source: branches/fc20-dev/server/doc/ @ 2549

Last change on this file since 2549 was 2549, checked in by achernya, 10 years ago
Correct /var/log/httpd permissions
File size: 21.2 KB
[1058]1# This document is a how-to for installing a Fedora server.
[1693]2# It is semi-vaguely in the form of a shell script, but is not really
3# runnable as it stands.
[1961]5# Notation
6# [PRODUCTION] Production server that will be put into the pool
7# [WIZARD]     Semi-production server that will only have
8#              daemon.scripts-security-upd bits, among other
9#              restricted permissions
10# [TESTSERVER] Completely untrusted server
[1693]12# 'branch' is the current svn branch you are on.  You want to
13# use trunk if your just installing a new server, and branches/fcXX-dev
14# if your preparing a server on a new Fedora release.
[1693]17# 'server' is the public hostname of your server, for SCP'ing files
18# to and from.
[2066]21# ----------------------------->8--------------------------------------
22#                       FIRST TIME INSTRUCTIONS
[1961]24# [PRODUCTION] If this is the first time you've installed this hostname,
25# you will need to update a bunch of files to add support for it. These
26# include:
[1696]27#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
28#     (usually this is hostname,, h-n,,
29#     scriptsN,, and the IP address.)
30#   o Adding routing rules for the static IP in
31#     /etc/sysconfig/network-scripts/route-eth1
32#   o Adding the IP address to the hosts file (same hosts as for
33#     scripts-vhost-names)
[1704]34#   o Update SSH config at
35#       - server/fedora/config/etc/ssh/shosts.equiv
36#       - server/fedora/config/etc/ssh/ssh_known_hosts
37#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
38#     (the last part is critical to ensure that rooting one server
39#     doesn't give you root to all the other servers)
[1696]40#   o Put the hostname information in LDAP so SVN and Git work
41#   o Set up Nagios monitoring on sipb-noc for the host
42#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/
[2066]43#   o Update locker/etc/known_hosts
[2068]44#   o Update website files:
45#       /mit/scripts/web_scripts/home/server.css.cgi
46#       /mit/scripts/web_scripts/heartbeat/heartbeat.php
48# You will also need to prepare the keytabs for credit-card.  In particular,
49# use ktutil to combine the host/ and
50# host/ keys with host/ in
51# the keytab.  Do not use 'k5srvutil change' on the combined keytab
52# or you'll break the other servers. (real servers only).  Be
53# careful about writing out the keytab: if you write it to an
54# existing file the keys will just get appended.  The correct
55# credential list should look like:
56#   ktutil:  l
57#   slot KVNO Principal
58#   ---- ---- ---------------------------------------------------------------------
59#      1    5 host/
60#      2    3 host/
[2068]61#      3    2 host/
62#      4    8 host/
64# The LDAP keytab should be by itself, so be sure to delete it and
65# put it in its own file.
[2066]67# ----------------------------->8--------------------------------------
68#                      INFINITE INSTALLATION
[2066]70# Start with a Scripts kickstarted install of Fedora (install-fedora)
[2079]72# IMPORTANT: If you are installing a server without the benefit of
73# Kickstart (for example, you are installing on XVM, it is VITALLY
74# IMPORTANT that you go through the kickstart and apply all of the
75# necessary changes--for example, disabling selinux or enabling
76# network.)
77#   XXX We should make Kickstart work for test servers too
[2246]79# Make sure selinux is disabled
80    selinuxenabled || echo "selinux not enabled"
[2066]82# Take updates, reboot if there's a kernel update.
83    yum update -y
85# Get rid of network manager (XXX figure out to make kickstarter do
86# this for us)
87    yum remove NetworkManager
[2111]89# Make sure sendmail isn't installed, replace it with postfix
[2316]90    yum shell -y <<EOF
[2111]91remove sendmail
92install postfix
97# Check out the scripts /etc configuration
98    cd /root
99    \cp -a etc /
100    chmod 0440 /etc/sudoers
[2246]101    grub2-mkconfig -o /boot/grub2/grub.cfg
[2080]103# [TEST] You'll need to fix some config now.  See bottom of document.
