Timestamp:
Sep 6, 2011, 4:30:47 PM (13 years ago)
Author:
ezyang
Message:
Merge r1947-r1972 from trunk to branches/fc15-dev
Location:
branches/fc15-dev
Files:
2 edited

  • branches/fc15-dev

  • branches/fc15-dev/server/doc/install-howto.sh

    r1880 r1973  
    22# It is semi-vaguely in the form of a shell script, but is not really
    33# runnable as it stands.
     4
     5# Notation
     6# [PRODUCTION] Production server that will be put into the pool
     7# [WIZARD]     Semi-production server that will only have
     8#              daemon.scripts-security-upd bits, among other
     9#              restricted permissions bits, among other
     10#              restricted permissions bits, among other
     11#              restricted permissions bits, among other
     12#              restricted permissions
     13# [TESTSERVER] Completely untrusted server
    414
    515set -e -x
     
    2030# at localhost, and if our server is not setup at that point things
    2131# will break.
    22 source_server="cats-whiskers.mit.edu"
     32source_server="shining-armor.mit.edu"
    2333
    2434# 'branch' is the current svn branch you are on.  You want to
     
    4353    cd /root
    4454    ls -l .bashrc
    45     ls -l .ldapvirc
    4655    ls -l .screenrc
    4756    ls -l .ssh
    4857    ls -l .vimrc
    4958    ls -l .k5login
     59    # [PRODUCTION] This rc file has sensitive data on it and should only
     60    # be pushed onto production servers.
     61    ls -l .ldapvirc
    5062    # Trying to scp from server to server won't work, as scp
    5163    # will attempt to negotiate a server-to-server connection.
    5264    # Instead, scp to your trusted machine as a temporary file,
    5365    # and then push to the other server
    54 scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
    55 scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
     66scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
     67scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
     68# [PRODUCTION]
     69scp root@$source_server:~/.ldapvirc .
     70scp .ldapvirc root@$server:~
    5671
    5772# Install the initial set of credentials (to get Kerberized logins once
    5873# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
    59 #   o You probably installed the machine keytab long ago
     74#   o Install the machine keytab.
    6075    ls -l /etc/krb5.keytab
    6176#     Use ktutil to combine the host/scripts.mit.edu and
     
    7287#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
    7388#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
    74 #   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
     89#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
     90#     scripts servers (real servers only)
    7591    ls -l /etc/ssh/*key*
    7692#     You can do that with:
     
    85101    chmod 0440 /etc/sudoers
    86102
    87 # If this is the first time you've installed this hostname, you will
    88 # need to update a bunch of files to add support for it. These include:
     103# [PRODUCTION] If this is the first time you've installed this hostname,
     104# you will need to update a bunch of files to add support for it. These
     105# include:
    89106#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
    90107#     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
     
    141158    chkconfig syslog-ng on
    142159
    143 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
     160# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
     161# mapping.
    144162    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
    145163    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
    146164
    147 # [TEST SERVER] If you're installing a test server, this needs to be
     165# [TESTSERVER] If you're installing a test server, this needs to be
    148166# much smaller; the max filesize on XVM is 10GB.  Pick something like
    149167# 500000. Also, some of the AFS parameters are kind of retarded (and if
    150168# you're low on disk space, will actually exhaust our inodes).  Edit
    151169# these parameters in /etc/sysconfig/openafs
     170    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
     171    XXX TODO COMMANDS
    152172
    153173# Test that zephyr is working
     
    176196    # here's a cute script that removes all extra packages
    177197    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
     198    # 20101208 - Mysteriously we manage to get these extra packages
     199    # from kickstart: mcelog mobile-broadband-provider-info
     200    # ModemManager PackageKit
    178201
    179202# We need an upstream version of cgi which we've packaged ourselves, but
     
    219242#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
    220243#   easier.)
    221 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- . egg.txt
     244cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
    222245    cat egg.txt | xargs easy_install -Z
    223246# - Look at `gem list` for Ruby gems.
     
    241264    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
    242265
    243 # Install the credentials.  There are a lot of things to remember here.
    244 # Be sure to make sure the permissions match up (ls -l on an existing
    245 # server!).
    246 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
    247 scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
     266# [PRODUCTION] Install the credentials.  There are a lot of things to
     267# remember here.  Be sure to make sure the permissions match up (ls -l
     268# on an existing server!).
     269scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
     270scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
    248271scp scripts.key root@$server:/etc/pki/tls/private
    249272scp .k5login root@$server:/home/logview
    250     chown afsagent:afsagent /etc/daemon.keytab
    251 #   o The daemon.scripts keytab (will be daemon.scripts-test for test)
    252     ls -l /etc/daemon.keytab
    253273#   o The SSL cert private key (real servers only)
    254274    ls -l /etc/pki/tls/private/scripts.key
     
    260280    cat /home/logview/.k5login
    261281
     282# All types of servers will have an /etc/daemon.keytab file, however,
     283# different types of server will have different credentials in this
     284# keytab.
     285#   [PRODUCTION] daemon.scripts
     286#   [WIZARD]     daemon.scripts-security-upd
     287#   [TESTSERVER] daemon.scripts-test
     288k5srvutil list -f daemon.keytab
     289scp daemon.keytab root@$server:/etc
     290    chown afsagent:afsagent /etc/daemon.keytab
     291#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
     292    ls -l /etc/daemon.keytab
     293
    262294# Spin up OpenAFS.  This will fail if there's been a new kernel since
    263295# when you last tried.  In that case, you can hold on till later to
    264296# start OpenAFS.  This will take a little bit of time;
    265297    service openafs-client start
    266 
    267 # Check that fs sysname is correct.  You should see, among others,
     298# Then, check that fs sysname is correct.  You should see, among others,
    268299# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
    269300# probably did a distro upgrade and should update /etc/sysconfig/openafs.
    270301    fs sysname
    271302
    272 # [TEST SERVER] If you are setting up a test server, pay attention to
    273 # /etc/sysconfig/network-scripts and do not bind scripts' IP address.
    274 # You will also need to modify:
     303# [WIZARD/TESTSERVER] If you are setting up a non-production server,
     304# there are some services that it won't provide, and you will need to
     305# make it talk to a real server instead.  In particular:
     306#   - We don't serve the web, so don't bind scripts.mit.edu
     307#   - We don't serve LDAP, so use another server
     308# This involves editing the following files:
     309#   o /etc/sysconfig/network-scripts/ifcfg-lo:0
     310#   o /etc/sysconfig/network-scripts/ifcfg-lo:1
     311#   o /etc/sysconfig/network-scripts/ifcfg-lo:2
     312#   o /etc/sysconfig/network-scripts/ifcfg-lo:3
     313       \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
    275314#   o /etc/ldap.conf
    276315#       add: host scripts.mit.edu
    277 #   o /etc/nss-ldapd.conf
    278 #       replace: uri *****
     316#   o /etc/{nss-ldapd,nslcd}.conf
     317#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
    279318#       with: uri ldap://scripts.mit.edu/
    280319#   o /etc/openldap/ldap.conf
     
    282321#            BASE dc=scripts,dc=mit,dc=edu
    283322#   o /etc/httpd/conf.d/vhost_ldap.conf
    284 #       replace: VhostLDAPUrl ****
     323#       replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
    285324#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
    286325#   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
    287 #       replace: server_host *****
     326#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
    288327#       with: server_host = ldap://scripts.mit.edu
    289328# to use scripts.mit.edu instead of localhost.
    290329# XXX: someone should write sed scripts to do this
    291330
    292 # [TEST SERVER] If you are setting up a test server, afsagent's cronjob
    293 # will attempt to be renewing with the wrong credentials
    294 # (daemon.scripts). Change this:
     331# [WIZARD/TESTSERVER] If you are setting up a non-production server,
     332# afsagent's cronjob will attempt to be renewing with the wrong
     333# credentials (daemon.scripts). Change this:
    295334    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    296335
    297 # Set up replication (see ./install-ldap).
     336# [PRODUCTION] Set up replication (see ./install-ldap).
    298337# You'll need the LDAP keytab for this server: be sure to chown it
    299338# fedora-ds after you create the fedora-ds user
     
    307346    service nscd start
    308347    service postfix start
    309     service httpd start
    310     chkconfig dirsrv on
    311348    chkconfig nslcd on
    312349    chkconfig nscd on
    313350    chkconfig postfix on
     351
     352# [PRODUCTION]
     353    chkconfig dirsrv on
     354
     355# [PRODUCTION/TESTSERVER]
     356# (Maybe WIZARD too once we start doing strange things to autoupgrade
     357# installs behind firewalls.)
     358    service httpd start # will fail if AFS is not running
    314359    chkconfig httpd on
    315360
     
    317362    chkconfig nrpe on
    318363
    319 # Check sql user credentials (needs to be done after LDAP is setup)
     364# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
     365# is setup)
    320366    chown sql /etc/sql-mit-edu.cfg.php
    321367
     
    345391    # Some usual candidates for clobbering include nsswitch.conf and
    346392    # sysconfig/openafs
     393    # [WIZARD/TEST] Remember that changes you made should not get
     394    # reverted!
    347395
    348396# ThisCell got clobbered, replace it with athena.mit.edu
     
    357405#   o your lvm thingies; probably don't need to edit
    358406
    359 # [TEST SERVER] More stuff for test servers
    360 #   - You need a self-signed SSL cert.  Generate with:
     407# [TESTERVER]
     408#   - You need a self-signed SSL cert or Apache will refuse to start
     409#     or do SSL.  Generate with:
    361410    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
    362 #     Also make /etc/pki/tls/certs/ca.pem match up
     411#     Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the
     412#     incant for that?)
     413
     414# [TESTSERVER] More stuff for test servers
    363415#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
    364416#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
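Review bot: The new keytab block (new lines 282–292) runs `k5srvutil list -f daemon.keytab` and `scp daemon.keytab root@$server:/etc` against a local daemon.keytab, but the step that previously staged it — the daemon.keytab entry in the credentials scp from $source_server — was removed on new line 269, and the new role text only names which principal each server type should hold, not where the file is obtained for WIZARD or TESTSERVER. A line before the `k5srvutil list` such as `# [ALL] Stage the daemon.keytab for THIS server's role here; the principal k5srvutil lists must match the role above, and a production keytab must never be pushed to a WIZARD/TESTSERVER box.` would close the gap. The procedure also leaves the staged secrets (daemon.keytab, scripts.key, signup-ldap-pw, whoisd-password, .ldapvirc) as plain files in the working directory of the intermediate machine with no cleanup step; a closing `# Remove the staged credential copies from the trusted machine once pushed.` after the final `scp ... root@$server` lines would be worth adding. The `[TESTERVER]` tag on the self-signed-cert block (new line 407) looks like a typo for `[TESTSERVER]`, which matters since the bracketed tags are what readers search for.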