Changeset 1693 for trunk/server/doc

Timestamp:

Oct 23, 2010, 8:07:08 AM (14 years ago)

Author:

ezyang

Message:

Merge Fedora 13 development back to trunk.

Location:

trunk

Files:

• . (modified) (1 prop)
• server/doc/389-ds-enable-ssl-and-kerberos.diff (deleted)
• server/doc/HOWTO-SETUP-LDAP (deleted)
• server/doc/install-fedora (modified) (1 diff)
• server/doc/install-howto.sh (modified) (11 diffs)
• server/doc/install-ldap (copied) (copied from branches/fc13-dev/server/doc/install-ldap)
• server/doc/install-xen (modified) (1 diff)
• server/doc/install-xvm (copied) (copied from branches/fc13-dev/server/doc/install-xvm)
• server/doc/kernel-build-howto (modified) (1 diff)
• server/doc/ldap-kerberos-replication.txt (copied) (copied from branches/fc13-dev/server/doc/ldap-kerberos-replication.txt)
• server/doc/package-build-howto (modified) (1 diff)
• server/doc/upgrade-tips (copied) (copied from branches/fc13-dev/server/doc/upgrade-tips)

trunk/server/doc/install-fedora

@@ -2 +2 @@
 ----------------------------------------
 
-1. Create the LVS partitions that the Scripts guest will use.
+We use Kickstart to to initial Fedora configuration.  Installing a new
+vanilla machine is as easy as:
 
-Our classic setup is 50GB for the main, root partition (/) and
-10GB for our swap.  You can consult what things look like
-by using `lvdisplay`.  Our naming convention is server-name-root
-and server-name-swap.
+    xm create scripts-server machine_name=$MACHINE install=fXX && console $MACHINE
 
-Creating new LVS partitions is done with `lvcreate`:
+The only prompt (near the beginning of the install process) should be
+for the root password, and at the end, when it asks you to reboot.
+Say yes, and the machine will power down, and then restart without
+the install parameter:
 