[2246]105# Stop /etc/resolv.conf from getting repeatedly overwritten by
106# purging DNS servers from ifcfg-eth0 and ifcfg-eth1
107    vim /etc/sysconfig/network-scripts/ifcfg-eth0
108    vim /etc/sysconfig/network-scripts/ifcfg-eth1
[2066]110# Make sure network is working.  Kickstart should have
[1693]111# configured eth0 and eth1 correctly; use service network restart
[2066]112# to add the new routes from etc in route-eth1.
113    systemctl restart network.service
114    # Check everything worked:
[1693]115    route
116    ifconfig
117    cat /etc/hosts
118    cat /etc/sysconfig/network-scripts/route-eth1
[1693]120# This is the point at which you should start updating scriptsified
121# packages for a new Fedora release.  Consult 'upgrade-tips' for more
122# information.
123    yum install -y scripts-base
124    # Some of these packages are naughty and clobber some of our files
125    cd /etc
[2066]126    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
[2079]127    # Troubleshooting: if accountadm, tokensys and nscd fail to install
128    # you probably forgot to turn off selinux
[1058]130# Replace rsyslog with syslog-ng by doing:
[2316]131    yum shell -y <<EOF
[2111]132remove rsyslog
133install syslog-ng
[2066]137    systemctl enable syslog-ng.service
[2316]138    systemctl start syslog-ng.service
[1058]140# Install the full list of RPMs that users expect to be on the
[1259]141# servers.
142rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
143# arrange for packages.txt to be passed to the server, then run:
[2111]144    cd /tmp
145    yumdownloader --disablerepo=scripts ghc-cgi ghc-cgi-devel
146    yum localinstall ghc-cgi*.x86_64.rpm
147    yum install -y $(cat packages.txt)
148# The reason this works is that ghc-cgi is marked as installonlypkgs
149# in yum.conf, telling yum to install them side-by-side rather than
150# updating them. If it doesn't work, use --skip-broken on the yum
151# command line.
[1190]153# Check which packages are installed on your new server that are not
154# in the snapshot, and remove ones that aren't needed for some reason
155# on the new machine.  Otherwise, aside from bloat, you may end up
156# with undesirable things for security, like sendmail.
[1693]157    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
158    diff -u packages.txt newpackages.txt | grep -v kernel | less
[1382]159    # here's a cute script that removes all extra packages
[1693]160    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
[1961]161    # 20101208 - Mysteriously we manage to get these extra packages
162    # from kickstart: mcelog mobile-broadband-provider-info
163    # ModemManager PackageKit
[2066]165# ----------------------------->8--------------------------------------
166#                      SPHEROID SHENANIGANS
[2112]168# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
169# the other servers and do not have RPMs.
170# The general mode of operation will be to run the "list" command
171# on both servers, see what the differences are, check if those diffs
172# are packaged up as rpms, and install them (rpm if possible, native otherwise)
[2066]174# Note: Since ultimately we'd like to move away from using per-language
175# package manager and all of these be RPMs, it is of questionable
176# importance how much /good/ automation for these is necessary.
178# Warning: For a new release, we're supposed to check if Fedora has
179# packaged up the RPM.  Unfortunately we don't really have good incants
180# for this.
[2112]182# Warning: If you're installing a new server mid-lifecycle (or even if
183# this is the start of a cycle, but you've been staggering the
184# installation of servers), upstream may have moved on.  Because we
185# don't normally upgrade spheroid projects, that means executing these
186# instructions directly means that you will have mismatched versions
187# (the new servers will have newer versions.)  Please follow the
188# UPGRADE commentary attached to each of these.
190# Warning: The package lists that are generated are inconsistent on
191# the question of whether or not they contain all packages (locally
192# installed as well as distro packaged), or if they just contain locally
193# installed packages.  Check this carefully; many of the install incants
194# filter out already installed packages.
197# ---------
[1058]199# Install the full list of perl modules that users expect to be on the
[1108]200# servers.
