Changeset 1961 for trunk/server/doc
Timestamp: Sep 4, 2011, 4:24:33 PM
Files: 1 edited
trunk/server/doc/install-howto.sh
r1704 r1961 2 2 # It is semi-vaguely in the form of a shell script, but is not really 3 3 # runnable as it stands. 4 5 # Notation 6 # [PRODUCTION] Production server that will be put into the pool 7 # [WIZARD] Semi-production server that will only have 8 # daemon.scripts-security-upd bits, among other 9 # restricted permissions bits, among other 10 # restricted permissions bits, among other 11 # restricted permissions bits, among other 12 # restricted permissions 13 # [TESTSERVER] Completely untrusted server 4 14 5 15 set -e -x … … 20 30 # at localhost, and if our server is not setup at that point things 21 31 # will break. 22 source_server=" cats-whiskers.mit.edu"32 source_server="shining-armor.mit.edu" 23 33 24 34 # 'branch' is the current svn branch you are on. You want to … … 43 53 cd /root 44 54 ls -l .bashrc 45 ls -l .ldapvirc46 55 ls -l .screenrc 47 56 ls -l .ssh 48 57 ls -l .vimrc 49 58 ls -l .k5login 59 # [PRODUCTION] This rc file has sensitive data on it and should only 60 # be pushed onto production servers. 61 ls -l .ldapvirc 50 62 # Trying to scp from server to server won't work, as scp 51 63 # will attempt to negotiate a server-to-server connection. 52 64 # Instead, scp to your trusted machine as a temporary file, 53 65 # and then push to the other server 54 scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} . 55 scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} . 67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 68 # [PRODUCTION] 69 scp root@$source_server:~/.ldapvirc . 70 scp .ldapvirc root@$server:~ 56 71 57 72 # Install the initial set of credentials (to get Kerberized logins once 58 73 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 59 # o You probably installed the machine keytab long ago74 # o Install the machine keytab. 
60 75 ls -l /etc/krb5.keytab 61 76 # Use ktutil to combine the host/scripts.mit.edu and … … 72 87 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 73 88 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 74 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only) 89 # o [PRODUCTION] Replace the ssh host keys with the ones common to all 90 # scripts servers (real servers only) 75 91 ls -l /etc/ssh/*key* 76 92 # You can do that with: … … 85 101 chmod 0440 /etc/sudoers 86 102 87 # If this is the first time you've installed this hostname, you will 88 # need to update a bunch of files to add support for it. These include: 103 # [PRODUCTION] If this is the first time you've installed this hostname, 104 # you will need to update a bunch of files to add support for it. These 105 # include: 89 106 # o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf 90 107 # (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu, … … 141 158 chkconfig syslog-ng on 142 159 143 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping. 160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 161 # mapping. 144 162 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 145 163 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 146 164 147 # [TEST 165 # [TESTSERVER] If you're installing a test server, this needs to be 148 166 # much smaller; the max filesize on XVM is 10GB. Pick something like 149 167 # 500000. Also, some of the AFS parameters are kind of retarded (and if 150 168 # you're low on disk space, will actually exhaust our inodes). 
Edit 151 169 # these parameters in /etc/sysconfig/openafs 170 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 171 XXX TODO COMMANDS 152 172 153 173 # Test that zephyr is working … … 176 196 # here's a cute script that removes all extra packages 177 197 yum erase -y $(grep -Fxvf packages.txt newpackages.txt) 198 # 20101208 - Mysteriously we manage to get these extra packages 199 # from kickstart: mcelog mobile-broadband-provider-info 200 # ModemManager PackageKit 178 201 179 202 # We need an upstream version of cgi which we've packaged ourselves, but … … 219 242 # want to be able to write to ~/.python-eggs. (Also makes sourcediving 220 243 # easier.) 221 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- .egg.txt244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 222 245 cat egg.txt | xargs easy_install -Z 223 246 # - Look at `gem list` for Ruby gems. … … 244 267 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 245 268 246 # Install the credentials. There are a lot of things to remember here.247 # Be sure to make sure the permissions match up (ls -l on an existing248 # server!).249 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php, daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .250 scp daemon.keytabsignup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc269 # [PRODUCTION] Install the credentials. There are a lot of things to 270 # remember here. Be sure to make sure the permissions match up (ls -l 271 # on an existing server!). 272 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 
273 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 251 274 scp scripts.key root@$server:/etc/pki/tls/private 252 275 scp .k5login root@$server:/home/logview 253 chown afsagent:afsagent /etc/daemon.keytab254 # o The daemon.scripts keytab (will be daemon.scripts-test for test)255 ls -l /etc/daemon.keytab256 276 # o The SSL cert private key (real servers only) 257 277 ls -l /etc/pki/tls/private/scripts.key … … 263 283 cat /home/logview/.k5login 264 284 285 # All types of servers will have an /etc/daemon.keytab file, however, 286 # different types of server will have different credentials in this 287 # keytab. 288 # [PRODUCTION] daemon.scripts 289 # [WIZARD] daemon.scripts-security-upd 290 # [TESTSERVER] daemon.scripts-test 291 k5srvutil list -f daemon.keytab 292 scp daemon.keytab root@$server:/etc 293 chown afsagent:afsagent /etc/daemon.keytab 294 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 295 ls -l /etc/daemon.keytab 296 265 297 # Spin up OpenAFS. This will fail if there's been a new kernel since 266 298 # when you last tried. In that case, you can hold on till later to 267 299 # start OpenAFS. This will take a little bit of time; 268 300 service openafs-client start 269 270 # Check that fs sysname is correct. You should see, among others, 301 # Then, check that fs sysname is correct. You should see, among others, 271 302 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 272 303 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 273 304 fs sysname 274 305 275 # [TEST SERVER] If you are setting up a test server, pay attention to 276 # /etc/sysconfig/network-scripts and do not bind scripts' IP address. 277 # You will also need to modify: 306 # [WIZARD/TESTSERVER] If you are setting up a non-production server, 307 # there are some services that it won't provide, and you will need to 308 # make it talk to a real server instead. 
In particular: 309 # - We don't serve the web, so don't bind scripts.mit.edu 310 # - We don't serve LDAP, so use another server 311 # This involves editing the following files: 312 # o /etc/sysconfig/network-scripts/ifcfg-lo:0 313 # o /etc/sysconfig/network-scripts/ifcfg-lo:1 314 # o /etc/sysconfig/network-scripts/ifcfg-lo:2 315 # o /etc/sysconfig/network-scripts/ifcfg-lo:3 316 \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3} 278 317 # o /etc/ldap.conf 279 318 # add: host scripts.mit.edu 280 # o /etc/ nss-ldapd.conf281 # replace: uri *****319 # o /etc/{nss-ldapd,nslcd}.conf 320 # replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ 282 321 # with: uri ldap://scripts.mit.edu/ 283 322 # o /etc/openldap/ldap.conf … … 285 324 # BASE dc=scripts,dc=mit,dc=edu 286 325 # o /etc/httpd/conf.d/vhost_ldap.conf 287 # replace: VhostLDAPUrl ****326 # replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" 288 327 # with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" 289 328 # o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf 290 # replace: server_host *****329 # replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ 291 330 # with: server_host = ldap://scripts.mit.edu 292 331 # to use scripts.mit.edu instead of localhost. 293 332 # XXX: someone should write sed scripts to do this 294 333 295 # [ TEST SERVER] If you are setting up a test server, afsagent's cronjob296 # will attempt to be renewing with the wrong credentials297 # (daemon.scripts). Change this:334 # [WIZARD/TESTSERVER] If you are setting up a non-production server, 335 # afsagent's cronjob will attempt to be renewing with the wrong 336 # credentials (daemon.scripts). Change this: 298 337 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 299 338 300 # Set up replication (see ./install-ldap).339 # [PRODUCTION] Set up replication (see ./install-ldap). 
301 340 # You'll need the LDAP keytab for this server: be sure to chown it 302 341 # fedora-ds after you create the fedora-ds user … … 310 349 service nscd start 311 350 service postfix start 312 service httpd start313 chkconfig dirsrv on314 351 chkconfig nslcd on 315 352 chkconfig nscd on 316 353 chkconfig postfix on 354 355 # [PRODUCTION] 356 chkconfig dirsrv on 357 358 # [PRODUCTION/TESTSERVER] 359 # (Maybe WIZARD too once we start doing strange things to autoupgrade 360 # installs behind firewalls.) 361 service httpd start # will fail if AFS is not running 317 362 chkconfig httpd on 318 363 … … 320 365 chkconfig nrpe on 321 366 322 # Check sql user credentials (needs to be done after LDAP is setup) 367 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP 368 # is setup) 323 369 chown sql /etc/sql-mit-edu.cfg.php 324 370 … … 348 394 # Some usual candidates for clobbering include nsswitch.conf and 349 395 # sysconfig/openafs 396 # [WIZARD/TEST] Remember that changes you made should not get 397 # reverted! 350 398 351 399 # ThisCell got clobbered, replace it with athena.mit.edu … … 360 408 # o your lvm thingies; probably don't need to edit 361 409 362 # [TEST SERVER] More stuff for test servers 363 # - You need a self-signed SSL cert. Generate with: 410 # [TESTERVER] 411 # - You need a self-signed SSL cert or Apache will refuse to start 412 # or do SSL. Generate with: 364 413 openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes 365 # Also make /etc/pki/tls/certs/ca.pem match up 414 # Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the 415 # incant for that?) 416 417 # [TESTSERVER] More stuff for test servers 366 418 # - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people 367 419 # - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
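Review bot: the [WIZARD] entry in the new Notation block (new lines 7-12) repeats "bits, among other restricted permissions" four times, which reads like a paste error; collapse it to a single line, e.g. `# [WIZARD] Semi-production server that will only have daemon.scripts-security-upd bits, among other restricted permissions`. Since the rest of the patch relies on these tags being greppable, the block should also be the only place they are defined, so later variants of the spelling should be reconciled against it.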
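Review bot: the rationale for gating `.ldapvirc` behind [PRODUCTION] (new lines 59-60, "sensitive data ... should only be pushed onto production servers") applies at least as strongly to `.ssh`, which new lines 66-67 still copy recursively to every server type, including the "Completely untrusted" [TESTSERVER]; either tag the `.ssh` copy the same way or say what the directory contains so a reader knows it is safe to push everywhere. The two-hop copy on new lines 69-70 also leaves `.ldapvirc` in the admin's working directory on the trusted machine after the push; add an `rm .ldapvirc` once the second `scp` succeeds.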
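Review bot: the [TESTSERVER] block still ends in the `XXX TODO COMMANDS` placeholder (new line 171) for the /etc/sysconfig/openafs edits the comment says are required, so the step is not actionable; at minimum name the parameters to change. Note also that new line 170 simply overwrites the cacheinfo written unconditionally on line 162, so the [PRODUCTION/WIZARD] tag on line 160 really means "all servers, then test servers override it"; saying so would stop a reader from skipping line 162 on a test box.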
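Review bot: `daemon.keytab` is dropped from the fetch on new line 272, but the new block on lines 291-292 runs `k5srvutil list -f daemon.keytab` and `scp daemon.keytab root@$server:/etc` without saying where the per-type keytab comes from; since lines 288-290 say [PRODUCTION], [WIZARD] and [TESTSERVER] each carry a different principal, add a line stating which host or process supplies each one. The comment on new line 294 (`will be daemon.scripts-test for test`) is now redundant with lines 288-290 and omits the WIZARD case; drop it. Incidentally, removing the old line 250 also fixes the missing space in `daemon.keytabsignup-ldap-pw`, which would have made that `scp` fail.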
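Review bot: now that the real values are spelled out (new lines 320, 326, 329), the replace/with pairs are concrete enough to resolve the `XXX: someone should write sed scripts to do this` on line 332; the `uri` and `VhostLDAPUrl` cases are single-line substitutions. The postfix pair is inconsistent: new line 329 shows `server_host ldapi://...` while line 330 shows `server_host = ldap://scripts.mit.edu`, so one side has the wrong syntax for the `.cf` file. Also, `\rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}` (line 316) silently discards whatever addresses those aliases carried; listing them in the comment would let a reader confirm nothing else on a WIZARD box depends on them.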
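Review bot: `vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu` (new line 337) says what to replace but not what to replace it with; state which principal it should become for each type (daemon.scripts-security-upd on a WIZARD server, daemon.scripts-test on a TESTSERVER, per the Notation block), or turn the edit into a `sed -i` with the principal as a variable so it stays consistent with the keytab installed earlier.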
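Review bot: `service httpd start # will fail if AFS is not running` (new line 361) runs under the `set -e -x` on line 15, so a reader who followed the earlier advice to postpone starting OpenAFS after a kernel update will have the walkthrough abort here; either move the httpd start after the OpenAFS retry or have the comment say to skip it in that case. The dirsrv/httpd split itself looks right: enabling `nslcd` for all types while keeping `chkconfig dirsrv on` [PRODUCTION]-only matches the "use another server for LDAP" instructions above.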
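Review bot: `[WIZARD/TEST]` on new line 396 does not match the `[TESTSERVER]` tag defined in the Notation block; use `[WIZARD/TESTSERVER]` so a grep for the tag finds this reminder too.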
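Review bot: `[TESTERVER]` on new line 410 is a typo for `[TESTSERVER]`. The `openssl req -new -x509 ... -nodes` on line 413 has neither `-days` nor `-subj`, so it prompts interactively and issues a certificate with OpenSSL's default 30-day validity, after which the test server's Apache will stop serving TLS again; add `-days` (and `-subj` if the line is meant to be scriptable). For the `XXX what's the incant for that?` on lines 414-415: a self-signed certificate is its own issuer, so copying `/etc/pki/tls/certs/scripts.cert` to `/etc/pki/tls/certs/ca.pem` is one way to make them match up.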