Changeset 1672
- Timestamp:
- Sep 26, 2010, 1:44:07 PM (14 years ago)
- Location:
- branches/fc13-dev/server/doc
- Files: 2 edited
branches/fc13-dev/server/doc/install-howto.sh
r1668 r1672 27 27 branch="trunk" 28 28 29 # 'server' is the public hostname of your server, for SCP'ing files 30 # to and from. 31 server=YOUR-SERVER-NAME-HERE 32 29 33 # Start with a Scripts kickstarted install of Fedora (install-fedora) 30 34 … … 35 39 # Check out the scripts.mit.edu svn repository. Configure svn not to cache 36 40 # credentials. 37 38 cd /srv39 # We must use an explicit source_server while setting up the Scripts40 # server, because once we load the Scripts /etc configuration,41 # scripts.mit.edu will start resolving to localhost and42 # updates/commits will stop working. This will be switched to43 # scripts.mit.edu at the end of the install process.44 svn co svn://$source_server/$branch repository45 46 sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /root/.subversion/config47 sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config48 49 chown -R scripts-build /srv/repository50 51 asbuild svn up # generate the config file52 asbuild sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /home/scripts-build/.subversion/config53 asbuild sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /home/scripts-build/.subversion/config54 55 # cd to server/fedora in the svn repository.56 cd /srv/repository/server/fedora57 58 # Run "make install-deps" to install various prereqs. Nonstandard59 # deps are in /mit/scripts/rpm.60 make install-deps61 # You should pay close attention to the output of this command, and62 # note if packages you think should exist don't exist anymore.63 41 64 42 # Copy over root's dotfiles from one of the other machines. … … 70 48 ls -l .ssh 71 49 ls -l .vimrc 50 ls -l .k5login 72 51 # Trying to scp from server to server won't work, as scp 73 52 # will attempt to negotiate a server-to-server connection. 
74 53 # Instead, scp to your trusted machine as a temporary file, 75 54 # and then push to the other server 55 scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} . 56 scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 57 58 # Install the initial set of credentials (to get Kerberized logins once 59 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 60 # o You probably installed the machine keytab long ago 61 ls -l /etc/krb5.keytab 62 # Use ktutil to combine the host/scripts.mit.edu and 63 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 64 # the keytab. Do not use 'k5srvutil change' on the combined keytab 65 # or you'll break the other servers. (real servers only). Be 66 # careful about writing out the keytab: if you write it to an 67 # existing file the keys will just get appended. The correct 68 # credential list should look like: 69 # ktutil: l 70 # slot KVNO Principal 71 # ---- ---- --------------------------------------------------------------------- 72 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 73 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 74 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 75 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only) 76 ls -l /etc/ssh/*key* 77 # You can do that with: 78 scp root@$source_server:/etc/ssh/*key* . 79 scp *key* root@$server:/etc/ssh/ 80 service sshd reload 76 81 77 82 # Check out the scripts /etc configuration 83 # backslash to make us not use the alias 78 84 cd /root 79 svn co svn://$source_server/$branch/server/fedora/config/etc etc80 # backslash to make us not use the alias81 85 \cp -a etc / 82 86 … … 87 91 # you have named. 88 92 89 # You can get password SSH back by editing /etc/ssh/sshd_config (allow93 # NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow 90 94 # password auth) and /etc/pam.d/sshd (comment out the first three auth 91 # lines). 
However, you can also temporarily install krb5 and setup the 92 # keytabs and k5login to get Kerberized authentication. 95 # lines). However, you should have the Kerberos credentials in place 96 # so as soon as you install the full set of Scripts packages, you'll get 97 # Kerberized logins. 93 98 94 99 # Make sure network is working. If this is a new server name, you'll … … 97 102 # configured eth0 and eth1 correctly; use service network restart 98 103 # to add the new routes in route-eth1. 104 service network restart 99 105 route 100 106 ifconfig 101 107 cat /etc/hosts 102 108 cat /etc/sysconfig/network-scripts/route-eth1 103 service network restart104 109 105 110 # This is the point at which you should start updating scriptsified 106 111 # packages for a new Fedora release. Consult 'upgrade-tips' for more 107 112 # information. 108 109 113 yum install -y scripts-base 110 111 # Check that fs sysname is correct. You should see, among others, 112 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 113 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 114 fs sysname 114 # Some of these packages are naughty and clobber some of our files 115 cd /etc 116 svn revert resolv.conf hosts sysconfig/openafs 115 117 116 118 # Replace rsyslog with syslog-ng by doing: … … 159 161 # Platform gets updated.] 160 162 rpm -e ghc-cgi-devel ghc-cgi 161 yum install haskell-platform163 yum install -y haskell-platform 162 164 yumdownloader ghc-cgi 163 165 yumdownloader ghc-cgi-devel 164 rpm -i ghc-cgi*.rpm 165 rpm -i ghc-cgi-devel*.rpm 166 rpm -i ghc-cgi*1.8.1*.rpm 166 167 167 168 # Check out the scripts /usr/vice/etc configuration 168 cd /root 169 mkdir vice 170 cd vice 171 svn co svn://scripts.mit.edu/$branch/server/fedora/config/usr/vice/etc etc 169 cd /root/vice 172 170 \cp -a etc /usr/vice 173 171 174 172 # Install the full list of perl modules that users expect to be on the 175 173 # scripts.mit.edu servers. 
174 cd /root 176 175 export PERL_MM_USE_DEFAULT=1 177 176 cpan # this is interactive, enter the next two lines … … 202 201 # ezyang: rspec-rails depends on rspec, and will override the Yum 203 202 # package, so... don't use that RPM yet 204 gem list 203 gem list --no-version > gem.txt 204 gem list --no-version | diff gem.txt - | grep "<" | cut -c3- | xargs gem install 205 205 # - Look at `pear list` for Pear fruits (or whatever they're called). 206 206 # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note 207 207 # that for things in the beta repo, you'll need 'pear install package-beta'. 208 208 # (you might get complaints about the php_scripts module; ignore them) 209 pear list 209 pear list | tail -n +4 | cut -f 1 -d " " > pear.txt 210 pear config-set preferred_state beta 211 pear channel-update pear.php.net 212 pear list | tail -n +4 | cut -f 1 -d " " | diff pear.txt - | grep "<" | cut -c3- | xargs pear install 210 213 # - Look at `pecl list` for PECL things. 'yum search', and if you must, 211 214 # 'pecl install' needed items. If it doesn't work, try 'pear install 212 215 # pecl/foo' or 'pecl install foo-beta' or those two combined. 213 pecl list 214 # Automating this... will require a lot of batonning between 215 # the servers. Probably best way to do it is to write an actual 216 # script. 216 pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt 217 pecl list | tail -n +4 | cut -f 1 -d " " | diff pecl.txt - | grep "<" | cut -c3- | xargs pecl install --nodeps 217 218 218 219 # Setup some Python config … … 222 223 # Be sure to make sure the permissions match up (ls -l on an existing 223 224 # server!). 224 # o This will be different if you're setting up our build/update server. 225 # o You probably installed the machine keytab long ago 226 ls -l /etc/krb5.keytab 227 # Use ktutil to combine the host/scripts.mit.edu and 228 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 229 # the keytab. 
Do not use 'k5srvutil change' on the combined keytab 230 # or you'll break the other servers. (real servers only). Be 231 # careful about writing out the keytab: if you write it to an 232 # existing file the keys will just get appended 233 # o The daemon.scripts keytab 225 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 226 scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 227 scp scripts.key root@$server:/etc/pki/tls/private 228 scp .k5login root@$server:/home/logview 229 chown afsagent:afsagent /etc/daemon.keytab 230 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 234 231 ls -l /etc/daemon.keytab 235 232 # o The SSL cert private key (real servers only) … … 237 234 # o The LDAP password for the signup process (real servers only) 238 235 ls -l /etc/signup-ldap-pw 239 # o The SQL password for the signup process (real servers only) (you240 # only need one, chown as sql user)241 ls -l /usr/local/etc/sql-mit-edu.cfg.php242 ls -l /etc/sql-mit-edu.cfg.php243 236 # o The whoisd password (real servers only) 244 237 ls -l /etc/whoisd-password 245 # o The LDAP keytab for this server, which will be used later (real246 # servers only).247 ls -l /etc/dirsrv/keytab248 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only)249 ls -l /etc/ssh/*key*250 # o Make sure root's .k5login is correct251 cat /root/.k5login252 238 # o Make sure logview's .k5login is correct (real servers only) 253 239 cat /home/logview/.k5login 240 241 # Spin up OpenAFS. This will fail if there's been a new kernel since 242 # when you last tried. In that case, you can hold on till later to 243 # start OpenAFS. This will take a little bit of time; 244 service openafs-client start 245 246 # Check that fs sysname is correct. You should see, among others, 247 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. 
If it's not, you 248 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 249 fs sysname 254 250 255 251 # [TEST SERVER] If you are setting up a test server, pay attention to … … 279 275 280 276 # Set up replication (see ./install-ldap). 277 # You'll need the LDAP keytab for this server: be sure to chown it 278 # fedora-ds after you create the fedora-ds user 279 ls -l /etc/dirsrv/keytab 281 280 cat install-ldap 282 281 … … 289 288 chkconfig postfix on 290 289 chkconfig httpd on 290 291 # Check sql user credentials (needs to be done after LDAP is setup) 292 chown sql /etc/sql-mit-edu.cfg.php 291 293 292 294 # Postfix doesn't actually deliver mail; fix this -
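Review bot: the host-key and credential copies (`scp root@$source_server:/etc/ssh/*key* .` / `scp *key* root@$server:/etc/ssh/`, and later `scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},...} .`) stage the SSH host private keys, the daemon keytab, the TLS private key and plaintext passwords in the trusted machine's current directory and never remove them; add a cleanup step (shred or at least rm) after the push to $server, and pass `scp -p` or follow with an explicit chmod so the files do not land on $server with umask-default modes, since the only check the howto gives is "ls -l on an existing server". In the same regions `service sshd reload` and `chown afsagent:afsagent /etc/daemon.keytab` sit between commands that are typed on the trusted machine but act on files that only exist on $server; mark which host each line runs on (or prefix them with `ssh root@$server`).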
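Review bot: the package-sync pipelines (`gem list --no-version > gem.txt` followed by `gem list --no-version | diff gem.txt - | grep "<" | cut -c3- | xargs gem install`, and the same shape for pear.txt and pecl.txt) only install anything if the .txt list was generated on $source_server and copied to the new server before the diff runs; as written both commands run on the same host, so the diff is empty. Add the scp step between them (the comment this hunk replaced said automating this would need "batonning between the servers"), and use `xargs -r` so an empty diff does not invoke `gem install`, `pear install` or `pecl install` with no arguments. `pecl install --nodeps` also skips dependency resolution silently, which deserves a comment given the surrounding advice to prefer yum packages over pecl.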
branches/fc13-dev/server/doc/install-ldap
r1661 r1672 282 282 then try again. 283 283 284 [XXX: Do we need the referrals?] 284 Troubleshooting 285 =============== 286 287 LDAP multimaster replication can fail in a number of colorful ways. 288 If the failure is local to a single master, usually you can recover 289 by asking another master to refresh that master with: 290 291 nsDS5BeginReplicaRefresh: start 292 293 In practice, we've also had problems with this technique. Some of them 294 include: 295 296 * Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503 297 on Fedora 11 ns-slapd, where replication is turned off to do the 298 replication, but then it wedges and you need to forcibly kill the 299 process. 300 301 * Failed LDAP authentication because another master attempted to do 302 an incremental update. 303 304 * Repropagation of the error because the corrupt master thinks it still 305 should push updates. 306 307 So the extremely safe method to bring up a crashed master is as follows: 308 309 1. Disable all incoming and outgoing replication agreements by editing 310 /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge: 311 312 nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config 313 314 and all of the push agreements. Deleting them outright works, but 315 means you'll have to reconstruct all of the agreements from scratch. 316 317 2. Bring up the server. 318 319 3. Accept incoming replication data from a single server. 320 321 4. Initiate a full update from that server. 322 323 5. Finish setting up replication as described above. 324 325 If your database gets extremely fucked, other servers may not be able 326 to authenticate because your authentication information has gone missing. 
327 In that case, the minimal set of entries you need is: 328 329 add dc=scripts,dc=mit,dc=edu 330 objectClass: top 331 objectClass: domain 332 dc: scripts 333 334 add ou=People,dc=scripts,dc=mit,dc=edu 335 objectClass: top 336 objectClass: organizationalunit 337 ou: People 338 339 add uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 340 objectClass: account 341 objectClass: top 342 uid: ldap/real-mccoy.mit.edu
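Review bot: the minimal entries at the end are in ldapvi's `add <dn>` syntax rather than LDIF (the howto's .ldapvirc suggests ldapvi is the tool in use, but say so here so nobody feeds this to ldapadd), and the `uid=ldap/real-mccoy.mit.edu` account carries only objectClass and uid, so by itself it does not restore what the paragraph above calls the missing authentication information; state which credential attribute or Kerberos mapping the other servers bind with, and mark real-mccoy.mit.edu as a placeholder for the recovering server's hostname. Likewise the `nsDS5BeginReplicaRefresh: start` line in the Troubleshooting section is shown without its ldapmodify framing (the replication-agreement DN, `changetype: modify` and `replace:`), so quote the full modify operation.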