Landscape Dedicated Server Quickstart Guide
You will need a CA signed SSL certificate. For instructions, please see this tutorial. To get started with LDS, open a terminal and enter the code as shown in the following steps:
1. Install PostgreSQL and required libraries.
$ sudo apt-get install postgresql-8.4 python-smartpm postgresql-plpython-8.4
2. Create a landscape superuser.
$ sudo -u postgres createuser --createdb --createrole --superuser --pwprompt landscape_superuser
3. Configure PostgreSQL.
$ sudo vi /etc/postgresql/8.4/main/pg_hba.conf
And add the following line BEFORE the local all all ident line:
local all landscape,landscape_maintenance md5
Here is an example that shows the lines beginning with local. The order of lines is important:
local all postgres ident local all landscape,landscape_maintenance md5 local all all ident
This allows users to connect to the loopback device, and authenticate with an md5 encrypted password.
Tell PostgreSQL to reload its configuration
$ sudo /etc/init.d/postgresql-8.4 reload
4. Configure your apt sources.list file.
Visit https://launchpad.net/ and click on your username in the top right hand of the page.
Click the View your private PPA subscriptions link in the middle of the page.
This gives you a list of the PPAs you are subscribed to. Click on the View link for the Landscape Standalone Package PPA. Copy and paste the "deb" line into your sources.list file.
$ sudo vi /etc/apt/sources.list
Now you need to add the key for this source to your package keyring.
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4652B4E6
Now you need to update your APT package database.
$ sudo apt-get update
Next you can install the landscape-server package.
$ sudo apt-get install landscape-server
This pulls in a number of dependencies, and prompts you to configure LDS.
When prompted, enter the "landscape_superuser". Select password authentication, and enter the password you entered above.
5. Configure RabbitMQ
$ sudo rabbitmqctl add_user landscape landscape $ sudo rabbitmqctl add_vhost landscape $ sudo rabbitmqctl set_permissions -p landscape landscape "" ".*" ".*"
6. Bootstrap the Landscape databases and settings.
The system prompts you to run setup-landscape-server after completing the installation.
$ sudo setup-landscape-server
This will create two new users: "landscape" and "landscape_maintenance". It will also setup the Landscape database schema.
7. Configure Landscape Services to run.
Now, you need to modify /etc/default/landscape-server:
$ sudo vi /etc/default/landscape-server
And change RUN_ALL to be "yes".
You can now either start all the services manually, or restart the machine.
8. Configure Apache
Create an Apache Virtual Host.
$ sudo vi /etc/apache2/sites-available/landscape
Now copy and paste the configuration file below. Please read the comments in the file and enter the correct values. You need to change the following:
- hostname
- path to certificate and key files
<VirtualHost *:80>
# This Hostname is the HTTP/1.1 hostname that users and Landscape clients will access
# It must be the same as your SSL Certificate's CommonName
# And the DNS Hostname for this machine
# It is not recommended that you use an IP address here...
ServerName <hostname>
ServerAdmin webmaster@<hostname>
ErrorLog /var/log/apache2/landscape.error-log
CustomLog /var/log/apache2/landscape.access-log combined
DocumentRoot /opt/canonical/landscape/canonical/landscape
ErrorLog /var/log/apache2/landscape.local.error-log
CustomLog /var/log/apache2/landscape.local.access-log combined
# Set a Via header in outbound requests to the proxy, so proxied apps can
# know who the actual client is
ProxyVia on
ProxyTimeout 10
<Directory "/">
Options +Indexes
Order deny,allow
Allow from all
ErrorDocument 403 /static/offline/unauthorized.html
ErrorDocument 404 /static/offline/notfound.html
</Directory>
Alias /packages /opt/canonical/landscape/packages
Alias /static /opt/canonical/landscape/canonical/static
<Directory "/opt/canonical/landscape/packages">
Order allow,deny
Allow from all
</Directory>
<Location "/packages">
Order allow,deny
Allow from all
</Location>
<Location "/icons">
Order allow,deny
Allow from all
</Location>
<Location "/ping">
Order allow,deny
Allow from all
</Location>
<Location "/message-system">
Order allow,deny
Allow from all
</Location>
<Location "/r">
FileETag none
ExpiresActive on
ExpiresDefault "access plus 10 years"
Header append Cache-Control "public"
</Location>
RewriteEngine On
RewriteRule ^/r/([^/]+)/(.*) /$2 [L]
# The Landscape Ping Server runs on port 8082
RewriteRule ^/ping$ http://localhost:8082/ping [P]
