XPUB HUB Node: Sandbox: Difference between revisions

From XPUB & Lens-Based wiki
No edit summary
 
(7 intermediate revisions by one other user not shown)
Line 1: Line 1:
The Sandbox is Raspberry Pi used as a UNIX playground/prototyping platform available to all students.
The Sandbox is Raspberry Pi used as a UNIX playground/prototyping platform available to all students.


* location: Xpub Studio
* location: XPUB Studio
* HUB IP: 10.0.0.11
* HUB IP: 10.0.0.11
* Public URL https://hub.xpub.nl/sandbox/
** users public_html https://hub.xpub.nl/sandbox/~username/
* Disk space: total: 59G  Used: 4.5G  Free: 52G  (April 2020)
* Disk space: total: 59G  Used: 4.5G  Free: 52G  (April 2020)
* it is part of the [[HUB]] network
* Webserver: apache2
* where each student is given a shell account and added to the sudo group
* Tinc service files:
 
** /etc/systemd/system/tinc@hub.service
=new users=
** dependent on /etc/systemd/system/tinc.service
* it is part of the Tinc [[HUB]] network


=New users=
==Account creation==
When adding new user account it, they should:
When adding new user account it, they should:
* be added to the sudo group
* have a <nowiki>~/public_html</nowiki> under the group publicweb
* have a <nowiki>~/public_html</nowiki> under the group publicweb
* <nowiki>~/</nowiki> under the group publicweb
* <nowiki>~/</nowiki> under the group publicweb
* be given a default password which they are requested to change
* be given a default password which they are requested to change
* added their public ssh key to <nowiki>~/.ssh/authorized_keys</nowiki>


It is important that
 
The following script will take care of those steps:
 
<source lang="bash">
#!/bin/sh
u=$1
# create user account
adduser $u
# add user to grops sudo publicweb
adduser $u sudo
adduser $u publicweb
 
# create ~/.ssh/authorized_keys
mkdir /home/$u/.ssh/
touch /home/$u/.ssh/authorized_keys
# create public_html dir
mkdir /home/$u/public_html
# make user and group of ~/
chown $u:$u /home/$u -R
# change group of user dir to publicweb
chown $u:publicweb /home/$u
# give permissions rwxr-x--x  others need to be x for apache transversing
chmod 751 /home/$u
# just allow read permission and traversal for the group, no write to public_html dir
chmod 750 /home/$u/public_html
# make the files created under public_html belong to publicweb group       
chmod g+s /home/$u/public_html
# change group of public_html to publicweb
chgrp publicweb /home/$u/public_html
</source>
 
==ssh access==
SSH from outside the HRO network is done via the Tinc [[Hub]] network
 
To allow ssh access:
 
'''New users will need to:'''
* generate a ssh key pair (if don't yet have one)
** <span style="background:yellow">'''ensure the key is generate with ''ed25519'' algorithm, instead of the default rsa'''</span> <code>ssh-keygen -t ed25519</code>
* add public key to user's <nowiki>~/.ssh/authorized_keys</nowiki>
* create/add to '''their laptops'''  ~/.ssh/config
<pre>
Host hub.sandbox
User USERNAME
Hostname 10.0.0.11
ProxyJump USERNAME@xpub.nl:2501
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30
</pre>
 
===Adduser to HUB network via [[XPUB XVM Jumpuser]]===
{{:XPUB XVM Jumpuser}}
 
You will need:
* username on the Sandbox
* user's ssh public key
* Sandbox Pi IP within [[Hub]]: 10.0.0.11
 
'''After adding users'''
* ask users to try to login with: <code>ssh hub.sandbox</code>
** if unsuccessful try to debug <code>ssh hub.sandbox -vv</code>
** recheck if user public key in both laptop and sandbox ~/.ssh/authorized_keys matches
** that their USERNAME is the same on laptop's ~/.ssh/config and in the sandbox
** if still unsuccessful ask for help! (usually from gnd)


=current users=
=current users=

Latest revision as of 16:01, 9 March 2021

The Sandbox is Raspberry Pi used as a UNIX playground/prototyping platform available to all students.