-    # Example values:
-    # SERVERNAME=whole-enchilada
-    # HOSTNAME=jay-leno
-    lvcreate -n $SERVERNAME-root $HOSTNAME --size 50.00G
-    lvcreate -n $SERVERNAME-swap $HOSTNAME --size 10.00G
-
-2. Acquire the network installation media for Fedora.
-
-Normally, you would download an ISO and kick off an installation
-by burning it to a CD and booting off of that.  Since we would like
-to make as minimal a Fedora install as possible, we use a different
-method. [XXX: Why do we actually do it this way?  It seems kind
-of convoluted]
-
-First, we need to create an appropriate installation directory,
-which contains the necessary kernel images and bootstrapping code.
-Navigate to a Fedora mirrors website, and find the correct release
-from the linux/releases directory, then grab the contents of
-Fedora/x86_64/os/isolinux.  For example, getting the Fedora 13 installer
-from mirrors.mit.edu would be:
-
-    mkdir ~/f13-install
-    cd ~/f13-install
-    wget -r -nd ftp://mirrors.mit.edu/fedora/linux/releases/13/Fedora/x86_64/os/isolinux/
-
-You can then spin up a Xen image for installation with:
-
-    xm create scripts-server machine_name=$HOSTNAME install=f13
-
-Note that the -install suffix was dropped.  Get a console with `xm
-console`.
-
-3. Tell Fedora where to get the real installer.
-
-You will now be in a curses installer interface.  Since you are doing
-a network install, you will need to configure your network and specify
-the URL to install.  Find the static hostname that you are planning
-to install to and get its information with:
-
-    stella $HOSTNAME
-
-Manually configure its IP, disabling IPv6 for now [XXX I don't know how
-to configure that].  The network mask is 16, and you can check
-'/etc/resolv.conf' if you don't remember what MIT's DNS servers are.
-
-It will then ask you for an installation image.  Continuing with our
-F13 mirrors.mit.edu, the URL will look something like:
-
-    ftp://mirrors.mit.edu/fedora/linux/releases/13/Fedora/x86_64/os
-
-4. Use VNC
-
-At this point, Fedora will ask you whether or not you want to use VNC
-to continue the installation.  Because Scripts has an unusual disk
-image setup, you will want to answer yes. [XXX: Unfortunately, this puts
-the VNC session on MITnet, so make sure you use a good password, and
-we should figure out to make it not do that].  Grab your favorite
-VNC client and login to $HOSTNAME:1
-
-5. Installation in VNC
-
-5.1. Disks to use
-
-We don't have any exotic devices (we did that at the host level,
-recall), so you can use normal configuration.  The scripts-server Xen
-configuration will have automatically selected the LVS partitions you
-created in Step 1, and you want both of them.
-
-5.2. Host
-
-The default hostname is all caps: we use lower-case, so lower-case the
-name before proceeding.
-
-5.3. Timezone
-
-Self explanatory
-
-5.4. Root password
-
-Use Scripts root password for a real install, and fake password
-otherwise. [XXX: Insecure over VNC? Argh!]
-
-5.5 Formatting the disks
-
-You can find out what our existing setup looks like by consulting
-'/etc/fstab'.
-
-Select Custom, and select both disks for formatting.  Setup the larger
-disk as the boot partition.  Configure the partitions as follows:
-
-    50GB
-        Standard Partition
-        Mount Point: /
-        File System Type: ext3 (the default as of F13 is ext4, which
-            cannot be mounted by the hosts and thus should not be used!)
-        Additional Size Options: Fill to maximum allowable size (the
-            Size parameter will not do anything in that case)
-        Force to be primary partition
-    10GB
-        Standard Partition
-        File System Type: swap
-        Additional Size Options: Fill to maximum allowable size
-
-5.6 Bootloader
-
-Defaults are fine.
-
-5.7 Installation
-
-Do a minimal install (we will proceed to install the packages we care
-about), and add the normal F13 repository (testing and updates will be
-added when we bring in our /etc configuration).  Similarly, we will
-install the software we want later, so there is no need to do that now.
-
-5.8 Reboot
-
-When the install finishes, it will ask you to reboot.  This is fine, but
-since we created the VM image with install, upon reboot it will ask us
-to install again.  Let it reboot, then destroy the virtual machine.
-
-    xm destroy $SERVERNAME
-
-6. New World Order
-
-Start up the VM without the install flag:
-
-    xm create scripts-server machine_name=$SERVERNAME
-
-Use xm console to get a terminal, and proceed with the official install
-instructions.
-
-    xm console $SERVERNAME
+    xm create scripts-server machine_name=$MACHINE && console $MACHINE

trunk/server/doc/install-howto.sh

@@ -1 +1 @@
 # This document is a how-to for installing a Fedora scripts.mit.edu server.
+# It is semi-vaguely in the form of a shell script, but is not really
+# runnable as it stands.
 
 set -e -x
 
-[ -e /scripts-boot-count ] || echo 0 > /scripts-boot-count
-
-source_server="old-faithful.mit.edu"
-
-boot=${1:$(cat /scripts-boot-count)}
-
-# XXX: let 'branch' be the current svn branch you are on
-
-doreboot() {
-    echo $(( $boot + 1 )) > /scripts-boot-count;
-    shutdown -r now "Rebooting for step $(cat /scripts-boot-count)"
-}
-
-YUM() {
-    NSS_NONLOCAL_IGNORE=1 yum "$@"
-}
-
-# Helper files for the install are located in server/fedora/config.
-
-# Start with a normal install of Fedora.
-
-if [ $boot = 0 ]; then
-# When the initial configuration screen comes up, under "Firewall
-# configuration", disable the firewall, and under "System services", leave
-# enabled (as of Fedora 9) acpid, anacron, atd, cpuspeed, crond,
-# firstboot, fuse, haldaemon, ip6tables, iptables, irqbalance,
-# kerneloops, mdmonitor, messagebus, microcode_ctl, netfs, network, nscd, ntpd,
-# sshd, udev-post, and nothing else.
-    echo "--disabled" > /etc/sysconfig/system-config-firewall
-    for i in NetworkManager avahi-daemon bluetooth cups isdn nfslock nfs pcscd restorecond rpcbind rpcgssd rpcidmapd sendmail; do
-        chkconfig "$i" off
-    done
-
-# Turn on network, so we can connect at boot
-chkconfig network on
-
-# Edit /etc/selinux/config so it has SELINUX=disabled and reboot.
-    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
-    doreboot
-fi
-
-if [ $boot = 1 ]; then
-# Create a scripts-build user account, and set up rpm to build in 
-# $HOME by doing a 
-# cp config/home/scripts-build/.rpmmacros /home/scripts-build/
-# (If you just use the default setup, it will generate packages 
-# in /usr/src/redhat.)
-    adduser scripts-build
+# Some commands should be run as the scripts-build user, not root.
+
+alias asbuild="sudo -u scripts-build"
+
+# Old versions of this install document advised setting
+# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using
+# yum, warning that useradd will query LDAP in a stupid way that makes
+# it hang forever.  As of Fedora 13, this does not seem to be a problem,
+# so it's been removed from the instructions.  If an install is hanging,
+# though, try adding NSS_NONLOCAL_IGNORE.
+
+# This is actually just "pick an active scripts server".  It can't be
+# scripts.mit.edu because our networking config points that domain
+# at localhost, and if our server is not setup at that point things
+# will break.
+source_server="cats-whiskers.mit.edu"
+
+# 'branch' is the current svn branch you are on.  You want to
+# use trunk if your just installing a new server, and branches/fcXX-dev
+# if your preparing a server on a new Fedora release.
+branch="trunk"
+
+# 'server' is the public hostname of your server, for SCP'ing files
+# to and from.
+server=YOUR-SERVER-NAME-HERE
+
+# Start with a Scripts kickstarted install of Fedora (install-fedora)
+
+# Take updates, reboot if there's a kernel update.
+
+    yum update
+
+# Get rid of network manager
+    yum remove NetworkManager
 
