Changeset 1259 for trunk/server/doc
- Timestamp: Jul 9, 2009, 3:48:21 PM (15 years ago)
- Location: trunk
- Files: 2 edited
trunk
-
Property
svn:mergeinfo
set to
False
/branches/fc11-dev merged eligible
-
Property
svn:mergeinfo
set to
False
-
trunk/server/doc/install-howto.sh
r1237 r1259 8 8 9 9 boot=${1:$(cat /scripts-boot-count)} 10 11 # XXX: let 'branch' be the current svn branch you are on 10 12 11 13 doreboot() { … … 53 55 54 56 cd /srv 55 svn co svn://$source_server/ trunkrepository57 svn co svn://$source_server/$branch repository 56 58 57 59 sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config … … 67 69 # Run "make install-deps" to install various prereqs. Nonstandard 68 70 # deps are in /mit/scripts/rpm. 71 YUM install -y make 69 72 make install-deps 70 73 … … 74 77 # Check out the scripts /etc configuration 75 78 cd /root 76 svn co svn://scripts.mit.edu/trunk/server/fedora/config/etc etc 79 svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc 80 # backslash to make us not use the alias 77 81 \cp -a etc / 78 82 83 # NOTE: You will have just lost DNS resolution and the abilit 84 # to do password SSH in 85 86 service named start 87 chkconfig named on 88 89 # XXX: This sometimes doesn't exist, but it really sucks if it 90 # does exist. So check for it. 79 91 # yum remove nss_ldap, because nss-ldapd conflicts with it 92 93 # In the case of the Kerberos libraries, you'll be told that 94 # there are conflicting files with the 64-bit versions of the packages, 95 # which we scriptsify. You'll have to use --force to install those 96 # rpms despite the conflicts. After doing that, you may want to 97 # install the corresponding 64-bit scriptsified versions again, just 98 # to be safe in case the 32-bit versions overwrite files that differ. 99 # When you try this, it will complain that you already have the same 100 # version installed; again, you'll need to use --force to do it anyway. 101 102 # We need yumdownloader to force some RPMs 103 # XXX: This might be wrong. 
Sanity check what packages ou 104 # have when done 105 YUM install -y yum-utils 106 yumdownloader krb5-libs 107 # XXX: These version numbers are hardcoded, need some cli-fu to generalize 108 rpm -i krb5-libs-*.i586.rpm 109 rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm 80 110 81 111 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base 82 112 YUM install -y scripts-base 83 113 84 # Rebuild mit-zephyr on a 32-bit machine, like the one at Joe's home. 114 # Install mit-zephyr 115 YUM install -y mit-zephyr 85 116 86 117 # Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up 87 118 # anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way 88 # that makes it hang forever. 89 90 # Install and configure bind 91 # - env NSS_NONLOCAL_IGNORE=1 yum install bind 92 # - chkconfig named on 93 # - service named start 119 # that makes it hang forever. (This is why we're using YUM, not yum) 94 120 95 121 # Reload the iptables config to take down the restrictive firewall 96 #service iptables restart122 service iptables restart 97 123 98 124 # Copy over root's dotfiles from one of the other machines. 125 # Perhaps a useful change is to remove the default aliases 126 # On 2009-07-01, the dotfiles to transfer where: 127 # .bashrc .ldapvirc .screenrc .ssh (<- directory) .vimrc 128 # Trying to scp from server to server won't work, as scp 129 # will attempt to negotiate a server-to-server connection. 130 # Instead, scp to your trusted machine as a temporary file, 131 # and then push to the other server 99 132 100 133 # Replace rsyslog with syslog-ng by doing: 101 # # rpm -e --nodeps rsyslog 102 # # yum install syslog-ng 103 104 # Install various dependencies of the scripts system, including syslog-ng, 105 # glibc-devel.i586, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all. 
134 rpm -e --nodeps rsyslog 135 YUM install -y syslog-ng 136 chkconfig syslog-ng on 137 138 # Install various dependencies of the scripts system, including 139 # glibc-devel.i586 (ezyang: already installed for me), 140 # python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all. 141 YUM install -y mod_fcgid 142 YUM install -y nrpe 143 YUM install -y nagios-plugins-all 106 144 107 145 # Disable NetworkManager with chkconfig NetworkManager off. Configure … … 109 147 # traffic over the back end. Make sure that chkconfig reports "network" on, so 110 148 # that the network will still be configured at next boot. 149 # ezyang: For me, NetworkManager was not installed at this point, and 150 # we had already done the basic config for networking front end and 151 # back end (because I wanted ssh access, and not just conserver access) 111 152 112 153 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing … … 114 155 # /afs:/usr/vice/cache:10000000 115 156 # Also fix ThisCell to contain athena.mit.edu in both directories 157 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 158 # ezyang: ThisCell on b-k and c-w don't have anything special 159 # written here 116 160 117 161 # Figure out why Zephyr isn't working. Most recently, it was because there 118 162 # was a 64-bit RPM installed; remove it and install Joe's 32-bit one 163 YUM erase -y mit-zephyr 164 # mit-zephyr has a spurious dependency on mit-krb-config 165 yumdownloader mit-zephyr.i386 166 # if deps change, this breaks 167 YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i58 168 rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm 119 169 120 170 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs … … 125 175 # install the rest of the things it really does depend on. This will 126 176 # include a bunch of 32-bit rpms; go ahead and install the .i586 versions 127 # of them. 
