Changeset 1259 for trunk/server/doc


Ignore:
Timestamp:
Jul 9, 2009, 3:48:21 PM (13 years ago)
Author:
mitchb
Message:
Reintegrate branches/fc11-dev (r1121:1258) to trunk
Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk

  • trunk/server/doc/install-howto.sh

    r1237 r1259  
    88
    99boot=${1:$(cat /scripts-boot-count)}
     10
     11# XXX: let 'branch' be the current svn branch you are on
    1012
    1113doreboot() {
     
    5355
    5456    cd /srv
    55     svn co svn://$source_server/trunk repository
     57    svn co svn://$source_server/$branch repository
    5658
    5759    sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
     
    6769# Run "make install-deps" to install various prereqs.  Nonstandard
    6870# deps are in /mit/scripts/rpm.
     71    YUM install -y make
    6972    make install-deps
    7073
     
    7477# Check out the scripts /etc configuration
    7578    cd /root
    76     svn co svn://scripts.mit.edu/trunk/server/fedora/config/etc etc
     79    svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc
     80    # backslash to make us not use the alias
    7781    \cp -a etc /
    7882
     83# NOTE: You will have just lost DNS resolution and the abilit
     84# to do password SSH in
     85
     86    service named start
     87    chkconfig named on
     88
     89# XXX: This sometimes doesn't exist, but it really sucks if it
     90# does exist. So check for it.
    7991# yum remove nss_ldap, because nss-ldapd conflicts with it
     92
     93# In the case of the Kerberos libraries, you'll be told that
     94# there are conflicting files with the 64-bit versions of the packages,
     95# which we scriptsify.  You'll have to use --force to install those
     96# rpms despite the conflicts.  After doing that, you may want to
     97# install the corresponding 64-bit scriptsified versions again, just
     98# to be safe in case the 32-bit versions overwrite files that differ.
     99# When you try this, it will complain that you already have the same
     100# version installed; again, you'll need to use --force to do it anyway.
     101
     102# We need yumdownloader to force some RPMs
     103    # XXX: This might be wrong. Sanity check what packages ou
     104    # have when done
     105    YUM install -y yum-utils
     106    yumdownloader krb5-libs
     107    # XXX: These version numbers are hardcoded, need some cli-fu to generalize
     108    rpm -i krb5-libs-*.i586.rpm
     109    rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
    80110
    81111# env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
    82112    YUM install -y scripts-base
    83113
    84 # Rebuild mit-zephyr on a 32-bit machine, like the one at Joe's home.
     114# Install mit-zephyr
     115    YUM install -y mit-zephyr
    85116
    86117# Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up
    87118# anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way
    88 # that makes it hang forever.
    89 
    90 # Install and configure bind
    91 # - env NSS_NONLOCAL_IGNORE=1 yum install bind
    92 # - chkconfig named on
    93 # - service named start
     119# that makes it hang forever. (This is why we're using YUM, not yum)
    94120
    95121# Reload the iptables config to take down the restrictive firewall
    96 # service iptables restart
     122    service iptables restart
    97123
    98124# Copy over root's dotfiles from one of the other machines.
     125# Perhaps a useful change is to remove the default aliases
     126    # On 2009-07-01, the dotfiles to transfer where:
     127    #   .bashrc .ldapvirc .screenrc .ssh (<- directory) .vimrc
     128    # Trying to scp from server to server won't work, as scp
     129    # will attempt to negotiate a server-to-server connection.
     130    # Instead, scp to your trusted machine as a temporary file,
     131    # and then push to the other server
    99132
    100133# Replace rsyslog with syslog-ng by doing:
    101 # # rpm -e --nodeps rsyslog
    102 # # yum install syslog-ng
    103 
    104 # Install various dependencies of the scripts system, including syslog-ng,
    105 # glibc-devel.i586, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all.
     134    rpm -e --nodeps rsyslog
     135    YUM install -y syslog-ng
     136    chkconfig syslog-ng on
     137
     138# Install various dependencies of the scripts system, including
     139# glibc-devel.i586 (ezyang: already installed for me),
     140# python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all.
     141    YUM install -y mod_fcgid
     142    YUM install -y nrpe
     143    YUM install -y nagios-plugins-all
    106144
    107145# Disable NetworkManager with chkconfig NetworkManager off. Configure
     
    109147# traffic over the back end. Make sure that chkconfig reports "network" on, so
    110148# that the network will still be configured at next boot.
     149# ezyang: For me, NetworkManager was not installed at this point, and
     150# we had already done the basic config for networking front end and
     151# back end (because I wanted ssh access, and not just conserver access)
    111152
    112153# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
     
