source: branches/fc15-dev/server/doc/ @ 2031

Last change on this file since 2031 was 1985, checked in by ezyang, 13 years ago
Remove vestigial install-deps step.
File size: 18.6 KB
1# This document is a how-to for installing a Fedora server.
2# It is semi-vaguely in the form of a shell script, but is not really
3# runnable as it stands.
5# Notation
6# [PRODUCTION] Production server that will be put into the pool
7# [WIZARD]     Semi-production server that will only have
8#              daemon.scripts-security-upd bits, among other
9#              restricted permissions bits, among other
10#              restricted permissions bits, among other
11#              restricted permissions bits, among other
12#              restricted permissions
13# [TESTSERVER] Completely untrusted server
15set -e -x
17# Some commands should be run as the scripts-build user, not root.
19alias asbuild="sudo -u scripts-build"
21# Old versions of this install document advised setting
22# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
23# yum, warning that useradd will query LDAP in a stupid way that makes
24# it hang forever.  As of Fedora 13, this does not seem to be a problem,
25# so it's been removed from the instructions.  If an install is hanging,
26# though, try adding NSS_NONLOCAL_IGNORE.
28# This is actually just "pick an active scripts server".  It can't be
29# because our networking config points that domain
30# at localhost, and if our server is not setup at that point things
31# will break.
34# 'branch' is the current svn branch you are on.  You want to
35# use trunk if your just installing a new server, and branches/fcXX-dev
36# if your preparing a server on a new Fedora release.
39# 'server' is the public hostname of your server, for SCP'ing files
40# to and from.
43# Start with a Scripts kickstarted install of Fedora (install-fedora)
45# Take updates, reboot if there's a kernel update.
46    yum update -y
48# Get rid of network manager
49    yum remove NetworkManager
51# Copy over root's dotfiles from one of the other machines.
52# Perhaps a useful change is to remove the default aliases
53    cd /root
54    ls -l .bashrc
55    ls -l .screenrc
56    ls -l .ssh
57    ls -l .vimrc
58    ls -l .k5login
59    # [PRODUCTION] This rc file has sensitive data on it and should only
60    # be pushed onto production servers.
61    ls -l .ldapvirc
62    # Trying to scp from server to server won't work, as scp
63    # will attempt to negotiate a server-to-server connection.
64    # Instead, scp to your trusted machine as a temporary file,
65    # and then push to the other server
66scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
67scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
69scp root@$source_server:~/.ldapvirc .
70scp .ldapvirc root@$server:~
72# Install the initial set of credentials (to get Kerberized logins once
73# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
74# Note that if you don't feel like forcefully ignoring "public key
75# changed" errors, all you need to transfer is /etc/ssh/ssh_host_rsa_key
76# initially.
77#   o Install the machine keytab.
78    ls -l /etc/krb5.keytab
79#     Use ktutil to combine the host/ and
80#     host/ keys with host/ in
81#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
82#     or you'll break the other servers. (real servers only).  Be
83#     careful about writing out the keytab: if you write it to an
84#     existing file the keys will just get appended.  The correct
85#     credential list should look like:
86#       ktutil:  l
87#       slot KVNO Principal
88#       ---- ---- ---------------------------------------------------------------------
89#          1    5 host/
90#          2    3 host/
91#          3    2      host/
92#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
93#     scripts servers (real servers only)
94    ls -l /etc/ssh/*key*
95#     You can do that with:
96scp root@$source_server:/etc/ssh/*key* .
97scp *key* root@$server:/etc/ssh/
98    # Actually, this appears to be unnecessary
99    service sshd reload
101# Check out the scripts /etc configuration
102    # backslash to make us not use the alias
103    cd /root
104    \cp -a etc /
105    chmod 0440 /etc/sudoers
107# [PRODUCTION] If this is the first time you've installed this hostname,
108# you will need to update a bunch of files to add support for it. These
109# include:
110#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
111#     (usually this is hostname,, h-n,,
112#     scriptsN,, and the IP address.)
