Changeset 1672 for branches

Sep 26, 2010, 1:44:07 PM
More updates from installing b-m and o-f.
2 edited


  • branches/fc13-dev/server/doc/

    r1668 r1672  
     29# 'server' is the public hostname of your server, for SCP'ing files
     30# to and from.
    2933# Start with a Scripts kickstarted install of Fedora (install-fedora)
    3539# Check out the svn repository. Configure svn not to cache
    3640# credentials.
    38     cd /srv
    39     # We must use an explicit source_server while setting up the Scripts
    40     # server, because once we load the Scripts /etc configuration,
    41     # will start resolving to localhost and
    42     # updates/commits will stop working.  This will be switched to
    43     # at the end of the install process.
    44     svn co svn://$source_server/$branch repository
    46     sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /root/.subversion/config
    47     sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
    49     chown -R scripts-build /srv/repository
    51     asbuild svn up # generate the config file
    52     asbuild sed -i 's/^\(# *\)?store-passwords.*/store-passwords = no/' /home/scripts-build/.subversion/config
    53     asbuild sed -i 's/^\(# *\)?store-auth-creds.*/store-auth-creds = no/' /home/scripts-build/.subversion/config
    55 # cd to server/fedora in the svn repository.
    56     cd /srv/repository/server/fedora
    58 # Run "make install-deps" to install various prereqs.  Nonstandard
    59 # deps are in /mit/scripts/rpm.
    60     make install-deps
    61     # You should pay close attention to the output of this command, and
    62     # note if packages you think should exist don't exist anymore.
    6442# Copy over root's dotfiles from one of the other machines.
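Review bot: The svn checkout and the two `store-passwords = no` / `store-auth-creds = no` configuration steps removed here (old lines 38-62, both the root and the `asbuild` copies) are what keep svn credentials from being cached on the server; make sure they survive wherever the checkout now lives, since later steps in this file (`asbuild`, the `svn revert` in /etc) still presume the checkout happened. If the `sed` lines are kept elsewhere, note that in a GNU sed basic regex `\(# *\)?` treats `?` as a literal character, so `s/^\(# *\)?store-passwords.*/` matches neither `# store-passwords` nor `store-passwords`; the optional comment prefix needs `\(# *\)\?` (or `sed -r` with `(# *)?`).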
    7048    ls -l .ssh
    7149    ls -l .vimrc
     50    ls -l .k5login
    7251    # Trying to scp from server to server won't work, as scp
    7352    # will attempt to negotiate a server-to-server connection.
    7453    # Instead, scp to your trusted machine as a temporary file,
    7554    # and then push to the other server
     55scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
     56scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
     58# Install the initial set of credentials (to get Kerberized logins once
     59# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
     60#   o You probably installed the machine keytab long ago
     61    ls -l /etc/krb5.keytab
     62#     Use ktutil to combine the host/ and
     63#     host/ keys with host/ in
     64#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
     65#     or you'll break the other servers. (real servers only).  Be
     66#     careful about writing out the keytab: if you write it to an
     67#     existing file the keys will just get appended.  The correct
     68#     credential list should look like:
     69#       ktutil:  l
     70#       slot KVNO Principal
     71#       ---- ---- ---------------------------------------------------------------------
     72#          1    5 host/
     73#          2    3 host/
     74#          3    2      host/
     75#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
     76    ls -l /etc/ssh/*key*
     77#     You can do that with:
     78scp root@$source_server:/etc/ssh/*key* .
     79scp *key* root@$server:/etc/ssh/
     80    service sshd reload
    7782# Check out the scripts /etc configuration
     83    # backslash to make us not use the alias
    7884    cd /root
    79     svn co svn://$source_server/$branch/server/fedora/config/etc etc
    80     # backslash to make us not use the alias
    8185    \cp -a etc /
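Review bot: The new scp steps (new lines 55-56 and 78-79) stage root's `.ssh` directory and the shared ssh host private keys in the working directory of the intermediate "trusted machine" and never delete them; add an `rm` of the staged copies after the push. Ownership is not preserved across scp and the mode passes through the receiving umask, so after `scp *key* root@$server:/etc/ssh/` the `ls -l /etc/ssh/*key*` check should state the expected result (private keys root-owned, mode 0600) before `service sshd reload`. Also, removing `svn co svn://$source_server/$branch/server/fedora/config/etc etc` (old line 79) leaves `\cp -a etc /` with no step in this hunk that creates /root/etc; if the checkout moved to a consolidated svn section, say so in the comment.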
    8791# you have named.
    89 # You can get password SSH back by editing /etc/ssh/sshd_config (allow
     93# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
    9094# password auth) and /etc/pam.d/sshd (comment out the first three auth
    91 # lines).  However, you can also temporarily install krb5 and setup the
    92 # keytabs and k5login to get Kerberized authentication.
     95# lines).  However, you should have the Kerberos credentials in place
     96# so as soon as you install the full set of Scripts packages, you'll get
     97# Kerberized logins.
    9499# Make sure network is working.  If this is a new server name, you'll
    97102# configured eth0 and eth1 correctly; use service network restart
    98103# to add the new routes in route-eth1.
     104    service network restart
    99105    route
    100106    ifconfig
    101107    cat /etc/hosts
    102108    cat /etc/sysconfig/network-scripts/route-eth1
    103     service network restart
    105110# This is the point at which you should start updating scriptsified
    106111# packages for a new Fedora release.  Consult 'upgrade-tips' for more
    107112# information.
    109113    yum install -y scripts-base
    111 # Check that fs sysname is correct.  You should see, among others,
    112 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
    113 # probably did a distro upgrade and should update /etc/sysconfig/openafs.
    114     fs sysname
     114    # Some of these packages are naughty and clobber some of our files
     115    cd /etc
     116    svn revert resolv.conf hosts sysconfig/openafs
    116118# Replace rsyslog with syslog-ng by doing:
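Review bot: `svn revert resolv.conf hosts sysconfig/openafs` (new lines 114-116) only repairs the three files known to be clobbered by `yum install -y scripts-base`; since /etc is an svn working copy after the earlier `\cp -a etc /`, running `svn status /etc` first would list every file the packages touched and avoid silently keeping some other clobbered config. Suggest adding that check before the revert and reverting whatever it reports as modified.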
    159161# Platform gets updated.]
    160162    rpm -e ghc-cgi-devel ghc-cgi
    161     yum install haskell-platform
     163    yum install -y haskell-platform
    162164    yumdownloader ghc-cgi
    163165    yumdownloader ghc-cgi-devel
    164     rpm -i ghc-cgi*.rpm
    165     rpm -i ghc-cgi-devel*.rpm
     166    rpm -i ghc-cgi*1.8.1*.rpm
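Review bot: `rpm -i ghc-cgi*1.8.1*.rpm` (new line 166) pins a version while the `yumdownloader ghc-cgi` / `yumdownloader ghc-cgi-devel` lines above fetch whatever the repo currently serves, so the glob will stop matching once the repo moves on; add a comment saying why 1.8.1 is the version to install. For the record, the replaced pair `rpm -i ghc-cgi*.rpm` / `rpm -i ghc-cgi-devel*.rpm` was also broken, since the first glob already matched the devel package and the second install would then fail as already installed, which the single line fixes.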
    167168# Check out the scripts /usr/vice/etc configuration
    168     cd /root
    169     mkdir vice
    170     cd vice
    171     svn co svn://$branch/server/fedora/config/usr/vice/etc etc
     169    cd /root/vice
    172170    \cp -a etc /usr/vice
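Review bot: The checkout `svn co svn://$branch/server/fedora/config/usr/vice/etc etc` (old line 171) is removed and replaced with `cd /root/vice`, but nothing in this hunk creates /root/vice/etc before `\cp -a etc /usr/vice`; if the checkout now happens in a consolidated svn section, reference it in the comment. The removed URL also lacked `$source_server` (compare `svn co svn://$source_server/$branch/...` used earlier in this file), so if it was moved rather than dropped, check that the moved copy includes the host.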
    174172# Install the full list of perl modules that users expect to be on the
    175173# servers.
     174    cd /root
    176175    export PERL_MM_USE_DEFAULT=1
    177176    cpan # this is interactive, enter the next two lines
    202201#       ezyang: rspec-rails depends on rspec, and will override the Yum
    203202#       package, so... don't use that RPM yet
    204     gem list
     203gem list --no-version > gem.txt
     204    gem list --no-version | diff gem.txt - | grep "<" | cut -c3- | xargs gem install
    205205# - Look at `pear list` for Pear fruits (or whatever they're called).
    206206#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
    207207#   that for things in the beta repo, you'll need 'pear install package-beta'.
    208208#   (you might get complaints about the php_scripts module; ignore them)
    209     pear list
     209pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
     210    pear config-set preferred_state beta
     211    pear channel-update
     212    pear list | tail -n +4 | cut -f 1 -d " " | diff pear.txt - | grep "<" | cut -c3- | xargs pear install
    210213# - Look at `pecl list` for PECL things.  'yum search', and if you must,
    211214#   'pecl install' needed items. If it doesn't work, try 'pear install
    212215#   pecl/foo' or 'pecl install foo-beta' or those two combined.
    213     pecl list
    214 # Automating this... will require a lot of batonning between
    215 # the servers. Probably best way to do it is to write an actual
    216 # script.
     216pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
     217    pecl list | tail -n +4 | cut -f 1 -d " " | diff pecl.txt - | grep "<" | cut -c3- | xargs pecl install --nodeps
    218219# Setup some Python config
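Review bot: The `diff ... | grep "<" | cut -c3- | xargs gem install` pipelines (new lines 203-204, 209-212, 216-217) run `gem install`, `pear install` and `pecl install --nodeps` with no arguments when nothing is missing, because GNU xargs invokes the command once even on empty input; use `xargs -r`. The unindented `gem list --no-version > gem.txt`, `pear list ... > pear.txt` and `pecl list ... > pecl.txt` appear, by this file's convention, to be run on the source server, so the step that copies those three files to the new server is missing and `diff gem.txt -` will fail without it. Finally, a single failing item in the xargs batch does not stop the rest, so suggest re-running the `diff` afterwards to confirm nothing is still reported with `<`.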
    222223# Be sure to make sure the permissions match up (ls -l on an existing
    223224# server!).
    224 #   o This will be different if you're setting up our build/update server.
    225 #   o You probably installed the machine keytab long ago
    226     ls -l /etc/krb5.keytab
    227 #     Use ktutil to combine the host/ and
    228 #     host/ keys with host/ in
    229 #     the keytab.  Do not use 'k5srvutil change' on the combined keytab
    230 #     or you'll break the other servers. (real servers only).  Be
    231 #     careful about writing out the keytab: if you write it to an
    232 #     existing file the keys will just get appended
    233 #   o The daemon.scripts keytab
     225scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
     226scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
     227scp scripts.key root@$server:/etc/pki/tls/private
     228scp .k5login root@$server:/home/logview
     229    chown afsagent:afsagent /etc/daemon.keytab
     230#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
    234231    ls -l /etc/daemon.keytab
    235232#   o The SSL cert private key (real servers only)
    237234#   o The LDAP password for the signup process (real servers only)
    238235    ls -l /etc/signup-ldap-pw
    239 #   o The SQL password for the signup process (real servers only) (you
    240 #     only need one, chown as sql user)
    241     ls -l /usr/local/etc/sql-mit-edu.cfg.php
    242     ls -l /etc/sql-mit-edu.cfg.php
    243236#   o The whoisd password (real servers only)
    244237    ls -l /etc/whoisd-password
    245 #   o The LDAP keytab for this server, which will be used later (real
    246 #     servers only).
    247     ls -l /etc/dirsrv/keytab
    248 #   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
    249     ls -l /etc/ssh/*key*
    250 #   o Make sure root's .k5login is correct
    251     cat /root/.k5login
    252238#   o Make sure logview's .k5login is correct (real servers only)
    253239    cat /home/logview/.k5login
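Review bot: The batch `scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .` (new line 225) stages the SSL private key, the daemon keytab and three passwords in the working directory of the intermediate machine, and nothing in this hunk removes them after the four pushes; add an `rm` of the staged files. The only post-copy ownership fix is `chown afsagent:afsagent /etc/daemon.keytab`, while the comment above says to make permissions match an existing server, so the remaining `ls -l` checks (daemon.keytab, signup-ldap-pw, whoisd-password, and scripts.key, whose `ls -l` no longer appears) should each state the expected owner and mode so the installer can tell a mismatch.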
     241# Spin up OpenAFS.  This will fail if there's been a new kernel since
     242# when you last tried.  In that case, you can hold on till later to
     243# start OpenAFS.  This will take a little bit of time;
     244    service openafs-client start
     246# Check that fs sysname is correct.  You should see, among others,
     247# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
     248# probably did a distro upgrade and should update /etc/sysconfig/openafs.
     249    fs sysname
    255251# [TEST SERVER] If you are setting up a test server, pay attention to
    280276# Set up replication (see ./install-ldap).
     277# You'll need the LDAP keytab for this server: be sure to chown it
     278# fedora-ds after you create the fedora-ds user
     279    ls -l /etc/dirsrv/keytab
    281280    cat install-ldap
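Review bot: New lines 277-279 tell the installer to chown /etc/dirsrv/keytab to fedora-ds, but no step in this file now puts that keytab on the server: the consolidated credential scp earlier in this diff (new line 225) does not include /etc/dirsrv/keytab, and the old `ls -l /etc/dirsrv/keytab` check in the credentials section (old line 247) was removed. Either add it to that scp batch or state here where it comes from.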
    289288    chkconfig postfix on
    290289    chkconfig httpd on
     291# Check sql user credentials (needs to be done after LDAP is setup)
     292    chown sql /etc/sql-mit-edu.cfg.php
    292294# Postfix doesn't actually deliver mail; fix this
  • branches/fc13-dev/server/doc/install-ldap

    r1661 r1672  
    282282    then try again.
    284 [XXX: Do we need the referrals?]
     287LDAP multimaster replication can fail in a number of colorful ways.
     288If the failure is local to a single master, usually you can recover
     289by asking another master to refresh that master with:
     291nsDS5BeginReplicaRefresh: start
     293In practice, we've also had problems with this technique.  Some of them
     296* Something like
     297  on Fedora 11 ns-slapd, where replication is turned off to do the
     298  replication, but then it wedges and you need to forcibly kill the
     299  process.
     301* Failed LDAP authentication because another master attempted to do
     302  an incremental update.
     304* Repropagation of the error because the corrupt master thinks it still
     305  should push updates.
     307So the extremely safe method to bring up a crashed master is as follows:
     3091. Disable all incoming and outgoing replication agreements by editing
     310   /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge:
     312   nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config
     314   and all of the push agreements.  Deleting them outright works, but
     315   means you'll have to reconstruct all of the agreements from scratch.
     3172. Bring up the server.
     3193. Accept incoming replication data from a single server.
     3214. Initiate a full update from that server.
     3235. Finish setting up replication as described above.
     325If your database gets extremely fucked, other servers may not be able
     326to authenticate because your authentication information has gone missing.
     327In that case, the minimal set of entries you need is:
     329add dc=scripts,dc=mit,dc=edu
     330objectClass: top
     331objectClass: domain
     332dc: scripts
     334add ou=People,dc=scripts,dc=mit,dc=edu
     335objectClass: top
     336objectClass: organizationalunit
     337ou: People
     339add uid=ldap/,ou=People,dc=scripts,dc=mit,dc=edu
     340objectClass: account
     341objectClass: top
     342uid: ldap/
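Review bot: Step 1 of the recovery procedure (new lines 309-315) edits /etc/dirsrv/slapd-scripts/dse.ldif by hand; that only sticks if ns-slapd is stopped first, because the running server rewrites dse.ldif on shutdown, so say "with the server stopped" explicitly before step 2, "Bring up the server". The minimal-entries block (new lines 329-342) is not valid LDIF as written: `add dc=scripts,dc=mit,dc=edu` needs to be `dn: dc=scripts,dc=mit,dc=edu` with the attributes following (and `changetype: add` if fed to `ldapmodify` rather than `ldapadd`) before anyone can paste it. The removed `[XXX: Do we need the referrals?]` question (old line 284) is dropped without an answer; either keep it or record what was decided.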