Ammonoidea

1 Reply

It is pretty typical of servers to be without monitors or even without graphics cards. In the process of deciding on some new Sun servers and their configuration, we were discussing terminal servers to allow easier access to the serial consoles. We had several options we were considering. Being Macaholics, we chose the option of using a cast off iMac with Mac OS X as a terminal server. We had already done this sort of thing with my desktop G5 and with our shared MacBook. So we knew how to do it, how to secure it, and could get it done quickly and easily. The only expense would be a USB to Serial Port adapter. We have been using Keyspan adapters and chose the 4 port adapter which we found new on Amazon for $136 with free shipping.

Sorting through the available iMacs, I found one of the last of the CRT iMacs that was made. It is a 700MHz G4 with 256MB RAM and a 60G drive. Well adequate for our needs. The details on it and the latest OS that could be installed on it were found at everymac. So the first step was to wipe the drive and install Mac OS X 10.4, followed by a sequence of Software Updates that ended with Mac OS X 10.4.11. Since the CRT iMac is an “obsolete, shelled creature” that is going to have multiple tentacles (serial cables), I named it Ammonoidea. I made an entry for it in our DHCP server and left the network to configure automatically (actually did this before doing the install and updates).

Mac OS X comes pretty well locked down to begin with. Initially, I left the firewall closed off and all services off. I set the screen saver to require a password, locked System Preferences, and set a few other cosmetic options. At the end of the setup, I opened SSH (Remote Login in the Sharing Preferences) and controlled access to it with TCP-Wrappers. Since SSH is built with the wrappers library, this last step just involved setting up /etc/hosts.deny (ALL:ALL) and /etc/hosts.allow (sshd:<list of allowed IPs>). See `man tcpd` and `man hosts_access` for reference. More complete information on securing Mac OS X Tiger can be found among the NSA’s Security Guides.

The configuration of this system was fairly straightforward. It uses the terminal application to get a command line window and GNU Screen to create detachable serial console sessions. It turns out that Screen is included in Mac OS X. So, with the addition of the Keyspan adapter and the drivers, the iMac with Mac OS X is practically a terminal server out of the box. (Oh, I also grabbed Firefox, just because I always prefer using Firefox). To complete the setup, I needed to configure user accounts, configure screen, and configure a startup service so that the detached screen console sessions would always be there and always be logging.

I decided to set up a sysadmin account for the administrator of the systems whose consoles we would be connecting. In Mac terms, this was set up as an ordinary account without administrator privileges. This is the account that screen will be running as and which will be logged in at the physical interface of the iMac. Then, each administrator has his own account with administrator privileges. We can ssh into those accounts from a limited set of IP addresses within our private network (controlled by TCP Wrappers). Using screen, we can then access the console sessions remotely using, e.g., `screen -rx sysadmin/nemo`, where the “-r” is reconnect, the “-x” is multi-user, and “nemo” is the name of the console session shared by user “sysadmin”.

Screen is a bit of a swiss army knife. `man screen` gives a lot of details, and is important as a reference, but it isn’t exactly an introduction or guide. I found a basic introduction and tutorial at linuxhacks, and a bunch of tips at Softpanarama. I also found the man pages online and a number of links on Wikipedia. Having all of these tabbed in Firefox provided an easy reference during setup. Essentially, aside from learning the ins and outs of screen, all that was needed was to figure out a proper setup for the ~sysadmin/.screenrc configuration file. What worked for me was:


startup_message off
msgminwait 20
msgwait 30
multiuser on
acladd wallace,gromit,sysadmin
aclchg wallace,gromit,sysadmin +rwx "#?"
chdir
autodetach on
logfile log/screenlog.%t
deflog on
logtstamp on
defscrollback 100000

The group of commands that sets multiuser on, adds the users, and changes their accesses to full allows me to run detached sessions that can be reattached by any of those users, even when others already have them attached. This means that the console session for server “nemo” can be on the physical interface of the iMac where user “sysadmin” is logged in while either (or both) wallace and gromit can ssh in and attach the same console session. If one administrator types something, anyone else with the session attached will see the typing and the resulting output. To make multiuser work, I also had to make the screen binary SUID root (`sudo chmod u+s /usr/bin/screen`).

The last group of 4 commands sets up the logging. I created a directory ~sysadmin/log where screen logs are kept. The logs are named screenlog.%t where %t is the title specified when the screen session is started. That allows me to title the sessions for the servers that are on the particular ports. By default, screen will append logs to an existing file. So I will end up with an ongoing log. The deflog sets logging on by default, and the logtstamp puts a timestamp in session (and thus log) when it has been inactive for 2 minutes. It will put a matching timestamp in when the session becomes active again. The logging should go on indefinitely, limited only by disk space, but the defscrollback esures that I can scroll back in the screen session without hitting a blank wall.

Some of the rest of it is more cosmetic.