113#   o Adding routing rules for the static IP in
114#     /etc/sysconfig/network-scripts/route-eth1
115#   o Adding the IP address to the hosts file (same hosts as for
116#     scripts-vhost-names)
117#   o Update SSH config at
118#       - server/fedora/config/etc/ssh/shosts.equiv
119#       - server/fedora/config/etc/ssh/ssh_known_hosts
120#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
121#     (the last part is critical to ensure that rooting one server
122#     doesn't give you root to all the other servers)
123#   o Put the hostname information in LDAP so SVN and Git work
124#   o Set up Nagios monitoring on sipb-noc for the host
125#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/
128# NOTE: You will have just lost DNS resolution and the ability
129# to do password SSH in.  If you managed to botch this step without
130# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
131# with a non address for the DNS server.  Be sure to revert it once
132# you have named.
134# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
135# password auth) and /etc/pam.d/sshd (comment out the first three auth
136# lines).  However, you should have the Kerberos credentials in place
137# so as soon as you install the full set of Scripts packages, you'll get
138# Kerberized logins.
140# Make sure network is working.  If this is a new server name, you'll
141# need to add it to /etc/hosts and
142# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
143# configured eth0 and eth1 correctly; use service network restart
144# to add the new routes in route-eth1.
145    service network restart
146    route
147    ifconfig
148    cat /etc/hosts
149    cat /etc/sysconfig/network-scripts/route-eth1
151# This is the point at which you should start updating scriptsified
152# packages for a new Fedora release.  Consult 'upgrade-tips' for more
153# information.
154    yum install -y scripts-base
155    # Some of these packages are naughty and clobber some of our files
156    cd /etc
157    svn revert resolv.conf hosts sysconfig/openafs
159# Replace rsyslog with syslog-ng by doing:
160    rpm -e --nodeps rsyslog
161    yum install -y syslog-ng
162    chkconfig syslog-ng on
164# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
165# mapping.
166    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
167    echo "" > /usr/vice/etc/ThisCell
169# [TESTSERVER] If you're installing a test server, this needs to be
170# much smaller; the max filesize on XVM is 10GB.  Pick something like
171# 500000. Also, some of the AFS parameters are kind of retarded (and if
172# you're low on disk space, will actually exhaust our inodes).  Edit
173# these parameters in /etc/sysconfig/openafs
174    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
177# Test that zephyr is working
178    chkconfig zhm on
179    service zhm start
180    echo 'Test!' | zwrite -d -c scripts -i test
182# Install the full list of RPMs that users expect to be on the
183# servers.
184rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
185# arrange for packages.txt to be passed to the server, then run:
186# --skip-broken will (usually) prevent you from having to sit through
187# several minutes of dependency resolution until it decides that
188# it can't install /one/ package.
189    yum install -y --skip-broken $(cat packages.txt)
191# Make sure sendmail isn't installed
192    yum remove sendmail
194# Check which packages are installed on your new server that are not
195# in the snapshot, and remove ones that aren't needed for some reason
196# on the new machine.  Otherwise, aside from bloat, you may end up
197# with undesirable things for security, like sendmail.
198    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
199    diff -u packages.txt newpackages.txt | grep -v kernel | less
200    # here's a cute script that removes all extra packages
201    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
202    # 20101208 - Mysteriously we manage to get these extra packages
203    # from kickstart: mcelog mobile-broadband-provider-info
204    # ModemManager PackageKit
206# We need an upstream version of cgi which we've packaged ourselves, but
207# it doesn't work with the haskell-platform package which expects
208# explicit versions.  So temporarily rpm -e the package, and then
209# install it again after you install haskell-platform.  [Note: You
210# probably won't need this in Fedora 15 or something, when the Haskell
211# Platform gets updated.]
212    rpm -e ghc-cgi-devel ghc-cgi
213    yum install -y haskell-platform
214    yumdownloader ghc-cgi
215    yumdownloader ghc-cgi-devel
216    rpm -i ghc-cgi*1.8.1*.rpm
218# Check out the scripts /usr/vice/etc configuration
219    cd /root/vice
220    \cp -a etc /usr/vice
222# Install the full list of perl modules that users expect to be on the
223# servers.
