Changeset 2066 for trunk/server/doc/install-howto.sh
Timestamp: Nov 22, 2011, 12:45:17 AM
Location: trunk
Files: 2 edited
trunk
- Property svn:mergeinfo changed
trunk/server/doc/install-howto.sh
r1961 r2066 7 7 # [WIZARD] Semi-production server that will only have 8 8 # daemon.scripts-security-upd bits, among other 9 # restricted permissions bits, among other10 # restricted permissions bits, among other11 # restricted permissions bits, among other12 9 # restricted permissions 13 10 # [TESTSERVER] Completely untrusted server 14 15 set -e -x16 17 # Some commands should be run as the scripts-build user, not root.18 19 alias asbuild="sudo -u scripts-build"20 21 # Old versions of this install document advised setting22 # NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using23 # yum, warning that useradd will query LDAP in a stupid way that makes24 # it hang forever. As of Fedora 13, this does not seem to be a problem,25 # so it's been removed from the instructions. If an install is hanging,26 # though, try adding NSS_NONLOCAL_IGNORE.27 11 28 12 # This is actually just "pick an active scripts server". It can't be … … 41 25 server=YOUR-SERVER-NAME-HERE 42 26 43 # Start with a Scripts kickstarted install of Fedora (install-fedora) 44 45 # Take updates, reboot if there's a kernel update. 46 yum update -y 47 48 # Get rid of network manager 49 yum remove NetworkManager 50 51 # Copy over root's dotfiles from one of the other machines. 52 # Perhaps a useful change is to remove the default aliases 53 cd /root 54 ls -l .bashrc 55 ls -l .screenrc 56 ls -l .ssh 57 ls -l .vimrc 58 ls -l .k5login 59 # [PRODUCTION] This rc file has sensitive data on it and should only 60 # be pushed onto production servers. 61 ls -l .ldapvirc 62 # Trying to scp from server to server won't work, as scp 63 # will attempt to negotiate a server-to-server connection. 64 # Instead, scp to your trusted machine as a temporary file, 65 # and then push to the other server 66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} . 67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 68 # [PRODUCTION] 69 scp root@$source_server:~/.ldapvirc . 
70 scp .ldapvirc root@$server:~ 71 72 # Install the initial set of credentials (to get Kerberized logins once 73 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 74 # o Install the machine keytab. 75 ls -l /etc/krb5.keytab 76 # Use ktutil to combine the host/scripts.mit.edu and 77 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 78 # the keytab. Do not use 'k5srvutil change' on the combined keytab 79 # or you'll break the other servers. (real servers only). Be 80 # careful about writing out the keytab: if you write it to an 81 # existing file the keys will just get appended. The correct 82 # credential list should look like: 83 # ktutil: l 84 # slot KVNO Principal 85 # ---- ---- --------------------------------------------------------------------- 86 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 87 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 88 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 89 # o [PRODUCTION] Replace the ssh host keys with the ones common to all 90 # scripts servers (real servers only) 91 ls -l /etc/ssh/*key* 92 # You can do that with: 93 scp root@$source_server:/etc/ssh/*key* . 94 scp *key* root@$server:/etc/ssh/ 95 service sshd reload 96 97 # Check out the scripts /etc configuration 98 # backslash to make us not use the alias 99 cd /root 100 \cp -a etc / 101 chmod 0440 /etc/sudoers 102 27 # ----------------------------->8-------------------------------------- 28 # FIRST TIME INSTRUCTIONS 29 # 103 30 # [PRODUCTION] If this is the first time you've installed this hostname, 104 31 # you will need to update a bunch of files to add support for it. These … … 120 47 # o Set up Nagios monitoring on sipb-noc for the host 121 48 # o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf 122 XXX TODO COMMANDS 123 124 # NOTE: You will have just lost DNS resolution and the ability 125 # to do password SSH in. 
If you managed to botch this step without 126 # having named setup, you can do a quick fix by frobbing /etc/resolv.conf 127 # with a non 127.0.0.1 address for the DNS server. Be sure to revert it once 128 # you have named. 129 130 # NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow 131 # password auth) and /etc/pam.d/sshd (comment out the first three auth 132 # lines). However, you should have the Kerberos credentials in place 133 # so as soon as you install the full set of Scripts packages, you'll get 134 # Kerberized logins. 135 136 # Make sure network is working. If this is a new server name, you'll 137 # need to add it to /etc/hosts and 138 # /etc/sysconfig/network-scripts/route-eth1. Kickstart should have 49 # o Update locker/etc/known_hosts 50 # 51 # You will also need to prepare the keytabs for credit-card. In particular, 52 # use ktutil to combine the host/scripts.mit.edu and 53 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 54 # the keytab. Do not use 'k5srvutil change' on the combined keytab 55 # or you'll break the other servers. (real servers only). Be 56 # careful about writing out the keytab: if you write it to an 57 # existing file the keys will just get appended. The correct 58 # credential list should look like: 59 # ktutil: l 60 # slot KVNO Principal 61 # ---- ---- --------------------------------------------------------------------- 62 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 63 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 64 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 65 # 66 # The LDAP keytab should be by itself, so be sure to delete it and 67 # put it in its own file. 68 69 # ----------------------------->8-------------------------------------- 70 # INFINITE INSTALLATION 71 72 # Start with a Scripts kickstarted install of Fedora (install-fedora) 73 74 # Take updates, reboot if there's a kernel update. 
75 yum update -y 76 77 # Get rid of network manager (XXX figure out to make kickstarter do 78 # this for us) 79 yum remove NetworkManager 80 81 # Make sure sendmail isn't installed 82 yum remove sendmail 83 84 # Check out the scripts /etc configuration 85 cd /root 86 \cp -a etc / 87 chmod 0440 /etc/sudoers 88 89 # Make sure network is working. Kickstart should have 139 90 # configured eth0 and eth1 correctly; use service network restart 140 # to add the new routes in route-eth1. 141 service network restart 91 # to add the new routes from etc in route-eth1. 92 systemctl restart network.service 93 # Check everything worked: 142 94 route 143 95 ifconfig … … 151 103 # Some of these packages are naughty and clobber some of our files 152 104 cd /etc 153 svn revert resolv.conf hosts sysconfig/openafs 105 svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf 154 106 155 107 # Replace rsyslog with syslog-ng by doing: 156 108 rpm -e --nodeps rsyslog 157 109 yum install -y syslog-ng 158 chkconfig syslog-ng on 159 160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 161 # mapping. 162 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 163 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 164 165 # [TESTSERVER] If you're installing a test server, this needs to be 166 # much smaller; the max filesize on XVM is 10GB. Pick something like 167 # 500000. Also, some of the AFS parameters are kind of retarded (and if 168 # you're low on disk space, will actually exhaust our inodes). Edit 169 # these parameters in /etc/sysconfig/openafs 170 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 171 XXX TODO COMMANDS 172 173 # Test that zephyr is working 174 chkconfig zhm on 175 service zhm start 176 echo 'Test!' | zwrite -d -c scripts -i test 110 systemctl enable syslog-ng.service 177 111 178 112 # Install the full list of RPMs that users expect to be on the … … 184 118 # it can't install /one/ package. 
185 119 yum install -y --skip-broken $(cat packages.txt) 186 187 # Make sure sendmail isn't installed188 yum remove sendmail189 120 190 121 # Check which packages are installed on your new server that are not … … 204 135 # explicit versions. So temporarily rpm -e the package, and then 205 136 # install it again after you install haskell-platform. [Note: You 206 # probably won't need this in Fedora 1 5or something, when the Haskell137 # probably won't need this in Fedora 17 or something, when the Haskell 207 138 # Platform gets updated.] 208 139 rpm -e ghc-cgi-devel ghc-cgi … … 212 143 rpm -i ghc-cgi*1.8.1*.rpm 213 144 214 # Check out the scripts /usr/vice/etc configuration 215 cd /root/vice 216 \cp -a etc /usr/vice 145 # ----------------------------->8-------------------------------------- 146 # SPHEROID SHENANIGANS 147 148 # Note: Since ultimately we'd like to move away from using per-language 149 # package manager and all of these be RPMs, it is of questionable 150 # importance how much /good/ automation for these is necessary. 151 152 # Warning: For a new release, we're supposed to check if Fedora has 153 # packaged up the RPM. Unfortunately we don't really have good incants 154 # for this. 217 155 218 156 # Install the full list of perl modules that users expect to be on the … … 242 180 # want to be able to write to ~/.python-eggs. (Also makes sourcediving 243 181 # easier.) 244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 182 # 'easy_install AuthKit jsonlib2 pygit' 183 cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 245 184 cat egg.txt | xargs easy_install -Z 185 246 186 # - Look at `gem list` for Ruby gems. 247 187 # Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. 248 188 # ezyang: rspec-rails depends on rspec, and will override the Yum 249 189 # package, so... 
don't use that RPM yet 190 # XXX This doesn't do the right thing for old version gems 250 191 gem list --no-version > gem.txt 251 192 gem install $(gem list --no-version | grep -Fxvf - gem.txt) 193 # Also, we need to install the old rails version 194 gem install -v=2.3.5 rails 195 252 196 # - Look at `pear list` for Pear fruits (or whatever they're called). 253 197 # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note … … 258 202 pear channel-update pear.php.net 259 203 pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt) 204 260 205 # - Look at `pecl list` for PECL things. 'yum search', and if you must, 261 206 # 'pecl install' needed items. If it doesn't work, try 'pear install … … 264 209 pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) 265 210 266 # Setup some Python config 267 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 268 269 # [PRODUCTION] Install the credentials. There are a lot of things to 270 # remember here. Be sure to make sure the permissions match up (ls -l 271 # on an existing server!). 272 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 
273 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 274 scp scripts.key root@$server:/etc/pki/tls/private 275 scp .k5login root@$server:/home/logview 276 # o The SSL cert private key (real servers only) 277 ls -l /etc/pki/tls/private/scripts.key 278 # o The LDAP password for the signup process (real servers only) 279 ls -l /etc/signup-ldap-pw 280 # o The whoisd password (real servers only) 281 ls -l /etc/whoisd-password 282 # o Make sure logview's .k5login is correct (real servers only) 283 cat /home/logview/.k5login 284 285 # All types of servers will have an /etc/daemon.keytab file, however, 286 # different types of server will have different credentials in this 287 # keytab. 288 # [PRODUCTION] daemon.scripts 289 # [WIZARD] daemon.scripts-security-upd 290 # [TESTSERVER] daemon.scripts-test 291 k5srvutil list -f daemon.keytab 292 scp daemon.keytab root@$server:/etc 293 chown afsagent:afsagent /etc/daemon.keytab 294 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 295 ls -l /etc/daemon.keytab 296 297 # Spin up OpenAFS. This will fail if there's been a new kernel since 298 # when you last tried. In that case, you can hold on till later to 299 # start OpenAFS. This will take a little bit of time; 300 service openafs-client start 301 # Then, check that fs sysname is correct. You should see, among others, 302 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 303 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 211 # ----------------------------->8-------------------------------------- 212 # INFINITE CONFIGURATION 213 214 # Create fedora-ds user (needed for credit-card) 215 useradd -u 103 -r -d /var/lib/dirsrv fedora-ds 216 217 # Run credit-card to clone in credentials and make things runabble 218 python host.py push $server 219 220 # This is superseded by credit-card, but only for [PRODUCTION] 221 # Don't use credit-card on [WIZARD]: it will put in the wrong creds! 
222 # 223 # # All types of servers will have an /etc/daemon.keytab file, however, 224 # # different types of server will have different credentials in this 225 # # keytab. 226 # # [PRODUCTION] daemon.scripts 227 # # [WIZARD] daemon.scripts-security-upd 228 # # [TESTSERVER] daemon.scripts-test 229 230 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 231 # mapping. 232 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 233 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 234 # [TESTSERVER] If you're installing a test server, this needs to be 235 # much smaller; the max filesize on XVM is 10GB. Pick something like 236 # 500000. Also, some of the AFS parameters are kind of retarded (and if 237 # you're low on disk space, will actually exhaust our inodes). Edit 238 # these parameters in /etc/sysconfig/openafs (but wait, that won't 239 # work, will it...) 240 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 241 vim /etc/sysconfig/openafs 242 243 # Test that zephyr is working 244 systemctl enable zhm.service 245 systemctl start zhm.service 246 echo 'Test!' | zwrite -d -c scripts -i test 247 248 # Check out the scripts /usr/vice/etc configuration 249 cd /root/vice 250 \cp -a etc /usr/vice 251 252 # [PRODUCTION] Set up replication (see ./install-ldap). 
253 # You'll need the LDAP keytab for this server: be sure to chown it 254 # fedora-ds after you create the fedora-ds user 255 ls -l /etc/dirsrv/keytab 256 cat install-ldap 257 258 # Enable lots of services 259 systemctl enable openafs-client.service 260 systemctl enable dirsrv.service 261 systemctl enable nslcd.service 262 systemctl enable nscd.service 263 systemctl enable postfix.service 264 systemctl enable nrpe.service 265 systemctl enable httpd.service # not for [WIZARD] 266 267 systemctl start openafs-client.service 268 systemctl start dirsrv.service 269 systemctl start nslcd.service 270 systemctl start nscd.service 271 systemctl start postfix.service 272 systemctl start nrpe.service 273 systemctl start httpd.service # not for [WIZARD] 274 275 # Note about OpenAFS: Check that fs sysname is correct. You should see, 276 # among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's 277 # not, you probably did a distro upgrade and should update 278 # /etc/sysconfig/openafs (XXX this is wrong: figuring out new 279 # systemd world order). 304 280 fs sysname 281 282 # Postfix doesn't actually deliver mail; fix this 283 cd /etc/postfix 284 postmap virtual 285 286 # Munin might not be monitoring packages that were installed after it 287 munin-node-configure --suggest --shell | sh 288 289 # Run fmtutil-sys --all, which does something that makes TeX work. 290 # (Note: this errors on XeTeX which is ok.) 291 fmtutil-sys --all 292 293 # Ensure that PHP isn't broken: 294 mkdir /tmp/sessions 295 chmod 01777 /tmp/sessions 296 # XXX: this seems to get deleted if tmp gets cleaned up, so we 297 # might need something a little better (maybe init script.) 298 299 # Fix etc by making sure none of our config files got overwritten 300 cd /etc 301 svn status -q 302 # Some usual candidates for clobbering include nsswitch.conf, 303 # resolv.conf and sysconfig/openafs 304 # [WIZARD/TEST] Remember that changes you made should not get 305 # reverted! 
306 307 # Reboot the machine to restore a consistent state, in case you 308 # changed anything. (Note: Starting kdump fails (this is ok)) 309 310 # When all is said and done, fix up the Subversion checkouts 311 cd /etc 312 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 313 cd /usr/vice/etc 314 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 315 cd /srv/repository 316 # Some commands should be run as the scripts-build user, not root. 317 alias asbuild="sudo -u scripts-build" 318 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 319 asbuild svn up # verify scripts.mit.edu works 320 321 # ------------------------------->8------------------------------- 322 # ADDENDA AND MISCELLANEOUS THINGS 323 324 # [OPTIONAL] Your machine's hostname is baked in at install time; 325 # in the rare case you need to change it: it appears to be in: 326 # o /etc/sysconfig/network 327 # o your lvm thingies; probably don't need to edit 305 328 306 329 # [WIZARD/TESTSERVER] If you are setting up a non-production server, … … 337 360 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 338 361 339 # [PRODUCTION] Set up replication (see ./install-ldap).340 # You'll need the LDAP keytab for this server: be sure to chown it341 # fedora-ds after you create the fedora-ds user342 ls -l /etc/dirsrv/keytab343 cat install-ldap344 345 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at346 # boot. 
Run chkconfig to make sure the set of services to be run is347 # correct.348 service nslcd start349 service nscd start350 service postfix start351 chkconfig nslcd on352 chkconfig nscd on353 chkconfig postfix on354 355 # [PRODUCTION]356 chkconfig dirsrv on357 358 # [PRODUCTION/TESTSERVER]359 # (Maybe WIZARD too once we start doing strange things to autoupgrade360 # installs behind firewalls.)361 service httpd start # will fail if AFS is not running362 chkconfig httpd on363 364 # nrpe is required for nagios alerts365 chkconfig nrpe on366 367 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP368 # is setup)369 chown sql /etc/sql-mit-edu.cfg.php370 371 # Postfix doesn't actually deliver mail; fix this372 cd /etc/postfix373 postmap virtual374 375 # Munin might not be monitoring packages that were installed after it376 munin-node-configure --suggest --shell | sh377 378 # Run fmtutil-sys --all, which does something that makes TeX work.379 # (Note: this errors on XeTeX which is ok.)380 fmtutil-sys --all381 382 # Ensure that PHP isn't broken:383 mkdir /tmp/sessions384 chmod 01777 /tmp/sessions385 # XXX: this seems to get deleted if tmp gets cleaned up, so we386 # might need something a little better (maybe init script.)387 388 # Ensure fcgid isn't broken (should be 755)389 ls -ld /var/run/mod_fcgid390 391 # Fix etc by making sure none of our config files got overwritten392 cd /etc393 svn status -q394 # Some usual candidates for clobbering include nsswitch.conf and395 # sysconfig/openafs396 # [WIZARD/TEST] Remember that changes you made should not get397 # reverted!398 399 # ThisCell got clobbered, replace it with athena.mit.edu400 echo "athena.mit.edu" > /usr/vice/etc/ThisCell401 402 # Reboot the machine to restore a consistent state, in case you403 # changed anything. 
(Note: Starting kdump fails (this is ok))404 405 # [OPTIONAL] Your machine's hostname is baked in at install time;406 # in the rare case you need to change it: it appears to be in:407 # o /etc/sysconfig/network408 # o your lvm thingies; probably don't need to edit409 410 362 # [TESTERVER] 411 363 # - You need a self-signed SSL cert or Apache will refuse to start … … 420 372 # be an accepted vhost name 421 373 # - Look at the old test server and see what config changes are floating around 422 423 # XXX: our SVN checkout should be updated to use scripts.mit.edu424 # (repository and etc) once serving actually works.425 cd /etc426 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/427 cd /usr/vice/etc428 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/429 cd /srv/repository430 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/431 asbuild svn up # verify scripts.mit.edu works
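Review bot: the credential push in the INFINITE CONFIGURATION hunk is unconditional, yet the comment right under it says credit-card is correct only for [PRODUCTION] and "will put in the wrong creds!" on [WIZARD]. `python host.py push $server` should carry the [PRODUCTION] tag like every other production-only command in this file, and the non-production path for getting daemon.scripts-security-upd or daemon.scripts-test into /etc/daemon.keytab has been dropped along with the old `k5srvutil list -f daemon.keytab` and `chown afsagent:afsagent /etc/daemon.keytab` lines, so the commented-out list of which principal each server type gets now describes a step nobody is told how to perform. Either restore those lines under a [WIZARD/TESTSERVER] tag or state how credit-card is told which keytab to push.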
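Review bot: the hunk that deletes the manual credential install also deletes the only permission checks this document had (`ls -l /etc/pki/tls/private/scripts.key`, `ls -l /etc/signup-ldap-pw`, `cat /home/logview/.k5login` and friends) and the `chown sql /etc/sql-mit-edu.cfg.php` step that the old text said must run after LDAP is set up, with nothing in the new text saying credit-card sets owners and modes. A tool that copies secrets onto a fresh host is exactly where a wrong mode goes unnoticed, so keep a verification step after `python host.py push $server` (the old advice to "ls -l on an existing server!" still applies) and either keep the sql chown or note that credit-card performs it.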
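Review bot: the FIRST TIME hunk drops the ssh host key replacement (`scp root@$source_server:/etc/ssh/*key* .` then `scp *key* root@$server:/etc/ssh/`, followed by `service sshd reload`) and the machine keytab install, and also the recovery note about re-enabling password auth in sshd_config and pam.d/sshd, without saying which of these credit-card now covers. The old method staged private host keys on the admin's workstation, so moving it into credit-card is an improvement worth stating explicitly; if it is not covered, a new host comes up with kickstart-generated host keys that do not match the ones common to all scripts servers that locker/etc/known_hosts expects, and the removed recovery note is the one an installer needs when Kerberos login is not yet working.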
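Review bot: the service hunks move to `systemctl enable` and `systemctl start` but leave the `mkdir /tmp/sessions` / `chmod 01777 /tmp/sessions` XXX about tmp cleanup unresolved; now that the document targets systemd, a tmpfiles.d entry such as `d /tmp/sessions 1777 root root -` is the natural replacement for the init script the comment wishes for. The consolidation also loses two caveats from the old start sequence, that httpd "will fail if AFS is not running" and that nrpe is required for nagios alerts; the new block starts httpd immediately after openafs-client with no ordering note, which matters because the OpenAFS comment a few lines earlier warns the client start can fail after a kernel update.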
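Review bot: `gem install -v=2.3.5 rails` pins an old web framework version outside the `gem install $(gem list --no-version | grep -Fxvf - gem.txt)` loop, so nothing in this procedure will ever update it, and the "XXX This doesn't do the right thing for old version gems" comment admits as much; say why the pin is needed and where updates for it are tracked, since a version that only this line knows about is one that no later `yum update -y` will touch.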