source: server/doc/install-howto @ 906

This document is a how-to for installing a Fedora scripts.mit.edu server.

Helper files for the install are located in server/fedora/config.

* Start with a normal install of Fedora.

* Edit /etc/selinux/config so it has SELINUX=disabled and reboot.

* Check out the scripts.mit.edu svn repository. Configure svn not to cache
  credentials.

* cd to server/fedora in the svn repository.

* Run "make install-deps" to install various prereqs.  Nonstandard
  deps are in /mit/scripts/rpm.

* Create a scripts-build user account, and set up rpm to build in 
  $HOME by doing a 
  cp config/home/scripts-build/.rpmmacros /home/scripts-build/
  (If you just use the default setup, it will generate packages 
  in /usr/src/redhat.)

* su scripts-build -

* Make sure that server/fedora (where you currently are) is writable
  by user scripts-build.

* Use the Makefile to build the scripts.mit.edu-specific Fedora
  packages.
  - export PATH=$PATH:/usr/sbin
  - make download
  - make setup
  - make all
  - openafs-devel is a build-dependency of accountadm, so you'll need to
    install the openafs-devel package you just built by hand when that fails.

* Then install the packages you just built as root:
   - yum localinstall --nogpgcheck accountadm-0.00-0.x86_64.rpm \
       execsys-0.00-0.x86_64.rpm httpd* \
       kmod-openafs-1.4.7-1.1.2.6.25_14.fc9.x86_64.rpm \
       krb5-{debuginfo,devel,libs,pki,workstation-1}* \
       logview-0.00-0.x86_64.rpm mit-zephyr-2.1-6-linux.x86_64.rpm \
       mod_ssl-2.2.8-3.x86_64.rpm nss_nonlocal-* \
       openafs-1.4.7-1.1.1.x86_64.rpm \
       openafs-{authlibs,client,debuginfo,devel,docs,krb5}* openssh* \
       sql-signup-0.00-0.x86_64.rpm tokensys-0.00-0.x86_64.rpm \
       whoisd-0.00-0.x86_64.rpm

* Rebuild mit-zephyr on a 32-bit machine, like the one at Joe's home.

* Run "make suexec" and "make install-suexec" to overwrite
  /usr/sbin/suexec with one that works. The one installed by the
  newly-built Apache RPM is misconfigured.
  ... Except Anders claims he fixed this.

* Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up
  anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way
  that makes it hang forever.

* Install and configure bind
  - env NSS_NONLOCAL_IGNORE=1 yum install bind
  - chkconfig named on
  - service named start

* Check out the scripts /etc configuration, which is done most easily by
  $ svn co svn://scripts.mit.edu/server/fedora/config/etc
  # \cp -a etc /

* Reload the iptables config to take down the restrictive firewall 
  service iptables restart

* Copy over root's dotfiles from one of the other machines.

* Replace rsyslog with syslog-ng by doing:
  # rpm -e --nodeps rsyslog
  # yum install syslog-ng

* Install various dependencies of the scripts system, including syslog-ng,
  glibc-devel.i386, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all.

* Disable NetworkManager with chkconfig NetworkManager off. Configure
  networking on the front end and back end, and the routing table to send
  traffic over the back end. Make sure that chkconfig reports "network" on, so
  that the network will still be configured at next boot.

* Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
   /usr/vice/etc/cacheinfo to contain:
        /afs:/usr/vice/cache:10000000

* Figure out why Zephyr isn't working. Most recently, it was because there
  was a 64-bit RPM installed; remove it and install Joe's 32-bit one

* Install the full list of RPMs that users expect to be on the
  scripts.mit.edu servers.  See server/doc/rpm and
  server/doc/rpm_snapshot.  (Note that this is only a snapshot, and not
  all packages may in fact be in use.)

* Install the full list of perl modules that users expect to be on the
  scripts.mit.edu servers.  See server/doc/perl and
  server/doc/perl_snapshot.

  - export PERL_MM_USE_DEFAULT=1
  - Run 'cpan', accept the default configuration, and do 'o conf
    prerequisites_policy follow'.
  - Parse the output of perldoc -u perllocal | grep head2 on an existing
    server, and "notest install" them from the cpan prompt.

* Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
  the other scripts.mit.edu servers and do not have RPMs.
  - Look at /usr/lib/python2.5/site-packages for Python eggs and modules.
  - Look at `gem list` for Ruby gems.
  - Look at `pear list` for Pear fruits (or whatever they're called).

* echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.5/site-packages"))' > /usr/lib/python2.5/site-packages/00scripts-home.pth

* Install the credentials (machine keytab, daemon.scripts keytab, SSL
  certs).

*  If you are setting up a test server, pay attention to
  /etc/sysconfig/network-scripts and do not bind scripts' IP address.
  You will also need to modify /etc/ldap.conf, /etc/openldap/ldap.conf, and
  /etc/httpd/conf.d/vhost_ldap.conf to use scripts.mit.edu instead of
  localhost.

* Install fedora-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
    and ./fedora-ds-enable-ssl-and-kerberos.diff).

* Install nslcd / nss-ldapd, which, unlike nss-ldap, doesn't crash every few
  hours. Add /sbin/service dirsrv start and /sbin/nslcd to /etc/rc.local, or
  better yet package nss-ldapd properly.

* Make the services dirsrv, postfix, and httpd start at boot. Run
  chkconfig to make sure the set of services to be run is correct.

* Run fmtutil-sys --all, which does something that makes TeX work.

* Reboot the machine to restore a consistent state, in case you
  changed anything.

* (Optional) Beat your head against a wall.

* Possibly perform other steps that I've neglected to put in this
  document.