Timestamp:
Sep 5, 2012, 11:41:51 PM (10 years ago)
Author:
ezyang
Message:
Notes for setting up XVM test server.
File:
1 edited

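--- a/trunk/server/doc/install-howto.sh
+++ b/trunk/server/doc/install-howto.sh
@@ -307,4 +307,5 @@
 
 # [PROD] Create fedora-ds user (needed for credit-card)
+# [TEST] too if you want to run a local dirsrv instance
 useradd -r -d /var/lib/dirsrv fedora-ds
 
@@ -319,4 +320,5 @@
 # This is superseded by credit-card, which works for [PRODUCTION] and
 # [WIZARD].  We don't have an easy way of running credit-card for XVM...
+#b
 #
 #   # All types of servers will have an /etc/daemon.keytab file, however,
@@ -387,5 +389,8 @@
     find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list
     find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list
-    # You can prune binaries using 'chmod u-s' and 'chmod g-s'
+    # You can prune the first set of binaries using 'chmod u-s' and 'chmod g-s'
+    # and remove capabilities using 'setcap -r'
+
+# XXX check for selinux gunk
 
 # Fix etc by making sure none of our config files got overwritten
@@ -430,6 +435,6 @@
 # XXX: Someone should write sed scripts to do this
 # This involves editing the following files:
-        \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
-        \rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only
+        svn rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
+        svn rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only
 #   o /etc/nslcd.conf
 #       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
@@ -454,9 +459,18 @@
 # [TESTSERVER]
 #   - You need a self-signed SSL cert or Apache will refuse to start
-#     or do SSL.  Generate with:
-    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
+#     or do SSL.  Generate with: (XXX recommended CN?)
+    openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts-cert.pem -nodes
     ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-1024.key
-#     Also make /etc/pki/tls/certs/ca.pem match up
-    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/ca.pem
+#     Also make the various public keys match up
+    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/star.scripts.pem
+    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts.pem
+    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts-cert.pem
+#     Nuke the CSRs since they will all mismatch
+#     XXX alternate strategy replace all the pem's as above
+    cd /etc/httpd/vhosts.d
+    svn rm *.conf
+
+# [TESTSERVER]
+#   Remove vhosts.d which we don't have rights for XXX
 
 # [TESTSERVER] More stuff for test servers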
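Review bot: In the [TESTSERVER] SSL steps, new line 467 redirects `openssl rsa ... -pubout` into /etc/pki/tls/certs/scripts-cert.pem, the same path that `openssl req ... -out` on new line 462 has just written the self-signed certificate to, so the certificate is replaced by a bare public key. A `-pubout` PEM is not an X.509 certificate; if the Apache configuration loads star.scripts.pem, scripts.pem or scripts-cert.pem as certificate files (not visible in this section), it would presumably fail to load them. Dropping line 467 and copying the generated certificate to the other names would keep key and certificate matched, e.g. `cp /etc/pki/tls/certs/scripts-cert.pem /etc/pki/tls/certs/scripts.pem`. Since `-nodes` leaves scripts.key unencrypted, a comment telling the reader to keep it root-owned and `chmod 600` would also help.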