Revision 25 as of 2010-12-17 15:41:22

Clear message


This is the baseline deployment recommendation we have for the LDS product using the Debian packages delivery mechanism. At a minimum, we have two machines:

  • a database server, running Ubuntu 10.04 LTS ("lucid"), with Postgresql 8.4
  • an application server, also running Ubuntu 10.04 LTS ("lucid"), hosting the Landscape services

Below is a diagram showing a reasonable default network layout:

(XXX - missing diagram)

Important points:

  • the APP server needs http access to in order to download the USN database and detect security updates

  • the APP server also needs http access to the public Ubuntu archives, in order to update the hash-id-database files and detect new distribution releases

Preparing for the installation

What you will need:

  • Ubuntu 10.04 LTS ("lucid") server install media
  • Landscape Dedicated Server license file
  • Server X509 certificate and key, signed by a publicly known Certificate Authority, and issued for the FQDN hostname of the application server
  • sources.list line that gives access to the PPA that has the LDS packages

    {i} Custom CAs can be used, but this is not documented here as it's considered an advanced topic. Administrators deploying custom CAs most likely know what needs to be done.

Installing the Database Server

After having installed the basic server profile of Ubuntu Server, we need to install the postgresql database and configure it for use by Landscape. Please follow these steps:

Install postgresql and required libraries

sudo apt-get install postgresql-8.4 python-smartpm postgresql-plpython-8.4

Create a superuser Landscape can use

Landscape needs a database superuser in order to create the lower privilege users it needs to perform routine tasks and access the data, as well as alter the database schema whenever needed:

sudo -u postgres createuser --createdb --createrole --superuser --pwprompt landscape_superuser
  • /!\ Use a strong password!

If this database is to be shared with other services, it is recommended that another cluster is created instead for those services (or for Landscape). Please refer to the Postgresql documentation in that case.

Configure PostgreSQL

We now need to allow the application server to access this database server. Landscape uses several users for this access, so we need to allow them all. Edit /etc/postgresql/8.4/main/pg_hba.conf and add the following line to its end:

host all landscape,landscape_maintenance,landscape_superuser <IP-OF-APP> md5

Replace <IP-OF-APP> with the IP address of the application server, followed by /32. Alternatively, you can specify the network address using the CIDR notation. Some examples of valid values:

  • the IP address of the APP server

  • a network address

Now we need to allow network connections to the database. Edit /etc/postgresql/8.4/main/postgresql.conf and find the listen_addresses parameter, which is probably commented, and change it to:

listen_addresses = '*'

Finally, restart the database service:

sudo /etc/init.d/postgresql-8.4 restart

It's strongly recommended to fine tune this postgresql installation according to the hardware of the server machine. This page has some tips. We recommend to at least take a look at the following parameters:

Installing the application server

The application server will host the following Landscape services:

  • application server
  • message server
  • ping server
  • job handler
  • async-frontend

Additionally, other services needed by Landscape will also be running on this machine, such as:

  • apache
  • rabbit-mq

Let's begin.

Adding the Landscape PPA and installing the package

As part of your LDS purchase, you should have been subscribed to a private PPA which hosts the LDS packages. To access that PPA, please follow these steps:

  • access (you will need to authenticate first, if not logged in already)

  • click on the "View" link for the "LDS Stable" PPA and add the line that is being shown to a file in /etc/apt/sources.list.d called lds.list

  • adjust permissions on that file:

sudo chmod 0600 /etc/apt/sources.list.d/lds.list
sudo chown root:root /etc/apt/sources.list.d/lds.list
  • import the signing key for this PPA. Replace <KEYID> below with the key id that is displayed on that page (for example, if it shows 1024R/4652B4E6, then use 4652B4E6 for <KEYID>):

sudo apt-key adv --keyserver --recv-key <KEYID>
  • install the package. Note that it will complain about a missing license file:

sudo apt-get update
sudo apt-get install landscape-server

Install the license file

Copy the license file you received to /etc/landscape:

cp license.txt /etc/landscape

Make sure it's readable by everybody, or at least the landscape user.

Configure database access

Please edit the file /etc/landscape/server.conf and fill in the needed parameters for the access to the database:

host = 
port = 
superuser = 
superuser-password = 
  • host: the hostname or IP address of the database server

  • port: the port number where the database cluster is listening (use 5432 if in doubt)

  • superuser: the name of a superuser account of that database. In our case, this is landscape_superuser, which we created when preparing the database server before

  • superuser-password: the password of the database superuser we created before when preparing the database server

Configure rabbitmq

This one is simple. Just run the following commands:

sudo rabbitmqctl add_user landscape landscape
sudo rabbitmqctl add_vhost landscape
sudo rabbitmqctl set_permissions -p landscape landscape "" ".*" ".*"

Run the Landscape setup script

This script will bootstrap the databases Landscape needs to work and setup the remaining of the configuration:

sudo setup-landscape-server
  • {i} Depending on the hardware, this may take several minutes to complete

Configure Landscape services and schema upgrades

We need to enable the Landscape services now. Please edit /etc/default/landscape-server and change the RUN_ALL line to yes:

# To run all Landscape services set this to "yes"
  • {i} If more performance and availability are needed out of LDS, it's possible to spread out the services amongst several machines. In that case, for example, one could run message servers in one machine, application servers in another one, etc.

In that same file, the UPGRADE_SCHEMA option needs to be reviewed. If set to yes, whenever the package landscape-server is updated it will attempt to update the database schema too. It is a very convenient setting, but please think about the following before enabling it:

  • schema updates can take several minutes
  • if the package is updated while the database is offline, or unreachable, the update will fail
  • you should have a backup of the database before updating the package

Without this setting enabled, a package update might result in services that won't start anymore because of a needed schema change. In that case:

  • stop all the Landscape services
  • backup your database
  • run sudo setup-landscape-server on the application server. This will update the schema

  • start all Landscape services again

Webserver configuration

Landscape uses Apache to, among other things, redirect requests to each service and provide SSL support. The usual way to do this in Ubuntu is to create a Virtual Host for Landscape.

Below is a suggested configuration file that does just that. Install it as /etc/apache2/sites-available/landscape and change the following values:

  • @hostname@: the FQDN of the hostname the clients (browser and machines) will use to connect to LDS. This is what will be in the URL, and it needs to be resolvable via DNS. For example,

  • @certfile@: the full filesystem path to where the SSL certificate for this server is installed. For example, /etc/ssl/certs/landscape_server.pem

  • @keyfile@: the full filesystem path to where the corresponding private key of that certificate is installed. For example, /etc/ssl/private/landscape_server.key.

    /!\ Make sure the user apache runs as can read those files! Also, make sure the private key can only be read by root and that same apache user