 # Check out the scripts.mit.edu svn repository. Configure svn not to cache
 # credentials.
 
-    YUM install -y subversion
-
-    cd /srv
-    svn co svn://$source_server/$branch repository
-
-    sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
-    sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config
-# The same tweaks should be made on /home/scripts-build/.subversion/config
-# once it exists (do something with svn as scripts-build)
-
-    chown -R scripts-build /srv/repository
-
-# cd to server/fedora in the svn repository.
-    cd /srv/repository/server/fedora
-
-# Run "make install-deps" to install various prereqs.  Nonstandard
-# deps are in /mit/scripts/rpm.
-    YUM install -y make
-    make install-deps
-
-# Install bind
-    YUM install -y bind
+# Copy over root's dotfiles from one of the other machines.
+# Perhaps a useful change is to remove the default aliases
+    cd /root
+    ls -l .bashrc
+    ls -l .ldapvirc
+    ls -l .screenrc
+    ls -l .ssh
+    ls -l .vimrc
+    ls -l .k5login
+    # Trying to scp from server to server won't work, as scp
+    # will attempt to negotiate a server-to-server connection.
+    # Instead, scp to your trusted machine as a temporary file,
+    # and then push to the other server
+scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} .
+scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~
+
+# Install the initial set of credentials (to get Kerberized logins once
+# krb5 is installed).  Otherwise, SCP'ing things in will be annoying.
+#   o You probably installed the machine keytab long ago
+    ls -l /etc/krb5.keytab
+#     Use ktutil to combine the host/scripts.mit.edu and
+#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
+#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
+#     or you'll break the other servers. (real servers only).  Be
+#     careful about writing out the keytab: if you write it to an
+#     existing file the keys will just get appended.  The correct
+#     credential list should look like:
+#       ktutil:  l
+#       slot KVNO Principal
+#       ---- ---- ---------------------------------------------------------------------
+#          1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
+#          2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
+#          3    2      host/scripts.mit.edu@ATHENA.MIT.EDU
+#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
+    ls -l /etc/ssh/*key*
+#     You can do that with:
+scp root@$source_server:/etc/ssh/*key* .
+scp *key* root@$server:/etc/ssh/
+    service sshd reload
 
 # Check out the scripts /etc configuration
+    # backslash to make us not use the alias
     cd /root
-    svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc
-    # backslash to make us not use the alias
     \cp -a etc /
+    chmod 0440 /etc/sudoers
 