In the case of the Kerberos libraries, you'll be told that 128 # there are conflicting files with the 64-bit versions of the packages, 129 # which we scriptsify. You'll have to use --force to install those 130 # rpms despite the conflicts. After doing that, you may want to 131 # install the corresponding 64-bit scriptsified versions again, just 132 # to be safe in case the 32-bit versions overwrite files that differ. 133 # When you try this, it will complain that you already have the same 134 # version installed; again, you'll need to use --force to do it anyway. 135 # Yuck. 177 # of them. 178 YUM install -y athena-base 179 YUM install -y athena-lprng 180 yumdownloader athena-lprng-misc 181 # ezyang: I couldn't find any deps for this that existed in the repos 182 # You might get a "find: `/usr/athena/info': No such file or directory" 183 # error; this is fine 184 rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm 136 185 137 186 # Install the full list of RPMs that users expect to be on the 138 # scripts.mit.edu servers. See server/doc/rpm and 139 # server/doc/rpm_snapshot. (Note that this is only a snapshot, and not 140 # all packages may in fact be in use.) 187 # scripts.mit.edu servers. 188 189 # ezyang: Running the below I got file conflicts. To fix (since I had 190 # botched steps above), I manually compared package lists and installed 191 # them. If you've done the krb5 setup originally correctly, then 192 # write down what you had to do here. 
193 yumdownloader krb5-devel 194 rpm -i --force krb5-devel-*.i586.rpm 195 rpm -U --force krb5-devel-*.scripts.1138.x86_64.rpm 196 yumdownloader krb5-server 197 rpm -i --force krb5-server-*.scripts.1138.x86_64.rpm 198 199 200 # on another server, run: 201 rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt 202 # arrange for packages.txt to be passed to the server, then run: 203 # notice that yum is not capitalized 204 # Also notice skip-broken 205 cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken 141 206 142 207 # Check which packages are installed on your new server that are not … … 144 209 # on the new machine. Otherwise, aside from bloat, you may end up 145 210 # with undesirable things for security, like sendmail. 211 rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt 212 diff -u packages.txt newpackages.txt | less 213 # if all went well, you'll probably see multiple kernel versions 214 # as the only diff 215 # ezyang: I got exim installed as another package 146 216 147 217 # Check out the scripts /usr/vice/etc configuration … … 164 234 # Then on the server you're installing, 165 235 # cat perl-packages.txt | perl -MCPAN -e shell 236 export PERL_MM_USE_DEFAULT=1 237 # XXX: Some interactive gobbeldygook 238 cpan 239 o conf prerequisites_policy follow 240 o conf commit 241 # on a reference server 242 perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt 243 # arrange for perl-packages.txt to be transferred to server 244 cat perl-packages.txt | perl -MCPAN -e shell 166 245 167 246 # Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on 168 247 # the other scripts.mit.edu servers and do not have RPMs. 
248 # The general mode of operation will be to run the "list" command 249 # on both servers, see what the differences are, check if those diffs 250 # are packaged up as rpms, and install them (rpm if possible, native otherwise) 169 251 # - Look at /usr/lib/python2.6/site-packages and 170 252 # /usr/lib64/python2.6/site-packages for Python eggs and modules. 253 # There will be a lot of gunk that was installed from packages; 254 # easy-install.pth will tell you what was easy_installed. 171 255 # First use 'yum search' to see if the relevant package is now available 172 256 # as an RPM, and install that if it is. If not, then use easy_install. 173 257 # - Look at `gem list` for Ruby gems. 174 258 # Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. 259 # ezyang: rspec-rails depends on rspec, and will override the Yum 260 # package, so... don't use that RPM yet 175 261 # - Look at `pear list` for Pear fruits (or whatever they're called). 176 262 # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note 177 263 # that for things in the beta repo, you'll need 'pear install package-beta'. 264 # (you might get complaints about the php_scripts module; ignore them) 178 265 # - Look at `pecl list` for PECL things. 'yum search', and if you must, 179 266 # 'pecl install' needed items. 180 181 # echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 267 # Automating this... will require a lot of batonning between 268 # the servers. Probably best way to do it is to write an actual 269 # script. 270 271 # Setup some Python config 272 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 182 273 183 274 # Install the credentials. There are a lot of things to remember here: 275 # o This will be different if you're setting up our build/update server. 