    114155#       /afs:/usr/vice/cache:10000000
    115156# Also fix ThisCell to contain athena.mit.edu in both directories
     157    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
     158    # ezyang: ThisCell on b-k and c-w don't have anything special
     159    # written here
    116160
    117161# Figure out why Zephyr isn't working. Most recently, it was because there
    118162# was a 64-bit RPM installed; remove it and install Joe's 32-bit one
     163    YUM erase -y mit-zephyr
     164    # mit-zephyr has a spurious dependency on mit-krb-config
     165    yumdownloader mit-zephyr.i386
     166    # if deps change, this breaks
     167    YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i58
     168    rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
    119169
    120170# Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
     
    125175# install the rest of the things it really does depend on.  This will
    126176# include a bunch of 32-bit rpms; go ahead and install the .i586 versions
    127 # of them.  In the case of the Kerberos libraries, you'll be told that
    128 # there are conflicting files with the 64-bit versions of the packages,
    129 # which we scriptsify.  You'll have to use --force to install those
    130 # rpms despite the conflicts.  After doing that, you may want to
    131 # install the corresponding 64-bit scriptsified versions again, just
    132 # to be safe in case the 32-bit versions overwrite files that differ.
    133 # When you try this, it will complain that you already have the same
    134 # version installed; again, you'll need to use --force to do it anyway.
    135 # Yuck.
     177# of them.
     178    YUM install -y athena-base
     179    YUM install -y athena-lprng
     180    yumdownloader athena-lprng-misc
     181    # ezyang: I couldn't find any deps for this that existed in the repos
     182    # You might get a "find: `/usr/athena/info': No such file or directory"
     183    # error; this is fine
     184    rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm
    136185
    137186# Install the full list of RPMs that users expect to be on the
    138 # scripts.mit.edu servers.  See server/doc/rpm and
    139 # server/doc/rpm_snapshot.  (Note that this is only a snapshot, and not
    140 # all packages may in fact be in use.)
     187# scripts.mit.edu servers.
     188
     189# ezyang: Running the below I got file conflicts. To fix (since I had
     190# botched steps above), I manually compared package lists and installed
     191# them.  If you've done the krb5 setup originally correctly, then
     192# write down what you had to do here.
     193    yumdownloader krb5-devel
     194    rpm -i --force krb5-devel-*.i586.rpm
     195    rpm -U --force krb5-devel-*.scripts.1138.x86_64.rpm
     196    yumdownloader krb5-server
     197    rpm -i --force krb5-server-*.scripts.1138.x86_64.rpm
     198
     199
     200# on another server, run:
     201rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
     202# arrange for packages.txt to be passed to the server, then run:
     203    # notice that yum is not capitalized
     204    # Also notice skip-broken
     205    cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken
    141206
    142207# Check which packages are installed on your new server that are not
     
    144209# on the new machine.  Otherwise, aside from bloat, you may end up
    145210# with undesirable things for security, like sendmail.
     211    rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt
     212    diff -u packages.txt newpackages.txt  | less
     213    # if all went well, you'll probably see multiple kernel versions
     214    # as the only diff
     215    # ezyang: I got exim installed as another package
    146216
    147217# Check out the scripts /usr/vice/etc configuration
     
