Timestamp:
Nov 22, 2011, 12:45:17 AM (11 years ago)
Author:
achernya
Message:
Merge branches/fc15-dev to trunk
Location:
trunk
Files:
2 edited

  • trunk

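--- a/trunk/server/doc/install-howto.sh
+++ b/trunk/server/doc/install-howto.sh
@@ -7,22 +7,6 @@
 # [WIZARD]     Semi-production server that will only have
 #              daemon.scripts-security-upd bits, among other
-#              restricted permissions bits, among other
-#              restricted permissions bits, among other
-#              restricted permissions bits, among other
 #              restricted permissions
 # [TESTSERVER] Completely untrusted server
-
-set -e -x
-
-# Some commands should be run as the scripts-build user, not root.
-
-alias asbuild="sudo -u scripts-build"
-
-# Old versions of this install document advised setting
-# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
-# yum, warning that useradd will query LDAP in a stupid way that makes
-# it hang forever.  As of Fedora 13, this does not seem to be a problem,
-# so it's been removed from the instructions.  If an install is hanging,
-# though, try adding NSS_NONLOCAL_IGNORE.
 
 # This is actually just "pick an active scripts server".  It can't be
@@ -41,64 +25,7 @@
 server=YOUR-SERVER-NAME-HERE
 
-# Start with a Scripts kickstarted install of Fedora (install-fedora)
-
-# Take updates, reboot if there's a kernel update.
-    yum update -y
-
-# Get rid of network manager
-    yum remove NetworkManager
-
-# Copy over root's dotfiles from one of the other machines.
-# Perhaps a useful change is to remove the default aliases
-    cd /root
-    ls -l .bashrc
-    ls -l .screenrc
-    ls -l .ssh
-    ls -l .vimrc
-    ls -l .k5login
-    # [PRODUCTION] This rc file has sensitive data on it and should only
-    # be pushed onto production servers.
-    ls -l .ldapvirc
-    # Trying to scp from server to server won't work, as scp
-    # will attempt to negotiate a server-to-server connection.
-    # Instead, scp to your trusted machine as a temporary file,
-    # and then push to the other server
-scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} .
-scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
-# [PRODUCTION]
-scp root@$source_server:~/.ldapvirc .
-scp .ldapvirc root@$server:~
-
-# Install the initial set of credentials (to get Kerberized logins once
-# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
-#   o Install the machine keytab.
-    ls -l /etc/krb5.keytab
-#     Use ktutil to combine the host/scripts.mit.edu and
-#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
-#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers. (real servers only).  Be
-#     careful about writing out the keytab: if you write it to an
-#     existing file the keys will just get appended.  The correct
-#     credential list should look like:
-#       ktutil:  l
-#       slot KVNO Principal
-#       ---- ---- ---------------------------------------------------------------------
-#          1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
-#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
-#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
-#   o [PRODUCTION] Replace the ssh host keys with the ones common to all
-#     scripts servers (real servers only)
-    ls -l /etc/ssh/*key*
-#     You can do that with:
-scp root@$source_server:/etc/ssh/*key* .
-scp *key* root@$server:/etc/ssh/
-    service sshd reload
-
-# Check out the scripts /etc configuration
-    # backslash to make us not use the alias
-    cd /root
-    \cp -a etc /
-    chmod 0440 /etc/sudoers
-
+# ----------------------------->8--------------------------------------
+#                       FIRST TIME INSTRUCTIONS
+#
 # [PRODUCTION] If this is the first time you've installed this hostname,
 # you will need to update a bunch of files to add support for it. These
@@ -120,24 +47,49 @@
 #   o Set up Nagios monitoring on sipb-noc for the host
 #   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
-    XXX TODO COMMANDS
-
-# NOTE: You will have just lost DNS resolution and the ability
-# to do password SSH in.  If you managed to botch this step without
-# having named setup, you can do a quick fix by frobbing /etc/resolv.conf
-# with a non 127.0.0.1 address for the DNS server.  Be sure to revert it once
-# you have named.
-
-# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
-# password auth) and /etc/pam.d/sshd (comment out the first three auth
-# lines).  However, you should have the Kerberos credentials in place
-# so as soon as you install the full set of Scripts packages, you'll get
-# Kerberized logins.
-
-# Make sure network is working.  If this is a new server name, you'll
-# need to add it to /etc/hosts and
-# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
+#   o Update locker/etc/known_hosts
+#
+# You will also need to prepare the keytabs for credit-card.  In particular,
+# use ktutil to combine the host/scripts.mit.edu and
+# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
+# the keytab.  Do not use 'k5srvutil change' on the combined keytab
+# or you'll break the other servers. (real servers only).  Be
+# careful about writing out the keytab: if you write it to an
+# existing file the keys will just get appended.  The correct
+# credential list should look like:
+#   ktutil:  l
+#   slot KVNO Principal
+#   ---- ---- ---------------------------------------------------------------------
+#      1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
+#      2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
+#      3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
+#
+# The LDAP keytab should be by itself, so be sure to delete it and
+# put it in its own file.
+
+# ----------------------------->8--------------------------------------
+#                      INFINITE INSTALLATION
+
+# Start with a Scripts kickstarted install of Fedora (install-fedora)
+
+# Take updates, reboot if there's a kernel update.
+    yum update -y
+
+# Get rid of network manager (XXX figure out to make kickstarter do
+# this for us)
+    yum remove NetworkManager
+
+# Make sure sendmail isn't installed
+    yum remove sendmail
+
+# Check out the scripts /etc configuration
+    cd /root
+    \cp -a etc /
+    chmod 0440 /etc/sudoers
+
+# Make sure network is working.  Kickstart should have
 # configured eth0 and eth1 correctly; use service network restart
-# to add the new routes in route-eth1.
-    service network restart
+# to add the new routes from etc in route-eth1.
+    systemctl restart network.service
+    # Check everything worked:
     route
     ifconfig
@@ -151,28 +103,10 @@
     # Some of these packages are naughty and clobber some of our files
     cd /etc
-    svn revert resolv.conf hosts sysconfig/openafs
+    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
 
 # Replace rsyslog with syslog-ng by doing:
     rpm -e --nodeps rsyslog
     yum install -y syslog-ng
-    chkconfig syslog-ng on
-
-# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
-# mapping.
-    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
-    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
-
-# [TESTSERVER] If you're installing a test server, this needs to be
-# much smaller; the max filesize on XVM is 10GB.  Pick something like
-# 500000. Also, some of the AFS parameters are kind of retarded (and if
-# you're low on disk space, will actually exhaust our inodes).  Edit
-# these parameters in /etc/sysconfig/openafs
-    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
-    XXX TODO COMMANDS
-
-# Test that zephyr is working
-    chkconfig zhm on
-    service zhm start
-    echo 'Test!' | zwrite -d -c scripts -i test
+    systemctl enable syslog-ng.service
 
 # Install the full list of RPMs that users expect to be on the
@@ -184,7 +118,4 @@
 # it can't install /one/ package.
     yum install -y --skip-broken $(cat packages.txt)
-
-# Make sure sendmail isn't installed
-    yum remove sendmail
 
 # Check which packages are installed on your new server that are not
@@ -204,5 +135,5 @@
 # explicit versions.  So temporarily rpm -e the package, and then
 # install it again after you install haskell-platform.  [Note: You
-# probably won't need this in Fedora 15 or something, when the Haskell
+# probably won't need this in Fedora 17 or something, when the Haskell
 # Platform gets updated.]
     rpm -e ghc-cgi-devel ghc-cgi
@@ -212,7 +143,14 @@
     rpm -i ghc-cgi*1.8.1*.rpm
 
-# Check out the scripts /usr/vice/etc configuration
-    cd /root/vice
-    \cp -a etc /usr/vice
+# ----------------------------->8--------------------------------------
+#                      SPHEROID SHENANIGANS
+
+# Note: Since ultimately we'd like to move away from using per-language
+# package manager and all of these be RPMs, it is of questionable
+# importance how much /good/ automation for these is necessary.
+
+# Warning: For a new release, we're supposed to check if Fedora has
+# packaged up the RPM.  Unfortunately we don't really have good incants
+# for this.
 
 # Install the full list of perl modules that users expect to be on the
@@ -242,12 +180,18 @@
 #   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
 #   easier.)
-cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
+# 'easy_install AuthKit jsonlib2 pygit'
+cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt
     cat egg.txt | xargs easy_install -Z
+
 # - Look at `gem list` for Ruby gems.
 #   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
 #       ezyang: rspec-rails depends on rspec, and will override the Yum
 #       package, so... don't use that RPM yet
+# XXX This doesn't do the right thing for old version gems
 gem list --no-version > gem.txt
     gem install $(gem list --no-version | grep -Fxvf - gem.txt)
+    # Also, we need to install the old rails version
+    gem install -v=2.3.5 rails
+
 # - Look at `pear list` for Pear fruits (or whatever they're called).
 #   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
@@ -258,4 +202,5 @@
     pear channel-update pear.php.net
     pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
+
 # - Look at `pecl list` for PECL things.  'yum search', and if you must,
 #   'pecl install' needed items. If it doesn't work, try 'pear install
@@ -264,43 +209,121 @@
     pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
 
-# Setup some Python config
-    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
-
-# [PRODUCTION] Install the credentials.  There are a lot of things to
-# remember here.  Be sure to make sure the permissions match up (ls -l
-# on an existing server!).
-scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
-scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
-scp scripts.key root@$server:/etc/pki/tls/private
-scp .k5login root@$server:/home/logview
-#   o The SSL cert private key (real servers only)
-    ls -l /etc/pki/tls/private/scripts.key
-#   o The LDAP password for the signup process (real servers only)
-    ls -l /etc/signup-ldap-pw
-#   o The whoisd password (real servers only)
-    ls -l /etc/whoisd-password
-#   o Make sure logview's .k5login is correct (real servers only)
-    cat /home/logview/.k5login
-
-# All types of servers will have an /etc/daemon.keytab file, however,
-# different types of server will have different credentials in this
-# keytab.
-#   [PRODUCTION] daemon.scripts
-#   [WIZARD]     daemon.scripts-security-upd
-#   [TESTSERVER] daemon.scripts-test
-k5srvutil list -f daemon.keytab
-scp daemon.keytab root@$server:/etc
-    chown afsagent:afsagent /etc/daemon.keytab
-#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
-    ls -l /etc/daemon.keytab
-
-# Spin up OpenAFS.  This will fail if there's been a new kernel since
-# when you last tried.  In that case, you can hold on till later to
-# start OpenAFS.  This will take a little bit of time;
-    service openafs-client start
-# Then, check that fs sysname is correct.  You should see, among others,
-# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
-# probably did a distro upgrade and should update /etc/sysconfig/openafs.
+# ----------------------------->8--------------------------------------
+#                       INFINITE CONFIGURATION
+
+# Create fedora-ds user (needed for credit-card)
+useradd -u 103 -r -d /var/lib/dirsrv fedora-ds
+
+# Run credit-card to clone in credentials and make things runabble
+python host.py push $server
+
+# This is superseded by credit-card, but only for [PRODUCTION]
+# Don't use credit-card on [WIZARD]: it will put in the wrong creds!
+#
+#   # All types of servers will have an /etc/daemon.keytab file, however,
+#   # different types of server will have different credentials in this
+#   # keytab.
+#   #   [PRODUCTION] daemon.scripts
+#   #   [WIZARD]     daemon.scripts-security-upd
+#   #   [TESTSERVER] daemon.scripts-test
+
+# [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs
+# mapping.
+    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
+    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
+# [TESTSERVER] If you're installing a test server, this needs to be
+# much smaller; the max filesize on XVM is 10GB.  Pick something like
+# 500000. Also, some of the AFS parameters are kind of retarded (and if
+# you're low on disk space, will actually exhaust our inodes).  Edit
+# these parameters in /etc/sysconfig/openafs (but wait, that won't
+# work, will it...)
+    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo
+    vim /etc/sysconfig/openafs
+
+# Test that zephyr is working
+    systemctl enable zhm.service
+    systemctl start zhm.service
+    echo 'Test!' | zwrite -d -c scripts -i test
+
+# Check out the scripts /usr/vice/etc configuration
+    cd /root/vice
+    \cp -a etc /usr/vice
+
+# [PRODUCTION] Set up replication (see ./install-ldap).
+# You'll need the LDAP keytab for this server: be sure to chown it
+# fedora-ds after you create the fedora-ds user
+    ls -l /etc/dirsrv/keytab
+    cat install-ldap
+
+# Enable lots of services
+    systemctl enable openafs-client.service
+    systemctl enable dirsrv.service
+    systemctl enable nslcd.service
+    systemctl enable nscd.service
+    systemctl enable postfix.service
+    systemctl enable nrpe.service
+    systemctl enable httpd.service # not for [WIZARD]
+
+    systemctl start openafs-client.service
+    systemctl start dirsrv.service
+    systemctl start nslcd.service
+    systemctl start nscd.service
+    systemctl start postfix.service
+    systemctl start nrpe.service
+    systemctl start httpd.service # not for [WIZARD]
+
+# Note about OpenAFS: Check that fs sysname is correct.  You should see,
+# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
+# not, you probably did a distro upgrade and should update
+# /etc/sysconfig/openafs (XXX this is wrong: figuring out new
+# systemd world order).
     fs sysname
+
+# Postfix doesn't actually deliver mail; fix this
+    cd /etc/postfix
+    postmap virtual
+
+# Munin might not be monitoring packages that were installed after it
+    munin-node-configure --suggest --shell | sh
+
+# Run fmtutil-sys --all, which does something that makes TeX work.
+# (Note: this errors on XeTeX which is ok.)
+    fmtutil-sys --all
+
+# Ensure that PHP isn't broken:
+    mkdir /tmp/sessions
+    chmod 01777 /tmp/sessions
+    # XXX: this seems to get deleted if tmp gets cleaned up, so we
+    # might need something a little better (maybe init script.)
+
+# Fix etc by making sure none of our config files got overwritten
+    cd /etc
+    svn status -q
+    # Some usual candidates for clobbering include nsswitch.conf,
+    # resolv.conf and sysconfig/openafs
+    # [WIZARD/TEST] Remember that changes you made should not get
+    # reverted!
+
+# Reboot the machine to restore a consistent state, in case you
+# changed anything. (Note: Starting kdump fails (this is ok))
+
+# When all is said and done, fix up the Subversion checkouts
+    cd /etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /usr/vice/etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /srv/repository
+    # Some commands should be run as the scripts-build user, not root.
+    alias asbuild="sudo -u scripts-build"
+    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    asbuild svn up # verify scripts.mit.edu works
+
+# ------------------------------->8-------------------------------
+#                ADDENDA AND MISCELLANEOUS THINGS
+
+# [OPTIONAL] Your machine's hostname is baked in at install time;
+# in the rare case you need to change it: it appears to be in:
+#   o /etc/sysconfig/network
+#   o your lvm thingies; probably don't need to edit
 
 # [WIZARD/TESTSERVER] If you are setting up a non-production server,
@@ -337,75 +360,4 @@
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# [PRODUCTION] Set up replication (see ./install-ldap).
-# You'll need the LDAP keytab for this server: be sure to chown it
-# fedora-ds after you create the fedora-ds user
-    ls -l /etc/dirsrv/keytab
-    cat install-ldap
-
-# Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
-# boot. Run chkconfig to make sure the set of services to be run is
-# correct.
-    service nslcd start
-    service nscd start
-    service postfix start
-    chkconfig nslcd on
-    chkconfig nscd on
-    chkconfig postfix on
-
-# [PRODUCTION]
-    chkconfig dirsrv on
-
-# [PRODUCTION/TESTSERVER]
-# (Maybe WIZARD too once we start doing strange things to autoupgrade
-# installs behind firewalls.)
-    service httpd start # will fail if AFS is not running
-    chkconfig httpd on
-
-# nrpe is required for nagios alerts
-    chkconfig nrpe on
-
-# [PRODUCTION] Check sql user credentials (needs to be done after LDAP
-# is setup)
-    chown sql /etc/sql-mit-edu.cfg.php
-
-# Postfix doesn't actually deliver mail; fix this
-    cd /etc/postfix
-    postmap virtual
-
-# Munin might not be monitoring packages that were installed after it
-    munin-node-configure --suggest --shell | sh
-
-# Run fmtutil-sys --all, which does something that makes TeX work.
-# (Note: this errors on XeTeX which is ok.)
-    fmtutil-sys --all
-
-# Ensure that PHP isn't broken:
-    mkdir /tmp/sessions
-    chmod 01777 /tmp/sessions
-    # XXX: this seems to get deleted if tmp gets cleaned up, so we
-    # might need something a little better (maybe init script.)
-
-# Ensure fcgid isn't broken (should be 755)
-    ls -ld /var/run/mod_fcgid
-
-# Fix etc by making sure none of our config files got overwritten
-    cd /etc
-    svn status -q
-    # Some usual candidates for clobbering include nsswitch.conf and
-    # sysconfig/openafs
-    # [WIZARD/TEST] Remember that changes you made should not get
-    # reverted!
-
-# ThisCell got clobbered, replace it with athena.mit.edu
-    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
-
-# Reboot the machine to restore a consistent state, in case you
-# changed anything. (Note: Starting kdump fails (this is ok))
-
-# [OPTIONAL] Your machine's hostname is baked in at install time;
-# in the rare case you need to change it: it appears to be in:
-#   o /etc/sysconfig/network
-#   o your lvm thingies; probably don't need to edit
-
 # [TESTERVER]
 #   - You need a self-signed SSL cert or Apache will refuse to start
@@ -420,12 +372,2 @@
 #     be an accepted vhost name
 #   - Look at the old test server and see what config changes are floating around
-
-# XXX: our SVN checkout should be updated to use scripts.mit.edu
-# (repository and etc) once serving actually works.
-    cd /etc
-    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    cd /usr/vice/etc
-    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    cd /srv/repository
-    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
-    asbuild svn up # verify scripts.mit.edu works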
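Review bot: In the new INFINITE CONFIGURATION block, `python host.py push $server` (new line 218) is untagged and runs before the caveat at new lines 220-221 that credit-card is [PRODUCTION]-only and installs the wrong credentials on [WIZARD], so an operator working top-down has already pushed production creds by the time they read it; put the tag on the command itself, `# [PRODUCTION] only: credit-card pushes production creds; do not run on [WIZARD]` followed by `python host.py push "$server"`, and since `server` is initialised to the literal `YOUR-SERVER-NAME-HERE` at new line 25, a guard such as `[[ "$server" != YOUR-SERVER-NAME-HERE ]] || exit 1` above it would stop a copy-paste run against the placeholder. The same rewrite drops the old `[PRODUCTION] Check sql user credentials` step (`chown sql /etc/sql-mit-edu.cfg.php`, old lines 367-369, removed in the next hunk) and the `ls -ld /var/run/mod_fcgid` permission check without a replacement on the new side; if credit-card now sets that ownership, a comment next to the push saying so would spare the next installer the search, otherwise the chown belongs back under INFINITE CONFIGURATION after the LDAP setup. The replication note at new line 254 still says to chown the LDAP keytab to fedora-ds but gives no command, even though the `useradd` that makes it possible now precedes it at new line 215.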