Applies to SUSE Linux Enterprise Point of Service 11 SP3 and SUSE Linux Enterprise Point of Service 12 Image Server

7 Managing SUSE Linux Enterprise Point of Service

7.1 Monitoring the Terminal Boot-Up

To verify and test your SUSE Linux Enterprise Point of Service installation:

  1. Attach a Point of Service client to the Branch Server network.

  2. Verify the list of properly registered workstations with the pos ws-list command.

    You can also verify if the necessary LDAP objects have been created manually by using the ldapsearch command. For example (setup without SSL):

    ldapsearch -x -H ldap://administration_server_name -b base_context -s base -D dn_of_admin_user -w password

    For setups with SSL, use:

    ldapsearch -x -H ldaps://administration_server_name -b base_context -s base -D dn_of_admin_user -w password
  3. Verify the following LDAP object settings:

    • The scCashRegister object matching the model type of the Point of Service terminal must exist in the LDAP database, for example: IBMSurePOS300Series.

    • There must be an scPosImage object for each image in the /srv/tftpboot/image/ directory on the Branch Server. The scPosImageDn attribute within each object must correspond to an existing Point of Service image.

    For further information how to modify and add LDAP entries for your specific SUSE Linux Enterprise Point of Service system environment, see Chapter 11, The LDAP Directory on SUSE Linux Enterprise Point of Service.

  4. Verify that the Point of Service system images and their corresponding MD5 checksum files are available in the /srv/tftpboot/image/ directory on the Branch Server.

  5. Verify that the initrd.gz and linux images are available in the /srv/tftpboot/boot/ directory on the Branch Server.

  6. Power up the Point of Service client and watch the Branch Server log messages using the following command:

    tail -f /var/log/messages

  7. While the Point of Service client is booting, check if there are tftpd entries.

    For example:

    .. bs1 tftpd[31434]: Serving /boot/pxelinux.0 to 192.168.2.15:2070
    .. bs1 tftpd[31435]: Serving /boot/pxelinux.cfg/C0A8020F to 192.168.2.15:57217
    .. bs1 tftpd[31436]: Serving /boot/pxelinux.cfg/C0A8020 to 192.168.2.15:57090
    .. bs1 tftpd[31437]: Serving /boot/pxelinux.cfg/C0A802 to 192.168.2.15:56963
    .. bs1 tftpd[31438]: Serving /boot/pxelinux.cfg/C0A80 to 192.168.2.15:56836
    .. bs1 tftpd[31439]: Serving /boot/pxelinux.cfg/C0A8 to 192.168.2.15:56709
    .. bs1 tftpd[31440]: Serving /boot/pxelinux.cfg/C0A to 192.168.2.15:56582
    .. bs1 tftpd[31441]: Serving /boot/pxelinux.cfg/C0 to 192.168.2.15:56455
    .. bs1 tftpd[31442]: Serving /boot/pxelinux.cfg/C to 192.168.2.15:56328
    .. bs1 tftpd[31443]: Serving /boot/pxelinux.cfg/default to 192.168.2.15:56201
    .. bs1 tftpd[31444]: Serving /boot/linux to 192.168.2.15:56202
    .. bs1 tftpd[31445]: Serving /boot/initrd.gz to 192.168.2.15:56203
    .. bs1 dhcpd: DHCPDISCOVER from 00:06:29:e3:02:e6 via eth0
    .. bs1 dhcpd: DHCPOFFER on 192.168.2.15 to 00:06:29:e3:02:e6 via eth0
    .. bs1 dhcpd: DHCPREQUEST for 192.168.2.15 (192.168.2.1) from 00:06:29:e3:02:e6 via eth0
    .. bs1 dhcpd: DHCPACK on 192.168.2.15 to 00:06:29:e3:02:e6 via eth0
    .. bs1 tftpd[31454]: Serving CR/config.00:06:29:E3:02:E6 to 192.168.2.15:32768
    .. bs1 tftpd[31455]: Fetching from 192.168.2.15 to upload/hwtype.00:06:29:E3:02:E6

    The Point of Service terminal performs a PXE boot to receive the Linux kernel and its first stage boot image, initrd.gz. For detailed information on the Point of Service boot process, see Section 6.4, “Booting the Point of Service Terminal”.

  8. Check the hwtype.MAC.HASH file in the /srv/tftpboot/upload directory (for example, hwtype.00:06:29:E3:02:E6). This file contains the information required to create the terminal's workstation object (scWorkstation) in LDAP and determine which image and configuration settings should be included in the terminal's configuration file. For more information, see Section 6.3.3, “The hwtype.MAC.HASH File”.

  9. See if the Point of Service client can boot the second stage image. This is the system image configured in LDAP (scPosImage) and downloaded from the /srv/tftpboot/image/ directory on the Branch Server (for example, the browser-2.0.4 image).

  10. If everything proceeds normally, the Point of Service terminal boots and you see the login prompt.

    If the boot is successful, the config.MAC for the terminal is written to the /srv/tftpboot/KIWI/ directory on the Branch Server. For example, if a terminal's MAC address is 00:06:29:E3:02:E6, the config.00:06:29:E3:02:E6 file will be located in the /srv/tftpboot/KIWI/ directory. Additionally, the scWorkstation object for the Point of Service terminal is created in the LDAP directory.
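As an added example (not part of the product), the following script checks the log entries from steps 7 and 8 for one terminal: it derives the pxelinux.cfg lookup order from the client IP, confirms that the kernel, initrd.gz, the config.MAC file and the hwtype upload all appear for the MAC acknowledged by dhcpd, and reports what is missing. The log lines are a constructed sample modelled on the ones shown above; the timestamps and the "Jan 10" date are made up.

```python
"""Check a Point of Service terminal's PXE boot against Branch Server log lines."""
import re
from ipaddress import IPv4Address

# Constructed sample log, modelled on the tftpd/dhcpd entries shown in step 7.
SAMPLE_LOG = """\
Jan 10 09:12:01 bs1 tftpd[31434]: Serving /boot/pxelinux.0 to 192.168.2.15:2070
Jan 10 09:12:01 bs1 tftpd[31435]: Serving /boot/pxelinux.cfg/C0A8020F to 192.168.2.15:57217
Jan 10 09:12:01 bs1 tftpd[31443]: Serving /boot/pxelinux.cfg/default to 192.168.2.15:56201
Jan 10 09:12:02 bs1 tftpd[31444]: Serving /boot/linux to 192.168.2.15:56202
Jan 10 09:12:03 bs1 tftpd[31445]: Serving /boot/initrd.gz to 192.168.2.15:56203
Jan 10 09:12:20 bs1 dhcpd: DHCPACK on 192.168.2.15 to 00:06:29:e3:02:e6 via eth0
Jan 10 09:12:21 bs1 tftpd[31454]: Serving CR/config.00:06:29:E3:02:E6 to 192.168.2.15:32768
Jan 10 09:12:22 bs1 tftpd[31455]: Fetching from 192.168.2.15 to upload/hwtype.00:06:29:E3:02:E6
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SERVE_RE = re.compile(r"tftpd\[\d+\]: Serving (\S+) to " + IP + r":\d+")
FETCH_RE = re.compile(r"tftpd\[\d+\]: Fetching from " + IP + r" to (\S+)")
ACK_RE = re.compile(r"dhcpd: DHCPACK on " + IP + r" to ([0-9a-fA-F:]{17})")
CFG_PREFIX = "/boot/pxelinux.cfg/"


def pxelinux_cfg_candidates(ip):
    """pxelinux asks for its config by the client IP in uppercase hex, dropping one
    hex digit at a time, and finally for 'default' (the lookup order seen in step 7)."""
    hexip = "%08X" % int(IPv4Address(ip))
    return [hexip[:n] for n in range(8, 0, -1)] + ["default"]


def parse_boot(log, ip):
    """Collect files served to, files fetched from, and the MAC acknowledged for one client."""
    served, fetched, mac = [], [], None
    for line in log.splitlines():
        if (m := SERVE_RE.search(line)) and m.group(2) == ip:
            served.append(m.group(1))
        elif (m := FETCH_RE.search(line)) and m.group(1) == ip:
            fetched.append(m.group(2))
        elif (m := ACK_RE.search(line)) and m.group(1) == ip:
            mac = m.group(2).upper()  # config/hwtype file names use the uppercase MAC
    return served, fetched, mac


def check_boot(log, ip):
    """Return a list of problems with the boot sequence; an empty list means it looks complete."""
    served, fetched, mac = parse_boot(log, ip)
    problems = [f"{f} was never served" for f in ("/boot/pxelinux.0", "/boot/linux", "/boot/initrd.gz") if f not in served]
    cfgs = [f[len(CFG_PREFIX):] for f in served if f.startswith(CFG_PREFIX)]
    allowed = pxelinux_cfg_candidates(ip)
    if not cfgs:
        problems.append("no pxelinux.cfg lookup seen")
    elif any(c not in allowed for c in cfgs):
        problems.append("pxelinux.cfg lookup does not match this client's IP")
    else:
        order = [allowed.index(c) for c in cfgs]
        if any(b <= a for a, b in zip(order, order[1:])):
            problems.append("pxelinux.cfg lookups out of order")
    if mac is None:
        problems.append("no DHCPACK for this client")
    else:
        if f"CR/config.{mac}" not in served:
            problems.append(f"config.{mac} was not served")
        if f"upload/hwtype.{mac}" not in fetched:
            problems.append(f"hwtype.{mac} was not uploaded")
    return problems


if __name__ == "__main__":
    print(check_boot(SAMPLE_LOG, "192.168.2.15") or "boot sequence complete")
```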

7.2 SUSE Linux Enterprise Point of Service High-Availability Installation Workflow

SUSE Linux Enterprise Point of Service relies on SUSE Linux Enterprise High Availability Extension to simplify an active-passive high availability scenario. The following workflow assumes basic knowledge of the SUSE Linux Enterprise High Availability Extension configuration. For SUSE Linux Enterprise High Availability Extension details, see the SUSE Linux Enterprise High Availability Extension User Guide. Both the primary and the secondary node are assumed to have the SUSE Linux Enterprise High Availability Extension and SUSE Linux Enterprise Point of Service extensions installed.

Before configuring high availability, all SUSE Linux Enterprise Point of Service services (LDAP, DHCP, and so on) must be prevented from starting via the traditional init scripts. All services are handled by the resource agents (RA). Starting services the traditional way prevents the RA from initializing them and can prevent the shared storage from being mounted.

Init scripts can be disabled with chkconfig service off or with the yast runlevel-editor command.

To configure the primary node, follow these steps:

  1. Configure networking (virtual IP for HA services) as defined in the SUSE Linux Enterprise High Availability Extension User Guide (RA ocf:heartbeat:IPaddr2).

  2. Configure shared storage (for example DRBD) as defined in the SUSE Linux Enterprise High Availability Extension User Guide. The following directories should be on the shared storage and linked back:

    /var/lib/SLEPOS
    /var/lib/branchldap
    /var/lib/named
    /var/lib/dhcp
    /etc/named.d/ldap_generated
  3. Configure synchronization using csync2 as defined in the SUSE Linux Enterprise High Availability Extension User Guide and add the following configuration files to synchronize:

    include /etc/SLEPOS/*;
    include /etc/drbd.d;
    include /etc/drbd.conf;
    include /etc/named.conf;
    include /etc/dhcpd.conf;
    include /etc/openldap/*;
    include /etc/sysconfig/atftpd;
    include /etc/sysconfig/named;
    include /etc/sysconfig/dhcpd;
    include /etc/sysconfig/ldap;
    include /etc/sysconfig/openldap;
    include /etc/named.d/forwarders.conf;
  4. Configure the resource agents and the SUSE Linux Enterprise Point of Service resource group containing the lsb:posleases2ldap, ocf:heartbeat:slapd, ocf:heartbeat:named, lsb:atftpd, and ocf:heartbeat:Pure-FTPd services:

    primitive aftp lsb:atftpd \
        operations $id="aftp-operations" \
        op monitor interval="15" timeout="15"
    primitive dhcpd ocf:heartbeat:dhcpd \
        operations $id="dhcpd-operations" \
        op monitor interval="10" timeout="20" \
        params config="/etc/dhcpd.conf" interface="eth1"
    primitive pureftp ocf:heartbeat:Pure-FTPd \
        operations $id="ftp-operations" \
        op monitor interval="60s" timeout="20s" \
        params script="/usr/sbin/pure-config.pl" conffile="/etc/pure-ftpd/pure-ftpd.conf" pidfile="/var/run/pure-ftpd.pid"
    primitive named ocf:heartbeat:named \
        operations $id="named-operations" \
        op monitor interval="30" timeout="30" \
        params named_config="/etc/named.conf" named_rootdir="/var/lib/named" named_user="named"
    primitive openldap ocf:heartbeat:slapd \
        operations $id="openldap-operations" \
        op monitor interval="60s" timeout="20s" \
        params config="/etc/openldap/slapd.conf" slapd="/usr/lib/openldap/slapd" services="ldap://127.0.0.1:389" bind_dn="<branch server ldap DN>" password="<branch server LDAP password>" user="ldap" group="ldap" watch_suffix="<SLEPOS LDAP suffix>"
    primitive posaswatch lsb:posASWatch \
        operations $id="posaswatch-operations" \
        op monitor interval="15" timeout="15"
    primitive posleases lsb:posleases2ldap \
        operations $id="posleases-operations" \
        op monitor interval="15" timeout="15"
    primitive virtual_ip ocf:heartbeat:IPaddr2 \
        params ip="<virtualIP>" broadcast="<broadcast_address>" nic="<bonded device>" iflabel="<num_identifier_of_alias>" \
        op monitor interval="10s"
    group pos virtual_ip mount_mnt openldap named dhcpd aftp pureftp posaswatch posleases \
        meta target-role="Started"

    Do not forget to add the configuration for the shared storage (for example, ocf:linbit:drbd), its colocation with the SUSE Linux Enterprise Point of Service services group (pos), and the order in which the services are activated.

  5. Initialize the Branch Server normally.

  6. Check if the directories moved in step 2 are still linking back to the shared storage. If not, repeat step 2.

  7. Start HA (openais).

To configure the secondary node, follow these steps:

  1. Configure the network interfaces.

  2. Link the directories to the shared storage (see step 2 of the primary node configuration).

  3. Join the cluster and the synchronization configuration as defined in the SUSE Linux Enterprise High Availability Extension User Guide (for example, with sleha-join).

7.3 Booting Special Images on Terminals

It is possible to boot special non-SUSE Linux Enterprise Point of Service images on a terminal, for example images provided by a hardware vendor to update the BIOS on the terminals.

To set up booting of these image files via PXE menu, use the following command:

pos sync pxe-bootmenu --set --imagespath path

The optional --imagespath option specifies the path to the directory containing the files to add to the menu. These files are copied into the boot/ext subdirectory. If this option is not supplied, only the BIOS boot images already present in boot/ext are used.

The optional --force option allows existing backup files to be overwritten.

To keep the PXE menu from being reverted, posleases2ldap must be stopped and no pos dump command may be run. Rebooting the Branch Server should also be avoided, because the Branch Server automatically starts the posleases2ldap service, which would revert the PXE menu.

To restore the previous state, use pos sync pxe-bootmenu --undo. The optional --force option allows the current files to be overwritten by the backups (for the specific PXE files; default is always overwritten). The images copied into the boot/ext directory are not removed by the undo command; delete them manually if they are no longer needed.

7.4 Remotely Managing Point of Service Terminals with admind and adminc

In a SUSE® Linux Enterprise Point of Service system, admind and adminc enable you to perform tasks like shutdown, configuration reload, or application restart on multiple Point of Service terminals from a single location.

7.4.1 admind

The daemon admind allows simple commands to be executed on Point of Service terminals from a remote location. Using it with adminc, an administrator can perform tasks like shutdown, configuration reload, or application restart on multiple Point of Service terminals from a single location. admind is typically started by the xinetd super-server, but can be run as a regular service.

Important: admind with Limited Authentication Only

admind does not provide strong authentication. Its level of security is adequate only for systems that boot from the network, thus relying on the integrity of the network infrastructure (DHCP and DNS in particular). Authentication is provided through verification of the host name and user against a list in the configuration file.

admind writes its diagnostics via syslog to /var/log/messages.

7.4.1.1 Command Line Options

admind has the following command syntax:

admind [-vIP] [configfile] [options]

Table 7.1, “admind Command Line Options” summarizes the admind command line options.

7.4.1.2 admind.conf

The standard configuration information for admind is located in /etc/SLEPOS/admind.conf. The file format typically appears as follows:

S=hostname1
S=hostname2
U=username1
U=username2
X:0=init 0
X:6=init 6
X:r=/etc/init.d/rc/POSApplication restart
(...)

Table 7.1: admind Command Line Options

  -S    Defines a valid server. The names of the connecting servers are compared against this list. Short names can be used and are expanded for the local domain.

  -U    Defines a valid user name on the connecting machine.

  -X    Defines the fixed commands. Each command has a single letter or digit key (X:[0-9a-zA-Z]).

Executed commands are expected to terminate and deliver a return value. Long-running commands or commands that do not terminate must be wrapped in a script that executes the command in the background.
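The following added example (not part of admind itself) parses the admind.conf format described above, rejects malformed or duplicate X: keys, and models the host-name plus user-name check that is the only authentication admind performs. The local-domain expansion of short server names is an assumption (name.domain); the sample configuration is constructed.

```python
"""Parse admind.conf and model the host/user/key check admind applies to a request."""
import re

# Constructed sample in the admind.conf format described above
# (the last two lines are deliberately wrong to exercise the validator).
SAMPLE_CONF = """\
S=branch.local
S=branch2
U=root
U=tux
X:0=/sbin/init 0
X:6=/sbin/init 6
X:r=/sbin/reboot
X:r=/sbin/shutdown -r now
X:reboot=/sbin/reboot
"""

# A command key is exactly one character from [0-9a-zA-Z].
CMD_RE = re.compile(r"^X:([0-9A-Za-z])=(.+)$")


def parse_admind_conf(text):
    """Return ({'servers', 'users', 'commands'}, errors) for an admind.conf body."""
    conf = {"servers": [], "users": [], "commands": {}}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("S="):
            conf["servers"].append(line[2:].lower())
        elif line.startswith("U="):
            conf["users"].append(line[2:])
        elif line.startswith("X:"):
            m = CMD_RE.match(line)
            if not m:
                errors.append(f"line {lineno}: command key must be one [0-9a-zA-Z] character")
            elif m.group(1) in conf["commands"]:
                errors.append(f"line {lineno}: duplicate command key {m.group(1)!r}")
            else:
                conf["commands"][m.group(1)] = m.group(2)
        else:
            errors.append(f"line {lineno}: unrecognised entry {line!r}")
    return conf, errors


def expand_host(name, local_domain):
    """Short server names are expanded for the local domain (assumed form: name.domain)."""
    return name if "." in name else f"{name}.{local_domain}"


def authorize(conf, peer_host, peer_user, key, local_domain):
    """Return the command for `key` if peer_host and peer_user are listed, else None.

    This is the whole check admind offers: the peer's resolved host name and its
    reported user name, so it is only as trustworthy as DNS and the network path.
    """
    trusted = {expand_host(s, local_domain) for s in conf["servers"]}
    if peer_host.lower() not in trusted or peer_user not in conf["users"]:
        return None
    return conf["commands"].get(key)
```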

7.4.2 adminc

adminc distributes commands to Point of Service terminals running admind. It sends a command string to the list of IP addresses. adminc attempts to connect to clients in parallel up to a specified maximum number.

adminc can also be used to start (wake) a series of terminals designated by MAC address.

7.4.2.1 Command Line Options

adminc has the following command syntax:

adminc [--port] portno
       [--parallel] maxparallel
       [--commands] keys IP [IP*]
adminc [--wake] MAC [MAC*]

Table 7.2, “adminc Command Line Options” summarizes the available options for adminc.

Table 7.2: adminc Command Line Options

  --port        The port number that admind listens to. The default is 8888.

  --parallel    The maximum number of parallel sessions to start. The default is 8.

  --commands    The command keys to be sent to clients. The command keys are specified in the client’s admind.conf file.

  --wake MAC [MAC*]
                The wake command starts the designated clients. Clients are designated by their MAC addresses.

7.4.2.2 adminc Examples

adminc --command 0 192.168.99.11 192.168.99.12 192.168.99.13
Node: 192.168.99.11   Exit Code: 0
Node: 192.168.99.12   Exit Code: 65280
Node: 192.168.99.13   Exit Code: 0

7.4.3 posGetIP

posGetIP is a helper script that is used with adminc. It finds all addresses for Point of Service terminals that are managed by the local Branch Server. This tool must be run on the Branch Server. The output is a list of addresses, one line each.

Both IP and MAC addresses can be listed. The default is to list the IP addresses. posGetIP determines its server base from the IP addresses configured on the local machine and reads the LDAP connection information from /etc/SLEPOS/branchserver.conf.

7.4.3.1 Command Line Options

posGetIP has the following command syntax:

posGetIP [--ip|--noip] [--mac]

Table 7.3, “posGetIP Command Options” summarizes the available posGetIP command options.

Table 7.3: posGetIP Command Options

  --ip      Prints the IP addresses of all Point of Service terminals that are managed by the local Branch Server. This option is enabled by default.

  --noip    Provides a screen dump of the Point of Service terminals that are managed by the local Branch Server. This option does not print the IP addresses of the terminals managed by the current Branch Server.

  --mac     Prints the MAC addresses of all Point of Service terminals that are managed by the local Branch Server.

7.4.3.2 posGetIP Examples

adminc --command 6 `posGetIP`
adminc --wake `posGetIP --mac --noip`

7.4.4 Installing admind on a Point of Service Terminal

The following steps outline how to add admind to a terminal system image.

  1. Use the Image Creator tool to start this procedure.

    For information about using Image Creator, see Section 8.1, “Building Images with the Image Creator Tool”.

  2. To start the xinetd service on the Point of Service terminal, activate the Scripts tab. In the Image Configuration Script box, add after the line suseActivateDefaultServices:

    suseInsertService xinetd
  3. Create the admind.conf file in the /usr/share/kiwi/image/SLEPOS/image_name-version/root/etc directory.

  4. Set the configuration parameters in the admind.conf file.

    1. Add an S entry with the fully qualified host name of the Administration or Branch Server on which you want to run adminc. This allows the terminals to trust the designated machine. If you run adminc from multiple stations, each of them must be included in this list. For example:

      S=branch.local
      S=branch2.local
      S=localhost
    2. Add all users with rights to execute commands on Point of Service terminals. For example:

      U=root
      U=tux
    3. Add any additional commands you want to execute on the POS terminals. For example:

      X:0=/sbin/init 0
      X:3=/sbin/init 3
      X:5=/sbin/init 5
      X:6=/sbin/init 6
      X:p=/sbin/poweroff
      X:r=/sbin/reboot
  5. Build the image with the --extend option to include the setup.admind file.

    Note

    The setup.admind file is located in the /usr/share/kiwi/SLEPOS/templates/addons/ directory. It references the RPMs required to add the admind utility to a standard client image.

  6. Distribute the image to your Point of Service terminals.

7.4.5 Installing the admind Client on Administration and Branch Servers

To install admind on an Administration or Branch Server, follow these steps:

  1. Install the admind-client RPM on the Administration Server or Branch Server: Start YaST, Software › Software Management, and select admind-client for installation.

    Note

    It may also be necessary to install the tcpd, xinetd, and pidentd RPMs.

  2. Start identd using YaST: System › System Services (Runlevel) and enable identd.

7.5 Backup and Restore

All system information (system structure, the configuration and deployment method for each Branch Server and Point of Service terminal, image information, and so forth) is stored in an LDAP directory on the Administration Server. This information must be backed up regularly to avoid data loss in case of storage failure and administration errors. The following sections discuss several methods for backing up and restoring the LDAP directory in SUSE® Linux Enterprise Point of Service so you can decide which method suits your needs best.

Warning: Risk of Data Loss

Before starting to reconfigure your SUSE® Linux Enterprise Point of Service system, take precautions against data loss and execute at least a logical online backup to a local file as described in Section 7.5.3, “Online Backup”.

7.5.1 Offline Physical Backup

An offline backup must be executed on the Administration Server and does not put any load on the LDAP server. The drawback is that the LDAP server is not available during the time of the backup.

To perform a physical file backup of the LDAP directory, follow these steps:

  1. Stop the LDAP server with rcldap stop.

  2. Copy all the files in the /var/lib/ldap/ directory to an archive directory using cp, tar or any other command line tool for archiving or compressing files.

  3. After the copy completes, start the LDAP server with rcldap start.

Procedure 7.1, “Restoring an Offline Backup”, describes how to restore a physical backup.

7.5.2 Offline Logical Backup

To perform a logical backup of the LDAP directory (database dump):

  1. Stop the LDAP server with rcldap stop.

  2. Run the following command:

    slapcat > "ldap.$(date '+%F-%T')"

    This generates a file in LDAP Data Interchange Format (LDIF file) named ldap.datetime, where datetime is the current date and time. LDIF files are structured ASCII files that can be viewed, for example, with less. The resulting output file can be archived, backed up on offline media, and restored with the slapadd command as described in Section 7.5.4, “Restoring Data”.

  3. After the backup completes, start the LDAP server with rcldap start.

Procedure 7.1, “Restoring an Offline Backup” describes how to restore a logical backup.

7.5.3 Online Backup

An online backup uses the LDAP server to extract all data. This has the advantage that the server is available at all times and the backup can be stored to a remote machine that has an LDAP client, using an authenticated LDAP bind. Of course, the LDAP communication can also be secured with SSL.

  1. To create an LDIF file similar to the one created during an offline logical backup, proceed as follows:

    ldapsearch -x -D adminDN -w adminPassword -H ldap://LDAPServer/ -b baseDN > "ldap.$(date '+%F-%T')"

    adminDN
      DN of the administrator user (for example, cn=admin,o=myorg,c=us).

    adminPassword
      The administrator password (for example, secret).

    LDAPServer
      LDAP server name or IP address.

    baseDN
      Base DN (distinguished name) of the LDAP structure (for example, o=myorg,c=us).

  2. To use LDAP with SSL, enter the following instead:

    ldapsearch -x -D adminDN -w adminPassword -H ldaps://LDAPServer/ -b baseDN > "ldap.$(date '+%F-%T')"

Procedure 7.2, “Restoring an Online Backup” describes how to restore an online backup.

7.5.4 Restoring Data

Procedure 7.1: Restoring an Offline Backup

To restore offline backups, you need to stop the LDAP server and restart it afterward.

  1. Stop the LDAP server with rcldap stop.

  2. If you did a physical file backup, restore the files in /var/lib/ldap by copying them back or extracting them from the archive you created.

    If you did a logical backup, run the slapadd command to restore the logical database dump:

    slapadd -l backupfile

    where backupfile is the file created by slapcat.

  3. Run /usr/lib/SLEPOS/posACLUpgrade.pl to regenerate missing LDAP ACLs.

  4. Start the LDAP server with rcldap start.

Procedure 7.2: Restoring an Online Backup

To restore an online backup, the LDAP server must be running.

  1. In case the LDAP database has been corrupted, remove the database files in /var/lib/ldap/ before restoring the online backup. The LDAP server can run with an empty database.

  2. Restore the backup file created via ldapsearch with either the command:

    ldapadd -x -D adminDN -w adminPassword -H ldap://LDAPServer -f backupfile

    or for secure LDAP communication with SSL:

    ldapadd -x -D adminDN -w adminPassword -H ldaps://LDAPServer -f backupfile
  3. Run /usr/lib/SLEPOS/posACLUpgrade.pl to regenerate missing LDAP ACLs.