  • location: XPUB Studio
  • HUB IP: 10.0.0.11
  • Public URL https://hub.xpub.nl/sandbox/
  • Disk space: total: 59G Used: 4.5G Free: 52G (April 2020)
  • Webserver: apache2
  • Tinc service files:
    • /etc/systemd/system/tinc@hub.service
    • dependent on /etc/systemd/system/tinc.service
  • it is part of the Tinc HUB network

New users

Account creation

When adding new user account it, they should:

  • be added to the sudo group
  • have a ~/public_html under the group publicweb
  • ~/ under the group publicweb
  • be given a default password which they are requested to change


The following script will take care of those steps:

#!/bin/sh
u=$1
# create user account
adduser $u
# add user to grops sudo publicweb
adduser $u sudo
adduser $u publicweb

# create ~/.ssh/authorized_keys
mkdir /home/$u/.ssh/
touch /home/$u/.ssh/authorized_keys
# create public_html dir
mkdir /home/$u/public_html
# make user and group of ~/ 
chown $u:$u /home/$u -R
# change group of user dir to publicweb
chown $u:publicweb /home/$u
# give permissions rwxr-x--x  others need to be x for apache transversing
chmod 751 /home/$u
# just allow read permission and traversal for the group, no write to public_html dir
chmod 750 /home/$u/public_html
# make the files created under public_html belong to publicweb group         
chmod g+s /home/$u/public_html
# change group of public_html to publicweb
chgrp publicweb /home/$u/public_html

ssh access

SSH from outside the HRO network is done via the Tinc Hub network

To allow ssh access:

New users will need to:

  • generate a ssh key pair (if don't yet have one)
    • ensure the key is generate with ed25519 algorithm, instead of the default rsa ssh-keygen -t ed25519
  • add public key to user's ~/.ssh/authorized_keys
  • create/add to their laptops ~/.ssh/config
Host hub.sandbox
User USERNAME
Hostname 10.0.0.11
ProxyJump USERNAME@xpub.nl:2501
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30

Adduser to HUB network via XPUB XVM Jumpuser

IN XVM, as root:

XPUB staff can associate usernames + ssh keys to nodes of XPUB HUB tinc network

if you sudo to root, you will be presented with available commands for root, one of them is 'jumpuser'. you can use it to add new users and to add ips to existing users.

also - you dont need to provide a ssh key for the user once the users exists, unless the user has a new key..

you can also use the script like this:

sudo /root/scripts/jumpuser.sh

You will need:

  • username on the Sandbox
  • user's ssh public key
  • Sandbox Pi IP within Hub: 10.0.0.11

After adding users

  • ask users to try to login with: ssh hub.sandbox
    • if unsuccessful try to debug ssh hub.sandbox -vv
    • recheck if user public key in both laptop and sandbox ~/.ssh/authorized_keys matches
    • that their USERNAME is the same on laptop's ~/.ssh/config and in the sandbox
    • if still unsuccessful ask for help! (usually from gnd)

current users

For sanitary reasons graduated students' and past guests' accounts should be deleted.

User list from April 2020

username role year
andre tutor
anna student 2019-2021
avital student 2019-2021
anna student 2019-2021
claranoseda student 2019-2021
damlanur student 2019-2021
ezn (Mika) student 2019-2021
ioanatomici student 2019-2021
markvandenheuvel student 2019-2021
max student 2019-2021
sandra student 2019-2021
tisaneza student 2019-2021
biyiwen student 2018-2020
bootje student 2018-2020
estragon (Artemis) student 2018-2020
outis (Tancredi) student 2018-2020
palomagarcia student 2018-2020
psc (Pedro) student 2018-2020
ritagraca student 2018-2020
saibura (Simon) student 2018-2020
mmurtaugh tutor
gnd sysadmin
dickreckard (Martino) guest(SI12)
implicant_04 (Femke) tutor