 # NOTE: You will have just lost DNS resolution and the ability
@@ -90 +95 @@
 # you have named.
 
-    service named start
-    chkconfig named on
-
-# In the case of the Kerberos libraries, you'll be told that
-# there are conflicting files with the 64-bit versions of the packages,
-# which we scriptsify.  You'll have to use --force to install those
-# rpms despite the conflicts.  After doing that, you may want to
-# install the corresponding 64-bit scriptsified versions again, just
-# to be safe in case the 32-bit versions overwrite files that differ.
-# When you try this, it will complain that you already have the same
-# version installed; again, you'll need to use --force to do it anyway.
-
-# We need yumdownloader to force some RPMs
-    # XXX: This might be wrong. Sanity check what packages ou
-    # have when done
-    YUM install -y yum-utils
-    yumdownloader krb5-libs
-    # XXX: These version numbers are hardcoded, need some cli-fu to generalize
-    rpm -i krb5-libs-*.i586.rpm
-    rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
-
-# env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
-    YUM install -y scripts-base
-
-# Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up
-# anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way
-# that makes it hang forever. (This is why we're using YUM, not yum)
-
-# Reload the iptables config to take down the restrictive firewall 
-    service iptables restart
-
-# Copy over root's dotfiles from one of the other machines.
-# Perhaps a useful change is to remove the default aliases
-    # On 2009-07-01, the dotfiles to transfer where:
-    #   .bashrc .ldapvirc (<- HAS PRIVILEDGED DATA)
-    #   .screenrc .ssh (<- directory) .vimrc
-    # Trying to scp from server to server won't work, as scp
-    # will attempt to negotiate a server-to-server connection.
-    # Instead, scp to your trusted machine as a temporary file,
-    # and then push to the other server
-    # You'll need some way to authenticate to the server, and since
-    # password logins are disabled, you'll need some way of
-    # temporarily giving yourself credentials.  On a test server,
-    # reenabling password authentication is ok: frob /etc/pam.d/sshd
-    # and reverse apply r1068.
+# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow
+# password auth) and /etc/pam.d/sshd (comment out the first three auth
+# lines).  However, you should have the Kerberos credentials in place
+# so as soon as you install the full set of Scripts packages, you'll get
+# Kerberized logins.
+
+# Make sure network is working.  If this is a new server name, you'll
+# need to add it to /etc/hosts and
+# /etc/sysconfig/network-scripts/route-eth1.  Kickstart should have
+# configured eth0 and eth1 correctly; use service network restart
+# to add the new routes in route-eth1.
+    service network restart
+    route
+    ifconfig
+    cat /etc/hosts
+    cat /etc/sysconfig/network-scripts/route-eth1
+
+# This is the point at which you should start updating scriptsified
+# packages for a new Fedora release.  Consult 'upgrade-tips' for more
+# information.
+    yum install -y scripts-base
+    # Some of these packages are naughty and clobber some of our files
+    cd /etc
+    svn revert resolv.conf hosts sysconfig/openafs
 
 # Replace rsyslog with syslog-ng by doing:
     rpm -e --nodeps rsyslog
-    YUM install -y syslog-ng
+    yum install -y syslog-ng
     chkconfig syslog-ng on
 
