Last change on this file since 1693 was 1693, checked in by ezyang, 14 years ago
Merge Fedora 13 development back to trunk.
# This document is a how-to for installing a Fedora server.
# It is semi-vaguely in the form of a shell script, but is not really
# runnable as it stands.
#
# Reading conventions (as far as the text below shows them):
#   o Lines indented by four spaces are run as root on the server being
#     built.  Lines at column 0 are run somewhere else -- on your trusted
#     machine or on a reference server -- and are followed by a note
#     about how their output gets carried over to the new server.
#   o Steps marked [TEST SERVER] apply only to test servers; steps
#     marked "(real servers only)" apply only to production servers.
#
# NOTE(review): hostnames, Kerberos principals, LDAP URIs and the AFS
# cell name appear to have been stripped from this copy of the document
# (e.g. "host/" with no instance, "uri ldap://" with no host, an empty
# string written to ThisCell, "svn://" with no server, and the missing
# assignments of source_server, branch and server).  Fill those in from
# a working server before following any step that mentions them.
set -e -x
# -e aborts the run on the first failing command (so an 'ls -l' below
# doubles as "make sure this file exists"); -x prints each command line
# before executing it.  Credentials below travel as files rather than as
# command arguments, so the -x trace should not contain secrets.
# Some commands should be run as the scripts-build user, not root.
alias asbuild="sudo -u scripts-build"
# (bash does not expand aliases in a non-interactive script unless
# expand_aliases is set -- one more reason this file is a checklist,
# not a program.)
# Old versions of this install document advised setting
# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
# yum, warning that useradd will query LDAP in a stupid way that makes
# it hang forever.  As of Fedora 13, this does not seem to be a problem,
# so it's been removed from the instructions.  If an install is hanging,
# though, try adding NSS_NONLOCAL_IGNORE.
# This is actually just "pick an active scripts server".  It can't be
# because our networking config points that domain
# at localhost, and if our server is not setup at that point things
# will break.
# NOTE(review): the source_server=... assignment that the scp and svn
# commands below rely on belongs here; it is missing from this copy.
# 'branch' is the current svn branch you are on.  You want to
# use trunk if you're just installing a new server, and branches/fcXX-dev
# if you're preparing a server on a new Fedora release.
# NOTE(review): the branch=... assignment is likewise missing here.
# 'server' is the public hostname of your server, for SCP'ing files
# to and from.
# NOTE(review): the server=... assignment is likewise missing here.
# Start with a Scripts kickstarted install of Fedora (install-fedora)
# Take updates, reboot if there's a kernel update.
    yum update
# Get rid of network manager
    yum remove NetworkManager
# Check out the svn repository. Configure svn not to cache
# credentials.
# NOTE(review): the checkout commands belong here but are absent from
# this copy.  "Not cache credentials" presumably means 'store-passwords
# = no' in ~/.subversion/config; check ~/.subversion/auth is empty
# after the checkout either way.
# Copy over root's dotfiles from one of the other machines.
# Perhaps a useful change is to remove the default aliases
    cd /root
    ls -l .bashrc
    ls -l .ldapvirc
    ls -l .screenrc
    ls -l .ssh
    ls -l .vimrc
    ls -l .k5login
    # Trying to scp from server to server won't work, as scp
    # will attempt to negotiate a server-to-server connection.
    # Instead, scp to your trusted machine as a temporary file,
    # and then push to the other server
# Both scp lines run on your trusted machine.  .ssh is copied whole, so
# whatever root keeps in it (possibly private keys) sits in this
# directory in between; remove the local copies once the push succeeds.
scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
# Install the initial set of credentials (to get Kerberized logins once
# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
#   o You probably installed the machine keytab long ago
    ls -l /etc/krb5.keytab
#     Use ktutil to combine the host/ and
#     host/ keys with host/ in
#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
#     or you'll break the other servers. (real servers only).  Be
#     careful about writing out the keytab: if you write it to an
#     existing file the keys will just get appended.  The correct
#     credential list should look like:
#       ktutil:  l
#       slot KVNO Principal
#       ---- ---- ---------------------------------------------------------------------
#          1    5 host/
#          2    3 host/
#          3    2      host/
#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
    ls -l /etc/ssh/*key*
#     You can do that with:
# Again run from your trusted machine: the remote glob is expanded by
# the source server, the local one by your shell, so make sure nothing
# else in the current directory matches *key* before the second line.
scp root@$source_server:/etc/ssh/*key* .