    164234# Then on the server you're installing,
    165235#    cat perl-packages.txt | perl -MCPAN -e shell
     236    export PERL_MM_USE_DEFAULT=1
     237    # XXX: Some interactive gobbeldygook
     238    cpan
     239        o conf prerequisites_policy follow
     240        o conf commit
     241# on a reference server
     242perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
     243# arrange for perl-packages.txt to be transferred to server
     244    cat perl-packages.txt | perl -MCPAN -e shell
    166245
    167246# Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
    168247# the other scripts.mit.edu servers and do not have RPMs.
     248# The general mode of operation will be to run the "list" command
     249# on both servers, see what the differences are, check if those diffs
     250# are packaged up as rpms, and install them (rpm if possible, native otherwise)
    169251# - Look at /usr/lib/python2.6/site-packages and
    170252#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
     253#   There will be a lot of gunk that was installed from packages;
     254#   easy-install.pth will tell you what was easy_installed.
    171255#   First use 'yum search' to see if the relevant package is now available
    172256#   as an RPM, and install that if it is.  If not, then use easy_install.
    173257# - Look at `gem list` for Ruby gems.
    174258#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
     259#       ezyang: rspec-rails depends on rspec, and will override the Yum
     260#       package, so... don't use that RPM yet
    175261# - Look at `pear list` for Pear fruits (or whatever they're called).
    176262#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
    177263#   that for things in the beta repo, you'll need 'pear install package-beta'.
     264#   (you might get complaints about the php_scripts module; ignore them)
    178265# - Look at `pecl list` for PECL things.  'yum search', and if you must,
    179266#   'pecl install' needed items.
    180 
    181 # echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
     267    # Automating this... will require a lot of batonning between
     268    # the servers. Probably best way to do it is to write an actual
     269    # script.
     270
     271# Setup some Python config
     272    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
    182273
    183274# Install the credentials.  There are a lot of things to remember here:
     275#   o This will be different if you're setting up our build/update server.
    184276#   o You probably installed the machine keytab long ago
     277    ls -l /etc/krb5.keytab
    185278#   o Use ktutil to combine the host/scripts.mit.edu and
    186279#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
    187280#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
    188 #     or you'll break the other servers.
     281#     or you'll break the other servers. (real servers only)
    189282#   o The daemon.scripts keytab
    190 #   o The SSL cert private key
    191 #   o The LDAP password for the signup process
    192 #   o The SQL password for the signup process
    193 #   o The LDAP keytab for this server, which will be used later
    194 #   o Replace the ssh host keys with the ones common to all scripts servers
    195 #   o You'll install an LDAP certificate signed by the scripts CA later
     283    ls -l /etc/daemon.keytab
     284#   o The SSL cert private key (real servers only)
     285#   o The LDAP password for the signup process (real servers only)
     286#   o The SQL password for the signup process (real servers only)
     287#   o The LDAP keytab for this server, which will be used later (real servers only)
     288#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
     289#   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
    196290#   o Make sure root's .k5login is correct
    197 #   o Make sure logview's .k5login is correct
     291    cat /root/.k5login
     292#   o Make sure logview's .k5login is correct (real servers only)
    198293
    199294# If you are setting up a test server, pay attention to
    200295# /etc/sysconfig/network-scripts and do not bind scripts' IP address.
    201 # You will also need to modify /etc/ldap.conf, /etc/nss-ldapd.conf,
    202 # /etc/openldap/ldap.conf, and /etc/httpd/conf.d/vhost_ldap.conf to
    203 # use scripts.mit.edu instead of localhost.
     296# You will also need to modify:
     297#   o /etc/ldap.conf
     298#       add: host scripts.mit.edu
     299#   o /etc/nss-ldapd.conf
     300#       replace: uri *****
     301#       with: uri ldap://scripts.mit.edu/
     302#   o /etc/openldap/ldap.conf
     303#       add: URI ldap://scripts.mit.edu/
     304#            BASE dc=scripts,dc=mit,dc=edu
     305#   o /etc/httpd/conf.d/vhost_ldap.conf
     306#       replace: VhostLDAPUrl ****
     307#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
     308# to use scripts.mit.edu instead of localhost.
     309# XXX: someone should write sed scripts to do this
     310
     311# If you are setting up a test server, afsagent's cronjob will attempt
     312# to be renewing with the wrong credentials (daemon.scripts). Change this:
     313    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    204314
    205315# Install fedora-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
     
    209319# boot. Run chkconfig to make sure the set of services to be run is
    210320# correct.
    211 
    212 # cd /etc/postfix; postmap virtual
    213 # Otherwise postfix will appear to work, but actually not deliver mail
     321    chkconfig dirsrv on
     322    chkconfig nslcd on
     323    chkconfig nscd on
     324    chkconfig postfix on
     325    chkconfig httpd on
     326
     327# Postfix doesn't actually deliver mail; fix this
     328    cd /etc/postfix
     329    postmap virtual
    214330
    215331# Run fmtutil-sys --all, which does something that makes TeX work.
     332    fmtutil-sys --all
     333    # ezyang: I got errors on xetex
    216334
    217335# Ensure that PHP isn't broken:
    218 # # mkdir /tmp/sessions
    219 # # chmod 01777 /tmp/sessions
     336    mkdir /tmp/sessions
     337    chmod 01777 /tmp/sessions
     338
     339# Ensure that fcgid isn't broken:
     340    chmod 755 /var/run/httpd
     341    # ezyang: The below didn't exist for me
     342    chmod 755 /var/run/httpd/mod_fcgid
     343    chmod 755 /var/run/mod_fcgid
     344
     345# Fix etc by making sure none of our config files got overwritten
     346    cd /etc
     347    svn status | grep M
     348    # ezyang: I had to revert krb5.conf, nsswitch.conf and sysconfig/openafs
    220349
    221350# Reboot the machine to restore a consistent state, in case you
    222351# changed anything.
     352    # ezyang: When I rebooted, the following things happened:
     353    #   o Starting kdump failed (this is ok)
     354    #   o postfix mailbombed us
     355    #   o firstboot configuration screen popped up (ignored; manually will do
     356    #     chkconfig after the fact)
    223357
    224358# (Optional) Beat your head against a wall.
     
    226360# Possibly perform other steps that I've neglected to put in this
    227361# document.
     362#   o In the first install of not-backward, ThisCell got clobbered, resulting
     363#     in trying to get tickets from openafs.org. Not sure when it got
     364#     clobbered -- ezyang
     365#   o For some reason, syslog-ng wasn't turning on automatically, so we weren't
     366#     getting spew
     367
     368# Some info about changing hostnames: it appears to be in:
     369#   o /etc/sysconfig/network
     370#   o your lvm thingies; probably don't need to edit
Note: See TracChangeset for help on using the changeset viewer.