Index: branches/fc17-dev/server/doc/install-howto.sh =================================================================== --- branches/fc17-dev/server/doc/install-howto.sh (revision 2081) +++ branches/fc17-dev/server/doc/install-howto.sh (revision 2195) @@ -84,6 +84,11 @@ yum remove NetworkManager -# Make sure sendmail isn't installed - yum remove sendmail +# Make sure sendmail isn't installed, replace it with postfix + yum shell < packages.txt # arrange for packages.txt to be passed to the server, then run: -# --skip-broken will (usually) prevent you from having to sit through -# several minutes of dependency resolution until it decides that -# it can't install /one/ package. - yum install -y --skip-broken $(cat packages.txt) + cd /tmp + yumdownloader --disablerepo=scripts ghc-cgi ghc-cgi-devel + yum localinstall ghc-cgi*.x86_64.rpm + yum install -y $(cat packages.txt) +# The reason this works is that ghc-cgi is marked as installonlypkgs +# in yum.conf, telling yum to install them side-by-side rather than +# updating them. If it doesn't work, use --skip-broken on the yum +# command line. # Check which packages are installed on your new server that are not @@ -140,19 +153,12 @@ # ModemManager PackageKit -# We need an upstream version of cgi which we've packaged ourselves, but -# it doesn't work with the haskell-platform package which expects -# explicit versions. So temporarily rpm -e the package, and then -# install it again after you install haskell-platform. [Note: You -# probably won't need this in Fedora 17 or something, when the Haskell -# Platform gets updated.] [It's not obvious to me that this actually -# works] - rpm -e ghc-cgi-devel ghc-cgi - yum install -y haskell-platform - yumdownloader ghc-cgi - yumdownloader ghc-cgi-devel - rpm -i ghc-cgi*1.8.2*.rpm - # ----------------------------->8-------------------------------------- # SPHEROID SHENANIGANS + +# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on +# the other scripts.mit.edu servers and do not have RPMs. +# The general mode of operation will be to run the "list" command +# on both servers, see what the differences are, check if those diffs +# are packaged up as rpms, and install them (rpm if possible, native otherwise) # Note: Since ultimately we'd like to move away from using per-language @@ -163,4 +169,21 @@ # packaged up the RPM. Unfortunately we don't really have good incants # for this. + +# Warning: If you're installing a new server mid-lifecycle (or even if +# this is the start of a cycle, but you've been staggering the +# installation of servers), upstream may have moved on. Because we +# don't normally upgrade spheroid projects, that means executing these +# instructions directly means that you will have mismatched versions +# (the new servers will have newer versions.) Please follow the +# UPGRADE commentary attached to each of these. + +# Warning: The package lists that are generated are inconsistent on +# the question of whether or not they contain all packages (locally +# installed as well as distro packaged), or if they just contain locally +# installed packages. Check this carefully; many of the install incants +# filter out already installed packages. + +# PERL CPAN +# --------- # Install the full list of perl modules that users expect to be on the @@ -174,13 +197,22 @@ perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt # arrange for perl-packages.txt to be transferred to server + # Package list only contains new packages cat perl-packages.txt | perl -MCPAN -e shell - -# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on -# the other scripts.mit.edu servers and do not have RPMs. -# The general mode of operation will be to run the "list" command -# on both servers, see what the differences are, check if those diffs -# are packaged up as rpms, and install them (rpm if possible, native otherwise) -# - Look at /usr/lib/python2.6/site-packages and -# /usr/lib64/python2.6/site-packages for Python eggs and modules. +# These are in /usr/local + +# UPGRADE: Installing old versions of CPAN modules requires you to +# specify the full path of a module, e.g. +# M/MS/MSCHWERN/Test-Simple-0.62.tar.gz. It is not currently clear how +# to get this information programatically. Furthermore, we have a lot +# of CPAN managed modules. Since CPAN is the only thing +# placed in /usr/local at this point, it may be easier to simple tar and +# cp the Perl modules from one server to another, to keep them +# consistent. But doing this is fiddly XXX + +# PYTHON EGGS +# ----------- + +# - Look at /usr/lib/python2.7/site-packages and +# /usr/lib64/python2.7/site-packages for Python eggs and modules. # There will be a lot of gunk that was installed from packages; # easy-install.pth in /usr/lib/ will tell you what was easy_installed. @@ -192,5 +224,16 @@ # 'easy_install AuthKit jsonlib2 pygit' cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt + # Package list only contains new packages cat egg.txt | xargs easy_install -Z +# These are in /usr + +# UPGRADE: Use 'easy_install -n' to see what new versions are installed, and if there +# are updates validate them and upgrade them on the old servers. Since +# we have a really small package list (around 4) checking these manually +# should be fine. Note