[1693]201    cd /root
[1259]202    export PERL_MM_USE_DEFAULT=1
[1693]203    cpan # this is interactive, enter the next two lines
[1259]204        o conf prerequisites_policy follow
205        o conf commit
206# on a reference server
207perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
208# arrange for perl-packages.txt to be transferred to server
[2112]209    # Package list only contains new packages
[1259]210    cat perl-packages.txt | perl -MCPAN -e shell
[2112]211# These are in /usr/local
[2112]213# UPGRADE: Installing old versions of CPAN modules requires you to
214# specify the full path of a module, e.g.
215# M/MS/MSCHWERN/Test-Simple-0.62.tar.gz.  It is not currently clear how
216# to get this information programatically.  Furthermore, we have a lot
217# of CPAN managed modules.  Since CPAN is the only thing
218# placed in /usr/local at this point, it may be easier to simple tar and
219# cp the Perl modules from one server to another, to keep them
220# consistent.  But doing this is fiddly XXX
223# -----------
[2111]225# - Look at /usr/lib/python2.7/site-packages and
226#           /usr/lib64/python2.7/site-packages for Python eggs and modules.
[1259]227#   There will be a lot of gunk that was installed from packages;
[1693]228#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
[1178]229#   First use 'yum search' to see if the relevant package is now available
230#   as an RPM, and install that if it is.  If not, then use easy_install.
[1432]231#   Pass -Z to easy_install to install them unzipped, as some zipped eggs
232#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
233#   easier.)
[2066]234# 'easy_install AuthKit jsonlib2 pygit'
235cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
[2112]236    # Package list only contains new packages
[1698]237    cat egg.txt | xargs easy_install -Z
[2112]238# These are in /usr
[2112]240# UPGRADE: Use 'easy_install -n' to see what new versions are installed, and if there
241# are updates validate them and upgrade them on the old servers.  Since
242# we have a really small package list (around 4) checking these manually
243# should be fine.  Note that dry run is slightly buggy and may fail
244# midway processing files on account of a missing build directory.
247# ---------
[1058]249# - Look at `gem list` for Ruby gems.
[1178]250#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
[1259]251#       ezyang: rspec-rails depends on rspec, and will override the Yum
252#       package, so... don't use that RPM yet
[2066]253# XXX This doesn't do the right thing for old version gems
[1693]254gem list --no-version > gem.txt
[2112]255    # Package list contains distro gems too
[1693]256    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
[2066]257    # Also, we need to install the old rails version
[2246]258    gem install -v=2.3.14 rails
[2112]259# These are in /usr
[2112]261# UPGRADE:  You can either upgrade out-of-date gems, or leave them at
262# the old version.  We recommend the latter (see below for the
263# rationale), but note that the install script described here doesn't
264# pin against version, so you'll need to supply the -v parameters
265# manually (the gems we install manually don't move too quickly, so this
266# is fairly tractable if you check 'gem outdated'.)
268# If you want to upgrade, do NOT use wildcard 'gem update'; use 'gem
269# outdated' to find out all gems that are out of date, and verify this
270# against our locally installed gems (there will be a lot of out of date
271# gems, but this is simply because Fedora packaging lags behind the
272# canonical versions (this is a good thing).  Manually upgrade just
273# those gems.  Note that this doesn't save you from having to install
274# old gems on the servers that are being installed out-of-cycle,
275# because Ruby supports pinning against old versions, and if those gems
276# then mysteriously disappear, things will be sad (note that this isn't
277# a *huge* problem, because usually when you pin gems it's in
278# conjunction with rvm, so they have their local copy of the gem.)
281# --------
[1058]283# - Look at `pear list` for Pear fruits (or whatever they're called).
[1178]284#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
285#   that for things in the beta repo, you'll need 'pear install package-beta'.
