Changeset 1961 for trunk/server/doc


Timestamp:
Sep 4, 2011, 4:24:33 PM (13 years ago)
Author:
ezyang
Message:
Split up install instructions for different types.
File:
1 edited

  • trunk/server/doc/install-howto.sh

    r1704 r1961  
    22# It is semi-vaguely in the form of a shell script, but is not really
    33# runnable as it stands.
     4
     5# Notation
     6# [PRODUCTION] Production server that will be put into the pool
     7# [WIZARD]     Semi-production server that will only have
     8#              daemon.scripts-security-upd bits, among other
     9#              restricted permissions bits, among other
     10#              restricted permissions bits, among other
     11#              restricted permissions bits, among other
     12#              restricted permissions
     13# [TESTSERVER] Completely untrusted server
    414
    515set -e -x
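Review bot: the [WIZARD] entry in the new Notation block repeats "restricted permissions bits, among other" three times, which reads like a paste error; collapse it to one clause, e.g. "Semi-production server that will only have daemon.scripts-security-upd bits, among other restricted permissions", so the notation table is readable at a glance.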
     
    2030# at localhost, and if our server is not setup at that point things
    2131# will break.
    22 source_server="cats-whiskers.mit.edu"
     32source_server="shining-armor.mit.edu"
    2333
    2434# 'branch' is the current svn branch you are on.  You want to
     
    4353    cd /root
    4454    ls -l .bashrc
    45     ls -l .ldapvirc
    4655    ls -l .screenrc
    4756    ls -l .ssh
    4857    ls -l .vimrc
    4958    ls -l .k5login
     59    # [PRODUCTION] This rc file has sensitive data on it and should only
     60    # be pushed onto production servers.
     61    ls -l .ldapvirc
    5062    # Trying to scp from server to server won't work, as scp
    5163    # will attempt to negotiate a server-to-server connection.
    5264    # Instead, scp to your trusted machine as a temporary file,
    5365    # and then push to the other server
    54 scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
    55 scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
     66scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
     67scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
     68# [PRODUCTION]
     69scp root@$source_server:~/.ldapvirc .
     70scp .ldapvirc root@$server:~
    5671
    5772# Install the initial set of credentials (to get Kerberized logins once
    5873# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
    59 #   o You probably installed the machine keytab long ago
     74#   o Install the machine keytab.
    6075    ls -l /etc/krb5.keytab
    6176#     Use ktutil to combine the host/scripts.mit.edu and
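Review bot: the [PRODUCTION]-only `scp root@$source_server:~/.ldapvirc .` / `scp .ldapvirc root@$server:~` pair leaves a copy of a file the comment itself calls sensitive in the working directory on the trusted machine after the push; add a removal step after the second scp (the same applies to the .ssh directory pulled by the general scp above it). Also, the reworded "o Install the machine keytab." is followed only by `ls -l /etc/krb5.keytab`, which checks rather than installs; say where the keytab comes from or point at the ktutil step that follows.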
     
    7287#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
    7388#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
    74 #   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
     89#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
     90#     scripts servers (real servers only)
    7591    ls -l /etc/ssh/*key*
    7692#     You can do that with:
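Review bot: "(real servers only)" on the ssh host key step is now redundant with the [PRODUCTION] tag added on the same line; drop it so the bracketed tag is the single source of truth for which server types a step applies to.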
     
    85101    chmod 0440 /etc/sudoers
    86102
    87 # If this is the first time you've installed this hostname, you will
    88 # need to update a bunch of files to add support for it. These include:
     103# [PRODUCTION] If this is the first time you've installed this hostname,
     104# you will need to update a bunch of files to add support for it. These
     105# include:
    89106#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
    90107#     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
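Review bot: tagging "Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf" as [PRODUCTION]-only is at odds with the test-server section at the end of this file, which also edits scripts-vhost-names.conf (to add scripts-fX-test.xvm.mit.edu); either tag this step for test servers as well or cross-reference the test-server step so a reader does not skip it.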
     
    141158    chkconfig syslog-ng on
    142159
    143 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
     160# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
     161# mapping.
    144162    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
    145163    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
    146164
    147 # [TEST SERVER] If you're installing a test server, this needs to be
     165# [TESTSERVER] If you're installing a test server, this needs to be
    148166# much smaller; the max filesize on XVM is 10GB.  Pick something like
    149167# 500000. Also, some of the AFS parameters are kind of retarded (and if
    150168# you're low on disk space, will actually exhaust our inodes).  Edit
    151169# these parameters in /etc/sysconfig/openafs
     170    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
     171    XXX TODO COMMANDS
    152172
    153173# Test that zephyr is working
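Review bot: the new [TESTSERVER] line `echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo` unconditionally overwrites the [PRODUCTION/WIZARD] value written two lines earlier, so anyone walking this region top to bottom ends up with the test-server cache size on every type; make the tag an actual branch (or put the test value in the comment and keep one echo). The `XXX TODO COMMANDS` placeholder for the /etc/sysconfig/openafs edits is also a bare line, which would be executed as a command if this section were ever run.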
     
    176196    # here's a cute script that removes all extra packages
    177197    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
     198    # 20101208 - Mysteriously we manage to get these extra packages
     199    # from kickstart: mcelog mobile-broadband-provider-info
     200    # ModemManager PackageKit
    178201
    179202# We need an upstream version of cgi which we've packaged ourselves, but
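Review bot: the dated comment names the stray kickstart packages (mcelog, mobile-broadband-provider-info, ModemManager, PackageKit) but does not say whether erasing them via `yum erase -y $(grep -Fxvf packages.txt newpackages.txt)` is the intended outcome or whether they belong in packages.txt; state the decision so the next install does not second-guess it.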
     
    219242#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
    220243#   easier.)
    221 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- . egg.txt
     244cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
    222245    cat egg.txt | xargs easy_install -Z
    223246# - Look at `gem list` for Ruby gems.
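Review bot: changing `. egg.txt` to `> egg.txt` fixes the redirect (the old line tried to source the file), but `cut -f1 -d-` still truncates any egg whose project name itself contains a hyphen to the part before the first hyphen, so `xargs easy_install -Z` would be fed the wrong name; strip from the version component instead, e.g. `sed 's/-[0-9].*//'`.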
     
    244267    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
    245268
    246 # Install the credentials.  There are a lot of things to remember here.
    247 # Be sure to make sure the permissions match up (ls -l on an existing
    248 # server!).
    249 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
    250 scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
     269# [PRODUCTION] Install the credentials.  There are a lot of things to
     270# remember here.  Be sure to make sure the permissions match up (ls -l
     271# on an existing server!).
     272scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
     273scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
    251274scp scripts.key root@$server:/etc/pki/tls/private
    252275scp .k5login root@$server:/home/logview
    253     chown afsagent:afsagent /etc/daemon.keytab
    254 #   o The daemon.scripts keytab (will be daemon.scripts-test for test)
    255     ls -l /etc/daemon.keytab
    256276#   o The SSL cert private key (real servers only)
    257277    ls -l /etc/pki/tls/private/scripts.key
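Review bot: `scp scripts.key root@$server:/etc/pki/tls/private` and `scp .k5login root@$server:/home/logview` are left untagged, but both files are only fetched by the [PRODUCTION] scp just above (and the comment on scripts.key still says "real servers only"), so on a WIZARD or TESTSERVER install they refer to files that were never pulled; move them under the [PRODUCTION] block. As with .ldapvirc earlier, scripts.key ends up as a plaintext copy on the trusted machine; add a removal after the push.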
     
    263283    cat /home/logview/.k5login
    264284
     285# All types of servers will have an /etc/daemon.keytab file, however,
     286# different types of server will have different credentials in this
     287# keytab.
     288#   [PRODUCTION] daemon.scripts
     289#   [WIZARD]     daemon.scripts-security-upd
     290#   [TESTSERVER] daemon.scripts-test
     291k5srvutil list -f daemon.keytab
     292scp daemon.keytab root@$server:/etc
     293    chown afsagent:afsagent /etc/daemon.keytab
     294#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
     295    ls -l /etc/daemon.keytab
     296
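Review bot: the retained comment "The daemon.scripts keytab (will be daemon.scripts-test for test)" now contradicts the three-way table just above it, which adds daemon.scripts-security-upd for [WIZARD]; drop the parenthetical or refer to the table. It would also be worth saying what mode the `ls -l /etc/daemon.keytab` check is expected to show after the `chown afsagent:afsagent`, since a keytab readable by other users undoes the per-type credential split this change introduces.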
    265297# Spin up OpenAFS.  This will fail if there's been a new kernel since
    266298# when you last tried.  In that case, you can hold on till later to
    267299# start OpenAFS.  This will take a little bit of time;
    268300    service openafs-client start
    269 
    270 # Check that fs sysname is correct.  You should see, among others,
     301# Then, check that fs sysname is correct.  You should see, among others,
    271302# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
    272303# probably did a distro upgrade and should update /etc/sysconfig/openafs.
    273304    fs sysname
    274305
    275 # [TEST SERVER] If you are setting up a test server, pay attention to
    276 # /etc/sysconfig/network-scripts and do not bind scripts' IP address.
    277 # You will also need to modify:
     306# [WIZARD/TESTSERVER] If you are setting up a non-production server,
     307# there are some services that it won't provide, and you will need to
     308# make it talk to a real server instead.  In particular:
     309#   - We don't serve the web, so don't bind scripts.mit.edu
     310#   - We don't serve LDAP, so use another server
     311# This involves editing the following files:
     312#   o /etc/sysconfig/network-scripts/ifcfg-lo:0
     313#   o /etc/sysconfig/network-scripts/ifcfg-lo:1
     314#   o /etc/sysconfig/network-scripts/ifcfg-lo:2
     315#   o /etc/sysconfig/network-scripts/ifcfg-lo:3
     316       \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
    278317#   o /etc/ldap.conf
    279318#       add: host scripts.mit.edu
    280 #   o /etc/nss-ldapd.conf
    281 #       replace: uri *****
     319#   o /etc/{nss-ldapd,nslcd}.conf
     320#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
    282321#       with: uri ldap://scripts.mit.edu/
    283322#   o /etc/openldap/ldap.conf
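Review bot: the [WIZARD/TESTSERVER] lead-in says "This involves editing the following files" and then lists ifcfg-lo:0 through ifcfg-lo:3, but the command that follows, `\rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}`, deletes them; say "removing" for those four and keep "editing" for the ldap entries below. Replacing the old `*****` placeholder with the real `ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/` URI makes the replace/with pairs checkable, which is an improvement.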
     
    285324#            BASE dc=scripts,dc=mit,dc=edu
    286325#   o /etc/httpd/conf.d/vhost_ldap.conf
    287 #       replace: VhostLDAPUrl ****
     326#       replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
    288327#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
    289328#   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
    290 #       replace: server_host *****
     329#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
    291330#       with: server_host = ldap://scripts.mit.edu
    292331# to use scripts.mit.edu instead of localhost.
    293332# XXX: someone should write sed scripts to do this
    294333
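Review bot: the postfix pair is inconsistent: "replace: server_host ldapi://..." has no `=` while "with: server_host = ldap://scripts.mit.edu" does, so a literal search-and-replace (or the sed script the XXX line asks for) would not match; write both sides in the form the .cf files actually use.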
    295 # [TEST SERVER] If you are setting up a test server, afsagent's cronjob
    296 # will attempt to be renewing with the wrong credentials
    297 # (daemon.scripts). Change this:
     334# [WIZARD/TESTSERVER] If you are setting up a non-production server,
     335# afsagent's cronjob will attempt to be renewing with the wrong
     336# credentials (daemon.scripts). Change this:
    298337    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    299338
    300 # Set up replication (see ./install-ldap).
     339# [PRODUCTION] Set up replication (see ./install-ldap).
    301340# You'll need the LDAP keytab for this server: be sure to chown it
    302341# fedora-ds after you create the fedora-ds user
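Review bot: "replace all mentions of daemon.scripts.mit.edu" in /home/afsagent/renew does not say what to replace them with; now that the keytab table distinguishes daemon.scripts-security-upd for [WIZARD] from daemon.scripts-test for [TESTSERVER], name the replacement per type so the renew cronjob matches the principal actually present in /etc/daemon.keytab.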
     
    310349    service nscd start
    311350    service postfix start
    312     service httpd start
    313     chkconfig dirsrv on
    314351    chkconfig nslcd on
    315352    chkconfig nscd on
    316353    chkconfig postfix on
     354
     355# [PRODUCTION]
     356    chkconfig dirsrv on
     357
     358# [PRODUCTION/TESTSERVER]
     359# (Maybe WIZARD too once we start doing strange things to autoupgrade
     360# installs behind firewalls.)
     361    service httpd start # will fail if AFS is not running
    317362    chkconfig httpd on
    318363
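Review bot: `service httpd start # will fail if AFS is not running` now sits under [PRODUCTION/TESTSERVER], but the unchanged `chkconfig httpd on` right after it is still untagged, so a WIZARD box gets httpd enabled at boot even though the file says it does not serve the web; move `chkconfig httpd on` inside the tagged block. Note also that with `set -e` at the top of the file, the acknowledged failure would abort everything after it if this region were ever run as a script, so it may be better placed after the OpenAFS check.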
     
    320365    chkconfig nrpe on
    321366
    322 # Check sql user credentials (needs to be done after LDAP is setup)
     367# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
     368# is setup)
    323369    chown sql /etc/sql-mit-edu.cfg.php
    324370
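Review bot: tagging `chown sql /etc/sql-mit-edu.cfg.php` as [PRODUCTION] matches the fact that the file is only copied in the [PRODUCTION] credentials block; since it holds the sql user credentials, pair the chown with the same `ls -l` mode check used for the other credential files so an overly permissive mode is caught here too.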
     
    348394    # Some usual candidates for clobbering include nsswitch.conf and
    349395    # sysconfig/openafs
     396    # [WIZARD/TEST] Remember that changes you made should not get
     397    # reverted!
    350398
    351399# ThisCell got clobbered, replace it with athena.mit.edu
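Review bot: the new tag reads [WIZARD/TEST] while every other tag in this file uses [WIZARD/TESTSERVER]; use the same spelling so the tags can be grepped reliably.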
     
    360408#   o your lvm thingies; probably don't need to edit
    361409
    362 # [TEST SERVER] More stuff for test servers
    363 #   - You need a self-signed SSL cert.  Generate with:
     410# [TESTERVER]
     411#   - You need a self-signed SSL cert or Apache will refuse to start
     412#     or do SSL.  Generate with:
    364413    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
    365 #     Also make /etc/pki/tls/certs/ca.pem match up
     414#     Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the
     415#     incant for that?)
     416
     417# [TESTSERVER] More stuff for test servers
    366418#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
    367419#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
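Review bot: the tag at the top of this hunk is misspelled [TESTERVER] (missing an S) and would not match a grep for [TESTSERVER]. For the `openssl req -new -x509 -keyout ... -out ... -nodes` line: without `-days`, openssl's default validity for `-x509` is 30 days, so the test server's certificate expires a month after install; add `-days` with a sensible value, and follow the command with the same `ls -l` mode check used for scripts.key elsewhere so the generated private key is not left world-readable. On the "XXX what's the incant" for ca.pem: a self-signed certificate is its own issuer, so copying /etc/pki/tls/certs/scripts.cert to ca.pem is the likely answer, but confirm against how ca.pem is referenced in the httpd config before writing it down.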