Changeset 1661


Timestamp:
Sep 18, 2010, 11:33:08 PM (14 years ago)
Author:
ezyang
Message:
Mass documentation update.
Location:
branches/fc13-dev/server/doc
Files:
2 edited
1 moved

  • branches/fc13-dev/server/doc/install-howto.sh

    r1645 r1661  
    33set -e -x
    44
     5# Some commands should be run as the scripts-build user, not root.
     6
     7alias asbuild="sudo -u scripts-build"
     8
     9# Old versions of this install document advised setting
     10# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
     11# yum, warning that useradd will query LDAP in a stupid way that makes
     12# it hang forever.  As of Fedora 13, this does not seem to be a problem,
     13# so it's been removed from the instructions.  If an install is hanging,
     14# though, try adding NSS_NONLOCAL_IGNORE.
     15
    516[ -e /scripts-boot-count ] || echo 0 > /scripts-boot-count
    617
    7 # This is actually just "pick an active scripts server"
     18# This is actually just "pick an active scripts server".  It can't be
     19# scripts.mit.edu because our networking config points that domain
     20# at localhost, and if our server is not setup at that point things
     21# will break.
    822source_server="cats-whiskers.mit.edu"
    923
     
    1933}
    2034
    21 YUM() {
    22     NSS_NONLOCAL_IGNORE=1 yum "$@"
    23 }
    24 
    2535# Helper files for the install are located in server/fedora/config.
    2636
    27 # Start with a normal install of Fedora.
     37# Start with a minimal install of Fedora.
    2838
    2939# Take updates
    30     YUM update
     40    yum update
    3141
    3242if [ $boot = 0 ]; then
    33 # When the initial configuration screen comes up, under "Firewall
    34 # configuration", disable the firewall, and under "System services", leave
    35 # enabled (as of Fedora 9) acpid, anacron, atd, cpuspeed, crond,
    36 # firstboot, fuse, haldaemon, ip6tables, iptables, irqbalance,
    37 # kerneloops, mdmonitor, messagebus, microcode_ctl, netfs, network, nscd, ntpd,
    38 # sshd, udev-post, and nothing else.
    39 
    40 # If you did a minimal install, these won't be installed, so you'll
    41 # need to do this step later in the process.
    42     echo "--disabled" > /etc/sysconfig/system-config-firewall
    43     for i in NetworkManager avahi-daemon bluetooth cups isdn nfslock nfs pcscd restorecond rpcbind rpcgssd rpcidmapd sendmail; do
    44         chkconfig "$i" off
    45     done
     43
     44echo "--disabled" > /etc/sysconfig/system-config-firewall
    4645
    4746# Turn on network, so we can connect at boot
     
    6463# credentials.
    6564
    66     YUM install -y subversion
     65    yum install -y subversion
    6766
    6867    cd /srv
     
    7473    svn co svn://$source_server/$branch repository
    7574
    76     # XXX These sed scripts don't work
    77     sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
    78     sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
    79 # The same tweaks should be made on /home/scripts-build/.subversion/config
    80 # once it exists (do something with svn as scripts-build)
     75    sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /root/.subversion/config
     76    sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
    8177
    8278    chown -R scripts-build /srv/repository
     79
     80    asbuild svn up # generate the config file
     81    asbuild sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /home/scripts-build/.subversion/config
     82    asbuild sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /home/scripts-build/.subversion/config
    8383
    8484# cd to server/fedora in the svn repository.
     
    8787# Run "make install-deps" to install various prereqs.  Nonstandard
    8888# deps are in /mit/scripts/rpm.
    89     YUM install -y make
     89    yum install -y make
    9090    make install-deps
    9191    # You should pay close attention to the output of this command, and
    92     # note if packages you think should exist don't exist anymore.  In
    93     # particular, if Fedora changes an architecture designation those
    94     # won't work.
     92    # note if packages you think should exist don't exist anymore.
    9593
    9694# Get some packages necessary for OpenAFS
    97     YUM install -y redhat-lsb
    98     YUM install -y autofs
     95    yum install -y redhat-lsb
     96    yum install -y autofs
     97
     98# Copy over root's dotfiles from one of the other machines.
     99# Perhaps a useful change is to remove the default aliases
     100    cd /root
     101    ls -l .bashrc
     102    ls -l .ldapvirc
     103    ls -l .screenrc
     104    ls -l .ssh
     105    ls -l .vimrc
     106    # Trying to scp from server to server won't work, as scp
     107    # will attempt to negotiate a server-to-server connection.
     108    # Instead, scp to your trusted machine as a temporary file,
     109    # and then push to the other server
    99110
    100111# Add scripts-build to the group 'mock'
     
    102113
    103114# Install bind
    104     YUM install -y bind
     115    yum install -y bind
    105116
    106117# Check out the scripts /etc configuration
    107118    cd /root
    108     svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc
     119    svn co svn://$source_server/$branch/server/fedora/config/etc etc
    109120    # backslash to make us not use the alias
    110121    \cp -a etc /
     
    128139# information.
    129140
    130 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
    131     YUM install -y scripts-base
    132 
    133 # Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up
    134 # anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way
    135 # that makes it hang forever. (This is why we're using YUM, not yum)
     141    yum install -y scripts-base
    136142
    137143# Reload the iptables config to take down the restrictive firewall
    138144    service iptables restart
    139145
    140 # Copy over root's dotfiles from one of the other machines.
    141 # Perhaps a useful change is to remove the default aliases
    142     # On 2009-07-01, the dotfiles to transfer where:
    143     #   .bashrc .ldapvirc (<- HAS PRIVILEDGED DATA)
    144     #   .screenrc .ssh (<- directory) .vimrc
    145     # Trying to scp from server to server won't work, as scp
    146     # will attempt to negotiate a server-to-server connection.
    147     # Instead, scp to your trusted machine as a temporary file,
    148     # and then push to the other server
    149     # You'll need some way to authenticate to the server, and since
    150     # password logins are disabled, you'll need some way of
    151     # temporarily giving yourself credentials.  On a test server,
    152     # reenabling password authentication is ok: frob /etc/pam.d/sshd
    153     # and reverse apply r1068.
     146# Check that fs sysname is correct.  You should see, among others,
     147# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
     148# probably did a distro upgrade and should update /etc/sysconfig/openafs.
     149    fs sysname
    154150
    155151# Replace rsyslog with syslog-ng by doing:
    156152    rpm -e --nodeps rsyslog
    157     YUM install -y syslog-ng
     153    yum install -y syslog-ng
    158154    chkconfig syslog-ng on
    159155
     
    161157# glibc-devel.i586 (ezyang: already installed for me),
    162158# python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all.
    163     YUM install -y mod_fcgid
    164     YUM install -y nrpe
    165     YUM install -y nagios-plugins-all
    166     YUM install -y fprintd-pam
    167 
    168 # Disable NetworkManager with chkconfig NetworkManager off. Configure
    169 # networking on the front end and back end, and the routing table to send
    170 # traffic over the back end. Make sure that chkconfig reports "network" on, so
    171 # that the network will still be configured at next boot.
    172 # ezyang: For me, NetworkManager was not installed at this point, and
    173 # we had already done the basic config for networking front end and
    174 # back end (because I wanted ssh access, and not just conserver access)
    175 
    176 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
    177 #  /usr/vice/etc/cacheinfo to contain:
    178 #       /afs:/usr/vice/cache:10000000
    179 # Also fix ThisCell to contain athena.mit.edu in both directories
    180 # WARNING: if you're installing a test server, this needs to be much
    181 # smaller; the max filesize on XVM is 10GB.  Pick something like
    182 # 500000
     159    yum install -y mod_fcgid
     160    yum install -y nrpe
     161    yum install -y nagios-plugins-all
     162    yum install -y fprintd-pam
     163
     164# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
    183165    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
    184     # ezyang: ThisCell on b-k and c-w don't have anything special
    185     # written here
    186 # If you're making a test server, some of the AFS parameters are
    187 # kind of retarded (and if you're low on disk space, will actually
    188 # exhaust our inodes).
    189 # Edit the parameters in /etc/sysconfig/openafs
     166    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
     167
     168# [TEST SERVER] If you're installing a test server, this needs to be
     169# much smaller; the max filesize on XVM is 10GB.  Pick something like
     170# 500000. Also, some of the AFS parameters are kind of retarded (and if
     171# you're low on disk space, will actually exhaust our inodes).  Edit
     172# these parameters in /etc/sysconfig/openafs
    190173
    191174# Test that zephyr is working
     
    194177    echo 'Test!' | zwrite -d -c scripts -i test
    195178
    196 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
    197 # from the Athena 9 build (these are present in our yum repo).  Note
    198 # that you will have to use --nodeps for at least one of the lprng
    199 # ones because it thinks it needs the Athena hesiod RPM.  It doesn't
    200 # really.  Before doing this, run it without --nodeps and arrange to
    201 # install the rest of the things it really does depend on.  This will
    202 # include a bunch of 32-bit rpms; go ahead and install the .i586 versions
    203 # of them.
    204     YUM install -y athena-base
    205     YUM install -y athena-lprng
    206     yumdownloader athena-lprng-misc
    207     # ezyang: I couldn't find any deps for this that existed in the repos
    208     # You might get a "find: `/usr/athena/info': No such file or directory"
    209     # error; this is fine
    210     rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm
    211 
    212179# Install the full list of RPMs that users expect to be on the
    213180# scripts.mit.edu servers.
    214 
    215 # on another server, run:
    216181rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
    217182# arrange for packages.txt to be passed to the server, then run:
    218     # notice that yum is not capitalized
    219     # Also notice skip-broken
    220     cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken
     183# --skip-broken will (usually) prevent you from having to sit through
     184# several minutes of dependency resolution until it decides that
     185# it can't install /one/ package.
     186    cat packages.txt | xargs yum install -y --skip-broken
    221187
    222188# Check which packages are installed on your new server that are not
     
    224190# on the new machine.  Otherwise, aside from bloat, you may end up
    225191# with undesirable things for security, like sendmail.
    226     rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt
    227     diff -u packages.txt newpackages.txt  | less
    228     # if all went well, you'll probably see multiple kernel versions
    229     # as the only diff
    230     # ezyang: I got exim installed as another package
     192    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
     193    diff -u packages.txt newpackages.txt | grep -v kernel | less
    231194    # here's a cute script that removes all extra packages
    232     diff -u packages.txt newpackages.txt  | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y
     195    diff -u packages.txt newpackages.txt | grep -v kernel | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y
     196
     197# We need an upstream version of cgi which we've packaged ourselves, but
     198# it doesn't work with the haskell-platform package which expects
     199# explicit versions.  So temporarily rpm -e the package, and then
     200# install it again after you install haskell-platform.  [Note: You
     201# probably won't need this in Fedora 15 or something, when the Haskell
     202# Platform gets updated.]
     203    rpm -e ghc-cgi-devel ghc-cgi
     204    yum install haskell-platform
     205    yumdownloader ghc-cgi
     206    yumdownloader ghc-cgi-devel
     207    rpm -i ghc-cgi*.rpm
     208    rpm -i ghc-cgi-devel*.rpm
    233209
    234210# Check out the scripts /usr/vice/etc configuration
     
    241217# Install the full list of perl modules that users expect to be on the
    242218# scripts.mit.edu servers.
    243 # - export PERL_MM_USE_DEFAULT=1
    244 # - Run 'cpan', accept the default configuration, and do 'o conf
    245 #   prerequisites_policy follow'.
    246 # - Parse the output of perldoc -u perllocal | grep head2 on an existing
    247 #   server, and "notest install" them from the cpan prompt.
    248 # TO DO THIS:
    249 # On another server, run:
    250 # perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt
    251 # Then on the server you're installing,
    252 #    cat perl-packages.txt | perl -MCPAN -e shell
    253219    export PERL_MM_USE_DEFAULT=1
    254     # XXX: Some interactive gobbeldygook
    255     cpan
     220    cpan # this is interactive, enter the next two lines
    256221        o conf prerequisites_policy follow
    257222        o conf commit
     
    269234#           /usr/lib64/python2.6/site-packages for Python eggs and modules.
    270235#   There will be a lot of gunk that was installed from packages;
    271 #   easy-install.pth will tell you what was easy_installed.
     236#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
    272237#   First use 'yum search' to see if the relevant package is now available
    273238#   as an RPM, and install that if it is.  If not, then use easy_install.
     
    312277    ls -l /etc/signup-ldap-pw
    313278#   o The SQL password for the signup process (real servers only) (you
    314 #     only need one)
     279#     only need one, chown as sql user)
    315280    ls -l /usr/local/etc/sql-mit-edu.cfg.php
    316281    ls -l /etc/sql-mit-edu.cfg.php
    317282#   o The whoisd password (real servers only)
     283    ls -l /etc/whoisd-password
    318284#   o The LDAP keytab for this server, which will be used later (real
    319285#     servers only).
     
    326292    cat /home/logview/.k5login
    327293
    328 # If you are setting up a test server, pay attention to
     294# [TEST SERVER] If you are setting up a test server, pay attention to
    329295# /etc/sysconfig/network-scripts and do not bind scripts' IP address.
    330296# You will also need to modify:
     
    346312# XXX: someone should write sed scripts to do this
    347313
    348 # If you are setting up a test server, afsagent's cronjob will attempt
    349 # to be renewing with the wrong credentials (daemon.scripts). Change this:
     314# [TEST SERVER] If you are setting up a test server, afsagent's cronjob
     315# will attempt to be renewing with the wrong credentials
     316# (daemon.scripts). Change this:
    350317    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    351318
    352 # Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP).
     319# Install 389-ds-base and set up replication (see ./install-ldap).
     320    yum install 389-ds-base
     321    # [complicated procedure here]
    353322
    354323# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
     
    369338
    370339# Run fmtutil-sys --all, which does something that makes TeX work.
     340# (Note: this errors on XeTeX which is ok.)
    371341    fmtutil-sys --all
    372     # ezyang: I got errors on xetex
    373342
    374343# Ensure that PHP isn't broken:
     
    376345    chmod 01777 /tmp/sessions
    377346
    378 # Ensure fcgid isn't broken
    379     chmod 755 /var/run/mod_fcgid # ezyang: I suspect this is no longer necessary
     347# Ensure fcgid isn't broken (should be 755)
     348    ls -l /var/run/mod_fcgid
    380349
    381350# Fix etc by making sure none of our config files got overwritten
    382351    cd /etc
    383     svn status | grep M
    384     # ezyang: I had to revert krb5.conf (not with latest), nsswitch.conf and sysconfig/openafs
     352    svn status -q
     353    # Some usual candidates for clobbering include nsswitch.conf and
     354    # sysconfig/openafs
    385355
    386356# ThisCell got clobbered, replace it with athena.mit.edu
    387357    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
    388358
     359# Kill unnecessary services. (It's probably good form to look through
     360# `chkconfig | grep on` manually)
     361    for i in avahi-daemon isdn nfslock pcscd rpcbind rpcgssd rpcidmapd; do
     362        chkconfig "$i" off
     363    done
     364
    389365# Reboot the machine to restore a consistent state, in case you
    390 # changed anything.
    391     # ezyang: When I rebooted, the following things happened:
    392     #   o Starting kdump failed (this is ok)
    393     #   o postfix mailbombed us
    394     #   o firstboot configuration screen popped up (ignored; manually will do
    395     #     chkconfig after the fact)
    396 
    397 # (Optional) Beat your head against a wall.
    398 
    399 # Possibly perform other steps that I've neglected to put in this
    400 # document.
    401 #   o For some reason, syslog-ng wasn't turning on automatically, so we weren't
    402 #     getting spew
    403 
    404 # Some info about changing hostnames: it appears to be in:
     366# changed anything. (Note: Starting kdump fails (this is ok))
     367
     368# [OPTIONAL] Your machine's hostname is baked in at install time;
     369# in the rare case you need to change it: it appears to be in:
    405370#   o /etc/sysconfig/network
    406371#   o your lvm thingies; probably don't need to edit
    407372
    408 # More stuff for test servers
     373# [TEST SERVER] More stuff for test servers
    409374#   - You need a self-signed SSL cert.  Generate with:
    410375    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
     
    417382# XXX: our SVN checkout should be updated to use scripts.mit.edu
    418383# (repository and etc) once serving actually works.
     384    cd /etc
     385    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     386    cd /usr/vice/etc
     387    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     388    cd /srv/repository
     389    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     390    asbuild svn up # verify scripts.mit.edu works
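Review bot: The rewritten sed patterns for `store-passwords` and `store-auth-creds` (new lines 75-76 and 81-82) still cannot match, so credential caching is never disabled in root's or scripts-build's `~/.subversion/config` even though the old `XXX These sed scripts don't work` warning was dropped: sed is invoked without `-r`/`-E`, and in basic regex a bare `?` is a literal character, so `^\(# *\)?store-passwords` only matches a line that actually contains a `?`. Drop the group and use `sed -i 's/^#* *store-passwords.*/store-passwords = no/' /root/.subversion/config`, with the same shape for `store-auth-creds` and for the two `asbuild` copies, and add a check such as `grep -E '^store-(passwords|auth-creds) = no' /root/.subversion/config` so a non-matching pattern fails loudly under `set -e`. Separately, `alias asbuild="sudo -u scripts-build"` is not expanded in a non-interactive script unless `shopt -s expand_aliases` is set, so `asbuild svn up` will fail if this file is ever executed rather than pasted; `asbuild() { sudo -u scripts-build "$@"; }` works in both modes. Finally, the config checked out over plain `svn://$source_server` is copied into `/etc` as root by `\cp -a etc /` with no transport authentication or integrity check; if the path between hosts is not fully trusted, `svn+ssh://` (and the same for the later `svn switch --relocate` targets) would be the safer scheme.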
  • branches/fc13-dev/server/doc/upgrade-tips

    r1644 r1661  
    169169version.
    170170
    171 5. Extra stuff
     1715. Update fs sysname
     172--------------------
     173
     174Update /etc/sysconfig/openafs with an extra amd64_fedoraX_scripts and
     175amd64_fedoraX sysname.  The format should be evident from the existing
     176entries.  [XXX There might be other things you want]
     177
     1786. Extra stuff
    172179--------------
    173180