Changeset 1661
- Timestamp:
- Sep 18, 2010, 11:33:08 PM (14 years ago)
- Location:
- branches/fc13-dev/server/doc
- Files:
-
- 2 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
branches/fc13-dev/server/doc/install-howto.sh
r1645 r1661 3 3 set -e -x 4 4 5 # Some commands should be run as the scripts-build user, not root. 6 7 alias asbuild="sudo -u scripts-build" 8 9 # Old versions of this install document advised setting 10 # NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using 11 # yum, warning that useradd will query LDAP in a stupid way that makes 12 # it hang forever. As of Fedora 13, this does not seem to be a problem, 13 # so it's been removed from the instructions. If an install is hanging, 14 # though, try adding NSS_NONLOCAL_IGNORE. 15 5 16 [ -e /scripts-boot-count ] || echo 0 > /scripts-boot-count 6 17 7 # This is actually just "pick an active scripts server" 18 # This is actually just "pick an active scripts server". It can't be 19 # scripts.mit.edu because our networking config points that domain 20 # at localhost, and if our server is not setup at that point things 21 # will break. 8 22 source_server="cats-whiskers.mit.edu" 9 23 … … 19 33 } 20 34 21 YUM() {22 NSS_NONLOCAL_IGNORE=1 yum "$@"23 }24 25 35 # Helper files for the install are located in server/fedora/config. 26 36 27 # Start with a normal install of Fedora.37 # Start with a minimal install of Fedora. 28 38 29 39 # Take updates 30 YUMupdate40 yum update 31 41 32 42 if [ $boot = 0 ]; then 33 # When the initial configuration screen comes up, under "Firewall 34 # configuration", disable the firewall, and under "System services", leave 35 # enabled (as of Fedora 9) acpid, anacron, atd, cpuspeed, crond, 36 # firstboot, fuse, haldaemon, ip6tables, iptables, irqbalance, 37 # kerneloops, mdmonitor, messagebus, microcode_ctl, netfs, network, nscd, ntpd, 38 # sshd, udev-post, and nothing else. 39 40 # If you did a minimal install, these won't be installed, so you'll 41 # need to do this step later in the process. 42 echo "--disabled" > /etc/sysconfig/system-config-firewall 43 for i in NetworkManager avahi-daemon bluetooth cups isdn nfslock nfs pcscd restorecond rpcbind rpcgssd rpcidmapd sendmail; do 44 chkconfig "$i" off 45 done 43 44 echo "--disabled" > /etc/sysconfig/system-config-firewall 46 45 47 46 # Turn on network, so we can connect at boot … … 64 63 # credentials. 65 64 66 YUMinstall -y subversion65 yum install -y subversion 67 66 68 67 cd /srv … … 74 73 svn co svn://$source_server/$branch repository 75 74 76 # XXX These sed scripts don't work 77 sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config 78 sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config 79 # The same tweaks should be made on /home/scripts-build/.subversion/config 80 # once it exists (do something with svn as scripts-build) 75 sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /root/.subversion/config 76 sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config 81 77 82 78 chown -R scripts-build /srv/repository 79 80 asbuild svn up # generate the config file 81 asbuild sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /home/scripts-build/.subversion/config 82 asbuild sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /home/scripts-build/.subversion/config 83 83 84 84 # cd to server/fedora in the svn repository. … … 87 87 # Run "make install-deps" to install various prereqs. Nonstandard 88 88 # deps are in /mit/scripts/rpm. 89 YUMinstall -y make89 yum install -y make 90 90 make install-deps 91 91 # You should pay close attention to the output of this command, and 92 # note if packages you think should exist don't exist anymore. In 93 # particular, if Fedora changes an architecture designation those 94 # won't work. 92 # note if packages you think should exist don't exist anymore. 95 93 96 94 # Get some packages necessary for OpenAFS 97 YUM install -y redhat-lsb 98 YUM install -y autofs 95 yum install -y redhat-lsb 96 yum install -y autofs 97 98 # Copy over root's dotfiles from one of the other machines. 99 # Perhaps a useful change is to remove the default aliases 100 cd /root 101 ls -l .bashrc 102 ls -l .ldapvirc 103 ls -l .screenrc 104 ls -l .ssh 105 ls -l .vimrc 106 # Trying to scp from server to server won't work, as scp 107 # will attempt to negotiate a server-to-server connection. 