Changeset 1973 for branches/fc15-dev/server/doc/install-howto.sh
- Timestamp:
- Sep 6, 2011, 4:30:47 PM (13 years ago)
- Location:
- branches/fc15-dev
- Files:
-
- 2 edited
branches/fc15-dev
- Property svn:mergeinfo changed
/trunk merged: 1950-1951,1954,1961,1968-1972
- Property svn:mergeinfo changed
-
branches/fc15-dev/server/doc/install-howto.sh
r1880 r1973 2 2 # It is semi-vaguely in the form of a shell script, but is not really 3 3 # runnable as it stands. 4 5 # Notation 6 # [PRODUCTION] Production server that will be put into the pool 7 # [WIZARD] Semi-production server that will only have 8 # daemon.scripts-security-upd bits, among other 9 # restricted permissions bits, among other 10 # restricted permissions bits, among other 11 # restricted permissions bits, among other 12 # restricted permissions 13 # [TESTSERVER] Completely untrusted server 4 14 5 15 set -e -x … … 20 30 # at localhost, and if our server is not setup at that point things 21 31 # will break. 22 source_server=" cats-whiskers.mit.edu"32 source_server="shining-armor.mit.edu" 23 33 24 34 # 'branch' is the current svn branch you are on. You want to … … 43 53 cd /root 44 54 ls -l .bashrc 45 ls -l .ldapvirc46 55 ls -l .screenrc 47 56 ls -l .ssh 48 57 ls -l .vimrc 49 58 ls -l .k5login 59 # [PRODUCTION] This rc file has sensitive data on it and should only 60 # be pushed onto production servers. 61 ls -l .ldapvirc 50 62 # Trying to scp from server to server won't work, as scp 51 63 # will attempt to negotiate a server-to-server connection. 52 64 # Instead, scp to your trusted machine as a temporary file, 53 65 # and then push to the other server 54 scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} . 55 scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} . 67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 68 # [PRODUCTION] 69 scp root@$source_server:~/.ldapvirc . 70 scp .ldapvirc root@$server:~ 56 71 57 72 # Install the initial set of credentials (to get Kerberized logins once 58 73 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 59 # o You probably installed the machine keytab long ago74 # o Install the machine keytab. 
60 75 ls -l /etc/krb5.keytab 61 76 # Use ktutil to combine the host/scripts.mit.edu and … … 72 87 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 73 88 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 74 # o Replace the ssh host keys with the ones common to all scripts servers (real servers only) 89 # o [PRODUCTION] Replace the ssh host keys with the ones common to all 90 # scripts servers (real servers only) 75 91 ls -l /etc/ssh/*key* 76 92 # You can do that with: … … 85 101 chmod 0440 /etc/sudoers 86 102 87 # If this is the first time you've installed this hostname, you will 88 # need to update a bunch of files to add support for it. These include: 103 # [PRODUCTION] If this is the first time you've installed this hostname, 104 # you will need to update a bunch of files to add support for it. These 105 # include: 89 106 # o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf 90 107 # (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu, … … 141 158 chkconfig syslog-ng on 142 159 143 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping. 160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 161 # mapping. 144 162 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 145 163 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 146 164 147 # [TEST 165 # [TESTSERVER] If you're installing a test server, this needs to be 148 166 # much smaller; the max filesize on XVM is 10GB. Pick something like 149 167 # 500000. Also, some of the AFS parameters are kind of retarded (and if 150 168 # you're low on disk space, will actually exhaust our inodes). 
Edit 151 169 # these parameters in /etc/sysconfig/openafs 170 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 171 XXX TODO COMMANDS 152 172 153 173 # Test that zephyr is working … … 176 196 # here's a cute script that removes all extra packages 177 197 yum erase -y $(grep -Fxvf packages.txt newpackages.txt) 198 # 20101208 - Mysteriously we manage to get these extra packages 199 # from kickstart: mcelog mobile-broadband-provider-info 200 # ModemManager PackageKit 178 201 179 202 # We need an upstream version of cgi which we've packaged ourselves, but … … 219 242 # want to be able to write to ~/.python-eggs. (Also makes sourcediving 220 243 # easier.) 221 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- .egg.txt244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 222 245 cat egg.txt | xargs easy_install -Z 223 246 # - Look at `gem list` for Ruby gems. … … 241 264 pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) 242 265 243 # Install the credentials. There are a lot of things to remember here.244 # Be sure to make sure the permissions match up (ls -l on an existing245 # server!).246 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php, daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} .247 scp daemon.keytabsignup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc266 # [PRODUCTION] Install the credentials. There are a lot of things to 267 # remember here. Be sure to make sure the permissions match up (ls -l 268 # on an existing server!). 269 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 
270 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 248 271 scp scripts.key root@$server:/etc/pki/tls/private 249 272 scp .k5login root@$server:/home/logview 250 chown afsagent:afsagent /etc/daemon.keytab251 # o The daemon.scripts keytab (will be daemon.scripts-test for test)252 ls -l /etc/daemon.keytab253 273 # o The SSL cert private key (real servers only) 254 274 ls -l /etc/pki/tls/private/scripts.key … … 260 280 cat /home/logview/.k5login 261 281 282 # All types of servers will have an /etc/daemon.keytab file, however, 283 # different types of server will have different credentials in this 284 # keytab. 285 # [PRODUCTION] daemon.scripts 286 # [WIZARD] daemon.scripts-security-upd 287 # [TESTSERVER] daemon.scripts-test 288 k5srvutil list -f daemon.keytab 289 scp daemon.keytab root@$server:/etc 290 chown afsagent:afsagent /etc/daemon.keytab 291 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 292 ls -l /etc/daemon.keytab 293 262 294 # Spin up OpenAFS. This will fail if there's been a new kernel since 263 295 # when you last tried. In that case, you can hold on till later to 264 296 # start OpenAFS. This will take a little bit of time; 265 297 service openafs-client start 266 267 # Check that fs sysname is correct. You should see, among others, 298 # Then, check that fs sysname is correct. You should see, among others, 268 299 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 269 300 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 270 301 fs sysname 271 302 272 # [TEST SERVER] If you are setting up a test server, pay attention to 273 # /etc/sysconfig/network-scripts and do not bind scripts' IP address. 274 # You will also need to modify: 303 # [WIZARD/TESTSERVER] If you are setting up a non-production server, 304 # there are some services that it won't provide, and you will need to 305 # make it talk to a real server instead. 
In particular: 306 # - We don't serve the web, so don't bind scripts.mit.edu 307 # - We don't serve LDAP, so use another server 308 # This involves editing the following files: 309 # o /etc/sysconfig/network-scripts/ifcfg-lo:0 310 # o /etc/sysconfig/network-scripts/ifcfg-lo:1 311 # o /etc/sysconfig/network-scripts/ifcfg-lo:2 312 # o /etc/sysconfig/network-scripts/ifcfg-lo:3 313 \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3} 275 314 # o /etc/ldap.conf 276 315 # add: host scripts.mit.edu 277 # o /etc/ nss-ldapd.conf278 # replace: uri *****316 # o /etc/{nss-ldapd,nslcd}.conf 317 # replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ 279 318 # with: uri ldap://scripts.mit.edu/ 280 319 # o /etc/openldap/ldap.conf … … 282 321 # BASE dc=scripts,dc=mit,dc=edu 283 322 # o /etc/httpd/conf.d/vhost_ldap.conf 284 # replace: VhostLDAPUrl ****323 # replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" 285 324 # with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu" 286 325 # o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf 287 # replace: server_host *****326 # replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ 288 327 # with: server_host = ldap://scripts.mit.edu 289 328 # to use scripts.mit.edu instead of localhost. 290 329 # XXX: someone should write sed scripts to do this 291 330 292 # [ TEST SERVER] If you are setting up a test server, afsagent's cronjob293 # will attempt to be renewing with the wrong credentials294 # (daemon.scripts). Change this:331 # [WIZARD/TESTSERVER] If you are setting up a non-production server, 332 # afsagent's cronjob will attempt to be renewing with the wrong 333 # credentials (daemon.scripts). Change this: 295 334 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 296 335 297 # Set up replication (see ./install-ldap).336 # [PRODUCTION] Set up replication (see ./install-ldap). 
298 337 # You'll need the LDAP keytab for this server: be sure to chown it 299 338 # fedora-ds after you create the fedora-ds user … … 307 346 service nscd start 308 347 service postfix start 309 service httpd start310 chkconfig dirsrv on311 348 chkconfig nslcd on 312 349 chkconfig nscd on 313 350 chkconfig postfix on 351 352 # [PRODUCTION] 353 chkconfig dirsrv on 354 355 # [PRODUCTION/TESTSERVER] 356 # (Maybe WIZARD too once we start doing strange things to autoupgrade 357 # installs behind firewalls.) 358 service httpd start # will fail if AFS is not running 314 359 chkconfig httpd on 315 360 … … 317 362 chkconfig nrpe on 318 363 319 # Check sql user credentials (needs to be done after LDAP is setup) 364 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP 365 # is setup) 320 366 chown sql /etc/sql-mit-edu.cfg.php 321 367 … … 345 391 # Some usual candidates for clobbering include nsswitch.conf and 346 392 # sysconfig/openafs 393 # [WIZARD/TEST] Remember that changes you made should not get 394 # reverted! 347 395 348 396 # ThisCell got clobbered, replace it with athena.mit.edu … … 357 405 # o your lvm thingies; probably don't need to edit 358 406 359 # [TEST SERVER] More stuff for test servers 360 # - You need a self-signed SSL cert. Generate with: 407 # [TESTERVER] 408 # - You need a self-signed SSL cert or Apache will refuse to start 409 # or do SSL. Generate with: 361 410 openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes 362 # Also make /etc/pki/tls/certs/ca.pem match up 411 # Also make /etc/pki/tls/certs/ca.pem match up (XXX what's the 412 # incant for that?) 413 414 # [TESTSERVER] More stuff for test servers 363 415 # - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people 364 416 # - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
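Review bot: The relocated daemon.keytab block (new lines 282–292) pushes the keytab into /etc with `scp daemon.keytab root@$server:/etc` and only chowns it, so the installed file keeps whatever mode the staging copy on the admin's machine happened to have; the "make sure the permissions match up" reminder that used to cover this file now sits in the [PRODUCTION] credentials block above it and no longer applies here. Adding `chmod 0600 /etc/daemon.keytab` after the chown (or whatever mode an existing server shows under `ls -l`) would make the check explicit rather than relying on the later `ls -l /etc/daemon.keytab` being read carefully. The same hunk also drops daemon.keytab from the `scp root@$source_server:…` fetch without saying where the per-type keytab (daemon.scripts / daemon.scripts-security-upd / daemon.scripts-test) is obtained from, and none of the staged secrets (.ldapvirc, scripts.key, the password files, daemon.keytab) are removed from the trusted machine afterwards — a closing `rm -f daemon.keytab scripts.key .ldapvirc signup-ldap-pw whoisd-password` step would be worth noting. Minor: the new `[TESTERVER]` tag at line 407 and `[WIZARD/TEST]` at line 393 do not match the `[TESTSERVER]` notation the commit introduces at the top, which matters if someone later greps these tags to script the per-type steps.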