Finally, I want screen to automatically start when the iMac is turned on, not when the user sysadmin logs in. I found details on how to do this in the O’Reilly book “Mac OS X Tiger for Unix Geeks” starting on page 60. I found even more detailed information in the Apple Developer Documentation. While, technically, Apple has moved away from startup items and uses launchd starting with Tiger, they still support it for user and 3rd party applications for backward compatibility. I chose to do it this way because it was simpler. Basically, I created a directory /Library/StartupItems/Screen. Inside that directory, I created an executable shell script “Screen” and a property list “StartupParameters.plist”.

The plist file is:


{
    Description = "GNU Screen detached serial consoles";
    Provides = ("ScreenConsoleSessions");
    OrderPreference = "Last";
    Messages =
    {
        start = "Starting GNU Screen";
        stop = "Stopping GNU Screen";
    };
}
   

The shell script is:


#!/bin/sh
# based in part on Apple developer documentation and
# in part on the example in O'Reilly's "MacOSX Tiger for Unix Geeks"
   
# Source common setup, including hostconfig.
#
. /etc/rc.common
   
# The start subroutine
StartService() {
    # Insert your start command below. For example
    # mydaemon -e -i -e -i -o
    # end example.
   
    # Don't start unless screen is enabled in /etc/hostconfig
    if [ "${SCREEN:=-NO-}" = "-YES-" ]; then
        # ConsoleMessage "Starting GNU Screen detached serial consoles"
        # a plain screen session and 4 console connections
        su - sysadmin -c "screen -dmS base -t base"
        su - sysadmin -c "screen -fn -dmS nemo -t nemo /dev/tty.USA49W191P1.1"
        su - sysadmin -c "screen -fn -dmS dory -t dory /dev/tty.USA49W191P2.2"
        su - sysadmin -c "screen -fn -dmS gill -t gill /dev/tty.USA49W191P3.3"
        su - sysadmin -c "screen -fn -dmS jacques -t jacques /dev/tty.USA49W191P4.4"
    fi
   
}
   
# The stop subroutine
StopService() {
    # Insert your stop command(s) below. For example
    # killall -TERM mydaemon
    # sleep 10
    # killall -9 mydaemon
    # end example.
   
    # each instance has a root process SCREEN and user process screen
    # killing the root process kills both
    killall SCREEN
    sleep 10
    killall -9 SCREEN
   
}
   
# The restart subroutine
RestartService() {
    # Insert your start command below. For example
    # killall -HUP mydaemon
    # end example.
   
    # Don't start unless screen is enabled in /etc/hostconfig
    if [ "${SCREEN:=-NO-}" = "-YES-" ]; then
        # for Screen, HUP doesn't make sense.
        StopService
        StartService
    else
        StopService
    fi
   
}
   
RunService "$1"
   
   

Now, after adding “SCREEN=-YES-” to /etc/hostconfig, if I reboot the system, I find that it starts up with all the console connections as detached screen sessions with output going to the log files. The sessions are under the user sysadmin. Each session is associated with a root process “SCREEN” and a sysadmin user process “screen”. The stop portion of the shell script only has to kill the root process to stop both. The lengthy port names, e.g. “/dev/tty.USA49W191P1.1”, are set up by the KeySpan drivers.

If I ssh to ammonoidea as wallace, I can see all the sessions by doing `sudo su – sysadman -c “screen -list”`. But, since they will always be the same, and should always be there, all I really need to do is `screen -rx sysadmin/nemo` and I will be connected to the console session for server nemo. Within screen, `Ctl-a` is the escape character for screen commands. `Ctl-a d` will detach the session. I could get along with nothing more than that. However, I’ll probably need to be able to scroll back. `Ctl-a [` puts me in the scroll-back and copy/paste mode. I can use the same keystrokes as vi to scroll back in the console session. So `k` is back, and `j` is forward. Left and right don’t really matter in this setting. While in scroll-back mode, `Ctl-u` will scroll back half a screen-full, and `Ctl-d` will scroll down half a screen-full. `Esc` gets out of scrollback mode.

If at any point I needed to manually start or restart the detached screen sessions for the consoles, I can do it with Apple’s command line utility “SystemStarter” by, e.g., `sudo SystemStarter restart ScreenConsoleSessions`. That last item in the command is the service name I defined in the plist file for the Screen startup item.

That’s basically it — an easy to use, secure, BSD based console server that’s inexpensive and totally under our control for configuration and updating. Not an expensive black box. Of course, you could do all this with generic PC hardware and your choice of a linux or BSD distribution. KeySpan makes 4 port PCI serial adapters. But, we’re Macaholics, and we thought this was easier and more secure out-of-the-box without a lot of work.

One thought on “Ammonoidea

  1. fabien

    You should try conserver (.com)
    It does what it’s supposed to very well, is scaleable, and secure

Leave a Reply

Your email address will not be published. Required fields are marked *