source: branches/fc15-dev/server/doc/ @ 1973

Last change on this file since 1973 was 1973, checked in by ezyang, 13 years ago
Merge r1947-r1972 from trunk to branches/fc15-dev
File size: 18.5 KB
1# This document is a how-to for installing a Fedora server.
2# It is semi-vaguely in the form of a shell script, but is not really
3# runnable as it stands.
5# Notation
6# [PRODUCTION] Production server that will be put into the pool
7# [WIZARD]     Semi-production server that will only have
8#              daemon.scripts-security-upd bits, among other
9#              restricted permissions bits, among other
10#              restricted permissions bits, among other
11#              restricted permissions bits, among other
12#              restricted permissions
13# [TESTSERVER] Completely untrusted server
15set -e -x
17# Some commands should be run as the scripts-build user, not root.
19alias asbuild="sudo -u scripts-build"
21# Old versions of this install document advised setting
22# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
23# yum, warning that useradd will query LDAP in a stupid way that makes
24# it hang forever.  As of Fedora 13, this does not seem to be a problem,
25# so it's been removed from the instructions.  If an install is hanging,
26# though, try adding NSS_NONLOCAL_IGNORE.
28# This is actually just "pick an active scripts server".  It can't be
29# because our networking config points that domain
30# at localhost, and if our server is not setup at that point things
31# will break.
34# 'branch' is the current svn branch you are on.  You want to
35# use trunk if your just installing a new server, and branches/fcXX-dev
36# if your preparing a server on a new Fedora release.
39# 'server' is the public hostname of your server, for SCP'ing files
40# to and from.
43# Start with a Scripts kickstarted install of Fedora (install-fedora)
45# Take updates, reboot if there's a kernel update.
46    yum update -y
48# Get rid of network manager
49    yum remove NetworkManager
51# Copy over root's dotfiles from one of the other machines.
52# Perhaps a useful change is to remove the default aliases
53    cd /root
54    ls -l .bashrc
55    ls -l .screenrc
56    ls -l .ssh
57    ls -l .vimrc
58    ls -l .k5login
59    # [PRODUCTION] This rc file has sensitive data on it and should only
60    # be pushed onto production servers.
61    ls -l .ldapvirc
62    # Trying to scp from server to server won't work, as scp
63    # will attempt to negotiate a server-to-server connection.
64    # Instead, scp to your trusted machine as a temporary file,
65    # and then push to the other server
66scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
67scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
69scp root@$source_server:~/.ldapvirc .
70scp .ldapvirc root@$server:~
72# Install the initial set of credentials (to get Kerberized logins once
73# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
74#   o Install the machine keytab.
75    ls -l /etc/krb5.keytab
76#     Use ktutil to combine the host/ and
77#     host/ keys with host/ in
78#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
79#     or you'll break the other servers. (real servers only).  Be
80#     careful about writing out the keytab: if you write it to an
81#     existing file the keys will just get appended.  The correct
82#     credential list should look like:
83#       ktutil:  l
84#       slot KVNO Principal
85#       ---- ---- ---------------------------------------------------------------------
86#          1    5 host/
87#          2    3 host/
88#          3    2      host/
89#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
90#     scripts servers (real servers only)
91    ls -l /etc/ssh/*key*
92#     You can do that with:
93scp root@$source_server:/etc/ssh/*key* .
94scp *key* root@$server:/etc/ssh/
95    service sshd reload
97# Check out the scripts /etc configuration
98    # backslash to make us not use the alias
99    cd /root
100    \cp -a etc /
101    chmod 0440 /etc/sudoers
103# [PRODUCTION] If this is the first time you've installed this hostname,
104# you will need to update a bunch of files to add support for it. These
105# include:
106#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
107#     (usually this is hostname,, h-n,,
108#     scriptsN,, and the IP address.)