224    cd /root
225    export PERL_MM_USE_DEFAULT=1
226    cpan # this is interactive, enter the next two lines
227        o conf prerequisites_policy follow
228        o conf commit
229# on a reference server
230perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
231# arrange for perl-packages.txt to be transferred to server
232    cat perl-packages.txt | perl -MCPAN -e shell
234# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
235# the other servers and do not have RPMs.
236# The general mode of operation will be to run the "list" command
237# on both servers, see what the differences are, check if those diffs
238# are packaged up as rpms, and install them (rpm if possible, native otherwise)
239# - Look at /usr/lib/python2.6/site-packages and
240#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
241#   There will be a lot of gunk that was installed from packages;
242#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
243#   First use 'yum search' to see if the relevant package is now available
244#   as an RPM, and install that if it is.  If not, then use easy_install.
245#   Pass -Z to easy_install to install them unzipped, as some zipped eggs
246#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
247#   easier.)
248cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
249    cat egg.txt | xargs easy_install -Z
250# - Look at `gem list` for Ruby gems.
251#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
252#       ezyang: rspec-rails depends on rspec, and will override the Yum
253#       package, so... don't use that RPM yet
254gem list --no-version > gem.txt
255    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
256# - Look at `pear list` for Pear fruits (or whatever they're called).
257#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
258#   that for things in the beta repo, you'll need 'pear install package-beta'.
259#   (you might get complaints about the php_scripts module; ignore them)
260pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
261    pear config-set preferred_state beta
262    pear channel-update
263    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
264# - Look at `pecl list` for PECL things.  'yum search', and if you must,
265#   'pecl install' needed items. If it doesn't work, try 'pear install
266#   pecl/foo' or 'pecl install foo-beta' or those two combined.
267pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
268    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
270# [PRODUCTION] Install the credentials.  There are a lot of things to
271# remember here.  Be sure to make sure the permissions match up (ls -l
272# on an existing server!).
273scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
274scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
275scp scripts.key root@$server:/etc/pki/tls/private
276scp .k5login root@$server:/home/logview
277#   o The SSL cert private key (real servers only)
278    ls -l /etc/pki/tls/private/scripts.key
279#   o The LDAP password for the signup process (real servers only)
280    ls -l /etc/signup-ldap-pw
281#   o The whoisd password (real servers only)
282    ls -l /etc/whoisd-password
283#   o Make sure logview's .k5login is correct (real servers only)
284    cat /home/logview/.k5login
286# All types of servers will have an /etc/daemon.keytab file, however,
287# different types of server will have different credentials in this
288# keytab.
289#   [PRODUCTION] daemon.scripts
290#   [WIZARD]     daemon.scripts-security-upd
291#   [TESTSERVER] daemon.scripts-test
292k5srvutil list -f daemon.keytab
293scp daemon.keytab root@$server:/etc
294    chown afsagent:afsagent /etc/daemon.keytab
295#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
296    ls -l /etc/daemon.keytab
298# Spin up OpenAFS.  This will fail if there's been a new kernel since
299# when you last tried.  In that case, you can hold on till later to
300# start OpenAFS.  This will take a little bit of time;
301    service openafs-client start
302# Then, check that fs sysname is correct.  You should see, among others,
303# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
304# probably did a distro upgrade and should update /etc/sysconfig/openafs.
