Last change on this file since 2754 was 2685, checked in by mitchb, 10 years ago
Let's not create self-signed CAs You know, while we're fixing that command in the fear that someone will end up using this file as guidelines for something other than our test server.
1# This document is a how-to for installing a Fedora scripts.mit.edu server.
2# It is semi-vaguely in the form of a shell script, but is not really
3# runnable as it stands.
4
5# Notation
6# [PRODUCTION] Production server that will be put into the pool
7# [WIZARD]     Semi-production server that will only have
8#              daemon.scripts-security-upd bits, among other
9#              restricted permissions
10# [TESTSERVER] Completely untrusted server
11
# 'branch' is the svn branch you are currently on.  Use trunk if you
# are just installing a new server, and branches/fcXX-dev if you are
# preparing a server for a new Fedora release.
branch='trunk'

# 'server' is the public hostname of the machine being built.  It is
# used below for SCP'ing files to and from it and as the target that
# credit-card pushes credentials to, so replace the placeholder before
# running anything that reads it.
server='YOUR-SERVER-NAME-HERE'
20
21# ----------------------------->8--------------------------------------
22#                       FIRST TIME INSTRUCTIONS
23#
24# [PRODUCTION] If this is the first time you've installed this hostname,
25# you will need to update a bunch of files to add support for it. These
26# include:
27#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
28#     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
29#     scriptsN, scriptsN.mit.edu, and the IP address.)
30#   o Adding routing rules for the static IP in
31#     /etc/sysconfig/network-scripts/route-eth1
32#   o Adding the IP address to the hosts file (same hosts as for
33#     scripts-vhost-names)
34#   o Update SSH config at
35#       - server/fedora/config/etc/ssh/shosts.equiv
36#       - server/fedora/config/etc/ssh/ssh_known_hosts
37#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
38#     (the last part is critical to ensure that rooting one server
39#     doesn't give you root to all the other servers)
40#   o Put the hostname information in LDAP so SVN and Git work
41#   o Set up Nagios monitoring on sipb-noc for the host
42#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
43#   o Update locker/etc/known_hosts
44#   o Update website files:
45#       /mit/scripts/web_scripts/home/server.css.cgi
46#       /mit/scripts/web_scripts/heartbeat/heartbeat.php
47#
48# You will also need to prepare the keytabs for credit-card.  In particular,
49# use ktutil to combine the host/scripts.mit.edu and
50# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
51# the keytab.  Do not use 'k5srvutil change' on the combined keytab
52# or you'll break the other servers. (real servers only).  Be
53# careful about writing out the keytab: if you write it to an
54# existing file the keys will just get appended.  The correct
55# credential list should look like:
56#   ktutil:  l
57#   slot KVNO Principal
58#   ---- ---- ---------------------------------------------------------------------
59#      1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
60#      2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
61#      3    2 host/scripts.mit.edu@ATHENA.MIT.EDU
62#      4    8 host/scripts-test.mit.edu@ATHENA.MIT.EDU
63#
64# The LDAP keytab should be by itself, so be sure to delete it and
65# put it in its own file.
66
67# ----------------------------->8--------------------------------------
68#                      INFINITE INSTALLATION
69
70# Start with a Scripts kickstarted install of Fedora (install-fedora)
71
# IMPORTANT: If you are installing a server without the benefit of
# Kickstart (for example, you are installing on XVM), it is VITALLY
# IMPORTANT that you go through the kickstart and apply all of the
# necessary changes by hand -- for example, disabling selinux or
# enabling the network.
77#   XXX We should make Kickstart work for test servers too
78
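# Make sure selinux is disabled.  (Running without SELinux is a
# deliberate choice of this deployment -- several scripts packages fail
# to install with it on, see the troubleshooting note further down --
# not a general recommendation.)  The old one-liner only printed when
# SELinux was already off and stayed silent in the case that actually
# needs attention, so warn loudly when it is still enabled.
    if selinuxenabled 2>/dev/null; then
        echo "WARNING: selinux is still enabled; fix the kickstart/config before continuing" >&2
    else
        echo "selinux not enabled"
    fi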
81
# Take updates; reboot afterwards if a new kernel came in.
    yum update -y

# Get rid of NetworkManager (XXX figure out how to make kickstart do
# this for us).  No -y here, so yum asks for confirmation.
    yum remove NetworkManager

# Make sure sendmail isn't installed, replacing it with postfix in a
# single transaction.  (Quoted delimiter: nothing in here is expanded.)
    yum shell -y <<'EOF'
remove sendmail
install postfix
run
exit
EOF
96
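# Check out the scripts /etc configuration.  The checkout lives in
# /root/etc; -a keeps ownership and modes from the checkout, and the
# leading backslash bypasses any cp alias (e.g. cp -i) so it won't
# prompt per file.
    cd /root
    \cp -a etc /
    chmod 0440 /etc/sudoers
    # A sudoers file with a syntax error disables sudo outright; make
    # sure the copied file parses before anything depends on it.
    visudo -cf /etc/sudoers
    grub2-mkconfig -o /boot/grub2/grub.cfg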
102
103# [TEST] You'll need to fix some config now.  See bottom of document.
104
# Stop /etc/resolv.conf from getting repeatedly overwritten by
# purging DNS servers from ifcfg-eth0 and ifcfg-eth1 (the checked-in
# resolv.conf from the /etc checkout is the one we want to keep).
    vim /etc/sysconfig/network-scripts/ifcfg-eth0
    vim /etc/sysconfig/network-scripts/ifcfg-eth1
109
# Make sure the network is working.  Kickstart should already have
# configured eth0 and eth1; restarting the network service picks up the
# new routes from the route-eth1 file that just came in with /etc.
    systemctl restart network.service
    # Sanity-check the result (route/ifconfig are the net-tools
    # commands; ip route / ip addr show the same thing):
    route
    ifconfig
    cat /etc/hosts /etc/sysconfig/network-scripts/route-eth1
119
# This is the point at which you should start updating scriptsified
# packages for a new Fedora release.  Consult 'upgrade-tips' for more
# information.
    yum install -y scripts-base
    # Some of these packages are naughty and clobber some of our files;
    # svn revert puts back the checked-in versions from the /etc checkout
    # copied in above.  (The broader check -- svn status -q -- is run
    # again near the end of this document.)
    cd /etc
    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
    # Troubleshooting: if accountadm, tokensys and nscd fail to install
    # you probably forgot to turn off selinux
129
# Replace rsyslog with syslog-ng in one transaction (quoted delimiter:
# nothing in the here-doc is expanded), then bring syslog-ng up.
    yum shell -y <<'EOF'
remove rsyslog
install syslog-ng
run
exit
EOF
    systemctl enable syslog-ng.service
    systemctl start syslog-ng.service
139
# Install the full list of RPMs that users expect to be on the
# scripts.mit.edu servers.
# Step 1 runs on an EXISTING scripts server: snapshot its package list.
rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
# arrange for packages.txt to be passed to the server, then run:
    cd /tmp
    # ghc-cgi is fetched with the scripts repo disabled (presumably so
    # the stock Fedora build lands next to the scripts one, see below).
    # NOTE(review): yumdownloader does not verify signatures, and yum
    # localinstall only checks them when localpkg_gpgcheck is set in
    # yum.conf (it is off by default) -- confirm before trusting these.
    yumdownloader --disablerepo=scripts ghc-cgi ghc-cgi-devel
    yum localinstall ghc-cgi*.x86_64.rpm
    # Intentionally unquoted: packages.txt is one name per line and
    # word splitting is what turns it into arguments.
    yum install -y $(cat packages.txt)
# The reason this works is that ghc-cgi is marked as installonlypkgs
# in yum.conf, telling yum to install them side-by-side rather than
# updating them. If it doesn't work, use --skip-broken on the yum
# command line.
152
# Check which packages are installed on your new server that are not
# in the snapshot, and remove ones that aren't needed for some reason
# on the new machine.  Otherwise, aside from bloat, you may end up
# with undesirable things for security, like sendmail.
    # Kernel packages are filtered out of the new list so they are
    # never erased (a different kernel version here is expected).
    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
    diff -u packages.txt newpackages.txt | grep -v kernel | less
    # here's a cute script that removes all extra packages:
    # grep -F (fixed strings) -x (whole-line match) -v (invert) -f
    # (patterns from packages.txt) prints every line of newpackages.txt
    # that is not an exact entry of the snapshot, i.e. the extras.
    # Review the diff above first -- this runs with -y, unattended.
    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
    # 20101208 - Mysteriously we manage to get these extra packages
    # from kickstart: mcelog mobile-broadband-provider-info
    # ModemManager PackageKit
164
165# ----------------------------->8--------------------------------------
166#                       INFINITE CONFIGURATION
167
# [PROD] Create the fedora-ds service account (needed for credit-card);
# [TEST] too if you want to run a local dirsrv instance.  --system makes
# it a system account (system uid range, no password aging).
# NOTE(review): nothing in this document shows the account needing a
# login shell; consider adding -s /sbin/nologin -- confirm first that
# credit-card / dirsrv don't su to it.
useradd --system --home-dir /var/lib/dirsrv fedora-ds
171
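# Run credit-card to clone in credentials and make things runnable.
# NOTE: You may be tempted to run credit-card earlier in the install
# process in order, for example, to be able to SSH in to the servers
# with Kerberos.  However, it is better to install the credentials
# *after* we have run a boatload of untrusted code as part of the
# spheroids objects process.  So don't move this step earlier!
# Refuse to push credentials at the unedited placeholder from the top
# of this document (or at an empty name).
if [ -z "$server" ] || [ "$server" = "YOUR-SERVER-NAME-HERE" ]; then
    echo "error: set 'server' at the top of this document before running credit-card" >&2
else
    python host.py push "$server"
fi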
179
180# This is superseded by credit-card, which works for [PRODUCTION] and
181# [WIZARD].  We don't have an easy way of running credit-card for XVM...
182#b
183#
184#   # All types of servers will have an /etc/daemon.keytab file, however,
185#   # different types of server will have different credentials in this
186#   # keytab.
187#   #   [PRODUCTION] daemon.scripts
188#   #   [WIZARD]     daemon.scripts-security-upd
189#   #   [TESTSERVER] daemon.scripts-test
190
# Test that zephyr is working: bring up the host manager, then send a
# zephyrgram to the scripts class with instance 'test'.
    systemctl enable zhm.service
    systemctl start zhm.service
    printf '%s\n' 'Test!' | zwrite -d -c scripts -i test
195
# Check out the scripts /usr/vice/etc (OpenAFS client) configuration
    cd /root/vice
    \cp -a etc /usr/vice
# [TESTSERVER] On a test server the cache has to be much smaller: the
# max filesize on XVM is 10GB, so pick something like 500000.  Some of
# the AFS parameters are also kind of silly and, when you're low on
# disk space, will actually exhaust the inodes -- trim them in
# /etc/sysconfig/openafs (chopping a zero off all of them worked).
    printf '%s\n' '/afs:/usr/vice/cache:500000' > /usr/vice/etc/cacheinfo
    vim /etc/sysconfig/openafs
207
# [PRODUCTION] Set up replication (see ./install-ldap).
# You'll need the LDAP keytab for this server: be sure to chown it
# fedora-ds after you create the fedora-ds user.  The keytab holds
# long-lived keys: it should be readable by fedora-ds only and, per
# the FIRST TIME INSTRUCTIONS, contain only the LDAP principal.
    ls -l /etc/dirsrv/keytab
    cat install-ldap
213
# Enable lots of services (currently in /etc checkout).  httpd is kept
# out of the common list because a [WIZARD] box doesn't serve the web.
    services='openafs-client.service dirsrv.target nslcd.service nscd.service postfix.service nrpe.service'
    for svc in $services; do
        systemctl enable "$svc"
    done
    systemctl enable httpd.service # not for [WIZARD]

    for svc in $services; do
        systemctl start "$svc"
    done
    systemctl start httpd.service # not for [WIZARD]
230
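# Note about OpenAFS: Check that fs sysname is correct.  You should see,
# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
# not, you probably did a distro upgrade and should update
# tokensys (server/common/oursrc/tokensys/scripts-afsagent-startup.in)
    fs sysname

# Postfix doesn't actually deliver mail until the virtual alias map is
# compiled.  Give postmap the full path: the old 'cd' + 'postmap virtual'
# would, if the cd failed, happily build a map from a 'virtual' file in
# whatever directory you happened to be in.
    postmap /etc/postfix/virtual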
240
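# Munin might not be monitoring packages that were installed after it.
# munin-node-configure --shell emits shell commands (typically plugin
# symlinks); print them before handing them to sh instead of piping
# blind, so an unexpected plugin can be dropped first.
    munin_cmds=$(munin-node-configure --suggest --shell)
    printf '%s\n' "$munin_cmds"
    printf '%s\n' "$munin_cmds" | sh

# Run fmtutil-sys --all, which does something that makes TeX work.
# (Note: this errors on XeTeX which is ok.)
    fmtutil-sys --all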
247
# Check for unwanted setuid/setgid binaries
    # find's -prune leg is evaluated first: anything not world-executable
    # (o=x) is pruned -- directories are not descended into, files are
    # not printed -- on the reasoning that a binary unprivileged users
    # can't reach or run isn't a local-privilege concern here.  (NB: this
    # also hides a setuid binary that is only group-executable, e.g. a
    # 4750 root:somegroup file; decide whether that is acceptable.)  What
    # survives is every regular file with the setuid or setgid bit
    # (-perm /ug=s), minus the allow-list.  -xdev stays on one filesystem:
    # if /usr, /var or /home are separate mounts, repeat per mount point.
    find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list
    # Same walk for file capabilities (setcap) -- another root-equivalent
    # vector that chmod u-s will not find.  cut keeps only the path
    # column of getcap's output; paths containing spaces get mangled.
    find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list
    # You can prune the first set of binaries using 'chmod u-s' and 'chmod g-s'
    # and remove capabilities using 'setcap -r'
253
254# XXX check for selinux gunk
255
# Fix etc by making sure none of our config files got overwritten:
# anything a package install clobbered shows up as modified here.
    cd /etc
    svn status --quiet
    # Some usual candidates for clobbering include nsswitch.conf,
    # resolv.conf and sysconfig/openafs.
    # [WIZARD/TEST] Remember that changes you made on purpose should
    # not get reverted!
263
264# Reboot the machine to restore a consistent state, in case you
265# changed anything. (Note: Starting kdump fails (this is ok))
266
267# ------------------------------->8-------------------------------
268#                ADDENDA AND MISCELLANEOUS THINGS
269
270# [OPTIONAL] Your machine's hostname is baked in at install time;
271# in the rare case you need to change it: it appears to be in:
272#   o /etc/sysconfig/network
273#   o your lvm thingies; probably don't need to edit
274
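# [TESTSERVER] Enable password log in.  Only ever do this on a completely
# untrusted test server: as far as this document shows, the real servers
# rely on Kerberos tickets / host-based trust plus sshd_config's DenyUsers
# (see FIRST TIME INSTRUCTIONS), and password auth there would undo that.
        vim /etc/ssh/sshd_config
        # Check the edited config parses before reloading, so a typo is
        # caught now rather than by sshd refusing new connections later.
        # (systemctl rather than 'service', for consistency with the
        # rest of this document.)
        sshd -t && systemctl reload sshd.service
        vim /etc/pam.d/sshd
# Replace the first auth block with:
#           # If they're not root, but their user exists (success),
#           auth    [success=ignore ignore=ignore default=1]        pam_succeed_if.so uid > 0
#           # print the "You don't have tickets" error:
#           auth    [success=die ignore=reset default=die]  pam_echo.so file=/etc/issue.net.no_tkt
#           # If !(they are root),
#           auth    [success=1 ignore=ignore default=ignore]        pam_succeed_if.so uid eq 0
#           # print the "your account doesn't exist" error:
#           auth    [success=die ignore=reset default=die]  pam_echo.so file=/etc/issue.net.no_user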
288
289
# [WIZARD/TESTSERVER] If you are setting up a non-production server,
# there are some services that it won't provide, and you will need to
# make it talk to a real server instead.  In particular:
#   - We don't serve the web, so don't bind scripts.mit.edu
#   - We don't serve LDAP, so use another server
# XXX: Someone should write sed scripts to do this
# This involves editing the following files:
        # The loopback aliases (presumably the scripts.mit.edu service
        # addresses) go away, as do the static routes on a test box:
        svn rm /etc/sysconfig/network-scripts/ifcfg-lo:0 /etc/sysconfig/network-scripts/ifcfg-lo:1 /etc/sysconfig/network-scripts/ifcfg-lo:2 /etc/sysconfig/network-scripts/ifcfg-lo:3
        svn rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only
299#   o /etc/nslcd.conf
300#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
301#       with: uri ldap://scripts.mit.edu/
302#           (what happened to nss-ldapd?)
303#   o /etc/openldap/ldap.conf
304#       add: URI ldap://scripts.mit.edu/
305#            BASE dc=scripts,dc=mit,dc=edu
306#   o /etc/httpd/conf.d/vhost_ldap.conf
307#       replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
308#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
309#   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
310#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
311#       with: server_host = ldap://scripts.mit.edu
312# to use scripts.mit.edu instead of localhost.
313
# [WIZARD/TESTSERVER] On a non-production server afsagent's cronjob
# would otherwise keep trying to renew with the wrong credentials
# (daemon.scripts, which only a [PRODUCTION] keytab carries -- see the
# keytab notes above); point it at this server's principal instead.
    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
318
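# [TESTSERVER]
#   - You need a self-signed SSL cert or Apache will refuse to start
#     or do SSL.  Generate with: (XXX recommended CN? -- the name the
#     test box is reached by, e.g. the scripts-fX-test.xvm.mit.edu
#     vhost name added below, is the obvious candidate)
#     Flags: 'req -x509' defaults to a 30-day validity, so -days is
#     given explicitly (pick what suits a test box); -nodes leaves the
#     key unencrypted so httpd can start unattended; -extensions v3_req
#     uses the stock openssl.cnf section carrying basicConstraints
#     CA:FALSE, i.e. a leaf cert rather than a self-signed CA.  The
#     subshell umask keeps the private key from ever being group/world
#     readable, even for an instant.
    (umask 077; openssl req -new -x509 -sha256 -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts-cert.pem -nodes -extensions v3_req)
    chmod 0600 /etc/pki/tls/private/scripts.key
    ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-2048.key
#     Also make the various public keys match up.
#     NOTE(review): 'openssl rsa -pubout' writes a bare PUBLIC KEY block,
#     not a certificate.  If httpd references star.scripts.pem or
#     scripts.pem as an SSLCertificateFile, copy scripts-cert.pem over
#     them instead -- confirm against the httpd config.  The former third
#     command here, which did the same to scripts-cert.pem, has been
#     dropped: it overwrote the certificate generated just above with
#     its own public key, leaving no certificate file at all.
    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/star.scripts.pem
    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts.pem
#     Nuke the per-vhost configs in vhosts.d (the original note calls
#     them CSRs) since whatever they reference will all mismatch
#     XXX alternate strategy replace all the pem's as above
    cd /etc/httpd/vhosts.d
    svn rm *.conf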
332
333# [TESTSERVER]
334#   Remove vhosts.d which we don't have rights for XXX
335
336# [TESTSERVER] More stuff for test servers
337#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
338#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
339#     be an accepted vhost name
340#   - Look at the old test server and see what config changes are floating around