[1259]286#   (you might get complaints about the php_scripts module; ignore them)
[1693]287pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
[2112]288    # Package list contains distro packages
[1693]289    pear config-set preferred_state beta
290    pear channel-update
291    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
[2112]292# These are in /usr
[2112]294# PHP PECL
295# --------
[1190]297# - Look at `pecl list` for PECL things.  'yum search', and if you must,
[1462]298#   'pecl install' needed items. If it doesn't work, try 'pear install
[1544]299#   pecl/foo' or 'pecl install foo-beta' or those two combined.
[1693]300pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
[2112]301    # Package list contains distro packages
[1693]302    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
[2112]303# These are in /usr
[2066]305# ----------------------------->8--------------------------------------
306#                       INFINITE CONFIGURATION
[2112]308# [PROD] Create fedora-ds user (needed for credit-card)
[2318]309# [TEST] too if you want to run a local dirsrv instance
[2214]310useradd -r -d /var/lib/dirsrv fedora-ds
[2066]312# Run credit-card to clone in credentials and make things runabble
[2112]313# NOTE: You may be tempted to run credit-card earlier in the install
314# process in order, for example, to be able to SSH in to the servers
315# with Kerberos.  However, it is better to install the credentials
316# *after* we have run a boatload untrusted code as part of the
317# spheroids objects process.  So don't move this step earlier!
[2066]318python push $server
[2298]320# This is superseded by credit-card, which works for [PRODUCTION] and
321# [WIZARD].  We don't have an easy way of running credit-card for XVM...
324#   # All types of servers will have an /etc/daemon.keytab file, however,
325#   # different types of server will have different credentials in this
326#   # keytab.
327#   #   [PRODUCTION] daemon.scripts
328#   #   [WIZARD]     daemon.scripts-security-upd
329#   #   [TESTSERVER] daemon.scripts-test
[2066]331# Test that zephyr is working
332    systemctl enable zhm.service
333    systemctl start zhm.service
334    echo 'Test!' | zwrite -d -c scripts -i test
[2066]336# Check out the scripts /usr/vice/etc configuration
337    cd /root/vice
338    \cp -a etc /usr/vice
[2112]339# [TESTSERVER] If you're installing a test server, this needs to be
340# much smaller; the max filesize on XVM is 10GB.  Pick something like
[2487]341# 500000. Also, some of the AFS parameters are kind of silly (and if
[2112]342# you're low on disk space, will actually exhaust our inodes).  Edit
343# these parameters in /etc/sysconfig/openafs (I just chopped a zero
344# off of all of our parameters)
345    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
346    vim /etc/sysconfig/openafs
[1961]348# [PRODUCTION] Set up replication (see ./install-ldap).
[1693]349# You'll need the LDAP keytab for this server: be sure to chown it
350# fedora-ds after you create the fedora-ds user
351    ls -l /etc/dirsrv/keytab
352    cat install-ldap
[2549]354# Allow Apache to write the suexec log
355    chown apache:apache /var/log/httpd
[2246]357# Enable lots of services (currently in /etc checkout)
[2066]358    systemctl enable openafs-client.service
[2246]359    systemctl enable
[2066]360    systemctl enable nslcd.service
361    systemctl enable nscd.service
362    systemctl enable postfix.service
[2246]363    systemctl enable nrpe.service # chkconfig'd
[2066]364    systemctl enable httpd.service # not for [WIZARD]
[2066]366    systemctl start openafs-client.service
[2246]367    systemctl start
[2066]368    systemctl start nslcd.service
369    systemctl start nscd.service
370    systemctl start postfix.service
371    systemctl start nrpe.service
372    systemctl start httpd.service # not for [WIZARD]
[2066]374# Note about OpenAFS: Check that fs sysname is correct.  You should see,
375# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
376# not, you probably did a distro upgrade and should update
[2246]377# tokensys (server/common/oursrc/tokensys/
[2066]378    fs sysname
[1259]380# Postfix doesn't actually deliver mail; fix this
381    cd /etc/postfix
382    postmap virtual
[1451]384# Munin might not be monitoring packages that were installed after it
385    munin-node-configure --suggest --shell | sh
[1058]387# Run fmtutil-sys --all, which does something that makes TeX work.
[1693]388# (Note: this errors on XeTeX which is ok.)