-# Install various dependencies of the scripts system, including
-# glibc-devel.i586 (ezyang: already installed for me),
-# python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all.
-    YUM install -y mod_fcgid
-    YUM install -y nrpe
-    YUM install -y nagios-plugins-all
-
-# Disable NetworkManager with chkconfig NetworkManager off. Configure
-# networking on the front end and back end, and the routing table to send
-# traffic over the back end. Make sure that chkconfig reports "network" on, so
-# that the network will still be configured at next boot.
-# ezyang: For me, NetworkManager was not installed at this point, and
-# we had already done the basic config for networking front end and
-# back end (because I wanted ssh access, and not just conserver access)
-
-# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
-#  /usr/vice/etc/cacheinfo to contain:
-#       /afs:/usr/vice/cache:10000000
-# Also fix ThisCell to contain athena.mit.edu in both directories
-# WARNING: if you're installing a test server, this needs to be much
-# smaller; the max filesize on XVM is 10GB.  Pick something like
-# 500000
+# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping.
     echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
-    # ezyang: ThisCell on b-k and c-w don't have anything special
-    # written here
-# If you're making a test server, some of the AFS parameters are
-# kind of retarded (and if you're low on disk space, will actually
-# exhaust our inodes).
-# Edit the parameters in /etc/sysconfig/openafs
-
-# Figure out why Zephyr isn't working. Most recently, it was because there
-# was a 64-bit RPM installed; remove it and install Joe's 32-bit one
-    YUM erase -y mit-zephyr
-    # mit-zephyr has a spurious dependency on mit-krb-config
-    yumdownloader mit-zephyr.i386
-    # if deps change, this breaks
-    YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586
-    rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
-    # test if it worked by sending an un-authed message
-    zwrite -d -c scripts -i test
-
-# Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
-# from the Athena 9 build (these are present in our yum repo).  Note
-# that you will have to use --nodeps for at least one of the lprng
-# ones because it thinks it needs the Athena hesiod RPM.  It doesn't
-# really.  Before doing this, run it without --nodeps and arrange to
-# install the rest of the things it really does depend on.  This will
-# include a bunch of 32-bit rpms; go ahead and install the .i586 versions
-# of them.
-    YUM install -y athena-base
-    YUM install -y athena-lprng
-    yumdownloader athena-lprng-misc
-    # ezyang: I couldn't find any deps for this that existed in the repos
-    # You might get a "find: `/usr/athena/info': No such file or directory"
-    # error; this is fine
-    rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm
+    echo "athena.mit.edu" > /usr/vice/etc/ThisCell
+
+# [TEST SERVER] If you're installing a test server, this needs to be
+# much smaller; the max filesize on XVM is 10GB.  Pick something like
+# 500000. Also, some of the AFS parameters are kind of retarded (and if
+# you're low on disk space, will actually exhaust our inodes).  Edit
+# these parameters in /etc/sysconfig/openafs
+
+# Test that zephyr is working
+    chkconfig zhm on
+    service zhm start
+    echo 'Test!' | zwrite -d -c scripts -i test
 
 # Install the full list of RPMs that users expect to be on the
 # scripts.mit.edu servers.
-
-# on another server, run:
 rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
 # arrange for packages.txt to be passed to the server, then run:
-    # notice that yum is not capitalized
-    # Also notice skip-broken
-    cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken
+# --skip-broken will (usually) prevent you from having to sit through
+# several minutes of dependency resolution until it decides that
+# it can't install /one/ package.
+    yum install -y --skip-broken $(cat packages.txt)
 
 # Check which packages are installed on your new server that are not
@@ -212 +153 @@
 # on the new machine.  Otherwise, aside from bloat, you may end up
 # with undesirable things for security, like sendmail.
-    rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt
-    diff -u packages.txt newpackages.txt  | less
-    # if all went well, you'll probably see multiple kernel versions
-    # as the only diff
-    # ezyang: I got exim installed as another package
+    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
+    diff -u packages.txt newpackages.txt | grep -v kernel | less
     # here's a cute script that removes all extra packages
-    diff -u packages.txt newpackages.txt  | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y
+    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
+
+# We need an upstream version of cgi which we've packaged ourselves, but
+# it doesn't work with the haskell-platform package which expects
+# explicit versions.  So temporarily rpm -e the package, and then
+# install it again after you install haskell-platform.  [Note: You
+# probably won't need this in Fedora 15 or something, when the Haskell
+# Platform gets updated.]
+    rpm -e ghc-cgi-devel ghc-cgi
+    yum install -y haskell-platform
+    yumdownloader ghc-cgi
+    yumdownloader ghc-cgi-devel
+    rpm -i ghc-cgi*1.8.1*.rpm
 
 # Check out the scripts /usr/vice/etc configuration
-    cd /root
-    mkdir vice
-    cd vice
-    svn co svn://scripts.mit.edu/trunk/server/fedora/config/usr/vice/etc etc
+    cd /root/vice
     \cp -a etc /usr/vice
 
