source: branches/fc15-dev/server/doc/install-howto.sh @ 1938

Last change on this file since 1938 was 1880, checked in by andersk, 14 years ago
Remove 00scripts-home.pth for Fedora 15 The path for user-installed Python modules needs to change anyway from ~/lib/python2.6/site-packages because the Python version is changing, and nobody will be using ~/lib/python2.7/site-packages yet, so let’s take this opportunity to switch to the upstream-supported path: ~/.local/lib/python2.7/site-packages. This is also where modules installed using ‘easy_install --user’ go. (The relevant documentation has already been updated, since this works already as of Python 2.6.)
File size: 16.3 KB
Line 
1# This document is a how-to for installing a Fedora scripts.mit.edu server.
2# It is semi-vaguely in the form of a shell script, but is not really
3# runnable as it stands.
4
5set -e -x
6
7# Some commands should be run as the scripts-build user, not root.
8
9alias asbuild="sudo -u scripts-build"
10
11# Old versions of this install document advised setting
12# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
13# yum, warning that useradd will query LDAP in a stupid way that makes
14# it hang forever.  As of Fedora 13, this does not seem to be a problem,
15# so it's been removed from the instructions.  If an install is hanging,
16# though, try adding NSS_NONLOCAL_IGNORE.
17
18# This is actually just "pick an active scripts server".  It can't be
19# scripts.mit.edu because our networking config points that domain
20# at localhost, and if our server is not setup at that point things
21# will break.
22source_server="cats-whiskers.mit.edu"
23
24# 'branch' is the current svn branch you are on.  You want to
25# use trunk if your just installing a new server, and branches/fcXX-dev
26# if your preparing a server on a new Fedora release.
27branch="trunk"
28
29# 'server' is the public hostname of your server, for SCP'ing files
30# to and from.
31server=YOUR-SERVER-NAME-HERE
32
33# Start with a Scripts kickstarted install of Fedora (install-fedora)
34
35# Take updates, reboot if there's a kernel update.
36    yum update -y
37
38# Get rid of network manager
39    yum remove NetworkManager
40
41# Copy over root's dotfiles from one of the other machines.
42# Perhaps a useful change is to remove the default aliases
43    cd /root
44    ls -l .bashrc
45    ls -l .ldapvirc
46    ls -l .screenrc
47    ls -l .ssh
48    ls -l .vimrc
49    ls -l .k5login
50    # Trying to scp from server to server won't work, as scp
51    # will attempt to negotiate a server-to-server connection.
52    # Instead, scp to your trusted machine as a temporary file,
53    # and then push to the other server
54scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
55scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
56
57# Install the initial set of credentials (to get Kerberized logins once
58# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
59#   o You probably installed the machine keytab long ago
60    ls -l /etc/krb5.keytab
61#     Use ktutil to combine the host/scripts.mit.edu and
62#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
63#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
64#     or you'll break the other servers. (real servers only).  Be
65#     careful about writing out the keytab: if you write it to an
66#     existing file the keys will just get appended.  The correct
67#     credential list should look like:
68#       ktutil:  l
69#       slot KVNO Principal
70#       ---- ---- ---------------------------------------------------------------------
71#          1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
72#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
73#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
74#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
75    ls -l /etc/ssh/*key*
76#     You can do that with:
77scp root@$source_server:/etc/ssh/*key* .
78scp *key* root@$server:/etc/ssh/
79    service sshd reload
80
81# Check out the scripts /etc configuration
82    # backslash to make us not use the alias
83    cd /root
84    \cp -a etc /
85    chmod 0440 /etc/sudoers
86
87# If this is the first time you've installed this hostname, you will
88# need to update a bunch of files to add support for it. These include:
89#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
90#     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
91#     scriptsN, scriptsN.mit.edu, and the IP address.)
92#   o Adding routing rules for the static IP in
93#     /etc/sysconfig/network-scripts/route-eth1
94#   o Adding the IP address to the hosts file (same hosts as for
95#     scripts-vhost-names)
96#   o Update SSH config at
97#       - server/fedora/config/etc/ssh/shosts.equiv
98#       - server/fedora/config/etc/ssh/ssh_known_hosts
99#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
100#     (the last part is critical to ensure that rooting one server
101#     doesn't give you root to all the other servers)
102#   o Put the hostname information in LDAP so SVN and Git work
103#   o Set up Nagios monitoring on sipb-noc for the host
104#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
105    XXX TODO COMMANDS
106
107# NOTE: You will have just lost DNS resolution and the ability
108# to do password SSH in.  If you managed to botch this step without
109# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
110# with a non 127.0.0.1 address for the DNS server.  Be sure to revert it once
111# you have named.
112
113# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
114# password auth) and /etc/pam.d/sshd (comment out the first three auth
115# lines).  However, you should have the Kerberos credentials in place
116# so as soon as you install the full set of Scripts packages, you'll get
117# Kerberized logins.