184 276 # o You probably installed the machine keytab long ago 277 ls -l /etc/krb5.keytab 185 278 # o Use ktutil to combine the host/scripts.mit.edu and 186 279 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 187 280 # the keytab. Do not use 'k5srvutil change' on the combined keytab 188 # or you'll break the other servers. 281 # or you'll break the other servers. (real servers only) 189 282 # o The daemon.scripts keytab 190 # o The SSL cert private key 191 # o The LDAP password for the signup process 192 # o The SQL password for the signup process 193 # o The LDAP keytab for this server, which will be used later 194 # o Replace the ssh host keys with the ones common to all scripts servers 195 # o You'll install an LDAP certificate signed by the scripts CA later 283 ls -l /etc/daemon.keytab 284 # o The SSL cert private key (real servers only) 285 # o The LDAP password for the signup process (real servers only) 286 # o The SQL password for the signup process (real servers only) 287 # o The LDAP keytab for this server, which will be used later (real servers only) 288 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only) 289 # o You'll install an LDAP certificate signed by the scripts CA later (real servers only) 196 290 # o Make sure root's .k5login is correct 197 # o Make sure logview's .k5login is correct 291 cat /root/.k5login 292 # o Make sure logview's .k5login is correct (real servers only) 198 293 199 294 # If you are setting up a test server, pay attention to 200 295 # /etc/sysconfig/network-scripts and do not bind scripts' IP address. 201 # You will also need to modify /etc/ldap.conf, /etc/nss-ldapd.conf, 202 # /etc/openldap/ldap.conf, and /etc/httpd/conf.d/vhost_ldap.conf to 203 # use scripts.mit.edu instead of localhost. 
296 # You will also need to modify: 297 # o /etc/ldap.conf 298 # add: host scripts.mit.edu 299 # o /etc/nss-ldapd.conf 300 # replace: uri ***** 301 # with: uri ldap://scripts.mit.edu/ 302 # o /etc/openldap/ldap.conf 303 # add: URI ldap://scripts.mit.edu/ 304 # BASE dc=scripts,dc=mit,dc=edu 305 # o /etc/httpd/conf.d/vhost_ldap.conf 306 # replace: VhostLDAPUrl **** 307 # with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" 308 # to use scripts.mit.edu instead of localhost. 309 # XXX: someone should write sed scripts to do this 310 311 # If you are setting up a test server, afsagent's cronjob will attempt 312 # to be renewing with the wrong credentials (daemon.scripts). Change this: 313 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 204 314 205 315 # Install fedora-ds-base and set up replication (see ./HOWTO-SETUP-LDAP … … 209 319 # boot. Run chkconfig to make sure the set of services to be run is 210 320 # correct. 211 212 # cd /etc/postfix; postmap virtual 213 # Otherwise postfix will appear to work, but actually not deliver mail 321 chkconfig dirsrv on 322 chkconfig nslcd on 323 chkconfig nscd on 324 chkconfig postfix on 325 chkconfig httpd on 326 327 # Postfix doesn't actually deliver mail; fix this 328 cd /etc/postfix 329 postmap virtual 214 330 215 331 # Run fmtutil-sys --all, which does something that makes TeX work. 
332 fmtutil-sys --all 333 # ezyang: I got errors on xetex 216 334 217 335 # Ensure that PHP isn't broken: 218 # # mkdir /tmp/sessions 219 # # chmod 01777 /tmp/sessions 336 mkdir /tmp/sessions 337 chmod 01777 /tmp/sessions 338 339 # Ensure that fcgid isn't broken: 340 chmod 755 /var/run/httpd 341 # ezyang: The below didn't exist for me 342 chmod 755 /var/run/httpd/mod_fcgid 343 chmod 755 /var/run/mod_fcgid 344 345 # Fix etc by making sure none of our config files got overwritten 346 cd /etc 347 svn status | grep M 348 # ezyang: I had to revert krb5.conf, nsswitch.conf and sysconfig/openafs 220 349 221 350 # Reboot the machine to restore a consistent state, in case you 222 351 # changed anything. 352 # ezyang: When I rebooted, the following things happened: 353 # o Starting kdump failed (this is ok) 354 # o postfix mailbombed us 355 # o firstboot configuration screen popped up (ignored; manually will do 356 # chkconfig after the fact) 223 357 224 358 # (Optional) Beat your head against a wall. … … 226 360 # Possibly perform other steps that I've neglected to put in this 227 361 # document. 362 # o In the first install of not-backward, ThisCell got clobbered, resulting 363 # in trying to get tickets from openafs.org. Not sure when it got 364 # clobbered -- ezyang 365 # o For some reason, syslog-ng wasn't turning on automatically, so we weren't 366 # getting spew 367 368 # Some info about changing hostnames: it appears to be in: 369 # o /etc/sysconfig/network 370 # o your lvm thingies; probably don't need to edit