109#   o Adding routing rules for the static IP in
110#     /etc/sysconfig/network-scripts/route-eth1
111#   o Adding the IP address to the hosts file (same hosts as for
112#     scripts-vhost-names)
113#   o Update SSH config at
114#       - server/fedora/config/etc/ssh/shosts.equiv
115#       - server/fedora/config/etc/ssh/ssh_known_hosts
116#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
117#     (the last part is critical to ensure that rooting one server
118#     doesn't give you root to all the other servers)
119#   o Put the hostname information in LDAP so SVN and Git work
120#   o Set up Nagios monitoring on sipb-noc for the host
121#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/
124# NOTE: You will have just lost DNS resolution and the ability
125# to do password SSH in.  If you managed to botch this step without
126# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
127# with a non address for the DNS server.  Be sure to revert it once
128# you have named.
130# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
131# password auth) and /etc/pam.d/sshd (comment out the first three auth
132# lines).  However, you should have the Kerberos credentials in place
133# so as soon as you install the full set of Scripts packages, you'll get
134# Kerberized logins.
136# Make sure network is working.  If this is a new server name, you'll
137# need to add it to /etc/hosts and
138# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
139# configured eth0 and eth1 correctly; use service network restart
140# to add the new routes in route-eth1.
141    service network restart
142    route
143    ifconfig
144    cat /etc/hosts
145    cat /etc/sysconfig/network-scripts/route-eth1
147# This is the point at which you should start updating scriptsified
148# packages for a new Fedora release.  Consult 'upgrade-tips' for more
149# information.
150    yum install -y scripts-base
151    # Some of these packages are naughty and clobber some of our files
152    cd /etc
153    svn revert resolv.conf hosts sysconfig/openafs
155# Replace rsyslog with syslog-ng by doing:
156    rpm -e --nodeps rsyslog
157    yum install -y syslog-ng
158    chkconfig syslog-ng on
160# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
161# mapping.
162    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
163    echo "" > /usr/vice/etc/ThisCell
165# [TESTSERVER] If you're installing a test server, this needs to be
166# much smaller; the max filesize on XVM is 10GB.  Pick something like
167# 500000. Also, some of the AFS parameters are kind of retarded (and if
168# you're low on disk space, will actually exhaust our inodes).  Edit
169# these parameters in /etc/sysconfig/openafs
170    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
173# Test that zephyr is working
174    chkconfig zhm on
175    service zhm start
176    echo 'Test!' | zwrite -d -c scripts -i test
178# Install the full list of RPMs that users expect to be on the
179# servers.
180rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
181# arrange for packages.txt to be passed to the server, then run:
182# --skip-broken will (usually) prevent you from having to sit through
183# several minutes of dependency resolution until it decides that
184# it can't install /one/ package.
185    yum install -y --skip-broken $(cat packages.txt)
187# Make sure sendmail isn't installed
188    yum remove sendmail
190# Check which packages are installed on your new server that are not
191# in the snapshot, and remove ones that aren't needed for some reason
192# on the new machine.  Otherwise, aside from bloat, you may end up
193# with undesirable things for security, like sendmail.
194    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
195    diff -u packages.txt newpackages.txt | grep -v kernel | less
196    # here's a cute script that removes all extra packages
197    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
198    # 20101208 - Mysteriously we manage to get these extra packages
199    # from kickstart: mcelog mobile-broadband-provider-info
200    # ModemManager PackageKit
202# We need an upstream version of cgi which we've packaged ourselves, but
203# it doesn't work with the haskell-platform package which expects
204# explicit versions.  So temporarily rpm -e the package, and then
205# install it again after you install haskell-platform.  [Note: You
206# probably won't need this in Fedora 15 or something, when the Haskell
207# Platform gets updated.]
208    rpm -e ghc-cgi-devel ghc-cgi
209    yum install -y haskell-platform
210    yumdownloader ghc-cgi
211    yumdownloader ghc-cgi-devel
212    rpm -i ghc-cgi*1.8.1*.rpm
214# Check out the scripts /usr/vice/etc configuration
215    cd /root/vice
216    \cp -a etc /usr/vice
218# Install the full list of perl modules that users expect to be on the
219# servers.
