConfigFileSyncTemplate object points to the configuration file that a Point of Service terminal needs to run a given service. This object differs from scConfigFileTemplate objects because the configuration data is not stored in the object; the object points to a configuration file outside the LDAP directory.

When a Point of Service terminal registers with a Branch Server, or when you run pos dump-all or pos dump-ws, or when you force an update via scConfigUpdate, the Branch Server first uses rsync to synchronize the configuration files in the /srv/SLEPOS/config directory on the Administration Server with the same directory on the Branch Server. It then copies the relevant configuration files, as specified in the scConfigFileSyncTemplate objects, from the /srv/SLEPOS/config directory to the /srv/tftpboot/KIWI/MAC/ directory. The file names are changed to the respective cn names of the corresponding scConfigFileSyncTemplate LDAP entries.

Important
Important: Location of Configuration Files

Any configuration files referenced in the scConfigFileSyncTemplate object must be located in the /srv/SLEPOS/config/ directory on the Administration Server, otherwise they will not be transferred to the Branch Server.

Using TFTP, the configuration file is then distributed from the Branch Server to the appropriate Point of Service terminals at boot time.

Note
Note: Assigning Configuration Files to Point of Service Terminals

The scCashRegister or scPosImage object under which the scConfigFileSyncTemplate object is created determines which Point of Service terminals receive the configuration file.

If the scConfigFileSyncTemplate object is defined under an scCashRegister object, all terminals that correspond to the type defined in the scCashRegister object receive the configuration file designated in the scConfigFileSyncTemplate object.

If the scConfigFileSyncTemplate object is defined under an scPosImage object, all terminals that load the system image that corresponds to the scPosImage object receive the configuration file designated in the scConfigFileSyncTemplate object.

Also keep in mind that the name of the created configuration file is the cn of the respective scConfigFileSyncTemplate object, so make sure these objects are named differently. This can become an issue when, for example, one configuration object is assigned to the scCashRegister object and another with the same name to the scPosImage object.

Section 11.5.4, “scConfigFileSyncTemplate”, summarizes the posAdmin command options for scConfigFileSyncTemplate object attributes.

The following example adds an scConfigFileSyncTemplate object below the Hardware Reference object, crtype3 (type the command all on one line):

posAdmin
--base cn=crtype3,cn=global,o=myorg,c=us
--add --scConfigFileSyncTemplate --cn xorg.conf
--scConfigFile /etc/X11/xorg.conf --scMust TRUE --scBsize 1024
--scConfigFileLocalPath /srv/SLEPOS/config/xorg.conf.cr3

4.6.2.6 Adding an scPosImage Object

All system images that you want to distribute to Point of Service terminals must have a corresponding scPosImage object in the LDAP directory. These objects are typically organized within Distribution Container objects under the Global container in the LDAP tree.

Note
Note: Referring to Boot Images

Boot images do not have scPosImage objects; they are referenced in the scInitrdName attribute in the scDistributionContainer object (see Distribution Container (scDistributionContainer)).

After the installation and configuration of SUSE Linux Enterprise Point of Service, an scPosImage object is automatically added to the Default Distribution Container for the Minimal image. However, this LDAP entry is only intended to serve as an example. You must manually add an scPosImage object for each system image you want to distribute to Point of Service terminals.

Important
Important

The reference objects for SUSE Linux Enterprise Point of Service images should be created in the Default Distribution Container. It references the current kernel version included and the default booting image in the product and therefore, should store all the scPosImage objects for SUSE Linux Enterprise Point of Service images.

Section 11.5.12, “scPosImage”, summarizes the posAdmin command options for scPosImage object attributes.

The following commands add an scPosImage object into the default container (and set its version via an scImageVersion object):

posAdmin
--base cn=default,cn=global,o=myorg,c=us --add --scPosImage --cn myMinimal
--scImageName myTestMinimal --scDhcpOptionsRemote /boot/pxelinux.0 --scDhcpOptionsLocal LOCALBOOT
--scImageFile myMinimal.i686 --scBsize 8192

posAdmin --base cn=myMinimal,cn=default,cn=global,o=myorg,c=us
--add --scImageVersion --scDisabled FALSE --scVersion 3.4.2

If you already have specified another container as scDistributionContainer, you can also add an scPosImage object to this other container (anothercontainer in this case):

posAdmin
--base cn=anothercontainer,cn=global,o=myorg,c=us --add --scPosImage --cn myMinimal
--scImageName myTestMinimal --scDhcpOptionsRemote /boot/pxelinux.0 --scDhcpOptionsLocal LOCALBOOT
--scImageFile myMinimal.i686 --scBsize 8192

posAdmin --base cn=myMinimal,cn=anothercontainer,cn=global,o=myorg,c=us
--add --scImageVersion --scDisabled FALSE --scVersion 3.4.2

If you want to add a new image version to an existing scPosImage object, see Section 4.6.2.8, “Activating Images”.

4.6.2.7 Adding an scDistributionContainer Object

Each collection of system images built against a specific kernel and initrd must have a corresponding scDistributionContainer object in the LDAP database. Therefore, if deploying a system image built against a new kernel or initrd version, a new scDistributionContainer object must be created.

The scInitrdName attribute of the scDistributionContainer object references the appropriate boot images.

4.6.2.8 Activating Images

Each image can be available in several versions. Each image version can be either enabled (active) or disabled (passive). If more than one version of an image is enabled, the highest version is used. If no version of the image is enabled, no terminal can download and use the image.

The version (and activation) data for each image can be stored in two different places in the LDAP database: in the scPosImageVersion attribute of the relevant scPosImage object, and in the scImageVersion objects placed under it. The scPosImageVersion attribute can hold information about multiple versions, while one scImageVersion object holds information about a single version (but supports more features, such as image encryption). Create more scImageVersion objects to store information about multiple versions.

The scPosImageVersion attribute is considered deprecated and it may become unsupported in the future. For more information, see Appendix C, Deprecated Elements. If the scPosImageVersion attribute and the scImageVersion objects are used together, the data are combined. In case of a conflict, scImageVersion takes precedence.

For more information about the scPosImage object and its scPosImageVersion attribute, see Section 11.5.12, “scPosImage”. For more information about the scImageVersion object, see Section 11.5.19, “scImageVersion”.

The registerImages --ldap command offers a convenient way to add the scImageVersion object. For more information, see Section 4.7.1, “The registerImages Command”.

To add version 2.4.2 manually with posAdmin using the scImageVersion object, run the following command:

posAdmin --base cn=minimal,cn=default,cn=global,o=myorg,c=us
--add --scImageVersion --scDisabled FALSE --scVersion 3.4.2

To activate the new image version on a Branch Server, use possyncimage; pos dump-all.

To deactivate an image activated by the scImageVersion object, use the following command:

posAdmin --modify --scImageVersion --scDisabled TRUE --DN
scVersion=3.4.2,cn=minimal,cn=default,cn=global,o=myorg,c=us

To deactivate an image activated by the scPosImageVersion attribute, use the following command:

posAdmin --modify --multival --scPosImage --scPosImageVersion
'3.4.2;active=>3.4.2;passive' --DN
cn=minimal,cn=default,cn=global,o=myorg,c=us

4.6.2.9 Assigning an Image to a Point of Service Terminal

You can manually assign a specific image to a Point of Service terminal through its scWorkstation object.

The following command assigns version 2.0.4 of the 'myMinimal' image to the CR001 scWorkstation object in the cn=mybranch,ou=myorgunit,o=myorg,c=us location (type the command all on one line):

posAdmin
--modify --scWorkstation
--scPosImageDn cn=myMinimal,cn=default,cn=global,o=myorg,c=us
--scPosImageVersion 2.0.4
--DN cn=CR001,cn=mybranch,ou=myorgunit,o=myorg,c=us

When you explicitly assign an image name (scPosImageDn) and its version (scPosImageVersion) in the scWorkstation entry, the version and active/passive status information in the corresponding scPosImage image object in the global container is ignored. However, if you only assign the image name, the version information in the scPosImage image object is used.
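The selection rules described in Section 4.6.2.8 and in this section (highest enabled version wins, an scImageVersion object overrides the scPosImageVersion attribute on conflict, an explicit scWorkstation assignment bypasses the activation state) applied to constructed data, as an added Python example that is not part of SLEPOS or posAdmin; the dictionary layout standing in for the LDAP entries is this example's own assumption, the attribute names are the ones used in this chapter.

```python
# Added example (not posAdmin code): resolves which image version a terminal
# boots, applying the rules of Section 4.6.2.8 and Section 4.6.2.9 to a
# constructed, simplified view of the LDAP entries (dicts instead of LDAP).

def parse_version(version):
    """Turn '3.4.10' into (3, 4, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.strip().split("."))

def parse_pos_image_version(values):
    """Parse the deprecated multi-valued scPosImageVersion attribute.

    Each value looks like '3.4.2;active' or '3.4.2;passive'.
    Returns {version: enabled}.
    """
    result = {}
    for value in values:
        version, sep, state = value.partition(";")
        state = state.strip().lower()
        if not sep or state not in ("active", "passive"):
            raise ValueError("malformed scPosImageVersion value: %r" % value)
        result[version.strip()] = (state == "active")
    return result

def parse_image_version_objects(objects):
    """Parse scImageVersion child objects (scVersion, scDisabled) into {version: enabled}."""
    result = {}
    for obj in objects:
        disabled = str(obj.get("scDisabled", "FALSE")).strip().upper() == "TRUE"
        result[obj["scVersion"].strip()] = not disabled
    return result

def combined_versions(pos_image):
    """Merge both sources; on a conflict the scImageVersion object wins."""
    versions = parse_pos_image_version(pos_image.get("scPosImageVersion", []))
    versions.update(parse_image_version_objects(pos_image.get("scImageVersion", [])))
    return versions

def active_version(pos_image):
    """Highest enabled version of an scPosImage, or None if none is enabled."""
    enabled = [v for v, on in combined_versions(pos_image).items() if on]
    return max(enabled, key=parse_version) if enabled else None

def resolve_workstation_image(workstation, images):
    """Return (scPosImage DN, version) the terminal would boot, or None."""
    image_dn = workstation.get("scPosImageDn")
    if not image_dn or image_dn not in images:
        return None  # no image assigned, or the DN points nowhere
    pinned = workstation.get("scPosImageVersion")
    if pinned:
        # Explicit DN plus version in scWorkstation: the activation state in
        # the global scPosImage object is ignored, even for a passive version.
        return (image_dn, pinned)
    version = active_version(images[image_dn])
    return (image_dn, version) if version else None

# Constructed sample data mirroring the DNs used in this chapter.
MINIMAL_DN = "cn=minimal,cn=default,cn=global,o=myorg,c=us"
MYMINIMAL_DN = "cn=myMinimal,cn=default,cn=global,o=myorg,c=us"
IMAGES = {
    MINIMAL_DN: {
        # The attribute says 3.4.2 is active, but the scImageVersion object
        # below disables it; the object takes precedence.
        "scPosImageVersion": ["3.4.1;active", "3.4.2;active"],
        "scImageVersion": [
            {"scVersion": "3.4.2", "scDisabled": "TRUE"},
            {"scVersion": "3.4.10", "scDisabled": "FALSE"},
        ],
    },
    MYMINIMAL_DN: {"scPosImageVersion": ["2.0.4;passive"]},
}
WORKSTATIONS = {
    "CR001": {"scPosImageDn": MYMINIMAL_DN, "scPosImageVersion": "2.0.4"},
    "CR002": {"scPosImageDn": MINIMAL_DN},
    "CR003": {"scPosImageDn": MYMINIMAL_DN},
    "CR004": {},
}

if __name__ == "__main__":
    for name, ws in sorted(WORKSTATIONS.items()):
        print(name, resolve_workstation_image(ws, IMAGES))
```

Note that 3.4.10 is chosen over 3.4.2 because versions are compared component by component, not as strings.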

The scWorkstation object is automatically created in the LDAP directory the first time you boot a Point of Service terminal. The posleases2ldap daemon detects new registration (hwtype.MAC(.HASH)) files uploaded by terminals and creates appropriate hardware configuration files (config.MAC), along with the corresponding scWorkstation object.

4.6.2.10 Removing Images

To remove the image assigned to a workstation, run the following command (type the command all on one line):

posAdmin
--modify --scWorkstation --scPosImageDn --scPosImageVersion
--DN cn=CR001,cn=mybranch,ou=myorgunit,o=myorg,c=us

4.7 Copying Images to the Administration Server rsync Directory

Before the rsync service can transmit the images to the Branch Server, system image files must be located in the /srv/SLEPOS directory on the Administration Server. Client images must be located in the /srv/SLEPOS/image directory and the boot images must be located in /srv/SLEPOS/boot.

The registerImages command is provided for copying system image files to the /srv/SLEPOS directory on the Administration Server. This command also provides functions for compressing the images, adding them to LDAP and installing boot images. These procedures can also be performed manually.

4.7.1 The registerImages Command

An image can be registered with the registerImages path/to/image/file command. New versions can be installed later using the registerImages --delta name_of_installed_base_image path/to/image/file command. This generates delta files containing only the necessary changes and thus saves bandwidth when images on the Branch Server are updated via possyncimages.

System image names must follow the KIWI convention: name.arch-N.N.N and name.arch-N.N.N.md5.

For example, you can install an image and register it in LDAP using this command:

registerImages --ldap --move --gzip \
--kernel /var/lib/SLEPOS/system/images/minimal-3.1.5/initrd*.kernel \
--initrd /var/lib/SLEPOS/system/images/minimal-3.1.5/initrd*.splash.gz \
/var/lib/SLEPOS/system/images/minimal-3.1.5/minimal.i686-3.1.5

You can install a new image and create the appropriate delta later, using this command:

registerImages --delta minimal.i686-3.1.5 --ldap --move /var/lib/SLEPOS/system/images/minimal-3.1.6/minimal.i686-3.1.6

For a list of options used by the registerImages command, see Section B.3.10, “registerImages”.
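An added check, not part of registerImages, that validates the name.arch-N.N.N convention from this section and compares an image against its name.arch-N.N.N.md5 companion before the file is placed in /srv/SLEPOS/image. It assumes that the first whitespace-separated field of the .md5 file is the hex MD5 digest; the sample files it creates are constructed for the demonstration.

```python
# Added example, not part of registerImages: validates the KIWI naming
# convention name.arch-N.N.N and verifies the name.arch-N.N.N.md5 companion.
# Assumption of this example: the first whitespace-separated field of the
# .md5 file is the hex MD5 digest; any further fields are ignored.
import hashlib
import os
import re
import tempfile

IMAGE_NAME_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)\.(?P<arch>[A-Za-z0-9_]+)-(?P<version>\d+\.\d+\.\d+)$"
)

def parse_image_name(path):
    """Split 'minimal.i686-3.1.5' into name, arch and version; reject other forms."""
    base = os.path.basename(path)
    match = IMAGE_NAME_RE.match(base)
    if not match:
        raise ValueError("not a KIWI image name (name.arch-N.N.N): %r" % base)
    return match.groupdict()

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so that multi-GB images need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(path):
    """Return name fields plus digest, or raise if the name or checksum is wrong.

    The .md5 file catches corruption in transit; it is no defence against
    someone who can replace both the image and its checksum file.
    """
    info = parse_image_name(path)
    md5_path = path + ".md5"
    if not os.path.isfile(md5_path):
        raise FileNotFoundError("checksum file missing: %s" % md5_path)
    with open(md5_path) as handle:
        fields = handle.read().split()
    if not fields or not re.fullmatch(r"[0-9a-fA-F]{32}", fields[0]):
        raise ValueError("no MD5 digest found in %s" % md5_path)
    actual = md5_of_file(path)
    if actual != fields[0].lower():
        raise ValueError("MD5 mismatch for %s" % path)
    info["md5"] = actual
    return info

def write_sample_image(directory, filename, payload, tamper=False):
    """Create a constructed image file and its .md5 companion (demo data only)."""
    path = os.path.join(directory, filename)
    with open(path, "wb") as handle:
        handle.write(payload)
    with open(path + ".md5", "w") as handle:
        handle.write(hashlib.md5(payload).hexdigest() + "\n")
    if tamper:  # alter the image after its checksum was recorded
        with open(path, "ab") as handle:
            handle.write(b"X")
    return path

def demo():
    """Run the checks on constructed files; returns a summary dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample_image(tmp, "minimal.i686-3.1.5", b"constructed image\n")
        results["good"] = verify_image(good)
        bad = write_sample_image(tmp, "minimal.i686-3.1.6", b"constructed image\n", True)
        try:
            verify_image(bad)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
        try:
            parse_image_name("minimal-3.1.5")  # no arch part: not name.arch-N.N.N
            results["bad_name_rejected"] = False
        except ValueError:
            results["bad_name_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```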

4.7.2 Using registerImages with Remote Files and TAR Archives

To use registerImages with remote files, use the following syntax:

registerImages [ --kernel [scp:][user@]host:remote_kernel_file --initrd [scp:][user@]host:remote_initrd_file ] [scp:][user@]host:remote_image_file
registerImages [ --kernel http://remote_kernel_file --initrd http://remote_initrd_file ] http://remote_image_file

The ssh command will ask for a password. Alternatively, it can be configured to use password-less login. For more information, see the SSH documentation.

To use registerImages with directories or TAR archives (produced by KIWI or SUSE Studio), use the following syntax:

registerImages [ --include-boot ] local_directory
registerImages [ --include-boot ] local_tarball
registerImages [ --include-boot ] [scp:][user@]host:remote_directory
registerImages [ --include-boot ] [scp:][user@]host:remote_tarball
registerImages [ --include-boot ] http://remote_tarball

With the --include-boot option, the kernel and initrd are extracted directly from the TAR archive or directory (instead of specifying them directly with the --kernel and --initrd options).

4.7.3 Manually Copying Images to the Administration Server's rsync Directory

The system images can also be copied to the Administration Server's rsync directory manually.

4.7.3.1 Copying System Images to the Administration Server's rsync Directory

The following example demonstrates how to put a previously extended Graphical system image in the Administration Server's rsync directory so it can be received, on request, by the Branch Server:

  1. Copy the extended Graphical system image:

    cp /srv/SLEPOS/image/Graphical-2.0.4-2004-12-05 \
       /srv/SLEPOS/image/graphical-2.0.4
  2. Copy the corresponding Graphical image MD5 checksum file:

    cp /srv/SLEPOS/image/Graphical-2.0.4-2004-12-05.md5 \
       /srv/SLEPOS/image/graphical-2.0.4.md5

4.7.3.2 Copying Boot Images to the Administration Server's rsync Directory

The following example demonstrates how to copy the first and second stage boot images to the Administration Server's rsync directory so they can be received, on request, by the Branch Server:

Note
Note

Point of Service terminals boot two images, a first stage image (initrd.gz) and a second stage image (linux). For more information, see Section 6.4, “Booting the Point of Service Terminal”.

  1. Copy the initrd-netboot image as initrd.gz:

    cp /srv/SLEPOS/image/initrd-netboot-suse-SLES11.architecture-image_version.splash.gz \
       /srv/SLEPOS/boot/initrd.gz
  2. Copy the kernel image as linux:

    cp /srv/SLEPOS/image/initrd-netboot-suse-SLES11.architecture-image_version.kernel.kernel_version-flavour /srv/SLEPOS/boot/linux

4.8 Simple Administration GUI

SUSE Linux Enterprise Point of Service 11 SP2 introduced a simple administration GUI, posAdmin-GUI. The goal of the posAdmin-GUI is to help with the creation of Branch Server, role, image and cashregister objects. Using the posAdmin-GUI, the administrator can avoid typing long posAdmin commands and benefit from a nicer user interface that checks the entered data immediately.

The posAdmin-GUI uses YaST libraries, therefore ncurses, GTK and Qt user interfaces are available.

To start the posAdmin-GUI, use the posAdmin-GUI command. If you start it on an already configured Administration Server, the adminserver.conf configuration file is parsed and used to fill organization and country entries. You can also start posAdmin-GUI with the posAdmin-GUI slepos-xml-file command. The provided SUSE Linux Enterprise Point of Service XML file is parsed and all available data are loaded.

Note
Note: posAdmin-GUI Limitations

The posAdmin-GUI can only be used for importing new objects into the LDAP database. It does not allow any modification of existing objects and it is not possible to rename existing objects or to add, remove, or change their attributes. Only creating new objects is supported.

The posAdmin-GUI does not load data from the existing LDAP database.

The posAdmin-GUI interface has four main sections: the BranchServer Configuration, Images Configuration, CashRegisters Configuration, and Finalize. To navigate between them, click the tabs at the top of the window or the Next and Back buttons in the bottom right corner. Whenever you try to navigate between the tabs, the entered data are checked for consistency.

Use the Advanced Mode button to toggle the display of advanced configuration options like IP/DNS mapping functions or RAID schemes.

Use the Default button to revert all configurations to the default state. If posAdmin-GUI was called with a provided XML file, data from the file will be reloaded.

4.8.1 Branch Server Configuration

The BranchServer Configuration tab defines all Branch Server-related data. The values defined on this tab are used for defining the relevant scLocation object and its attributes (as described in Section 11.5.10, “scLocation”).

In the upper section (BranchServer Configuration), enter the name of the Branch Server using the Country, Organization, Organizational Unit, and Location (scLocation) values. If you need to add nested organizational units, click Add Nested OU. Enter the BranchServer Access Password in the appropriate field.

In the middle section (BranchServer Details), check whether an external DHCP server should be used and whether global and/or local roles should be used.

In the lower section (BranchServer Advanced Configuration), available only when the Advanced Mode is toggled on, enter the IP Mapping Function, DNS Mapping Function, Associated Domain, Enumeration Mask, and Workstation Base Name.

To configure Branch Server services, click BranchServer Services Configuration. For more information, see Section 4.8.1.1, “Branch Server Services Configuration”.

To configure Branch Server networking, click BranchServer Network Configuration. For more information, see Section 4.8.1.2, “Branch Server Network Configuration”.

4.8.1.1 Branch Server Services Configuration

To configure Branch Server services, click the BranchServer Services Configuration button.

To add a new service, select add new service in the List of Registered Services. Enter Service Name, Service DNS Name, Name of Service Script in /etc/init.d/, and Service Specific Parameters. The Service Specific Parameters field can contain optional parameters of the scService object.

For example, Service Specific Parameters for posleases service can contain:

scPosleasesMaxNotify=6
scPosleasesTimeout=10
scPosleasesChecktime=40

To enable the service, activate the Service Enabled option. Save the configuration by clicking the Add Service button.

To modify a service, select it in the list, modify any value and click Update Service. To delete a service, select it in the list and click Delete Service.

When the services configuration is finished, click Return to BS Configuration.

Note
Note: Omitting the posleases Service

The posleases service can be omitted. The object is then generated during the Branch Server initialization with default values (see Section B.3.2, “posInitBranchserver”).

4.8.1.2 Branch Server Network Configuration

To configure the Branch Server network, click the BranchServer Network Configuration button.

Enter BranchServer Hostname, BranchServer Network Address, BranchServer Network Mask, BranchServer Default Gateway, DHCP Fixed IP Range, and DHCP Dynamic IP Range.

The BranchServer Network Cards list contains all configured Branch Server network cards. To add a new card, select add new network card in the list, enter NIC Device Name (for example eth1) and NIC IP Address, and click Add Device. To modify a device, select it in the list, modify any value and click Update Device. To delete a device, select it in the list and click Delete Device.

When the network configuration is finished, click Return to BS Configuration.

4.8.2 Images Configuration

The Images Configuration tab lists all registered local and global images. Select an image in the list to edit its properties. Save any changes by clicking the Update Image button. To delete an image from the list, click Remove Image from List. To add a new image, select <add new image> in the list and click Add Image.

For each image, select whether it is a Global Image or BranchServer Local Image. Enter Image Name, Image Version, and the path to the Image File.

If the Advanced Mode is activated, you can enter Image Password, DHCP Options, and blockize.

For each image, a list of its configuration templates is available and can be managed.

4.8.3 Cash Registers Configuration

The CashRegisters Configuration tab lists all known local and global POS terminals (CashRegisters), as well as terminals defined by their roles. Select a terminal in the list to edit its properties. Save any changes by clicking the Update CashRegister button. To delete a terminal from the list, click Remove CR from List. To add a new terminal, select <add new CR> in the list and click Add CashRegister.

For each terminal, select whether it is a Global CR or Local CR. If global and/or local roles are enabled and roles are registered in the BranchServer Configuration tab, you can also select Role CR for a terminal defined by its role. In such a case, select the needed role from the list of known roles on the right.

Enter CashRegister Name and select the Associate Image from the list of images registered in the Images Configuration tab.

If the Advanced Mode is activated, you can enter Raid Scheme definition and/or enable disk journaling.

For each terminal, lists of its associated disks and configuration templates are available and can be managed.

4.8.4 Finalization

Use the Generate configuration button to create the SUSE Linux Enterprise Point of Service XML file. Before generating the file, the configured data are checked. You will be asked where to save the generated XML file.

If the Update LDAP after generation option is checked, the posAdmin --import --type XML --file generated_xml_file command is automatically called after the XML file is generated.

If the Generate OIF after LDAP modify option is checked, the posAdmin --generate --base branchserver_DN command is automatically called after the XML file is imported into the LDAP database.