scp *key* root@$server:/etc/ssh/
# The host private keys pass through your trusted machine's working
# directory; delete the local copies afterwards, and check with ls -l
# that the private keys on the new server are still mode 0600 and owned
# by root before reloading sshd.
    service sshd reload
# Check out the scripts /etc configuration
    # backslash to make us not use the alias
    cd /root
    \cp -a etc /
    # svn only records the executable bit, so the checked-out sudoers
    # arrives with default permissions; sudo refuses to use a sudoers
    # file that is not mode 0440.
    chmod 0440 /etc/sudoers
# NOTE: You will have just lost DNS resolution and the ability
# to do password SSH in.  If you managed to botch this step without
# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
# with a non address for the DNS server.  Be sure to revert it once
# you have named.
# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
# password auth) and /etc/pam.d/sshd (comment out the first three auth
# lines).  However, you should have the Kerberos credentials in place
# so as soon as you install the full set of Scripts packages, you'll get
# Kerberized logins.
# Make sure network is working.  If this is a new server name, you'll
# need to add it to /etc/hosts and
# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
# configured eth0 and eth1 correctly; use service network restart
# to add the new routes in route-eth1.
    service network restart
    route
    ifconfig
    cat /etc/hosts
    cat /etc/sysconfig/network-scripts/route-eth1
# This is the point at which you should start updating scriptsified
# packages for a new Fedora release.  Consult 'upgrade-tips' for more
# information.
    yum install -y scripts-base
    # Some of these packages are naughty and clobber some of our files
    cd /etc
    # Put back the checked-in versions the RPM scriptlets overwrote.
    svn revert resolv.conf hosts sysconfig/openafs
# Replace rsyslog with syslog-ng by doing:
    rpm -e --nodeps rsyslog
    yum install -y syslog-ng
    chkconfig syslog-ng on
# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
    # cacheinfo is "<AFS mount point>:<cache directory>:<cache size in KB>".
    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
    # NOTE(review): an empty ThisCell is almost certainly not intended;
    # the cell name seems to have been stripped from this copy.
    echo "" > /usr/vice/etc/ThisCell
# [TEST SERVER] If you're installing a test server, this needs to be
# much smaller; the max filesize on XVM is 10GB.  Pick something like
# 500000. Also, some of the AFS parameters are kind of retarded (and if
# you're low on disk space, will actually exhaust our inodes).  Edit
# these parameters in /etc/sysconfig/openafs
# Test that zephyr is working
    chkconfig zhm on
    service zhm start
    echo 'Test!' | zwrite -d -c scripts -i test
# Install the full list of RPMs that users expect to be on the
# servers.
# Run on a reference server: one "name.arch" per line, sorted so the
# diff below is stable.
rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
# arrange for packages.txt to be passed to the server, then run:
# --skip-broken will (usually) prevent you from having to sit through
# several minutes of dependency resolution until it decides that
# it can't install /one/ package.
    # $(cat ...) is deliberately unquoted: one package per word.
    yum install -y --skip-broken $(cat packages.txt)