305    fs sysname
307# [WIZARD/TESTSERVER] If you are setting up a non-production server,
308# there are some services that it won't provide, and you will need to
309# make it talk to a real server instead.  In particular:
310#   - We don't serve the web, so don't bind
311#   - We don't serve LDAP, so use another server
312# This involves editing the following files:
313#   o /etc/sysconfig/network-scripts/ifcfg-lo:0
314#   o /etc/sysconfig/network-scripts/ifcfg-lo:1
315#   o /etc/sysconfig/network-scripts/ifcfg-lo:2
316#   o /etc/sysconfig/network-scripts/ifcfg-lo:3
317       \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
318#   o /etc/ldap.conf
319#       add: host
320#   o /etc/{nss-ldapd,nslcd}.conf
321#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
322#       with: uri ldap://
323#   o /etc/openldap/ldap.conf
324#       add: URI ldap://
325#            BASE dc=scripts,dc=mit,dc=edu
326#   o /etc/httpd/conf.d/vhost_ldap.conf
327#       replace: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
328#       with: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
329#   o /etc/postfix/virtual-alias-{domains,maps}
330#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
331#       with: server_host = ldap://
332# to use instead of localhost.
333# XXX: someone should write sed scripts to do this
335# [WIZARD/TESTSERVER] If you are setting up a non-production server,
336# afsagent's cronjob will attempt to be renewing with the wrong
337# credentials (daemon.scripts). Change this:
338    vim /home/afsagent/renew # replace all mentions of
340# [PRODUCTION] Set up replication (see ./install-ldap).
341# You'll need the LDAP keytab for this server: be sure to chown it
342# fedora-ds after you create the fedora-ds user
343    ls -l /etc/dirsrv/keytab
344    cat install-ldap
346# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
347# boot. Run chkconfig to make sure the set of services to be run is
348# correct.
349    service nslcd start
350    service nscd start
351    service postfix start
352    chkconfig nslcd on
353    chkconfig nscd on
354    chkconfig postfix on
357    chkconfig dirsrv on
360# (Maybe WIZARD too once we start doing strange things to autoupgrade
361# installs behind firewalls.)
362    service httpd start # will fail if AFS is not running
363    chkconfig httpd on
365# nrpe is required for nagios alerts
366    chkconfig nrpe on
368# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
369# is setup)
370    chown sql /etc/sql-mit-edu.cfg.php
372# Postfix doesn't actually deliver mail; fix this
373    cd /etc/postfix
374    postmap virtual
376# Munin might not be monitoring packages that were installed after it
377    munin-node-configure --suggest --shell | sh
379# Run fmtutil-sys --all, which does something that makes TeX work.
380# (Note: this errors on XeTeX which is ok.)
381    fmtutil-sys --all
383# Ensure that PHP isn't broken:
384    mkdir /tmp/sessions
385    chmod 01777 /tmp/sessions
386    # XXX: this seems to get deleted if tmp gets cleaned up, so we
387    # might need something a little better (maybe init script.)
389# Ensure fcgid isn't broken (should be 755)
390    ls -ld /var/run/mod_fcgid
392# Fix etc by making sure none of our config files got overwritten
393    cd /etc
394    svn status -q
395    # Some usual candidates for clobbering include nsswitch.conf and
396    # sysconfig/openafs
397    # [WIZARD/TEST] Remember that changes you made should not get
398    # reverted!
400# ThisCell got clobbered, replace it with
401    echo "" > /usr/vice/etc/ThisCell
403# Reboot the machine to restore a consistent state, in case you
404# changed anything. (Note: Starting kdump fails (this is ok))
406# [OPTIONAL] Your machine's hostname is baked in at install time;
407# in the rare case you need to change it: it appears to be in:
408#   o /etc/sysconfig/network
409#   o your lvm thingies; probably don't need to edit
412#   - You need a self-signed SSL cert or Apache will refuse to start
413#     or do SSL.  Generate with:
414    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
415#     Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the
416#     incant for that?)
418# [TESTSERVER] More stuff for test servers
419#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
420#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have
421#     be an accepted vhost name
422#   - Look at the old test server and see what config changes are floating around
424# XXX: our SVN checkout should be updated to use
425# (repository and etc) once serving actually works.
426    cd /etc
427    svn switch --relocate svn://$source_server/ svn://
428    cd /usr/vice/etc
429    svn switch --relocate svn://$source_server/ svn://
430    cd /srv/repository
431    asbuild svn switch --relocate svn://$source_server/ svn://
432    asbuild svn up # verify works
Note: See TracBrowser for help on using the repository browser.