108 # Instead, scp to your trusted machine as a temporary file, 109 # and then push to the other server 99 110 100 111 # Add scripts-build to the group 'mock' … … 102 113 103 114 # Install bind 104 YUMinstall -y bind115 yum install -y bind 105 116 106 117 # Check out the scripts /etc configuration 107 118 cd /root 108 svn co svn:// scripts.mit.edu/$branch/server/fedora/config/etc etc119 svn co svn://$source_server/$branch/server/fedora/config/etc etc 109 120 # backslash to make us not use the alias 110 121 \cp -a etc / … … 128 139 # information. 129 140 130 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base 131 YUM install -y scripts-base 132 133 # Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up 134 # anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way 135 # that makes it hang forever. (This is why we're using YUM, not yum) 141 yum install -y scripts-base 136 142 137 143 # Reload the iptables config to take down the restrictive firewall 138 144 service iptables restart 139 145 140 # Copy over root's dotfiles from one of the other machines. 141 # Perhaps a useful change is to remove the default aliases 142 # On 2009-07-01, the dotfiles to transfer where: 143 # .bashrc .ldapvirc (<- HAS PRIVILEDGED DATA) 144 # .screenrc .ssh (<- directory) .vimrc 145 # Trying to scp from server to server won't work, as scp 146 # will attempt to negotiate a server-to-server connection. 147 # Instead, scp to your trusted machine as a temporary file, 148 # and then push to the other server 149 # You'll need some way to authenticate to the server, and since 150 # password logins are disabled, you'll need some way of 151 # temporarily giving yourself credentials. On a test server, 152 # reenabling password authentication is ok: frob /etc/pam.d/sshd 153 # and reverse apply r1068. 146 # Check that fs sysname is correct. You should see, among others, 147 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 148 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 149 fs sysname 154 150 155 151 # Replace rsyslog with syslog-ng by doing: 156 152 rpm -e --nodeps rsyslog 157 YUMinstall -y syslog-ng153 yum install -y syslog-ng 158 154 chkconfig syslog-ng on 159 155 … … 161 157 # glibc-devel.i586 (ezyang: already installed for me), 162 158 # python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all. 163 YUM install -y mod_fcgid 164 YUM install -y nrpe 165 YUM install -y nagios-plugins-all 166 YUM install -y fprintd-pam 167 168 # Disable NetworkManager with chkconfig NetworkManager off. Configure 169 # networking on the front end and back end, and the routing table to send 170 # traffic over the back end. Make sure that chkconfig reports "network" on, so 171 # that the network will still be configured at next boot. 172 # ezyang: For me, NetworkManager was not installed at this point, and 173 # we had already done the basic config for networking front end and 174 # back end (because I wanted ssh access, and not just conserver access) 175 176 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing 177 # /usr/vice/etc/cacheinfo to contain: 178 # /afs:/usr/vice/cache:10000000 179 # Also fix ThisCell to contain athena.mit.edu in both directories 180 # WARNING: if you're installing a test server, this needs to be much 181 # smaller; the max filesize on XVM is 10GB. Pick something like 182 # 500000 159 yum install -y mod_fcgid 160 yum install -y nrpe 161 yum install -y nagios-plugins-all 162 yum install -y fprintd-pam 163 164 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping. 183 165 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 184 # ezyang: ThisCell on b-k and c-w don't have anything special 185 # written here 186 # If you're making a test server, some of the AFS parameters are 187 # kind of retarded (and if you're low on disk space, will actually 188 # exhaust our inodes). 189 # Edit the parameters in /etc/sysconfig/openafs 166 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 167 168 # [TEST SERVER] If you're installing a test server, this needs to be 169 # much smaller; the max filesize on XVM is 10GB. Pick something like 170 # 500000. Also, some of the AFS parameters are kind of retarded (and if 171 # you're low on disk space, will actually exhaust our inodes). Edit 172 # these parameters in /etc/sysconfig/openafs 190 173 191 174 # Test that zephyr is working … … 194 177 echo 'Test!' | zwrite -d -c scripts -i test 195 178 196 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs197 # from the Athena 9 build (these are present