Landscape Dedicated Server Quickstart Guide
You will need a CA signed SSL certificate. For instructions, please see this tutorial. To get started with LDS, open a terminal and enter the code as shown in the following steps:
1. Install PostgreSQL and required libraries.
$ sudo apt-get install postgresql-8.4 python-smartpm postgresql-plpython-8.4
2. Create a landscape superuser.
$ sudo -u postgres createuser --createdb --createrole --superuser --pwprompt landscape_superuser
3. Configure PostgreSQL.
$ sudo vi /etc/postgresql/8.4/main/pg_hba.conf
And add the following line BEFORE the local all all ident line:
local all landscape,landscape_maintenance md5
Here is an example that shows the lines beginning with local. The order of lines is important:
local all postgres ident
local all landscape,landscape_maintenance md5
local all all ident
This allows users to connect to the loopback device, and authenticate with an md5 encrypted password.
Tell PostgreSQL to reload its configuration:
$ sudo /etc/init.d/postgresql-8.4 reload
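PostgreSQL authenticates a connection with the first pg_hba.conf record that matches it, which is why the md5 line must come before local all all ident. The shell function below is an added example, not part of the original guide, that reports which method a local connection would get; its matcher is simplified, and the sample files and the database name exampledb are constructed for illustration.

```shell
#!/bin/sh
# Added example: which auth method does pg_hba.conf give a Unix-socket
# ("local") connection? PostgreSQL uses the first matching record only.
# Simplified matcher (assumption): understands "all" and comma-separated
# names; does not handle +role, @file, quoted names or sameuser/samerole.

# pg_hba_local_method FILE DATABASE USER
# Prints the METHOD of the first matching "local" record, or "none".
pg_hba_local_method() {
    awk -v db="$2" -v user="$3" '
        # True if list (comma-separated) contains name or the keyword "all".
        function matches(list, name,    parts, n, i) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == "all" || parts[i] == name) return 1
            return 0
        }
        { sub(/#.*/, "") }              # drop comments before matching
        $1 == "local" && NF >= 4 && matches($2, db) && matches($3, user) {
            print $4; found = 1; exit   # first match wins, no fall-through
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Constructed samples: the guide's line order, and the same lines misordered.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/good.conf" <<'EOF'
# TYPE  DATABASE  USER                             METHOD
local   all       postgres                         ident
local   all       landscape,landscape_maintenance  md5
local   all       all                              ident
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
local   all       postgres                         ident
local   all       all                              ident
local   all       landscape,landscape_maintenance  md5
EOF

# exampledb is a placeholder database name; the rules above use "all".
for f in good bad; do
    for u in landscape landscape_maintenance postgres; do
        printf '%s.conf  %-22s -> %s\n' "$f" "$u" \
            "$(pg_hba_local_method "$demo_dir/$f.conf" exampledb "$u")"
    done
done
```

For bad.conf the function reports ident for landscape, because the local all all ident record is reached first and the md5 line never applies.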
4. Configure your apt sources.list file.
Visit https://launchpad.net/ and click on your username in the top right-hand corner of the page.
Click the View your private PPA subscriptions link in the middle of the page.
This gives you a list of the PPAs you are subscribed to. Click on the View link for the Landscape Standalone Package PPA. Copy and paste the "deb" line into your sources.list file.
$ sudo vi /etc/apt/sources.list
Now you need to add the key for this source to your package keyring.
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4652B4E6
Now you need to update your APT package database.
$ sudo apt-get update
Next you can install the landscape-server package.
$ sudo apt-get install landscape-server
This pulls in a number of dependencies, and prompts you to configure LDS.
When prompted, enter "landscape_superuser" as the user name. Select password authentication, and enter the password you set in step 2.
5. Configure RabbitMQ
$ sudo rabbitmqctl add_user landscape landscape
$ sudo rabbitmqctl add_vhost landscape
$ sudo rabbitmqctl set_permissions -p landscape landscape "" ".*" ".*"
6. Bootstrap the Landscape databases and settings.
The system prompts you to run setup-landscape-server after completing the installation.
$ sudo setup-landscape-server
This will create two new users: "landscape" and "landscape_maintenance". It will also set up the Landscape database schema.
7. Configure Landscape Services to run.
Now, you need to modify /etc/default/landscape-server:
$ sudo vi /etc/default/landscape-server
And change RUN_ALL to be "yes".
You can now either start all the services manually, or restart the machine.
8. Configure Apache
Create an Apache Virtual Host.
$ sudo vi /etc/apache2/sites-available/landscape
Now copy and paste the configuration file below. Please read the comments in the file and enter the correct values. You need to change the following:
- hostname
- path to certificate and key files
<VirtualHost *:80>
    # This Hostname is the HTTP/1.1 hostname that users and Landscape clients will access
    # It must be the same as your SSL Certificate's CommonName
    # And the DNS Hostname for this machine
    # It is not recommended that you use an IP address here...
    ServerName <hostname>
    ServerAdmin webmaster@<hostname>
    ErrorLog /var/log/apache2/landscape.error-log
    CustomLog /var/log/apache2/landscape.access-log combined
    DocumentRoot /opt/canonical/landscape/canonical/landscape
    ErrorLog /var/log/apache2/landscape.local.error-log
    CustomLog /var/log/apache2/landscape.local.access-log combined

    # Set a Via header in outbound requests to the proxy, so proxied apps can
    # know who the actual client is
    ProxyVia on
    ProxyTimeout 10

    <Directory "/">
      Options +Indexes
      Order deny,allow
      Allow from all
      ErrorDocument 403 /static/offline/unauthorized.html
      ErrorDocument 404 /static/offline/notfound.html
    </Directory>

    Alias /packages /opt/canonical/landscape/packages
    Alias /static /opt/canonical/landscape/canonical/static

    <Directory "/opt/canonical/landscape/packages">
      Order allow,deny
      Allow from all
    </Directory>
    <Location "/packages">
      Order allow,deny
      Allow from all
    </Location>
    <Location "/icons">
      Order allow,deny
      Allow from all
    </Location>
    <Location "/ping">
      Order allow,deny
      Allow from all
    </Location>
    <Location "/message-system">
      Order allow,deny
      Allow from all
    </Location>
    <Location "/r">
      FileETag none
      ExpiresActive on
      ExpiresDefault "access plus 10 years"
      Header append Cache-Control "public"
    </Location>

    RewriteEngine On
    RewriteRule ^/r/([^/]+)/(.*) /$2 [L]

    # The Landscape Ping Server runs on port 8082
    RewriteRule ^/ping$ http://localhost:8082/ping [P]

    RewriteCond %{REQUEST_URI} !/server-status
    RewriteCond %{REQUEST_URI} !/icons
    RewriteCond %{REQUEST_URI} !/static
    RewriteCond %{REQUEST_URI} !/packages
    RewriteCond %{REQUEST_URI} !/handle_messages
    RewriteCond %{REQUEST_URI} !/message-system
    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the
    # port number 443 here.
    RewriteRule ^/(.*) https://<hostname>:443/$1 [R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName <hostname>
    ServerAdmin webmaster@<hostname>
    ErrorLog /var/log/apache2/landscape.error-log
    CustomLog /var/log/apache2/landscape.access-log combined
    DocumentRoot /opt/canonical/landscape/canonical/landscape

    SSLEngine On
    SSLCertificateFile <enter the path to your SSL .crt file>
    SSLCertificateKeyFile <enter the path to your SSL .key file>
    # If you have either an SSLCertificateChainFile or, a self-signed CA signed certificate
    # uncomment the line below.
    # SSLCertificateChainFile /etc/ssl/certs/landscape_server_ca.crt

    <Directory "/">
      Options -Indexes
      Order deny,allow
      Allow from all
      ErrorDocument 403 /static/offline/unauthorized.html
      ErrorDocument 404 /static/offline/notfound.html
    </Directory>

    <Location "/ajax">
      Order allow,deny
      Allow from all
    </Location>

    Alias /config /opt/canonical/landscape/apacheroot
    Alias /hash-id-databases /var/lib/landscape/hash-id-databases

    ProxyRequests off
    <Proxy *>
      Order deny,allow
      Allow from all
      ErrorDocument 403 /static/offline/unauthorized.html
      ErrorDocument 500 /static/offline/exception.html
      ErrorDocument 502 /static/offline/unplanned-offline.html
      ErrorDocument 503 /static/offline/unplanned-offline.html
    </Proxy>

    ProxyPass /robots.txt !
    ProxyPass /favicon.ico !
    ProxyPass /static !
    ProxyPreserveHost on

    <Location "/r">
      FileETag none
      ExpiresActive on
      ExpiresDefault "access plus 10 years"
      Header append Cache-Control "public"
    </Location>

    RewriteEngine On
    RewriteRule ^/r/([^/]+)/(.*) /$2 [L]
    RewriteRule ^/.*\+\+.* / [F]

    # We have two Landscape servers, one running on port 8080 and the other on
    # port 8081
    # Port 8080 is the Web-UI for users, port 8081 is the message server.
    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the
    # port number 443 here.
    RewriteRule ^/message-system http://localhost:8081/++vh++https:<hostname>:443/++/message-system [P]
    RewriteRule ^/ajax http://localhost:9090/ [P]

    RewriteCond %{REQUEST_URI} !/robots.txt
    RewriteCond %{REQUEST_URI} !/favicon.ico
    RewriteCond %{REQUEST_URI} !/static
    RewriteCond %{REQUEST_URI} !/config
    RewriteCond %{REQUEST_URI} !/hash-id-databases
    # Replace the <hostname> with the DNS hostname for this machine.
    # If you change the port number that Apache is providing SSL on, you must change the
    # port number 443 here.
    RewriteRule ^/(.*) http://localhost:8080/++vh++https:<hostname>:443/++/$1 [P]

    <Location /handle_messages>
      Order allow,deny
      Deny from all
    </Location>
    <Location /message-system>
      Order allow,deny
      Allow from all
    </Location>
    <Location />
      # Insert filter
      SetOutputFilter DEFLATE
      # Don't compress images or .debs
      SetEnvIfNoCase Request_URI \
        \.(?:gif|jpe?g|png|deb)$ no-gzip dont-vary
      # Make sure proxies don't deliver the wrong content
      Header append Vary User-Agent env=!dont-vary
    </Location>
</VirtualHost>
You can now enable this site with:
$ sudo a2ensite landscape
Afterwards, reload the Apache configuration:
$ sudo service apache2 reload
9. Set up the initial user
Visit https://<servername>/new-standalone-user
This prompts you to enter a username/password and create an account, and grants you access to the account.
10. Configure your first client...
$ sudo landscape-config --computer-title "My First Computer" --account-name standalone --url https://<servername>/message-system --ping-url http://<servername>/ping
You can now accept your client in the Landscape UI, and it begins to upload data.
11. Set up a mail alias for the landscape user
We recommend adding an alias for user landscape on your local environment, to ensure that important system emails get attention.
$ sudo vim /etc/aliases
Add the line landscape: <insert recipient's email address> to this file, then rebuild your aliases:
$ sudo /usr/bin/newaliases