that dry run is slightly buggy and may fail +# midway processing files on account of a missing build directory. + +# RUBY GEMS +# --------- # - Look at `gem list` for Ruby gems. @@ -200,7 +243,31 @@ # XXX This doesn't do the right thing for old version gems gem list --no-version > gem.txt + # Package list contains distro gems too gem install $(gem list --no-version | grep -Fxvf - gem.txt) # Also, we need to install the old rails version gem install -v=2.3.5 rails +# These are in /usr + +# UPGRADE: You can either upgrade out-of-date gems, or leave them at +# the old version. We recommend the latter (see below for the +# rationale), but note that the install script described here doesn't +# pin against version, so you'll need to supply the -v parameters +# manually (the gems we install manually don't move too quickly, so this +# is fairly tractable if you check 'gem outdated'.) +# +# If you want to upgrade, do NOT use wildcard 'gem update'; use 'gem +# outdated' to find out all gems that are out of date, and verify this +# against our locally installed gems (there will be a lot of out of date +# gems, but this is simply because Fedora packaging lags behind the +# canonical versions (this is a good thing). Manually upgrade just +# those gems. Note that this doesn't save you from having to install +# old gems on the servers that are being installed out-of-cycle, +# because Ruby supports pinning against old versions, and if those gems +# then mysteriously disappear, things will be sad (note that this isn't +# a *huge* problem, because usually when you pin gems it's in +# conjunction with rvm, so they have their local copy of the gem.) + +# PHP PEAR +# -------- # - Look at `pear list` for Pear fruits (or whatever they're called). @@ -209,7 +276,12 @@ # (you might get complaints about the php_scripts module; ignore them) pear list | tail -n +4 | cut -f 1 -d " " > pear.txt + # Package list contains distro packages pear config-set preferred_state beta pear channel-update pear.php.net pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt) +# These are in /usr + +# PHP PECL +# -------- # - Look at `pecl list` for PECL things. 'yum search', and if you must, @@ -217,13 +289,20 @@ # pecl/foo' or 'pecl install foo-beta' or those two combined. pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt + # Package list contains distro packages pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) +# These are in /usr # ----------------------------->8-------------------------------------- # INFINITE CONFIGURATION -# Create fedora-ds user (needed for credit-card) +# [PROD] Create fedora-ds user (needed for credit-card) useradd -u 103 -r -d /var/lib/dirsrv fedora-ds # Run credit-card to clone in credentials and make things runabble +# NOTE: You may be tempted to run credit-card earlier in the install +# process in order, for example, to be able to SSH in to the servers +# with Kerberos. However, it is better to install the credentials +# *after* we have run a boatload untrusted code as part of the +# spheroids objects process. So don't move this step earlier! python host.py push $server @@ -238,25 +317,20 @@ # # [TESTSERVER] daemon.scripts-test -# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs -# mapping. - echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo - echo "athena.mit.edu" > /usr/vice/etc/ThisCell +# Test that zephyr is working + systemctl enable zhm.service + systemctl start zhm.service + echo 'Test!' | zwrite -d -c scripts -i test + +# Check out the scripts /usr/vice/etc configuration + cd /root/vice + \cp -a etc /usr/vice # [TESTSERVER] If you're installing a test server, this needs to be # much smaller; the max filesize on XVM is 10GB. Pick something like # 500000. Also, some of the AFS parameters are kind of retarded (and if # you're low on disk space, will actually exhaust our inodes). Edit -# these parameters in /etc/sysconfig/openafs (This doesn't work in the -# new systemd world order: try editing the unit file instead.) +# these parameters in /etc/sysconfig/openafs (I just chopped a zero +# off of all of our parameters) echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo vim /etc/sysconfig/openafs - -# Test that zephyr is working - systemctl enable zhm.service - systemctl start zhm.service - echo 'Test!' | zwrite -d -c scripts -i test - -# Check out the scripts /usr/vice/etc configuration - cd /root/vice - \cp -a etc /usr/vice # [PRODUCTION] Set up replication (see ./install-ldap). @@ -300,10 +374,4 @@ # (Note: this errors on XeTeX which is ok.) fmtutil-sys --all - -# Ensure that PHP isn't broken: - mkdir /tmp/sessions - chmod 01777 /tmp/sessions - # XXX: this seems to get deleted if tmp gets cleaned up, so we - # might need something a little better (maybe init script.) # Fix etc by making sure none of our config files got overwritten @@ -374,6 +442,7 @@ # or do SSL. Generate with: openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes -# Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the -# incant for that?) + ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-1024.key +# Also make /etc/pki/tls/certs/ca.pem match up + openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/ca.pem # [TESTSERVER] More stuff for test servers