in our yum repo). Note198 # that you will have to use --nodeps for at least one of the lprng199 # ones because it thinks it needs the Athena hesiod RPM. It doesn't200 # really. Before doing this, run it without --nodeps and arrange to201 # install the rest of the things it really does depend on. This will202 # include a bunch of 32-bit rpms; go ahead and install the .i586 versions203 # of them.204 YUM install -y athena-base205 YUM install -y athena-lprng206 yumdownloader athena-lprng-misc207 # ezyang: I couldn't find any deps for this that existed in the repos208 # You might get a "find: `/usr/athena/info': No such file or directory"209 # error; this is fine210 rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm211 212 179 # Install the full list of RPMs that users expect to be on the 213 180 # scripts.mit.edu servers. 214 215 # on another server, run:216 181 rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt 217 182 # arrange for packages.txt to be passed to the server, then run: 218 # notice that yum is not capitalized 219 # Also notice skip-broken 220 cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken 183 # --skip-broken will (usually) prevent you from having to sit through 184 # several minutes of dependency resolution until it decides that 185 # it can't install /one/ package. 186 cat packages.txt | xargs yum install -y --skip-broken 221 187 222 188 # Check which packages are installed on your new server that are not … … 224 190 # on the new machine. Otherwise, aside from bloat, you may end up 225 191 # with undesirable things for security, like sendmail. 226 rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt 227 diff -u packages.txt newpackages.txt | less 228 # if all went well, you'll probably see multiple kernel versions 229 # as the only diff 230 # ezyang: I got exim installed as another package 192 rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt 193 diff -u packages.txt newpackages.txt | grep -v kernel | less 231 194 # here's a cute script that removes all extra packages 232 diff -u packages.txt newpackages.txt | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y 195 diff -u packages.txt newpackages.txt | grep -v kernel | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y 196 197 # We need an upstream version of cgi which we've packaged ourselves, but 198 # it doesn't work with the haskell-platform package which expects 199 # explicit versions. So temporarily rpm -e the package, and then 200 # install it again after you install haskell-platform. [Note: You 201 # probably won't need this in Fedora 15 or something, when the Haskell 202 # Platform gets updated.] 203 rpm -e ghc-cgi-devel ghc-cgi 204 yum install haskell-platform 205 yumdownloader ghc-cgi 206 yumdownloader ghc-cgi-devel 207 rpm -i ghc-cgi*.rpm 208 rpm -i ghc-cgi-devel*.rpm 233 209 234 210 # Check out the scripts /usr/vice/etc configuration … … 241 217 # Install the full list of perl modules that users expect to be on the 242 218 # scripts.mit.edu servers. 243 # - export PERL_MM_USE_DEFAULT=1244 # - Run 'cpan', accept the default configuration, and do 'o conf245 # prerequisites_policy follow'.246 # - Parse the output of perldoc -u perllocal | grep head2 on an existing247 # server, and "notest install" them from the cpan prompt.248 # TO DO THIS:249 # On another server, run:250 # perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt251 # Then on the server you're installing,252 # cat perl-packages.txt | perl -MCPAN -e shell253 219 export PERL_MM_USE_DEFAULT=1 254 # XXX: Some interactive gobbeldygook 255 cpan 220 cpan # this is interactive, enter the next two lines 256 221 o conf prerequisites_policy follow 257 222 o conf commit … … 269 234 # /usr/lib64/python2.6/site-packages for Python eggs and modules. 270 235 # There will be a lot of gunk that was installed from packages; 271 # easy-install.pth will tell you what was easy_installed.236 # easy-install.pth in /usr/lib/ will tell you what was easy_installed. 272 237 # First use 'yum search' to see if the relevant package is now available 273 238 # as an RPM, and install that if it is. If not, then use easy_install. … … 312 277 ls -l /etc/signup-ldap-pw 313 278 # o The SQL password for the signup process (real servers only) (you 314 # only need one )279 # only need one, chown as sql user) 315 280 ls -l /usr/local/etc/sql-mit-edu.cfg.php 316 281 ls -l /etc/sql-mit-edu.cfg.php 317 282 # o The whoisd password (real servers only) 283 ls -l /etc/whoisd-password 318 284 # o The LDAP keytab for this server, which will be used later (real 319 285 # servers only). … … 326 292 cat /home/logview/.k5login 327 293 328 # If you are setting up a test server, pay attention to294 # [TEST SERVER] If you are setting up a test server, pay attention to 329 295 # /etc/sysconfig/network-scripts and do not bind scripts' IP address. 