 # Install the full list of perl modules that users expect to be on the
 # scripts.mit.edu servers.
-# - export PERL_MM_USE_DEFAULT=1
-# - Run 'cpan', accept the default configuration, and do 'o conf
-#   prerequisites_policy follow'.
-# - Parse the output of perldoc -u perllocal | grep head2 on an existing
-#   server, and "notest install" them from the cpan prompt.
-# TO DO THIS:
-# On another server, run:
-# perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt
-# Then on the server you're installing,
-#    cat perl-packages.txt | perl -MCPAN -e shell
+    cd /root
     export PERL_MM_USE_DEFAULT=1
-    # XXX: Some interactive gobbeldygook
-    cpan
+    cpan # this is interactive, enter the next two lines
         o conf prerequisites_policy follow
         o conf commit
@@ -257 +194 @@
 #           /usr/lib64/python2.6/site-packages for Python eggs and modules.
 #   There will be a lot of gunk that was installed from packages;
-#   easy-install.pth will tell you what was easy_installed.
+#   easy-install.pth in /usr/lib/ will tell you what was easy_installed.
 #   First use 'yum search' to see if the relevant package is now available
 #   as an RPM, and install that if it is.  If not, then use easy_install.
@@ -263 +200 @@
 #   want to be able to write to ~/.python-eggs.  (Also makes sourcediving
 #   easier.)
+    cat /usr/lib/python2.6/site-packages/easy-install.pth
 # - Look at `gem list` for Ruby gems.
 #   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
 #       ezyang: rspec-rails depends on rspec, and will override the Yum
 #       package, so... don't use that RPM yet
+gem list --no-version > gem.txt
+    gem install $(gem list --no-version | grep -Fxvf - gem.txt)
 # - Look at `pear list` for Pear fruits (or whatever they're called).
 #   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
 #   that for things in the beta repo, you'll need 'pear install package-beta'.
 #   (you might get complaints about the php_scripts module; ignore them)
+pear list | tail -n +4 | cut -f 1 -d " " > pear.txt
+    pear config-set preferred_state beta
+    pear channel-update pear.php.net
+    pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt)
 # - Look at `pecl list` for PECL things.  'yum search', and if you must,
 #   'pecl install' needed items. If it doesn't work, try 'pear install
 #   pecl/foo' or 'pecl install foo-beta' or those two combined.
-    # Automating this... will require a lot of batonning between
-    # the servers. Probably best way to do it is to write an actual
-    # script.
+pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt
+    pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt)
 
 # Setup some Python config
     echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
 
-# Install the credentials.  There are a lot of things to remember here:
-#   o This will be different if you're setting up our build/update server.
-#   o You probably installed the machine keytab long ago
-    ls -l /etc/krb5.keytab
-#   o Use ktutil to combine the host/scripts.mit.edu and
-#     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
-#     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers. (real servers only)
-#   o The daemon.scripts keytab
+# Install the credentials.  There are a lot of things to remember here.
+# Be sure to make sure the permissions match up (ls -l on an existing
+# server!).
+scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .
+scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc
+scp scripts.key root@$server:/etc/pki/tls/private
+scp .k5login root@$server:/home/logview
+    chown afsagent:afsagent /etc/daemon.keytab
+#   o The daemon.scripts keytab (will be daemon.scripts-test for test)
     ls -l /etc/daemon.keytab
 #   o The SSL cert private key (real servers only)
+    ls -l /etc/pki/tls/private/scripts.key
 #   o The LDAP password for the signup process (real servers only)
-#   o The SQL password for the signup process (real servers only)
+    ls -l /etc/signup-ldap-pw
 #   o The whoisd password (real servers only)
-#   o The LDAP keytab for this server, which will be used later (real servers only)
-#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
-#   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
-#   o Make sure root's .k5login is correct
-    cat /root/.k5login
+    ls -l /etc/whoisd-password
 #   o Make sure logview's .k5login is correct (real servers only)
-
-# If you are setting up a test server, pay attention to
+    cat /home/logview/.k5login
+
+# Spin up OpenAFS.  This will fail if there's been a new kernel since
+# when you last tried.  In that case, you can hold on till later to
+# start OpenAFS.  This will take a little bit of time; 
+    service openafs-client start
+
+# Check that fs sysname is correct.  You should see, among others,
+# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you
+# probably did a distro upgrade and should update /etc/sysconfig/openafs.
+    fs sysname
+
+# [TEST SERVER] If you are setting up a test server, pay attention to
 # /etc/sysconfig/network-scripts and do not bind scripts' IP address.
 # You will also need to modify:
@@ -322 +273 @@
 # XXX: someone should write sed scripts to do this
 
-# If you are setting up a test server, afsagent's cronjob will attempt
-# to be renewing with the wrong credentials (daemon.scripts). Change this:
+# [TEST SERVER] If you are setting up a test server, afsagent's cronjob
+# will attempt to be renewing with the wrong credentials
+# (daemon.scripts). Change this:
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
-#   and ./389-ds-enable-ssl-and-kerberos.diff).
+# Set up replication (see ./install-ldap).
+# You'll need the LDAP keytab for this server: be sure to chown it
+# fedora-ds after you create the fedora-ds user
+    ls -l /etc/dirsrv/keytab
+    cat install-ldap
 