118
119# Make sure network is working.  If this is a new server name, you'll
120# need to add it to /etc/hosts and
121# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
122# configured eth0 and eth1 correctly; use service network restart
123# to add the new routes in route-eth1.
124    service network restart
125    route
126    ifconfig
127    cat /etc/hosts
128    cat /etc/sysconfig/network-scripts/route-eth1
129
130# This is the point at which you should start updating scriptsified
131# packages for a new Fedora release.  Consult 'upgrade-tips' for more
132# information.
133    yum install -y scripts-base
134    # Some of these packages are naughty and clobber some of our files
135    cd /etc
136    svn revert resolv.conf hosts sysconfig/openafs
137
138# Replace rsyslog with syslog-ng by doing:
139    rpm -e --nodeps rsyslog
140    yum install -y syslog-ng
141    chkconfig syslog-ng on
142
143# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
144    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
145    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
146
147# [TEST SERVER] If you're installing a test server, this needs to be
148# much smaller; the max filesize on XVM is 10GB.  Pick something like
149# 500000. Also, some of the AFS parameters are kind of retarded (and if
150# you're low on disk space, will actually exhaust our inodes).  Edit
151# these parameters in /etc/sysconfig/openafs
152
153# Test that zephyr is working
154    chkconfig zhm on
155    service zhm start
156    echo 'Test!' | zwrite -d -c scripts -i test
157
158# Install the full list of RPMs that users expect to be on the
159# scripts.mit.edu servers.
160rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
161# arrange for packages.txt to be passed to the server, then run:
162# --skip-broken will (usually) prevent you from having to sit through
163# several minutes of dependency resolution until it decides that
164# it can't install /one/ package.
165    yum install -y --skip-broken $(cat packages.txt)
166
167# Make sure sendmail isn't installed
168    yum remove sendmail
169
170# Check which packages are installed on your new server that are not
171# in the snapshot, and remove ones that aren't needed for some reason
172# on the new machine.  Otherwise, aside from bloat, you may end up
173# with undesirable things for security, like sendmail.
174    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
175    diff -u packages.txt newpackages.txt | grep -v kernel | less
176    # here's a cute script that removes all extra packages
177    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
178
179# We need an upstream version of cgi which we've packaged ourselves, but
180# it doesn't work with the haskell-platform package which expects
181# explicit versions.  So temporarily rpm -e the package, and then
182# install it again after you install haskell-platform.  [Note: You
183# probably won't need this in Fedora 15 or something, when the Haskell
184# Platform gets updated.]
185    rpm -e ghc-cgi-devel ghc-cgi
186    yum install -y haskell-platform
187    yumdownloader ghc-cgi
188    yumdownloader ghc-cgi-devel
189    rpm -i ghc-cgi*1.8.1*.rpm
190
191# Check out the scripts /usr/vice/etc configuration
192    cd /root/vice
193    \cp -a etc /usr/vice
194
195# Install the full list of perl modules that users expect to be on the
196# scripts.mit.edu servers.
197    cd /root
198    export PERL_MM_USE_DEFAULT=1
199    cpan # this is interactive, enter the next two lines
200        o conf prerequisites_policy follow
201        o conf commit
202# on a reference server
203perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
204# arrange for perl-packages.txt to be transferred to server
205    cat perl-packages.txt | perl -MCPAN -e shell
206
207# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
208# the other scripts.mit.edu servers and do not have RPMs.
209# The general mode of operation will be to run the "list" command
210# on both servers, see what the differences are, check if those diffs
211# are packaged up as rpms, and install them (rpm if possible, native otherwise)
212# - Look at /usr/lib/python2.6/site-packages and
213#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
214#   There will be a lot of gunk that was installed from packages;
215#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
216#   First use 'yum search' to see if the relevant package is now available
217#   as an RPM, and install that if it is.  If not, then use easy_install.
218#   Pass -Z to easy_install to install them unzipped, as some zipped eggs
219#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
220#   easier.)
221cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- . egg.txt
222    cat egg.txt | xargs easy_install -Z
223# - Look at `gem list` for Ruby gems.
224#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
225#       ezyang: rspec-rails depends on rspec, and will override the Yum
226#       package, so... don't use that RPM yet
227gem list --no-version > gem.txt
228    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
229# - Look at `pear list` for Pear fruits (or whatever they're called).
230#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
231#   that for things in the beta repo, you'll need 'pear install package-beta'.
232#   (you might get complaints about the php_scripts module; ignore them)
233pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
234    pear config-set preferred_state beta
235    pear channel-update pear.php.net
236    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
237# - Look at `pecl list` for PECL things.  'yum search', and if you must,
238#   'pecl install' needed items. If it doesn't work, try 'pear install
239#   pecl/foo' or 'pecl install foo-beta' or those two combined.
240pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
241    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
242
243# Install the credentials.  There are a lot of things to remember here.
244# Be sure to make sure the permissions match up (ls -l on an existing
245# server!).
246scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
247scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
248scp scripts.key root@$server:/etc/pki/tls/private
249scp .k5login root@$server:/home/logview
250    chown afsagent:afsagent /etc/daemon.keytab
251#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
252    ls -l /etc/daemon.keytab
253#   o The SSL cert private key (real servers only)
254    ls -l /etc/pki/tls/private/scripts.key
255#   o The LDAP password for the signup process (real servers only)
256    ls -l /etc/signup-ldap-pw
257#   o The whoisd password (real servers only)
258    ls -l /etc/whoisd-password
259#   o Make sure logview's .k5login is correct (real servers only)
260    cat /home/logview/.k5login
261
262# Spin up OpenAFS.  This will fail if there's been a new kernel since
263# when you last tried.  In that case, you can hold on till later to
264# start OpenAFS.  This will take a little bit of time;
265    service openafs-client start
266
267# Check that fs sysname is correct.  You should see, among others,
268# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
269# probably did a distro upgrade and should update /etc/sysconfig/openafs.
270    fs sysname
271
272# [TEST SERVER] If you are setting up a test server, pay attention to
273# /etc/sysconfig/network-scripts and do not bind scripts' IP address.
274# You will also need to modify:
275#   o /etc/ldap.conf
276#       add: host scripts.mit.edu
277#   o /etc/nss-ldapd.conf
278#       replace: uri *****
279#       with: uri ldap://scripts.mit.edu/
280#   o /etc/openldap/ldap.conf
281#       add: URI ldap://scripts.mit.edu/
282#            BASE dc=scripts,dc=mit,dc=edu
283#   o /etc/httpd/conf.d/vhost_ldap.conf
284#       replace: VhostLDAPUrl ****
285#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
286#   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
287#       replace: server_host *****
288#       with: server_host = ldap://scripts.mit.edu
289# to use scripts.mit.edu instead of localhost.
290# XXX: someone should write sed scripts to do this
291
292# [TEST SERVER] If you are setting up a test server, afsagent's cronjob
293# will attempt to be renewing with the wrong credentials
294# (daemon.scripts). Change this:
295    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
296
297# Set up replication (see ./install-ldap).
298# You'll need the LDAP keytab for this server: be sure to chown it
299# fedora-ds after you create the fedora-ds user
300    ls -l /etc/dirsrv/keytab
301    cat install-ldap
302
303# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
304# boot. Run chkconfig to make sure the set of services to be run is
305# correct.
306    service nslcd start
307    service nscd start
308    service postfix start
309    service httpd start
310    chkconfig dirsrv on
311    chkconfig nslcd on
312    chkconfig nscd on
313    chkconfig postfix on
314    chkconfig httpd on
315
316# nrpe is required for nagios alerts
317    chkconfig nrpe on
318
319# Check sql user credentials (needs to be done after LDAP is setup)
320    chown sql /etc/sql-mit-edu.cfg.php
321
322# Postfix doesn't actually deliver mail; fix this
323    cd /etc/postfix
324    postmap virtual
325
326# Munin might not be monitoring packages that were installed after it
327    munin-node-configure --suggest --shell | sh
328
329# Run fmtutil-sys --all, which does something that makes TeX work.
330# (Note: this errors on XeTeX which is ok.)
331    fmtutil-sys --all
332
333# Ensure that PHP isn't broken:
334    mkdir /tmp/sessions
335    chmod 01777 /tmp/sessions
336    # XXX: this seems to get deleted if tmp gets cleaned up, so we
337    # might need something a little better (maybe init script.)
338
339# Ensure fcgid isn't broken (should be 755)
340    ls -ld /var/run/mod_fcgid
341
342# Fix etc by making sure none of our config files got overwritten
343    cd /etc
344    svn status -q
345    # Some usual candidates for clobbering include nsswitch.conf and
346    # sysconfig/openafs
347
348# ThisCell got clobbered, replace it with athena.mit.edu
349    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
350
351# Reboot the machine to restore a consistent state, in case you
352# changed anything. (Note: Starting kdump fails (this is ok))
353
354# [OPTIONAL] Your machine's hostname is baked in at install time;
355# in the rare case you need to change it: it appears to be in:
356#   o /etc/sysconfig/network
357#   o your lvm thingies; probably don't need to edit
358
359# [TEST SERVER] More stuff for test servers
360#   - You need a self-signed SSL cert.  Generate with:
361    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
362#     Also make /etc/pki/tls/certs/ca.pem match up
363#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
364#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
365#     be an accepted vhost name
366#   - Look at the old test server and see what config changes are floating around
367
368# XXX: our SVN checkout should be updated to use scripts.mit.edu
369# (repository and etc) once serving actually works.
370    cd /etc
371    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
372    cd /usr/vice/etc
373    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
374    cd /srv/repository
375    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
376    asbuild svn up # verify scripts.mit.edu works
Note: See TracBrowser for help on using the repository browser.