330 296 # You will also need to modify: … … 346 312 # XXX: someone should write sed scripts to do this 347 313 348 # If you are setting up a test server, afsagent's cronjob will attempt 349 # to be renewing with the wrong credentials (daemon.scripts). Change this: 314 # [TEST SERVER] If you are setting up a test server, afsagent's cronjob 315 # will attempt to be renewing with the wrong credentials 316 # (daemon.scripts). Change this: 350 317 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 351 318 352 # Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP). 319 # Install 389-ds-base and set up replication (see ./install-ldap). 320 yum install 389-ds-base 321 # [complicated procedure here] 353 322 354 323 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at … … 369 338 370 339 # Run fmtutil-sys --all, which does something that makes TeX work. 340 # (Note: this errors on XeTeX which is ok.) 371 341 fmtutil-sys --all 372 # ezyang: I got errors on xetex373 342 374 343 # Ensure that PHP isn't broken: … … 376 345 chmod 01777 /tmp/sessions 377 346 378 # Ensure fcgid isn't broken 379 chmod 755 /var/run/mod_fcgid # ezyang: I suspect this is no longer necessary347 # Ensure fcgid isn't broken (should be 755) 348 ls -l /var/run/mod_fcgid 380 349 381 350 # Fix etc by making sure none of our config files got overwritten 382 351 cd /etc 383 svn status | grep M 384 # ezyang: I had to revert krb5.conf (not with latest), nsswitch.conf and sysconfig/openafs 352 svn status -q 353 # Some usual candidates for clobbering include nsswitch.conf and 354 # sysconfig/openafs 385 355 386 356 # ThisCell got clobbered, replace it with athena.mit.edu 387 357 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 388 358 359 # Kill unnecessary services. (It's probably good form to look through 360 # `chkconfig | grep on` manually) 361 for i in avahi-daemon isdn nfslock pcscd rpcbind rpcgssd rpcidmapd; do 362 chkconfig "$i" off 363 done 364 389 365 # Reboot the machine to restore a consistent state, in case you 390 # changed anything. 391 # ezyang: When I rebooted, the following things happened: 392 # o Starting kdump failed (this is ok) 393 # o postfix mailbombed us 394 # o firstboot configuration screen popped up (ignored; manually will do 395 # chkconfig after the fact) 396 397 # (Optional) Beat your head against a wall. 398 399 # Possibly perform other steps that I've neglected to put in this 400 # document. 401 # o For some reason, syslog-ng wasn't turning on automatically, so we weren't 402 # getting spew 403 404 # Some info about changing hostnames: it appears to be in: 366 # changed anything. (Note: Starting kdump fails (this is ok)) 367 368 # [OPTIONAL] Your machine's hostname is baked in at install time; 369 # in the rare case you need to change it: it appears to be in: 405 370 # o /etc/sysconfig/network 406 371 # o your lvm thingies; probably don't need to edit 407 372 408 # More stuff for test servers373 # [TEST SERVER] More stuff for test servers 409 374 # - You need a self-signed SSL cert. Generate with: 410 375 openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes … … 417 382 # XXX: our SVN checkout should be updated to use scripts.mit.edu 418 383 # (repository and etc) once serving actually works. 384 cd /etc 385 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 386 cd /usr/vice/etc 387 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 388 cd /srv/repository 389 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 390 asbuild svn up # verify scripts.mit.edu works -
branches/fc13-dev/server/doc/upgrade-tips
r1644 r1661 169 169 version. 170 170 171 5. Extra stuff 171 5. Update fs sysname 172 -------------------- 173 174 Update /etc/sysconfig/openafs with an extra amd64_fedoraX_scripts and 175 amd64_fedoraX sysname. The format should be evident from the existing 176 entries. [XXX There might be other things you want] 177 178 6. Extra stuff 172 179 -------------- 173 180
Note: See TracChangeset
for help on using the changeset viewer.