# Check which packages are installed on your new server that are not
# in the snapshot, and remove ones that aren't needed for some reason
# on the new machine.  Otherwise, aside from bloat, you may end up
# with undesirable things for security, like sendmail.
    # 'grep -v kernel' keeps kernel packages (whose versions legitimately
    # differ) out of newpackages.txt and therefore out of the erase list.
    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
    diff -u packages.txt newpackages.txt | grep -v kernel | less
    # here's a cute script that removes all extra packages
    # grep -F (fixed strings) -x (whole line) -v (invert) -f (patterns
    # from packages.txt): prints every entry of newpackages.txt that is
    # not in the reference snapshot.  Read the diff above first -- this
    # erases everything it prints.
    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
# We need an upstream version of cgi which we've packaged ourselves, but
# it doesn't work with the haskell-platform package which expects
# explicit versions.  So temporarily rpm -e the package, and then
# install it again after you install haskell-platform.  [Note: You
# probably won't need this in Fedora 15 or something, when the Haskell
# Platform gets updated.]
    rpm -e ghc-cgi-devel ghc-cgi
    yum install -y haskell-platform
    yumdownloader ghc-cgi
    yumdownloader ghc-cgi-devel
    rpm -i ghc-cgi*1.8.1*.rpm
# Check out the scripts /usr/vice/etc configuration
    cd /root/vice
    \cp -a etc /usr/vice
# Install the full list of perl modules that users expect to be on the
# servers.
    cd /root
    # Make ExtUtils::MakeMaker accept defaults instead of prompting.
    export PERL_MM_USE_DEFAULT=1
    cpan # this is interactive, enter the next two lines
        o conf prerequisites_policy follow
        o conf commit
# on a reference server
# perldoc -u perllocal lists the locally installed modules; the grep/cut
# chain extracts the module names; for each one, 'rpm -q --whatprovides
# perl(Module)' fails (non-zero system()) exactly when no RPM provides
# it, so only modules that came from CPAN are written out, each as a
# CPAN-shell "notest install" command.
perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
# arrange for perl-packages.txt to be transferred to server
    # Feeds the generated commands to the CPAN shell.  "notest" skips
    # each module's test suite, and these come straight from CPAN rather
    # than from signed RPMs -- skim perl-packages.txt before running this.
    cat perl-packages.txt | perl -MCPAN -e shell
# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
# the other servers and do not have RPMs.
# The general mode of operation will be to run the "list" command
# on both servers, see what the differences are, check if those diffs
# are packaged up as rpms, and install them (rpm if possible, native otherwise)
# - Look at /usr/lib/python2.6/site-packages and
#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
#   There will be a lot of gunk that was installed from packages;
#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
#   First use 'yum search' to see if the relevant package is now available
#   as an RPM, and install that if it is.  If not, then use easy_install.
#   Pass -Z to easy_install to install them unzipped, as some zipped eggs
#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
#   easier.)
    cat /usr/lib/python2.6/site-packages/easy-install.pth
# - Look at `gem list` for Ruby gems.
#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
#       ezyang: rspec-rails depends on rspec, and will override the Yum
#       package, so... don't use that RPM yet
# Run on a reference server, then carry gem.txt over.
gem list --no-version > gem.txt
    # 'grep -Fxvf -' takes its patterns from stdin (this server's gem
    # list) and prints the lines of gem.txt (the reference list) that
    # have no match, i.e. the gems still missing here.
    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
# - Look at `pear list` for Pear fruits (or whatever they're called).
#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
#   that for things in the beta repo, you'll need 'pear install package-beta'.
#   (you might get complaints about the php_scripts module; ignore them)
# Run on a reference server; 'tail -n +4' skips the table header.
pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
    pear config-set preferred_state beta
    pear channel-update
    # Same missing-on-this-server pattern as the gem line above.
    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
# - Look at `pecl list` for PECL things.  'yum search', and if you must,
#   'pecl install' needed items. If it doesn't work, try 'pear install
#   pecl/foo' or 'pecl install foo-beta' or those two combined.
# Run on a reference server.
pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
    # Same pattern again; --nodeps skips PECL's own dependency checks.
    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
# Setup some Python config
    # site processes every .pth file in site-packages at interpreter
    # start-up, so this puts each user's own ~/lib/python2.6/site-packages
    # on sys.path for Python processes they run.
    # NOTE(review): it applies to Python run by system accounts as well;
    # confirm their HOME directories are not writable by ordinary users.
    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
# Install the credentials.  There are a lot of things to remember here.
# Be sure to make sure the permissions match up (ls -l on an existing
# server!).
# Run from your trusted machine.  The brace expansion happens locally,
# so every file lands in the current directory as a plaintext copy
# (keytab, SSL private key, two passwords); delete them once the three
# pushes below have succeeded, and do the ls -l checks that follow --
# scp does not necessarily reproduce the source file modes.
scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