RewriteCond %{REQUEST_URI} !/server-status
RewriteCond %{REQUEST_URI} !/icons
RewriteCond %{REQUEST_URI} !/static
RewriteCond %{REQUEST_URI} !/packages
RewriteCond %{REQUEST_URI} !/handle_messages
RewriteCond %{REQUEST_URI} !/message-system
# Replace the <hostname> with the DNS hostname for this machine.
# If you change the port number that Apache is providing SSL on, you must change the
# port number 443 here.
RewriteRule ^/(.*) https://<hostname>:443/$1 [R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName <hostname>
ServerAdmin webmaster@<hostname>
ErrorLog /var/log/apache2/landscape.error-log
CustomLog /var/log/apache2/landscape.access-log combined
DocumentRoot /opt/canonical/landscape/canonical/landscape
SSLEngine On
SSLCertificateFile <enter the path to your SSL .crt file>
SSLCertificateKeyFile <enter the path to your SSL .key file>
# If you have either an SSLCertificateChainFile or, a self-signed CA signed certificate
# uncomment the line below.
# SSLCertificateChainFile /etc/ssl/certs/landscape_server_ca.crt
<Directory "/">
Options -Indexes
Order deny,allow
Allow from all
ErrorDocument 403 /static/offline/unauthorized.html
ErrorDocument 404 /static/offline/notfound.html
</Directory>
<Location "/ajax">
Order allow,deny
Allow from all
</Location>
Alias /config /opt/canonical/landscape/apacheroot
Alias /hash-id-databases /var/lib/landscape/hash-id-databases
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
ErrorDocument 403 /static/offline/unauthorized.html
ErrorDocument 500 /static/offline/exception.html
ErrorDocument 502 /static/offline/unplanned-offline.html
ErrorDocument 503 /static/offline/unplanned-offline.html
</Proxy>
ProxyPass /robots.txt !
ProxyPass /favicon.ico !
ProxyPass /static !
ProxyPreserveHost on
<Location "/r">
FileETag none
ExpiresActive on
ExpiresDefault "access plus 10 years"
Header append Cache-Control "public"
</Location>
RewriteEngine On
RewriteRule ^/r/([^/]+)/(.*) /$2 [L]
RewriteRule ^/.*\+\+.* / [F]
# We have two Landscape servers, one running on port 8080 and the other on
# port 8081
# Port 8080 is the Web-UI for users, port 8081 is the message server.
# Replace the <hostname> with the DNS hostname for this machine.
# If you change the port number that Apache is providing SSL on, you must change the
# port number 443 here.
RewriteRule ^/message-system http://localhost:8081/++vh++https:<hostname>:443/++/message-system [P]
RewriteRule ^/ajax http://localhost:9090/ [P]
RewriteCond %{REQUEST_URI} !/robots.txt
RewriteCond %{REQUEST_URI} !/favicon.ico
RewriteCond %{REQUEST_URI} !/static
RewriteCond %{REQUEST_URI} !/config
RewriteCond %{REQUEST_URI} !/hash-id-databases
# Replace the <hostname> with the DNS hostname for this machine.
# If you change the port number that Apache is providing SSL on, you must change the
# port number 443 here.
RewriteRule ^/(.*) http://localhost:8080/++vh++https:<hostname>:443/++/$1 [P]
<Location /handle_messages>
Order allow,deny
Deny from all
</Location>
<Location /message-system>
Order allow,deny
Allow from all
</Location>
<Location />
# Insert filter
SetOutputFilter DEFLATE
# Don't compress images or .debs
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|deb)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>
</VirtualHost>You can now enable this site with:
$ sudo a2ensite landscape
After, we need to reload the apache configuration:
$ sudo service apache2 reload
9. Setup the initial user
Visit https://<servername>/new-standalone-user
This prompts you to enter a username/password and create an account, and grants you access to the account.
10. Configure your first client...
$ sudo landscape-config --computer-title "My First Computer" --account-name standalone --url https://<servername>/message-system --ping-url http://<servername>/ping
You can now accept your client in the Landscape UI, and it begins to upload data.
11. Setup a mail alias for the landscape user
We recommend adding an alias for user landscape on your local environment, to ensure that important system emails get attention.
$ sudo vim /etc/aliases
Add a line landscape: <insert recipient's email address> to this file and rebuild your aliases
$ sudo /usr/bin/newaliases