Changeset 2066 for trunk/server/doc


Timestamp: Nov 22, 2011, 12:45:17 AM
Author: achernya
Message: Merge branches/fc15-dev to trunk
Location: trunk
Files: 6 edited, 1 copied

  • trunk

  • trunk/server/doc/install-fedora

    r1698 r2066  
    66    lvcreate -n $MACHINE-root --size 50.00G $HOST
    77    lvcreate -n $MACHINE-swap --size 10.00G $HOST
     8    lvcreate -n $MACHINE-cache --size 11.00G $HOST
     9
     10/-------------------------------------------------------------------\
     11    Note: If you need to manually format the the swap and cache
     12    partitions (for example, you are migrating a host from 'migrate'),
     13    these commands should work.  If in doubt, consult the kickstart.
     14
     15        # Use fdisk to generate a DOS partition table, and a single
     16        # partition extending the entire volume.
     17        fdisk /dev/$HOST/$MACHINE-swap
     18        fdisk /dev/$HOST/$MACHINE-cache
     19        # Figure out what kpartx is going to make the devices as
     20        # (e.g. $SWAP_DEV and $CACHE_DEV)
     21        kpartx -l /dev/$HOST/$MACHINE-swap
     22        kpartx -l /dev/$HOST/$MACHINE-cache
     23        # Read out the partition tables
     24        kpartx -a /dev/$HOST/$MACHINE-swap
     25        kpartx -a /dev/$HOST/$MACHINE-cache
     26
     27        # FORMAT!
     28        mkswap $SWAP_DEV
     29        mkfs.ext4 -O ^has_journal -m 0 -N 1000000 $CACHE_DEV
     30
     31        # Remove the devices
     32        kpartx -d /dev/$HOST/$MACHINE-swap
     33        kpartx -d /dev/$HOST/$MACHINE-cache
     34\-------------------------------------------------------------------/
     35
     36Make sure that the console has an entry for this host:
     37
     38    vim /etc/conserver/conserver.cf
     39
     40If it doesn't, add:
     41
     42    console $MACHINE {
     43        master $HOST;
     44        include xen;
     45    }
    846
    947We use Kickstart to to initial Fedora configuration.  Installing a new
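Review bot: "format the the swap" in the boxed Note doubles "the". More importantly, $SWAP_DEV and $CACHE_DEV are consumed by mkswap and mkfs.ext4 but never assigned; the comment only says to read them off `kpartx -l`, so consider spelling out what the resulting device name looks like, or an explicit `SWAP_DEV=...` line, because the FORMAT! step is irreversible and a wrong guess formats some other block device. A `blkid` on both devices just before the mkswap/mkfs.ext4 lines would be a cheap check that the target is not already populated.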
  • trunk/server/doc/install-howto.sh

    r1961 r2066  
    77# [WIZARD]     Semi-production server that will only have
    88#              daemon.scripts-security-upd bits, among other
    9 #              restricted permissions bits, among other
    10 #              restricted permissions bits, among other
    11 #              restricted permissions bits, among other
    129#              restricted permissions
    1310# [TESTSERVER] Completely untrusted server
    14 
    15 set -e -x
    16 
    17 # Some commands should be run as the scripts-build user, not root.
    18 
    19 alias asbuild="sudo -u scripts-build"
    20 
    21 # Old versions of this install document advised setting
    22 # NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
    23 # yum, warning that useradd will query LDAP in a stupid way that makes
    24 # it hang forever.  As of Fedora 13, this does not seem to be a problem,
    25 # so it's been removed from the instructions.  If an install is hanging,
    26 # though, try adding NSS_NONLOCAL_IGNORE.
    2711
    2812# This is actually just "pick an active scripts server".  It can't be
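Review bot: the NSS_NONLOCAL_IGNORE troubleshooting note removed here (old 21-26) was the only hint for useradd hanging on LDAP lookups, and the file still runs useradd at new line 215; keep it as a comment unless the hang is confirmed gone on Fedora 15. Dropping `set -e -x` also means a failed step no longer stops a run; if the file is now a paste-along document rather than something executed top to bottom, a header comment saying so would explain the change. The asbuild alias removed here reappears at new line 317 next to its first use, which is fine.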
     
    4125server=YOUR-SERVER-NAME-HERE
    4226
    43 # Start with a Scripts kickstarted install of Fedora (install-fedora)
    44 
    45 # Take updates, reboot if there's a kernel update.
    46     yum update -y
    47 
    48 # Get rid of network manager
    49     yum remove NetworkManager
    50 
    51 # Copy over root's dotfiles from one of the other machines.
    52 # Perhaps a useful change is to remove the default aliases
    53     cd /root
    54     ls -l .bashrc
    55     ls -l .screenrc
    56     ls -l .ssh
    57     ls -l .vimrc
    58     ls -l .k5login
    59     # [PRODUCTION] This rc file has sensitive data on it and should only
    60     # be pushed onto production servers.
    61     ls -l .ldapvirc
    62     # Trying to scp from server to server won't work, as scp
    63     # will attempt to negotiate a server-to-server connection.
    64     # Instead, scp to your trusted machine as a temporary file,
    65     # and then push to the other server
    66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
    67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
    68 # [PRODUCTION]
    69 scp root@$source_server:~/.ldapvirc .
    70 scp .ldapvirc root@$server:~
    71 
    72 # Install the initial set of credentials (to get Kerberized logins once
    73 # krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
    74 #   o Install the machine keytab.
    75     ls -l /etc/krb5.keytab
    76 #     Use ktutil to combine the host/scripts.mit.edu and
    77 #     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
    78 #     the keytab.  Do not use 'k5srvutil change' on the combined keytab
    79 #     or you'll break the other servers. (real servers only).  Be
    80 #     careful about writing out the keytab: if you write it to an
    81 #     existing file the keys will just get appended.  The correct
    82 #     credential list should look like:
    83 #       ktutil:  l
    84 #       slot KVNO Principal
    85 #       ---- ---- ---------------------------------------------------------------------
    86 #          1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
    87 #          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
    88 #          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
    89 #   o [PRODUCTION] Replace the ssh host keys with the ones common to all
    90 #     scripts servers (real servers only)
    91     ls -l /etc/ssh/*key*
    92 #     You can do that with:
    93 scp root@$source_server:/etc/ssh/*key* .
    94 scp *key* root@$server:/etc/ssh/
    95     service sshd reload
    96 
    97 # Check out the scripts /etc configuration
    98     # backslash to make us not use the alias
    99     cd /root
    100     \cp -a etc /
    101     chmod 0440 /etc/sudoers
    102 
     27# ----------------------------->8--------------------------------------
     28#                       FIRST TIME INSTRUCTIONS
     29#
    10330# [PRODUCTION] If this is the first time you've installed this hostname,
    10431# you will need to update a bunch of files to add support for it. These
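Review bot: the deleted dotfile block (old 59-61) carried the only statement that .ldapvirc holds sensitive data and must be pushed to production servers only; nothing added in this changeset restates it, while install-ldap still sends readers to ~/.ldapvirc for the directory manager password. Please keep that caveat wherever dotfile copying now lives. The same block's `service sshd reload` after swapping in the shared host keys (old 93-95) also has no visible replacement; if credit-card (`python host.py push $server`, new 218) now handles host keys and the machine keytab, the FIRST TIME header should say so rather than leaving the reader to search for it.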
     
    12047#   o Set up Nagios monitoring on sipb-noc for the host
    12148#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
    122     XXX TODO COMMANDS
    123 
    124 # NOTE: You will have just lost DNS resolution and the ability
    125 # to do password SSH in.  If you managed to botch this step without
    126 # having named setup, you can do a quick fix by frobbing /etc/resolv.conf
    127 # with a non 127.0.0.1 address for the DNS server.  Be sure to revert it once
    128 # you have named.
    129 
    130 # NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
    131 # password auth) and /etc/pam.d/sshd (comment out the first three auth
    132 # lines).  However, you should have the Kerberos credentials in place
    133 # so as soon as you install the full set of Scripts packages, you'll get
    134 # Kerberized logins.
    135 
    136 # Make sure network is working.  If this is a new server name, you'll
    137 # need to add it to /etc/hosts and
    138 # /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
     49#   o Update locker/etc/known_hosts
     50#
     51# You will also need to prepare the keytabs for credit-card.  In particular,
     52# use ktutil to combine the host/scripts.mit.edu and
     53# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
     54# the keytab.  Do not use 'k5srvutil change' on the combined keytab
     55# or you'll break the other servers. (real servers only).  Be
     56# careful about writing out the keytab: if you write it to an
     57# existing file the keys will just get appended.  The correct
     58# credential list should look like:
     59#   ktutil:  l
     60#   slot KVNO Principal
     61#   ---- ---- ---------------------------------------------------------------------
     62#      1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
     63#      2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
     64#      3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
     65#
     66# The LDAP keytab should be by itself, so be sure to delete it and
     67# put it in its own file.
     68
     69# ----------------------------->8--------------------------------------
     70#                      INFINITE INSTALLATION
     71
     72# Start with a Scripts kickstarted install of Fedora (install-fedora)
     73
     74# Take updates, reboot if there's a kernel update.
     75    yum update -y
     76
     77# Get rid of network manager (XXX figure out to make kickstarter do
     78# this for us)
     79    yum remove NetworkManager
     80
     81# Make sure sendmail isn't installed
     82    yum remove sendmail
     83
     84# Check out the scripts /etc configuration
     85    cd /root
     86    \cp -a etc /
     87    chmod 0440 /etc/sudoers
     88
     89# Make sure network is working.  Kickstart should have
    13990# configured eth0 and eth1 correctly; use service network restart
    140 # to add the new routes in route-eth1.
    141     service network restart
     91# to add the new routes from etc in route-eth1.
     92    systemctl restart network.service
     93    # Check everything worked:
    14294    route
    14395    ifconfig
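Review bot: the comment at new line 90 still says "use service network restart" while the command under it is now `systemctl restart network.service`; update the comment so the two agree. The deleted NOTE blocks (old 124-134) were the recovery procedure for losing DNS and password SSH after copying /etc over; if that failure mode still exists, keep at least a pointer to it, since the recovery involved re-enabling password auth in sshd_config and editing /etc/pam.d/sshd, a temporary weakening that has to be reverted and is easy to forget without written steps. The ktutil block (new 51-64) is a near-verbatim move of old 76-88, which is fine, but its "(real servers only)" qualifier now sits inside a section that new line 30 already scopes to [PRODUCTION], so one of the two can go.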
     
    151103    # Some of these packages are naughty and clobber some of our files
    152104    cd /etc
    153     svn revert resolv.conf hosts sysconfig/openafs
     105    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
    154106
    155107# Replace rsyslog with syslog-ng by doing:
    156108    rpm -e --nodeps rsyslog
    157109    yum install -y syslog-ng
    158     chkconfig syslog-ng on
    159 
    160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
    161 # mapping.
    162     echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
    163     echo "athena.mit.edu" > /usr/vice/etc/ThisCell
    164 
    165 # [TESTSERVER] If you're installing a test server, this needs to be
    166 # much smaller; the max filesize on XVM is 10GB.  Pick something like
    167 # 500000. Also, some of the AFS parameters are kind of retarded (and if
    168 # you're low on disk space, will actually exhaust our inodes).  Edit
    169 # these parameters in /etc/sysconfig/openafs
    170     echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
    171     XXX TODO COMMANDS
    172 
    173 # Test that zephyr is working
    174     chkconfig zhm on
    175     service zhm start
    176     echo 'Test!' | zwrite -d -c scripts -i test
     110    systemctl enable syslog-ng.service
    177111
    178112# Install the full list of RPMs that users expect to be on the
     
    184118# it can't install /one/ package.
    185119    yum install -y --skip-broken $(cat packages.txt)
    186 
    187 # Make sure sendmail isn't installed
    188     yum remove sendmail
    189120
    190121# Check which packages are installed on your new server that are not
     
    204135# explicit versions.  So temporarily rpm -e the package, and then
    205136# install it again after you install haskell-platform.  [Note: You
    206 # probably won't need this in Fedora 15 or something, when the Haskell
     137# probably won't need this in Fedora 17 or something, when the Haskell
    207138# Platform gets updated.]
    208139    rpm -e ghc-cgi-devel ghc-cgi
     
    212143    rpm -i ghc-cgi*1.8.1*.rpm
    213144
    214 # Check out the scripts /usr/vice/etc configuration
    215     cd /root/vice
    216     \cp -a etc /usr/vice
     145# ----------------------------->8--------------------------------------
     146#                      SPHEROID SHENANIGANS
     147
     148# Note: Since ultimately we'd like to move away from using per-language
     149# package manager and all of these be RPMs, it is of questionable
     150# importance how much /good/ automation for these is necessary.
     151
     152# Warning: For a new release, we're supposed to check if Fedora has
     153# packaged up the RPM.  Unfortunately we don't really have good incants
     154# for this.
    217155
    218156# Install the full list of perl modules that users expect to be on the
     
    242180#   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
    243181#   easier.)
    244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
     182# 'easy_install AuthKit jsonlib2 pygit'
     183cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
    245184    cat egg.txt | xargs easy_install -Z
     185
    246186# - Look at `gem list` for Ruby gems.
    247187#   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
    248188#       ezyang: rspec-rails depends on rspec, and will override the Yum
    249189#       package, so... don't use that RPM yet
     190# XXX This doesn't do the right thing for old version gems
    250191gem list --no-version > gem.txt
    251192    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
     193    # Also, we need to install the old rails version
     194    gem install -v=2.3.5 rails
     195
    252196# - Look at `pear list` for Pear fruits (or whatever they're called).
    253197#   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
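Review bot: `gem install -v=2.3.5 rails` (new 194) pins an old Rails release on every new server with no comment on why it is still needed or who tracks security updates for it; please add that rationale next to the line. The bare `# 'easy_install AuthKit jsonlib2 pygit'` comment (new 182) likewise does not say whether it is a command to run or a list that egg.txt is expected to contain. The `XXX This doesn't do the right thing for old version gems` note (new 190) confirms the `grep -Fxvf` comparison is version-blind, so a pinned old version like this one is exactly the case the loop misses and the explicit install line should stay next to it.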
     
    258202    pear channel-update pear.php.net
    259203    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
     204
    260205# - Look at `pecl list` for PECL things.  'yum search', and if you must,
    261206#   'pecl install' needed items. If it doesn't work, try 'pear install
     
    264209    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
    265210
    266 # Setup some Python config
    267     echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
    268 
    269 # [PRODUCTION] Install the credentials.  There are a lot of things to
    270 # remember here.  Be sure to make sure the permissions match up (ls -l
    271 # on an existing server!).
    272 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
    273 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
    274 scp scripts.key root@$server:/etc/pki/tls/private
    275 scp .k5login root@$server:/home/logview
    276 #   o The SSL cert private key (real servers only)
    277     ls -l /etc/pki/tls/private/scripts.key
    278 #   o The LDAP password for the signup process (real servers only)
    279     ls -l /etc/signup-ldap-pw
    280 #   o The whoisd password (real servers only)
    281     ls -l /etc/whoisd-password
    282 #   o Make sure logview's .k5login is correct (real servers only)
    283     cat /home/logview/.k5login
    284 
    285 # All types of servers will have an /etc/daemon.keytab file, however,
    286 # different types of server will have different credentials in this
    287 # keytab.
    288 #   [PRODUCTION] daemon.scripts
    289 #   [WIZARD]     daemon.scripts-security-upd
    290 #   [TESTSERVER] daemon.scripts-test
    291 k5srvutil list -f daemon.keytab
    292 scp daemon.keytab root@$server:/etc
    293     chown afsagent:afsagent /etc/daemon.keytab
    294 #   o The daemon.scripts keytab (will be daemon.scripts-test for test)
    295     ls -l /etc/daemon.keytab
    296 
    297 # Spin up OpenAFS.  This will fail if there's been a new kernel since
    298 # when you last tried.  In that case, you can hold on till later to
    299 # start OpenAFS.  This will take a little bit of time;
    300     service openafs-client start
    301 # Then, check that fs sysname is correct.  You should see, among others,
    302 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
    303 # probably did a distro upgrade and should update /etc/sysconfig/openafs.
     211# ----------------------------->8--------------------------------------
     212#                       INFINITE CONFIGURATION
     213
     214# Create fedora-ds user (needed for credit-card)
     215useradd -u 103 -r -d /var/lib/dirsrv fedora-ds
     216
     217# Run credit-card to clone in credentials and make things runabble
     218python host.py push $server
     219
     220# This is superseded by credit-card, but only for [PRODUCTION]
     221# Don't use credit-card on [WIZARD]: it will put in the wrong creds!
     222#
     223#   # All types of servers will have an /etc/daemon.keytab file, however,
     224#   # different types of server will have different credentials in this
     225#   # keytab.
     226#   #   [PRODUCTION] daemon.scripts
     227#   #   [WIZARD]     daemon.scripts-security-upd
     228#   #   [TESTSERVER] daemon.scripts-test
     229
     230# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
     231# mapping.
     232    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
     233    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
     234# [TESTSERVER] If you're installing a test server, this needs to be
     235# much smaller; the max filesize on XVM is 10GB.  Pick something like
     236# 500000. Also, some of the AFS parameters are kind of retarded (and if
     237# you're low on disk space, will actually exhaust our inodes).  Edit
     238# these parameters in /etc/sysconfig/openafs (but wait, that won't
     239# work, will it...)
     240    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
     241    vim /etc/sysconfig/openafs
     242
     243# Test that zephyr is working
     244    systemctl enable zhm.service
     245    systemctl start zhm.service
     246    echo 'Test!' | zwrite -d -c scripts -i test
     247
     248# Check out the scripts /usr/vice/etc configuration
     249    cd /root/vice
     250    \cp -a etc /usr/vice
     251
     252# [PRODUCTION] Set up replication (see ./install-ldap).
     253# You'll need the LDAP keytab for this server: be sure to chown it
     254# fedora-ds after you create the fedora-ds user
     255    ls -l /etc/dirsrv/keytab
     256    cat install-ldap
     257
     258# Enable lots of services
     259    systemctl enable openafs-client.service
     260    systemctl enable dirsrv.service
     261    systemctl enable nslcd.service
     262    systemctl enable nscd.service
     263    systemctl enable postfix.service
     264    systemctl enable nrpe.service
     265    systemctl enable httpd.service # not for [WIZARD]
     266
     267    systemctl start openafs-client.service
     268    systemctl start dirsrv.service
     269    systemctl start nslcd.service
     270    systemctl start nscd.service
     271    systemctl start postfix.service
     272    systemctl start nrpe.service
     273    systemctl start httpd.service # not for [WIZARD]
     274
     275# Note about OpenAFS: Check that fs sysname is correct.  You should see,
     276# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
     277# not, you probably did a distro upgrade and should update
     278# /etc/sysconfig/openafs (XXX this is wrong: figuring out new
     279# systemd world order).
    304280    fs sysname
     281
     282# Postfix doesn't actually deliver mail; fix this
     283    cd /etc/postfix
     284    postmap virtual
     285
     286# Munin might not be monitoring packages that were installed after it
     287    munin-node-configure --suggest --shell | sh
     288
     289# Run fmtutil-sys --all, which does something that makes TeX work.
     290# (Note: this errors on XeTeX which is ok.)
     291    fmtutil-sys --all
     292
     293# Ensure that PHP isn't broken:
     294    mkdir /tmp/sessions
     295    chmod 01777 /tmp/sessions
     296    # XXX: this seems to get deleted if tmp gets cleaned up, so we
     297    # might need something a little better (maybe init script.)
     298
     299# Fix etc by making sure none of our config files got overwritten
     300    cd /etc
     301    svn status -q
     302    # Some usual candidates for clobbering include nsswitch.conf,
     303    # resolv.conf and sysconfig/openafs
     304    # [WIZARD/TEST] Remember that changes you made should not get
     305    # reverted!
     306
     307# Reboot the machine to restore a consistent state, in case you
     308# changed anything. (Note: Starting kdump fails (this is ok))
     309
     310# When all is said and done, fix up the Subversion checkouts
     311    cd /etc
     312    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     313    cd /usr/vice/etc
     314    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     315    cd /srv/repository
     316    # Some commands should be run as the scripts-build user, not root.
     317    alias asbuild="sudo -u scripts-build"
     318    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
     319    asbuild svn up # verify scripts.mit.edu works
     320
     321# ------------------------------->8-------------------------------
     322#                ADDENDA AND MISCELLANEOUS THINGS
     323
     324# [OPTIONAL] Your machine's hostname is baked in at install time;
     325# in the rare case you need to change it: it appears to be in:
     326#   o /etc/sysconfig/network
     327#   o your lvm thingies; probably don't need to edit
    305328
    306329# [WIZARD/TESTSERVER] If you are setting up a non-production server,
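Review bot: the manual credential steps removed here (old 269-295) included explicit permission checks (`ls -l` on scripts.key, signup-ldap-pw, whoisd-password and daemon.keytab, plus `chown afsagent:afsagent /etc/daemon.keytab`), while the replacement `python host.py push $server` (new 218) is immediately followed by a note that it is [PRODUCTION]-only and puts in the wrong creds on [WIZARD]; the commented-out block at new 223-228 lists which keytab each server class needs but no longer says how to install it or what ownership it should have. Keep a post-push verification list (the old `ls -l` lines and the chown) for all server classes. Smaller points: "runabble" at new 217 should be "runnable"; the python2.6 00scripts-home.pth setup (old 266-267) is removed with no python2.7 equivalent in this hunk, although new line 183 already moved egg handling to python2.7; `systemctl enable dirsrv.service` (new 260) is now unconditional where the old chkconfig line was tagged [PRODUCTION]; and the `# not for [WIZARD]` tag on the same line as `systemctl enable httpd.service` (new 265, 273) is easy to paste along with the command, unlike the old block that kept the tag on its own line.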
     
    337360    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
    338361
    339 # [PRODUCTION] Set up replication (see ./install-ldap).
    340 # You'll need the LDAP keytab for this server: be sure to chown it
    341 # fedora-ds after you create the fedora-ds user
    342     ls -l /etc/dirsrv/keytab
    343     cat install-ldap
    344 
    345 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
    346 # boot. Run chkconfig to make sure the set of services to be run is
    347 # correct.
    348     service nslcd start
    349     service nscd start
    350     service postfix start
    351     chkconfig nslcd on
    352     chkconfig nscd on
    353     chkconfig postfix on
    354 
    355 # [PRODUCTION]
    356     chkconfig dirsrv on
    357 
    358 # [PRODUCTION/TESTSERVER]
    359 # (Maybe WIZARD too once we start doing strange things to autoupgrade
    360 # installs behind firewalls.)
    361     service httpd start # will fail if AFS is not running
    362     chkconfig httpd on
    363 
    364 # nrpe is required for nagios alerts
    365     chkconfig nrpe on
    366 
    367 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP
    368 # is setup)
    369     chown sql /etc/sql-mit-edu.cfg.php
    370 
    371 # Postfix doesn't actually deliver mail; fix this
    372     cd /etc/postfix
    373     postmap virtual
    374 
    375 # Munin might not be monitoring packages that were installed after it
    376     munin-node-configure --suggest --shell | sh
    377 
    378 # Run fmtutil-sys --all, which does something that makes TeX work.
    379 # (Note: this errors on XeTeX which is ok.)
    380     fmtutil-sys --all
    381 
    382 # Ensure that PHP isn't broken:
    383     mkdir /tmp/sessions
    384     chmod 01777 /tmp/sessions
    385     # XXX: this seems to get deleted if tmp gets cleaned up, so we
    386     # might need something a little better (maybe init script.)
    387 
    388 # Ensure fcgid isn't broken (should be 755)
    389     ls -ld /var/run/mod_fcgid
    390 
    391 # Fix etc by making sure none of our config files got overwritten
    392     cd /etc
    393     svn status -q
    394     # Some usual candidates for clobbering include nsswitch.conf and
    395     # sysconfig/openafs
    396     # [WIZARD/TEST] Remember that changes you made should not get
    397     # reverted!
    398 
    399 # ThisCell got clobbered, replace it with athena.mit.edu
    400     echo "athena.mit.edu" > /usr/vice/etc/ThisCell
    401 
    402 # Reboot the machine to restore a consistent state, in case you
    403 # changed anything. (Note: Starting kdump fails (this is ok))
    404 
    405 # [OPTIONAL] Your machine's hostname is baked in at install time;
    406 # in the rare case you need to change it: it appears to be in:
    407 #   o /etc/sysconfig/network
    408 #   o your lvm thingies; probably don't need to edit
    409 
    410362# [TESTERVER]
    411363#   - You need a self-signed SSL cert or Apache will refuse to start
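Review bot: "[TESTERVER]" at new line 362 (unchanged context) is missing an S; the bracketed tags are what readers grep for to find the steps for their server class, so the typo makes this block easy to miss. The blocks removed here (replication, service startup, postfix, munin, TeX, PHP sessions, svn status) reappear under INFINITE CONFIGURATION at new 252-308, except for the `chown sql /etc/sql-mit-edu.cfg.php` step (old 367-369), the fcgid permission check (old 388-389) and the ThisCell fix-up (old 399-400), which have no replacement; if they were dropped on purpose, say so, otherwise they belong in the new section.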
     
    420372#     be an accepted vhost name
    421373#   - Look at the old test server and see what config changes are floating around
    422 
    423 # XXX: our SVN checkout should be updated to use scripts.mit.edu
    424 # (repository and etc) once serving actually works.
    425     cd /etc
    426     svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
    427     cd /usr/vice/etc
    428     svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
    429     cd /srv/repository
    430     asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
    431     asbuild svn up # verify scripts.mit.edu works
  • trunk/server/doc/install-ldap

    r1986 r2066  
    1 To set up a new LDAP server:
    2 
    3 - Install the RPM 389-ds-base with yum (these are installed by kickstart
    4   these days, so these two steps are probably not necessary)
    5   root# yum install -y 389-ds-base
    6   root# yum install -y policycoreutils-python
    7   root# yum install -y ldapvi
    8 - We want to run the directory server as its own user, so create fedora-ds
    9   root# useradd -r -d /var/lib/dirsrv fedora-ds
    10 - Temporarily move away the existing slapd-scripts folder
    11   root# mv /etc/dirsrv/slapd-scripts{,.bak}
    12 - root# /usr/sbin/setup-ds.pl
    13     - Choose a typical install
    14     - Tell it to use the fedora-ds user and group
    15     - Directory server identifier: scripts
    16         Needed to remove this from the config file first
    17     - Suffix: dc=scripts,dc=mit,dc=edu
    18     - Input directory manager password
    19       (this can be found in  ~/.ldapvirc)
    20 - Move the schema back
    21   root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
    22   root# rm -Rf /etc/dirsrv/slapd-scripts.bak
    23 - Turn dirsrv off: service dirsrv stop
    24 - Apply the following configuration changes.  If you're editing
    25   dse.ldif, you don't want dirsrv to be on, otherwise it will
    26   overwrite your changes. [XXX: show how to do these changes with
    27   dsconf, which is the "blessed" method]
     1# To set up a new LDAP server:
     2
     3# Temporarily move away the existing slapd-scripts folder
     4mv /etc/dirsrv/slapd-scripts{,.bak}
     5
     6# Setup directory server
     7/usr/sbin/setup-ds.pl
     8#   - Choose a typical install
     9#   - Tell it to use the fedora-ds user and group
     10#   - Directory server identifier: scripts
     11#   - Suffix: dc=scripts,dc=mit,dc=edu
     12#   - Input directory manager password
     13#     (this can be found in  ~/.ldapvirc)
     14
     15# Move the schema back
     16cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts
     17rm -Rf /etc/dirsrv/slapd-scripts.bak
     18
     19# Turn dirsrv off:
     20systemctl stop dirsrv.service
     21
     22# Apply the following configuration changes.  If you're editing
     23# dse.ldif, you don't want dirsrv to be on, otherwise it will
     24# overwrite your changes. [XXX: show how to do these changes with
     25# dsconf, which is the "blessed" method, although it seems
     26# dsconf only exists for Red Hat]
     27
     28vim /etc/dirsrv/slapd-scripts/dse.ldif
     29<<<EOF
    2830
    2931# Inside cn=config.  These changes definitely require a restart.
    30 nsslapd-ldapifilepath: /var/run/slapd-scripts.socket
    3132nsslapd-ldapilisten: on
    3233nsslapd-syntaxcheck: off
     34
     35# We need to turn off syntax check because our schema is wrong and too
     36# restrictive on some value. This should get fixed.
    3337
    3438# Add these blocks
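Review bot: the `<<<EOF` and `EOF;` markers around the dse.ldif edit (new 29, 52) are not shell syntax: `<<<` is a here-string, not a heredoc opener, and `EOF;` would never terminate one, so if this file is now meant to be runnable like install-howto.sh it fails at this point, and if the markers only mean "paste this into vim" a comment should say so. Also, `nsslapd-ldapifilepath: /var/run/slapd-scripts.socket` (old 30) is dropped while `nsslapd-ldapilisten: on` stays; please confirm the default socket path is what the LDAPI clients expect, or keep the explicit line. `nsslapd-syntaxcheck: off` now carries an explanation, which is good; since it disables server-side validation of attribute values, the "This should get fixed" comment deserves an owner or ticket reference.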
     
    4650nsSaslMapFilterTemplate: (objectClass=posixAccount)
    4751
    48 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab.  Make
    49   sure you chown/chgrp it to be readable by fedora-ds
    50 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME
    51 - chown fedora-ds:fedora-ds /var/run/dirsrv
    52 - chown fedora-ds /etc/dirsrv/keytab
    53 - /sbin/service dirsrv start
    54 - Use ldapvi -b cn=config to add these indexes (8 of them):
     52EOF;
     53
     54systemctl start dirsrv.service
     55
     56ldapvi -b cn=config
     57# Add these indexes (8 of them):
     58
     59<<<EOF
    5560
    5661add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
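Review bot: the keytab steps removed here (old 48-53: place ldap/hostname.mit.edu in /etc/dirsrv/keytab, chown it to fedora-ds, set and export KRB5_KTNAME in /etc/sysconfig/dirsrv, chown /var/run/dirsrv) are replaced by a bare `systemctl start dirsrv.service`. install-howto.sh in this changeset (new 252-256) only says to chown the keytab and `ls -l` it; the KRB5_KTNAME export and the /var/run/dirsrv ownership have no visible replacement. Those lines are what let dirsrv find its keytab for the GSSAPI replication configured later in this file, and the ownership is what keeps the keytab unreadable to other local users, so either restore them here or point to where they now live.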
     
    117122nsIndexType: eq
    118123nsIndexType: pres
     124
     125EOF;
    119126
    120127- Build the indexes for all the fields:
     
    181188
    182189  Here's how you do it.
     190
     191  NOTE: There's this spiffy new tool MMR hammer which automates some of
     192  this process.  Check the "MMR Hammer" sections to see how.  Install it
     193  here:  https://github.com/ezyang/mmr-hammer
    183194
    184195    0. Tell -c scripts not to go off and reboot servers until you're
     
    209220nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
    210221nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
     222nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu
    211223nsds5ReplicaPurgeDelay: 604800
    212224nsds5ReplicaLegacyConsumer: off
     
    223235       for just $MASTER.
    224236
     237       REMEMBER: You need to use FOO.mit.edu for the names!  Otherwise you will get
     238       unauthorized errors.
     239
    225240add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu
    226241uid: ldap/$MASTER
     
    245260       risky step of the process; see below for help debugging problems.
    246261
    247        WARNING: There is a known bug doing full updates from 1.2.6 to
    248        1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852
     262       MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE
     263
     264        ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config
    249265
    250266add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
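Review bot: the WARNING about full updates between 1.2.6 servers (old 247-248, bugzilla 637852) is removed without saying whether the bug is fixed in the 389-ds shipped with Fedora 15 or simply no longer applies; a one-line note naming the version that resolved it would keep the next upgrader from rediscovering it. The mmr-hammer shortcut added above the manual ldapvi step is welcome, but the surrounding text still calls this the "risky step of the process" (new 260), so the note should say whether mmr-hammer performs the same initialization or skips it.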
     
    268284    If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER
    269285    for more information.  It might be because fedora-ds can't read
    270     /etc/dirsrv/keytab
     286    /etc/dirsrv/keytab or because you setup the account on the SLAVE
     287    incorrectly.
    271288
    272289    6. Replicate in the other direction.  On $MASTER, add $SLAVE
    273290    as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config
    274     Also, add an account for $SLAVE
     291    Also, add an account for $SLAVE if it doesn't exist already.
    275292
    276293add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu
     
    280297
    281298    On $SLAVE,
     299
     300       MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER
    282301
    283302add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config
     
    308327    new server.
    309328
     329    With MMR hammer, that's something like:
     330
     331        for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done
     332
    310333    8. If at this point you look at the new server's changelog with
    311334    cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you
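Review bot: in `for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done` (new 331) each server is handed the full $SERVER_NAMES list, which includes itself; unless mmr-hammer skips the self-entry, this asks every server to create a replication agreement to itself. Either filter $i out of the list inside the loop or note that the tool tolerates it.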
     
    316339    also good for making sure the replication agreements actually work.
    317340
     341    With MMR hammer, that's something like:
     342
     343        for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done
     344
    318345Troubleshooting
    319346===============
  • trunk/server/doc/package-build-howto

    r1712 r2066  
    5050
    5151  * # Rebuild the repo metadata to include the new packages.
    52     cd /mit/scripts/rpm-fc[RELEASE]
     52    cd /mit/scripts/yum-repos/rpm-fc[RELEASE]
    5353    # If you have a trusted machine:
    54     createrepo .
     54    createrepo -d .
    5555    # Otherwise, on a scripts server, as root:
    5656    mkdir /root/repodata-YYYYMMDD # Or any suitable temp directory
    57     createrepo -o /root/repodata-YYYYMMDD .
     57    createrepo -d -o /root/repodata-YYYYMMDD .
    5858    # Then from your trusted machine
    5959    krootscp -r root@[BUILD-SERVER]:/root/repodata-YYYYMMDD /mit/scripts/rpm-fc[RELEASE]
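Review bot: the `cd` at new 52 moves the repo to /mit/scripts/yum-repos/rpm-fc[RELEASE], but the krootscp target at line 59 (unchanged) still copies repodata to /mit/scripts/rpm-fc[RELEASE]; if the repos really moved, the metadata generated with `createrepo -d` lands in the old location. Update line 59 to the yum-repos path, or state that the old path is still valid.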
  • trunk/server/doc/upgrade-tips

    r1695 r2066  
    159159/mit/scripts/rpm-fcXX-testing) needs to be made.  It's quite simple;
    160160all you need to do is copy the RPMs from the build server to there
    161 (probably going through a trusted machine, since you don't want to
    162 put your root tickets on a server.)  When you're done, run `createrepo`
     161(probably going through a trusted machine, since you don't want to put
     162your root tickets on a server.)  When you're done, run `createrepo -d`
    163163on the directory.
    164164
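Review bot: `createrepo -d` now matches package-build-howto, but the path on line 159 (unchanged context) still names /mit/scripts/rpm-fcXX-testing while package-build-howto in this same changeset moves the repos under /mit/scripts/yum-repos/; if the testing repo moved too, update the path here as well.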
     
    197197hysterical raisins we still refer to our 32-bit builds as i386.
    198198[XXX: Maybe this should change]
     199
     200Until we decide that the performance impact is negligible, any new PHP
     201extensions other than the few we’ve whitelisted should be disabled by
     202emptying their .ini files in /etc/php.d.
     203
     2048. Sending announcements
     205------------------------
     206
     207Once development work has finished, we need to allow users to test
     208their websites on the new servers.
     209
     210    SIPB Internal Testing: Send an email to scripts-team@mit.edu
     211    and -c sipb notifying them of testing procedure and known
     212    issues.
     213
     214    General Testing:
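Review bot: the new PHP policy (new 200-202) says extensions beyond "the few we've whitelisted" should be disabled by emptying their .ini files in /etc/php.d, but does not say where that whitelist is recorded, so the next person doing a release cannot tell which files to leave alone; name the file or list the extensions. The stated motivation is performance; attack surface is the stronger reason to keep the enabled set small, and saying so would stop the rule being dropped once the performance question is settled. The added section "8. Sending announcements" ends at "General Testing:" with nothing under it and no trailing context, so it looks unfinished.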