220    cd /root
221    export PERL_MM_USE_DEFAULT=1
222    cpan # this is interactive, enter the next two lines
223        o conf prerequisites_policy follow
224        o conf commit
225# on a reference server
226perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
227# arrange for perl-packages.txt to be transferred to server
228    cat perl-packages.txt | perl -MCPAN -e shell
230# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
231# the other servers and do not have RPMs.
232# The general mode of operation will be to run the "list" command
233# on both servers, see what the differences are, check if those diffs
234# are packaged up as rpms, and install them (rpm if possible, native otherwise)
235# - Look at /usr/lib/python2.6/site-packages and
236#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
237#   There will be a lot of gunk that was installed from packages;
238#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
239#   First use 'yum search' to see if the relevant package is now available
240#   as an RPM, and install that if it is.  If not, then use easy_install.
241#   Pass -Z to easy_install to install them unzipped, as some zipped eggs
242#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
243#   easier.)
244cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
245    cat egg.txt | xargs easy_install -Z
246# - Look at `gem list` for Ruby gems.
247#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
248#       ezyang: rspec-rails depends on rspec, and will override the Yum
249#       package, so... don't use that RPM yet
250gem list --no-version > gem.txt
251    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
252# - Look at `pear list` for Pear fruits (or whatever they're called).
253#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
254#   that for things in the beta repo, you'll need 'pear install package-beta'.
255#   (you might get complaints about the php_scripts module; ignore them)
256pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
257    pear config-set preferred_state beta
258    pear channel-update
259    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
260# - Look at `pecl list` for PECL things.  'yum search', and if you must,
261#   'pecl install' needed items. If it doesn't work, try 'pear install
262#   pecl/foo' or 'pecl install foo-beta' or those two combined.
263pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
264    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
266# [PRODUCTION] Install the credentials.  There are a lot of things to
267# remember here.  Be sure to make sure the permissions match up (ls -l
268# on an existing server!).
269scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
270scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
271scp scripts.key root@$server:/etc/pki/tls/private
272scp .k5login root@$server:/home/logview
273#   o The SSL cert private key (real servers only)
274    ls -l /etc/pki/tls/private/scripts.key
275#   o The LDAP password for the signup process (real servers only)
276    ls -l /etc/signup-ldap-pw
277#   o The whoisd password (real servers only)
278    ls -l /etc/whoisd-password
279#   o Make sure logview's .k5login is correct (real servers only)
280    cat /home/logview/.k5login
282# All types of servers will have an /etc/daemon.keytab file, however,
283# different types of server will have different credentials in this
284# keytab.
285#   [PRODUCTION] daemon.scripts
286#   [WIZARD]     daemon.scripts-security-upd
287#   [TESTSERVER] daemon.scripts-test
288k5srvutil list -f daemon.keytab
289scp daemon.keytab root@$server:/etc
290    chown afsagent:afsagent /etc/daemon.keytab
291#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
292    ls -l /etc/daemon.keytab
294# Spin up OpenAFS.  This will fail if there's been a new kernel since
295# when you last tried.  In that case, you can hold on till later to
296# start OpenAFS.  This will take a little bit of time;
297    service openafs-client start
298# Then, check that fs sysname is correct.  You should see, among others,
299# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
300# probably did a distro upgrade and should update /etc/sysconfig/openafs.
301    fs sysname
303# [WIZARD/TESTSERVER] If you are setting up a non-production server,
304# there are some services that it won't provide, and you will need to
305# make it talk to a real server instead.  In particular:
306#   - We don't serve the web, so don't bind
307#   - We don't serve LDAP, so use another server
308# This involves editing the following files:
309#   o /etc/sysconfig/network-scripts/ifcfg-lo:0
310#   o /etc/sysconfig/network-scripts/ifcfg-lo:1
311#   o /etc/sysconfig/network-scripts/ifcfg-lo:2
312#   o /etc/sysconfig/network-scripts/ifcfg-lo:3
313       \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
314#   o /etc/ldap.conf
315#       add: host
316#   o /etc/{nss-ldapd,nslcd}.conf
317#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
318#       with: uri ldap://
319#   o /etc/openldap/ldap.conf
320#       add: URI ldap://
321#            BASE dc=scripts,dc=mit,dc=edu
322#   o /etc/httpd/conf.d/vhost_ldap.conf
323#       replace: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
324#       with: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
325#   o /etc/postfix/virtual-alias-{domains,maps}
326#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
327#       with: server_host = ldap://
328# to use instead of localhost.