 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at
 # boot. Run chkconfig to make sure the set of services to be run is
 # correct.
+    service nslcd start
+    service nscd start
+    service postfix start
+    service httpd start
     chkconfig dirsrv on
     chkconfig nslcd on
@@ -341 +300 @@
     chkconfig nrpe on
 
+# Check sql user credentials (needs to be done after LDAP is setup)
+    chown sql /etc/sql-mit-edu.cfg.php
+
 # Postfix doesn't actually deliver mail; fix this
     cd /etc/postfix
@@ -349 +311 @@
 
 # Run fmtutil-sys --all, which does something that makes TeX work.
+# (Note: this errors on XeTeX which is ok.)
     fmtutil-sys --all
-    # ezyang: I got errors on xetex
 
 # Ensure that PHP isn't broken:
@@ -356 +318 @@
     chmod 01777 /tmp/sessions
 
-# Ensure fcgid isn't broken
-    chmod 755 /var/run/mod_fcgid # ezyang: I suspect this is no longer necessary
+# Ensure fcgid isn't broken (should be 755)
+    ls -ld /var/run/mod_fcgid
 
 # Fix etc by making sure none of our config files got overwritten
     cd /etc
-    svn status | grep M
-    # ezyang: I had to revert krb5.conf (not with latest), nsswitch.conf and sysconfig/openafs
+    svn status -q
+    # Some usual candidates for clobbering include nsswitch.conf and
+    # sysconfig/openafs
 
 # ThisCell got clobbered, replace it with athena.mit.edu
@@ -368 +331 @@
 
 # Reboot the machine to restore a consistent state, in case you
-# changed anything.
-    # ezyang: When I rebooted, the following things happened:
-    #   o Starting kdump failed (this is ok)
-    #   o postfix mailbombed us
-    #   o firstboot configuration screen popped up (ignored; manually will do
-    #     chkconfig after the fact)
-
-# (Optional) Beat your head against a wall.
-
-# Possibly perform other steps that I've neglected to put in this
-# document.
-#   o For some reason, syslog-ng wasn't turning on automatically, so we weren't
-#     getting spew
-
-# Some info about changing hostnames: it appears to be in:
+# changed anything. (Note: Starting kdump fails (this is ok))
+
+# [OPTIONAL] Your machine's hostname is baked in at install time;
+# in the rare case you need to change it: it appears to be in:
 #   o /etc/sysconfig/network
 #   o your lvm thingies; probably don't need to edit
 
-# More stuff for test servers
+# [TEST SERVER] More stuff for test servers
 #   - You need a self-signed SSL cert.  Generate with:
     openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes
@@ -394 +346 @@
 #     be an accepted vhost name
 #   - Look at the old test server and see what config changes are floating around
+
+# XXX: our SVN checkout should be updated to use scripts.mit.edu
+# (repository and etc) once serving actually works.
+    cd /etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /usr/vice/etc
+    svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    cd /srv/repository
+    asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/
+    asbuild svn up # verify scripts.mit.edu works

trunk/server/doc/install-xen

@@ -43 +43 @@
     git clone ssh://scripts@scripts.mit.edu/mit/scripts/git/xen.git /etc/xen
 
+# setup conserver
+    cat /etc/conserver/console.cf # add the correct entires here
+    visudo # add conservr to sudoers list with:
+        conservr ALL=(ALL) NOPASSWD: /usr/sbin/xm console *

trunk/server/doc/kernel-build-howto

@@ -19 +19 @@
 [root@old-faithful ~]# rpm -ivh kernel-vanilla{,-devel}-2.6.23.8-28.scripts1.fc7.x86_64.rpm
 
+You can build kernel-firmware, which is a bunch of binary blobs for
+hardware, by running the mock build with --arch=noarch.
+
 <Build kmod-openafs>
 

trunk/server/doc/package-build-howto

@@ -146 +146 @@
       overwrite any changes you made in place).
 
+Tips
+====
+
+    * Don't try to build a 32-bit package without building the 64-bit
+      package as well.