Version 12 (modified 5 years ago)
Setting up Environment for Institutional Federated Identity Access Management
Minimum Hardware Requirement
PC or Server or VM with 8GB RAM
DNS requirement
Get the following DNS records added:
- For the host computer
iam.[your institution domain].ac.lk -> 192.248.xx.yy1
- For your identity database
idb.[your institution domain].ac.lk -> 192.248.xx.yy2
- For your identity provider
idp.[your institution domain].ac.lk -> 192.248.xx.yy3
- For your eduroam RADIUS server
irs.[your institution domain].ac.lk -> 192.248.xx.yy4
Setting up the Host Computer/Server
- Download Ubuntu 18.04 LTS and burn it to a USB stick or a CD-ROM as bootable media
You may download the free app Rufus from https://rufus.ie/ to write the ISO image to a USB stick
- Change your BIOS setting to boot from the external media
- Install Ubuntu 18.04 LTS, setting
the host name as iam
the domain as [your institution domain].ac.lk
- Log in to Ubuntu and run the following to update your system
sudo apt update
sudo apt upgrade
Linux Container (LXC) Virtual Environment
LXC should be built in by default. (You need to run these commands with sudo.)
sudo lxc version
- Initialise LXD (single host)
sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: no
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
- Edit network configuration:
sudo nano /etc/netplan/50-cloud-init.yaml
Make sure you edit the network interfaces as per your installation details. (Don't copy-paste.)
network:
  version: 2
  ethernets:
    enp0s3:
      dhcp4: no
  bridges:
    lxdbr0:
      dhcp4: no
      addresses:
        - 192.248.xx.yy1/24
      gateway4: 192.248.xx.zz
      nameservers:
        addresses:
          - 192.248.1.161
      interfaces:
        - enp0s3
- Apply new network configs:
sudo netplan apply
(If you see an error, check the YAML file.)
- Check IP address of the host machine:
ifconfig
- Modify the default container profile to add bridged network:
lxc profile edit default
config: {}
description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by: []
- Check remote repositories
sudo lxc remote list
- Local images
sudo lxc image list
- Remote images
sudo lxc image list images:
sudo lxc image list images:ubuntu
- Create a test Ubuntu container
sudo lxc launch ubuntu:18.04 test-ct
sudo lxc list
- Delete the test container
sudo lxc stop test-ct
sudo lxc delete --force test-ct
- Create three production LXCs for your institute
lxc launch ubuntu:18.04 idb
lxc copy idb idp
lxc copy idb irs
lxc start idp
lxc start irs
- Using / logging in to a container
lxc exec idb bash
lsb_release -dirc
free -m
nproc
uname -r
exit
- CT info
lxc info idb
pstree -p [pid]
- CT configuration
lxc config show idp
lxc profile list
lxc profile show default
- Restrict Memory
lxc config set idb limits.memory 4096MB
lxc config show idb
lxc config set idp limits.memory 4096MB
lxc config set irs limits.memory 2048MB
- Configure the CT network IP
- Log in to your container
lxc exec <container-name> bash
ifconfig
nano /etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: no
      addresses:
        - 192.248.xx.yy2/24
      gateway4: 192.248.xx.zz
      nameservers:
        addresses:
          - 192.248.1.161
netplan apply
timedatectl set-timezone Asia/Colombo
- SSH to CTs
nano /etc/ssh/sshd_config
change
PasswordAuthentication no
to
PasswordAuthentication yes
- Restart the ssh service
service sshd restart
- Add a user with
adduser <username>
adduser <username> sudo
reboot
Now you can SSH to all three CTs over the network. Then follow the installation instructions for LDAP, IDP and IRS to set up the relevant CTs.
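The container steps above (create idb/idp/irs, set each memory limit, write each container's netplan file and set the timezone) gathered into one script, as an added example that is not part of this wiki page. It assumes LXD is initialised with the bridged default profile shown earlier, that the script runs on the LXD host as a user who may run lxc, and that the 192.248.xx.* values are the page's placeholders to be replaced with your real addresses.

```shell
#!/bin/sh
# Added example, not from the wiki page: provision the idb/idp/irs containers.
# Assumes LXD is initialised and the default profile is bridged to lxdbr0.
# Addresses are the page's placeholders; replace xx/yy/zz with real values.
set -eu

GATEWAY="192.248.xx.zz"        # placeholder from the page
NAMESERVER="192.248.1.161"     # resolver named on the page

# Render the netplan file the page writes by hand inside each container.
# Usage: render_netplan <address/prefix> <gateway> <nameserver>
render_netplan() {
  printf 'network:\n  version: 2\n  ethernets:\n    eth0:\n      dhcp4: no\n'
  printf '      addresses:\n        - %s\n      gateway4: %s\n' "$1" "$2"
  printf '      nameservers:\n        addresses:\n          - %s\n' "$3"
}

# Per-container address and memory limit, as given on the page.
# Prints "<address/prefix> <limits.memory>"; fails for unknown names.
container_plan() {
  case "$1" in
    idb) echo "192.248.xx.yy2/24 4096MB" ;;
    idp) echo "192.248.xx.yy3/24 4096MB" ;;
    irs) echo "192.248.xx.yy4/24 2048MB" ;;
    *)   return 1 ;;
  esac
}

# Create the container if missing, cap its memory, install and apply its
# netplan file, and set the timezone, exactly as the manual steps do.
provision() {
  name=$1
  set -- $(container_plan "$name")   # $1=address/prefix  $2=memory limit
  if ! lxc info "$name" >/dev/null 2>&1; then
    lxc launch ubuntu:18.04 "$name"
  fi
  lxc config set "$name" limits.memory "$2"
  tmp=$(mktemp)
  render_netplan "$1" "$GATEWAY" "$NAMESERVER" > "$tmp"
  lxc file push "$tmp" "$name/etc/netplan/50-cloud-init.yaml"
  rm -f "$tmp"
  lxc exec "$name" -- netplan apply
  lxc exec "$name" -- timedatectl set-timezone Asia/Colombo
}

# Dry run by default; pass --apply on the LXD host to run the lxc commands.
for ct in idb idp irs; do
  if [ "${1:-}" = "--apply" ]; then provision "$ct"
  else echo "== $ct: $(container_plan "$ct") =="; fi
done
```

Run it once without arguments to review the per-container plan, then with --apply to create and configure the containers.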
OPTIONAL
- Pull/Push file to CT
echo hello there > myfile
lxc file push myfile idp/root/
lxc file pull idp/root/myfile /tmp
- Snapshot
lxc snapshot idp idp1
lxc restore idp idp1