329# XXX: someone should write sed scripts to do this
331# [WIZARD/TESTSERVER] If you are setting up a non-production server,
332# afsagent's cronjob will attempt to be renewing with the wrong
333# credentials (daemon.scripts). Change this:
334    vim /home/afsagent/renew # replace all mentions of
336# [PRODUCTION] Set up replication (see ./install-ldap).
337# You'll need the LDAP keytab for this server: be sure to chown it
338# fedora-ds after you create the fedora-ds user
339    ls -l /etc/dirsrv/keytab
340    cat install-ldap
342# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
343# boot. Run chkconfig to make sure the set of services to be run is
344# correct.
345    service nslcd start
346    service nscd start
347    service postfix start
348    chkconfig nslcd on
349    chkconfig nscd on
350    chkconfig postfix on
353    chkconfig dirsrv on
356# (Maybe WIZARD too once we start doing strange things to autoupgrade
357# installs behind firewalls.)
358    service httpd start # will fail if AFS is not running
359    chkconfig httpd on
361# nrpe is required for nagios alerts
362    chkconfig nrpe on
364# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
365# is setup)
366    chown sql /etc/sql-mit-edu.cfg.php
368# Postfix doesn't actually deliver mail; fix this
369    cd /etc/postfix
370    postmap virtual
372# Munin might not be monitoring packages that were installed after it
373    munin-node-configure --suggest --shell | sh
375# Run fmtutil-sys --all, which does something that makes TeX work.
376# (Note: this errors on XeTeX which is ok.)
377    fmtutil-sys --all
379# Ensure that PHP isn't broken:
380    mkdir /tmp/sessions
381    chmod 01777 /tmp/sessions
382    # XXX: this seems to get deleted if tmp gets cleaned up, so we
383    # might need something a little better (maybe init script.)
385# Ensure fcgid isn't broken (should be 755)
386    ls -ld /var/run/mod_fcgid
388# Fix etc by making sure none of our config files got overwritten
389    cd /etc
390    svn status -q
391    # Some usual candidates for clobbering include nsswitch.conf and
392    # sysconfig/openafs
393    # [WIZARD/TEST] Remember that changes you made should not get
394    # reverted!
396# ThisCell got clobbered, replace it with
397    echo "" > /usr/vice/etc/ThisCell
399# Reboot the machine to restore a consistent state, in case you
400# changed anything. (Note: Starting kdump fails (this is ok))
402# [OPTIONAL] Your machine's hostname is baked in at install time;
403# in the rare case you need to change it: it appears to be in:
404#   o /etc/sysconfig/network
405#   o your lvm thingies; probably don't need to edit
408#   - You need a self-signed SSL cert or Apache will refuse to start
409#     or do SSL.  Generate with:
410    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
411#     Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the
412#     incant for that?)
414# [TESTSERVER] More stuff for test servers
415#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
416#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have
417#     be an accepted vhost name
418#   - Look at the old test server and see what config changes are floating around
420# XXX: our SVN checkout should be updated to use
421# (repository and etc) once serving actually works.
422    cd /etc
423    svn switch --relocate svn://$source_server/ svn://
424    cd /usr/vice/etc
425    svn switch --relocate svn://$source_server/ svn://
426    cd /srv/repository
427    asbuild svn switch --relocate svn://$source_server/ svn://
428    asbuild svn up # verify works
Note: See TracBrowser for help on using the repository browser.