scp scripts.key root@$server:/etc/pki/tls/private
scp .k5login root@$server:/home/logview
    # The keytab is read by the afsagent user (see its renew job below).
    chown afsagent:afsagent /etc/daemon.keytab
#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
    ls -l /etc/daemon.keytab
#   o The SSL cert private key (real servers only)
    ls -l /etc/pki/tls/private/scripts.key
#   o The LDAP password for the signup process (real servers only)
    ls -l /etc/signup-ldap-pw
#   o The whoisd password (real servers only)
    ls -l /etc/whoisd-password
#   o Make sure logview's .k5login is correct (real servers only)
    cat /home/logview/.k5login
# Spin up OpenAFS.  This will fail if there's been a new kernel since
# when you last tried.  In that case, you can hold on till later to
# start OpenAFS.  This will take a little bit of time;
    service openafs-client start
# Check that fs sysname is correct.  You should see, among others,
# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
# probably did a distro upgrade and should update /etc/sysconfig/openafs.
    fs sysname
# [TEST SERVER] If you are setting up a test server, pay attention to
# /etc/sysconfig/network-scripts and do not bind scripts' IP address.
# You will also need to modify:
#   o /etc/ldap.conf
#       add: host
#   o /etc/nss-ldapd.conf
#       replace: uri *****
#       with: uri ldap://
#   o /etc/openldap/ldap.conf
#       add: URI ldap://
#            BASE dc=scripts,dc=mit,dc=edu
#   o /etc/httpd/conf.d/vhost_ldap.conf
#       replace: VhostLDAPUrl ****
#       with: VhostLDAPUrl "ldap://,dc=scripts,dc=mit,dc=edu"
#   o /etc/postfix/virtual-alias-{domains,maps}
#       replace: server_host *****
#       with: server_host = ldap://
# to use instead of localhost.
# XXX: someone should write sed scripts to do this
# [TEST SERVER] If you are setting up a test server, afsagent's cronjob
# will attempt to be renewing with the wrong credentials
# (daemon.scripts). Change this:
    # NOTE(review): the principal to substitute is missing from this
    # copy; the comment above suggests daemon.scripts-test.
    vim /home/afsagent/renew # replace all mentions of
# Set up replication (see ./install-ldap).
# You'll need the LDAP keytab for this server: be sure to chown it
# fedora-ds after you create the fedora-ds user
    ls -l /etc/dirsrv/keytab
    cat install-ldap
# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
# boot. Run chkconfig to make sure the set of services to be run is
# correct.
    service nslcd start
    service nscd start
    service postfix start
    service httpd start
    chkconfig dirsrv on
    chkconfig nslcd on
    chkconfig nscd on
    chkconfig postfix on
    chkconfig httpd on
# nrpe is required for nagios alerts
    chkconfig nrpe on
# Check sql user credentials (needs to be done after LDAP is setup)
    # Needs LDAP because the 'sql' account is resolved through it.
    chown sql /etc/sql-mit-edu.cfg.php
# Postfix doesn't actually deliver mail; fix this
    cd /etc/postfix
    # Rebuilds the virtual.db lookup table from the checked-in 'virtual'.
    postmap virtual
# Munin might not be monitoring packages that were installed after it
    # Pipes generated shell into sh; run it without '| sh' first to see
    # what it intends to do.
    munin-node-configure --suggest --shell | sh
# Run fmtutil-sys --all, which does something that makes TeX work.
# (Note: this errors on XeTeX which is ok.)
    fmtutil-sys --all
# Ensure that PHP isn't broken:
    mkdir /tmp/sessions
    # 01777: world-writable with the sticky bit, so users can create
    # session files but cannot remove each other's.
    chmod 01777 /tmp/sessions
# Ensure fcgid isn't broken (should be 755)
    ls -ld /var/run/mod_fcgid
# Fix etc by making sure none of our config files got overwritten
    cd /etc
    # Anything listed here differs from the checked-in configuration.
    svn status -q
    # Some usual candidates for clobbering include nsswitch.conf and
    # sysconfig/openafs
# ThisCell got clobbered, replace it with
    # NOTE(review): cell name stripped from this copy -- see the note
    # on the earlier ThisCell line.
    echo "" > /usr/vice/etc/ThisCell
# Reboot the machine to restore a consistent state, in case you
# changed anything. (Note: Starting kdump fails (this is ok))
# [OPTIONAL] Your machine's hostname is baked in at install time;
# in the rare case you need to change it: it appears to be in:
#   o /etc/sysconfig/network
#   o your lvm thingies; probably don't need to edit
# [TEST SERVER] More stuff for test servers
#   - You need a self-signed SSL cert.  Generate with:
    # -x509 emits a self-signed certificate instead of a CSR; -nodes
    # leaves the private key unencrypted on disk, so check its mode with
    # ls -l just as for the production key above.
    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
#     Also make /etc/pki/tls/certs/ca.pem match up
#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have
#     be an accepted vhost name
#   - Look at the old test server and see what config changes are floating around
# XXX: our SVN checkout should be updated to use
# (repository and etc) once serving actually works.
    # --relocate only rewrites the repository URL recorded in each
    # working copy; the target URL is missing from this copy of the doc.
    cd /etc
    svn switch --relocate svn://$source_server/ svn://
    cd /usr/vice/etc
    svn switch --relocate svn://$source_server/ svn://
    cd /srv/repository
    asbuild svn switch --relocate svn://$source_server/ svn://
    asbuild svn up # verify works