= Setting up Environment for Institutional Federated Identity Access Management =

== Minimum Hardware Requirement ==

PC or Server or VM with 8GB RAM

== DNS requirement ==

Get the following DNS records added:

 1. For the host computer: iam.[your institution domain].ac.lk -> 192.248.xx.yy1
 2. For your identity database: idb.[your institution domain].ac.lk -> 192.248.xx.yy2
 3. For your identity provider: idp.[your institution domain].ac.lk -> 192.248.xx.yy3
 4. For your eduroam RADIUS server: irs.[your institution domain].ac.lk -> 192.248.xx.yy4

== Setting up the Host !Computer/Server ==

 1. Download Ubuntu 18.04 LTS and burn it to a USB stick or to a CD ROM as bootable media. You may download the free app '''Rufus''' from https://rufus.ie/ to burn the ISO image to a USB stick.
 2. Change your BIOS setting to boot from external media.
 3. Install Ubuntu 18.04 LTS, setting the host name as '''iam''' and the domain as [your institution domain].ac.lk
 4. Log in to Ubuntu and run the following to update your system:
{{{
sudo apt update
sudo apt upgrade
}}}

== Linux Container (LXC) Virtual Environment ==

LXD (the container manager; its client command is `lxc`) is built in by default on Ubuntu 18.04. The `lxc` commands need root privileges: run them with sudo as shown in the first steps, or add your user to the `lxd` group with `sudo usermod -aG lxd $USER`. Membership of the `lxd` group is equivalent to root on the host, so grant it only to administrators. Later steps omit sudo for brevity.

 * `sudo lxc version`

 1. Initiate LXD (single host)
  * `sudo lxd init`
{{{
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: no
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
}}}
  Keep the default '''no''' for "available over the network": the LXD API gives full control of the host and must not be exposed on the public address this server will have.
  * Edit the network configuration: `sudo nano /etc/netplan/50-cloud-init.yaml`. Make sure you edit the network interfaces as per your installation details (don't copy-paste).
{{{
network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: no
  bridges:
    lxdbr0:
      dhcp4: no
      addresses:
        - 192.248.xx.yy/cc
      gateway4: 192.248.xx.zz
      nameservers:
        addresses:
          - 192.248.1.161
      interfaces:
        - enp0s3
}}}
  The host's public address moves from enp0s3 to the bridge lxdbr0; the containers are attached to the same bridge and get their own addresses from the same subnet.
  * Apply the new network config: `sudo netplan apply`. If you see any error, check the YAML file. If you are connected via SSH, use `sudo netplan try` first: it applies the configuration and reverts it automatically after 120 seconds unless you confirm, so a mistake cannot lock you out. Do not reboot to "fix" a broken network configuration while connected via SSH.
  * Check the IP address of the host machine: `ip addr show` (`ifconfig` is only available after installing the net-tools package)
{{{#!comment
 * Enter `sudo lxc network edit lxdbr0` and edit,
ipv4.address: 192.248.xx.yy/24
ipv4.nat: "false"
}}}
  * Modify the default container profile to use the bridged network: `lxc profile edit default`
{{{
config: {}
description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by: []
}}}
 2. Check remote repositories
  * `sudo lxc remote list`
 3. Local images
  * `sudo lxc image list`
 4. Remote images
  * `sudo lxc image list images:`
  * `sudo lxc image list images:ubuntu`
 5. Create an Ubuntu container
  * `sudo lxc launch ubuntu:18.04 test-ct`
  * `sudo lxc list`
  Delete a container
  * `sudo lxc stop test-ct`
  * `sudo lxc delete --force test-ct`
 6. Create the three production CTs for your institute
  * `lxc launch ubuntu:18.04 idb`
  * `lxc copy idb idp`
  * `lxc copy idb irs`
  * `lxc start idp`
  * `lxc start irs`
 7. !Using/Login to a container
  * `lxc exec idb bash`
  * `lsb_release -dirc`
  * `free -m`
  * `nproc`
  * `uname -r`
  * `exit`
 8. CT info
  * `lxc info idb`
  * `pstree -p [pid]`
 9. CT configuration
  * `lxc config show idp`
  * `lxc profile list`
  * `lxc profile show default`
 10. Restrict memory
  * `lxc config set idb limits.memory 4096MB`
  * `lxc config show idb`
  * `lxc config set idp limits.memory 4096MB`
  * `lxc config set irs limits.memory 2048MB`
 11. Configure the CT network IP (repeat for idb, idp and irs with the address registered in DNS for each)
  * Log in to your container: `lxc exec idb bash`
  * `ip addr show`
  * `nano /etc/netplan/50-cloud-init.yaml`
{{{
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: no
      addresses:
        - 192.248.xx.yy2/24
      gateway4: 192.248.xx.zz
      nameservers:
        addresses:
          - 192.248.1.161
}}}
  * `netplan apply`
  * `timedatectl set-timezone Asia/Colombo`
 12. SSH to CTs
  * `nano /etc/ssh/sshd_config` and change `PasswordAuthentication no` to `PasswordAuthentication yes`. Password logins on a publicly reachable address will be brute-forced, so also set `PermitRootLogin no` (the sudo user created below logs in instead) and, once your own SSH key is installed, consider switching PasswordAuthentication back to no.
  * Check the edited file with `sshd -t` (it prints nothing if the file is valid), then restart the ssh service: `systemctl restart ssh`
  * Add a user: `adduser [username]`
  * Make that user a '''sudo''' user: `adduser [username] sudo`
  * `reboot`

Now you can ssh to all three CTs over the network. Then you can follow the installation instructions for LDAP, IDP and IRS for the installation of the relevant CTs.

=== OPTIONAL ===

 1. !Pull/Push a file to a CT
  * `echo hello there > myfile`
  * `lxc file push myfile idp/root/`
  * `lxc file pull idp/root/myfile /tmp`
 2. Snapshot (take one before any major change so you can roll back)
  * `lxc snapshot idp idp1`
  * `lxc restore idp idp1`
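The script below is an added example that is not part of the original page: it strings steps 6, 10, 11 and 12 above into one repeatable provisioning run for the three containers, so that each CT gets its memory limit, its static address, its timezone and a hardened sshd in one pass instead of by hand. It assumes the host bridge lxdbr0 from the host setup is already in place, that the page's placeholder addresses (192.248.xx.yy2 etc., gateway 192.248.xx.zz, resolver 192.248.1.161) are replaced with your institution's allocation, and that GNU sed and LXD's `lxc` client are available. It creates the containers with `lxc init` (stopped) and copies them before starting, rather than the page's launch-then-copy order, so the copies are made from a quiescent filesystem. The function names, the admin user argument and the `sshd -t` check are choices made here, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): provision the idb, idp and irs
# containers described in the guide. Addresses below are the page's
# placeholders; replace them with your institution's own allocation.
set -eu

GATEWAY="192.248.xx.zz"   # placeholder from the page
DNS="192.248.1.161"       # resolver from the page
PREFIX="24"

# Render the per-container netplan file of step 11 to stdout.
# usage: render_netplan <ip>
render_netplan() {
    ip="$1"
    printf '%s\n' \
        "network:" \
        "  version: 2" \
        "  ethernets:" \
        "    eth0:" \
        "      dhcp4: no" \
        "      addresses:" \
        "        - ${ip}/${PREFIX}" \
        "      gateway4: ${GATEWAY}" \
        "      nameservers:" \
        "        addresses:" \
        "          - ${DNS}"
}

# Set one sshd_config directive idempotently: rewrite an existing line for
# the key (commented or not) in place, otherwise append it. sshd honours the
# first occurrence of a directive, so blindly appending can silently lose.
# Match blocks are not handled; keep these directives in the global section.
# usage: set_sshd_option <file> <key> <value>   (GNU sed assumed)
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply steps 10, 11 and 12 to one container.
# usage: provision_ct <name> <ip> <memory-limit> <admin-user>
provision_ct() {
    name="$1" ip="$2" mem="$3" admin="$4"
    lxc config set "$name" limits.memory "$mem"
    render_netplan "$ip" | lxc file push - "$name/etc/netplan/50-cloud-init.yaml"
    lxc exec "$name" -- netplan apply
    lxc exec "$name" -- timedatectl set-timezone Asia/Colombo
    # Enable password logins as the page does, but keep root locked out, and
    # validate the file before restarting so a typo cannot lock you out.
    lxc file pull "$name/etc/ssh/sshd_config" ./sshd_config.tmp
    set_sshd_option ./sshd_config.tmp PasswordAuthentication yes
    set_sshd_option ./sshd_config.tmp PermitRootLogin no
    lxc file push ./sshd_config.tmp "$name/etc/ssh/sshd_config"
    rm -f ./sshd_config.tmp
    lxc exec "$name" -- /usr/sbin/sshd -t
    lxc exec "$name" -- systemctl restart ssh
    # Non-interactive equivalent of adduser + adduser <user> sudo (step 12).
    lxc exec "$name" -- adduser --disabled-password --gecos "" "$admin"
    lxc exec "$name" -- adduser "$admin" sudo
    echo "Set a password for $admin on $name:"
    lxc exec "$name" -- passwd "$admin"
}

# Step 6, done from stopped containers, then the per-CT setup.
# usage: provision_all <admin-user>
provision_all() {
    lxc init ubuntu:18.04 idb
    lxc copy idb idp
    lxc copy idb irs
    lxc start idb idp irs
    provision_ct idb 192.248.xx.yy2 4096MB "$1"
    provision_ct idp 192.248.xx.yy3 4096MB "$1"
    provision_ct irs 192.248.xx.yy4 2048MB "$1"
}

# Runs only when invoked as "sh provision.sh <admin-user>"; sourcing the
# file just defines the functions.
if [ "$#" -eq 1 ]; then
    provision_all "$1"
fi
```

Run it once as `sh provision.sh <admin-user>` on the host after the bridge is up; each `provision_ct` call can also be rerun on its own for a single container, since every step it performs is idempotent apart from `adduser`, which simply fails if the user already exists.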