[1259]389    fmtutil-sys --all
[2246]391# Check for unwanted setuid/setgid binaries
[2298]392    find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list
393    find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list
[2318]394    # You can prune the first set of binaries using 'chmod u-s' and 'chmod g-s'
395    # and remove capabilities using 'setcap -r'
[2318]397# XXX check for selinux gunk
[1259]399# Fix etc by making sure none of our config files got overwritten
400    cd /etc
[1693]401    svn status -q
[2066]402    # Some usual candidates for clobbering include nsswitch.conf,
403    # resolv.conf and sysconfig/openafs
[1961]404    # [WIZARD/TEST] Remember that changes you made should not get
405    # reverted!
[2530]407# Make sure the suexec logging directory is owned by Apache and can be written to
408    chown apache:root /var/log/httpd/
[1058]410# Reboot the machine to restore a consistent state, in case you
[1693]411# changed anything. (Note: Starting kdump fails (this is ok))
[2066]413# ------------------------------->8-------------------------------
[1693]416# [OPTIONAL] Your machine's hostname is baked in at install time;
417# in the rare case you need to change it: it appears to be in:
[1259]418#   o /etc/sysconfig/network
419#   o your lvm thingies; probably don't need to edit
[2080]421# [TESTSERVER] Enable password log in
422        vim /etc/ssh/sshd_config
423        service sshd reload
424        vim /etc/pam.d/sshd
425# Replace the first auth block with:
426#           # If they're not root, but their user exists (success),
427#           auth    [success=ignore ignore=ignore default=1] uid > 0
428#           # print the "You don't have tickets" error:
429#           auth    [success=die ignore=reset default=die] file=/etc/
430#           # If !(they are root),
431#           auth    [success=1 ignore=ignore default=ignore] uid eq 0
432#           # print the "your account doesn't exist" error:
433#           auth    [success=die ignore=reset default=die] file=/etc/
[2066]436# [WIZARD/TESTSERVER] If you are setting up a non-production server,
437# there are some services that it won't provide, and you will need to
438# make it talk to a real server instead.  In particular:
439#   - We don't serve the web, so don't bind
440#   - We don't serve LDAP, so use another server
[2298]441# XXX: Someone should write sed scripts to do this
[2066]442# This involves editing the following files:
[2318]443        svn rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
444        svn rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only
[2079]445#   o /etc/nslcd.conf
[2066]446#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
447#       with: uri ldap://
[2079]448#           (what happened to nss-ldapd?)
[2066]449#   o /etc/openldap/ldap.conf
450#       add: URI ldap://
451#            BASE dc=scripts,dc=mit,dc=edu
452#   o /etc/httpd/conf.d/vhost_ldap.conf
453#       replace: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
454#       with: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
455#   o /etc/postfix/virtual-alias-{domains,maps}
456#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
457#       with: server_host = ldap://
458# to use instead of localhost.
460# [WIZARD/TESTSERVER] If you are setting up a non-production server,
461# afsagent's cronjob will attempt to be renewing with the wrong
462# credentials (daemon.scripts). Change this:
463    vim /home/afsagent/renew # replace all mentions of
[2298]465# [TESTSERVER]
[1961]466#   - You need a self-signed SSL cert or Apache will refuse to start
[2318]467#     or do SSL.  Generate with: (XXX recommended CN?)
468    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts-cert.pem -nodes
[2112]469    ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-1024.key
[2318]470#     Also make the various public keys match up
471    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/star.scripts.pem
472    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts.pem
473    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts-cert.pem
474#     Nuke the CSRs since they will all mismatch
475#     XXX alternate strategy replace all the pem's as above
476    cd /etc/httpd/vhosts.d
477    svn rm *.conf
[2318]479# [TESTSERVER]
480#   Remove vhosts.d which we don't have rights for XXX
[1961]482# [TESTSERVER] More stuff for test servers
[1382]483#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
484#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have
485#     be an accepted vhost name
486#   - Look at the old test server and see what config changes are floating around
Note: See TracBrowser for help on using the repository browser.