Changeset 2066 for trunk/server/doc
Timestamp: Nov 22, 2011, 12:45:17 AM
Location: trunk
Files: 6 edited, 1 copied
trunk
- Property svn:mergeinfo changed
trunk/server/doc/install-fedora
r1698 r2066 6 6 lvcreate -n $MACHINE-root --size 50.00G $HOST 7 7 lvcreate -n $MACHINE-swap --size 10.00G $HOST 8 lvcreate -n $MACHINE-cache --size 11.00G $HOST 9 10 /-------------------------------------------------------------------\ 11 Note: If you need to manually format the the swap and cache 12 partitions (for example, you are migrating a host from 'migrate'), 13 these commands should work. If in doubt, consult the kickstart. 14 15 # Use fdisk to generate a DOS partition table, and a single 16 # partition extending the entire volume. 17 fdisk /dev/$HOST/$MACHINE-swap 18 fdisk /dev/$HOST/$MACHINE-cache 19 # Figure out what kpartx is going to make the devices as 20 # (e.g. $SWAP_DEV and $CACHE_DEV) 21 kpartx -l /dev/$HOST/$MACHINE-swap 22 kpartx -l /dev/$HOST/$MACHINE-cache 23 # Read out the partition tables 24 kpartx -a /dev/$HOST/$MACHINE-swap 25 kpartx -a /dev/$HOST/$MACHINE-cache 26 27 # FORMAT! 28 mkswap $SWAP_DEV 29 mkfs.ext4 -O ^has_journal -m 0 -N 1000000 $CACHE_DEV 30 31 # Remove the devices 32 kpartx -d /dev/$HOST/$MACHINE-swap 33 kpartx -d /dev/$HOST/$MACHINE-cache 34 \-------------------------------------------------------------------/ 35 36 Make sure that the console has an entry for this host: 37 38 vim /etc/conserver/conserver.cf 39 40 If it doesn't, add: 41 42 console $MACHINE { 43 master $HOST; 44 include xen; 45 } 8 46 9 47 We use Kickstart to to initial Fedora configuration. Installing a new -
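Review bot: the manual-format box never says what $SWAP_DEV and $CACHE_DEV are. After `kpartx -l /dev/$HOST/$MACHINE-swap` the reader has to guess which printed mapping goes in the variable, and the very next commands are `mkswap $SWAP_DEV` and `mkfs.ext4 -O ^has_journal -m 0 -N 1000000 $CACHE_DEV`, which destroy whatever is on the wrong device. State that the variable is the /dev/mapper name kpartx -l prints for the single partition, and put a check before the `# FORMAT!` step (for example `blkid $CACHE_DEV` showing no existing filesystem) so a host being migrated cannot be wiped by a typo. Also "format the the swap" on the Note line is a typo.

Review bot: the conserver stanza is added with `vim /etc/conserver/conserver.cf` but nothing says how the running conserver picks up the new `console $MACHINE { ... }` entry; add the reload/restart step after the edit so the console for the new host actually exists before the kickstart is started.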
trunk/server/doc/install-howto.sh
r1961 r2066 7 7 # [WIZARD] Semi-production server that will only have 8 8 # daemon.scripts-security-upd bits, among other 9 # restricted permissions bits, among other10 # restricted permissions bits, among other11 # restricted permissions bits, among other12 9 # restricted permissions 13 10 # [TESTSERVER] Completely untrusted server 14 15 set -e -x16 17 # Some commands should be run as the scripts-build user, not root.18 19 alias asbuild="sudo -u scripts-build"20 21 # Old versions of this install document advised setting22 # NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using23 # yum, warning that useradd will query LDAP in a stupid way that makes24 # it hang forever. As of Fedora 13, this does not seem to be a problem,25 # so it's been removed from the instructions. If an install is hanging,26 # though, try adding NSS_NONLOCAL_IGNORE.27 11 28 12 # This is actually just "pick an active scripts server". It can't be … … 41 25 server=YOUR-SERVER-NAME-HERE 42 26 43 # Start with a Scripts kickstarted install of Fedora (install-fedora) 44 45 # Take updates, reboot if there's a kernel update. 46 yum update -y 47 48 # Get rid of network manager 49 yum remove NetworkManager 50 51 # Copy over root's dotfiles from one of the other machines. 52 # Perhaps a useful change is to remove the default aliases 53 cd /root 54 ls -l .bashrc 55 ls -l .screenrc 56 ls -l .ssh 57 ls -l .vimrc 58 ls -l .k5login 59 # [PRODUCTION] This rc file has sensitive data on it and should only 60 # be pushed onto production servers. 61 ls -l .ldapvirc 62 # Trying to scp from server to server won't work, as scp 63 # will attempt to negotiate a server-to-server connection. 64 # Instead, scp to your trusted machine as a temporary file, 65 # and then push to the other server 66 scp -r root@$source_server:~/{.bashrc,.screenrc,.ssh,.vimrc,.k5login} . 67 scp -r {.bashrc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ 68 # [PRODUCTION] 69 scp root@$source_server:~/.ldapvirc . 
70 scp .ldapvirc root@$server:~ 71 72 # Install the initial set of credentials (to get Kerberized logins once 73 # krb5 is installed). Otherwise, SCP'ing things in will be annoying. 74 # o Install the machine keytab. 75 ls -l /etc/krb5.keytab 76 # Use ktutil to combine the host/scripts.mit.edu and 77 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 78 # the keytab. Do not use 'k5srvutil change' on the combined keytab 79 # or you'll break the other servers. (real servers only). Be 80 # careful about writing out the keytab: if you write it to an 81 # existing file the keys will just get appended. The correct 82 # credential list should look like: 83 # ktutil: l 84 # slot KVNO Principal 85 # ---- ---- --------------------------------------------------------------------- 86 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 87 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 88 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 89 # o [PRODUCTION] Replace the ssh host keys with the ones common to all 90 # scripts servers (real servers only) 91 ls -l /etc/ssh/*key* 92 # You can do that with: 93 scp root@$source_server:/etc/ssh/*key* . 94 scp *key* root@$server:/etc/ssh/ 95 service sshd reload 96 97 # Check out the scripts /etc configuration 98 # backslash to make us not use the alias 99 cd /root 100 \cp -a etc / 101 chmod 0440 /etc/sudoers 102 27 # ----------------------------->8-------------------------------------- 28 # FIRST TIME INSTRUCTIONS 29 # 103 30 # [PRODUCTION] If this is the first time you've installed this hostname, 104 31 # you will need to update a bunch of files to add support for it. These … … 120 47 # o Set up Nagios monitoring on sipb-noc for the host 121 48 # o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf 122 XXX TODO COMMANDS 123 124 # NOTE: You will have just lost DNS resolution and the ability 125 # to do password SSH in. 
If you managed to botch this step without 126 # having named setup, you can do a quick fix by frobbing /etc/resolv.conf 127 # with a non 127.0.0.1 address for the DNS server. Be sure to revert it once 128 # you have named. 129 130 # NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow 131 # password auth) and /etc/pam.d/sshd (comment out the first three auth 132 # lines). However, you should have the Kerberos credentials in place 133 # so as soon as you install the full set of Scripts packages, you'll get 134 # Kerberized logins. 135 136 # Make sure network is working. If this is a new server name, you'll 137 # need to add it to /etc/hosts and 138 # /etc/sysconfig/network-scripts/route-eth1. Kickstart should have 49 # o Update locker/etc/known_hosts 50 # 51 # You will also need to prepare the keytabs for credit-card. In particular, 52 # use ktutil to combine the host/scripts.mit.edu and 53 # host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in 54 # the keytab. Do not use 'k5srvutil change' on the combined keytab 55 # or you'll break the other servers. (real servers only). Be 56 # careful about writing out the keytab: if you write it to an 57 # existing file the keys will just get appended. The correct 58 # credential list should look like: 59 # ktutil: l 60 # slot KVNO Principal 61 # ---- ---- --------------------------------------------------------------------- 62 # 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU 63 # 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU 64 # 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU 65 # 66 # The LDAP keytab should be by itself, so be sure to delete it and 67 # put it in its own file. 68 69 # ----------------------------->8-------------------------------------- 70 # INFINITE INSTALLATION 71 72 # Start with a Scripts kickstarted install of Fedora (install-fedora) 73 74 # Take updates, reboot if there's a kernel update. 
75 yum update -y 76 77 # Get rid of network manager (XXX figure out to make kickstarter do 78 # this for us) 79 yum remove NetworkManager 80 81 # Make sure sendmail isn't installed 82 yum remove sendmail 83 84 # Check out the scripts /etc configuration 85 cd /root 86 \cp -a etc / 87 chmod 0440 /etc/sudoers 88 89 # Make sure network is working. Kickstart should have 139 90 # configured eth0 and eth1 correctly; use service network restart 140 # to add the new routes in route-eth1. 141 service network restart 91 # to add the new routes from etc in route-eth1. 92 systemctl restart network.service 93 # Check everything worked: 142 94 route 143 95 ifconfig … … 151 103 # Some of these packages are naughty and clobber some of our files 152 104 cd /etc 153 svn revert resolv.conf hosts sysconfig/openafs 105 svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf 154 106 155 107 # Replace rsyslog with syslog-ng by doing: 156 108 rpm -e --nodeps rsyslog 157 109 yum install -y syslog-ng 158 chkconfig syslog-ng on 159 160 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 161 # mapping. 162 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 163 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 164 165 # [TESTSERVER] If you're installing a test server, this needs to be 166 # much smaller; the max filesize on XVM is 10GB. Pick something like 167 # 500000. Also, some of the AFS parameters are kind of retarded (and if 168 # you're low on disk space, will actually exhaust our inodes). Edit 169 # these parameters in /etc/sysconfig/openafs 170 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 171 XXX TODO COMMANDS 172 173 # Test that zephyr is working 174 chkconfig zhm on 175 service zhm start 176 echo 'Test!' | zwrite -d -c scripts -i test 110 systemctl enable syslog-ng.service 177 111 178 112 # Install the full list of RPMs that users expect to be on the … … 184 118 # it can't install /one/ package. 
185 119 yum install -y --skip-broken $(cat packages.txt) 186 187 # Make sure sendmail isn't installed188 yum remove sendmail189 120 190 121 # Check which packages are installed on your new server that are not … … 204 135 # explicit versions. So temporarily rpm -e the package, and then 205 136 # install it again after you install haskell-platform. [Note: You 206 # probably won't need this in Fedora 1 5or something, when the Haskell137 # probably won't need this in Fedora 17 or something, when the Haskell 207 138 # Platform gets updated.] 208 139 rpm -e ghc-cgi-devel ghc-cgi … … 212 143 rpm -i ghc-cgi*1.8.1*.rpm 213 144 214 # Check out the scripts /usr/vice/etc configuration 215 cd /root/vice 216 \cp -a etc /usr/vice 145 # ----------------------------->8-------------------------------------- 146 # SPHEROID SHENANIGANS 147 148 # Note: Since ultimately we'd like to move away from using per-language 149 # package manager and all of these be RPMs, it is of questionable 150 # importance how much /good/ automation for these is necessary. 151 152 # Warning: For a new release, we're supposed to check if Fedora has 153 # packaged up the RPM. Unfortunately we don't really have good incants 154 # for this. 217 155 218 156 # Install the full list of perl modules that users expect to be on the … … 242 180 # want to be able to write to ~/.python-eggs. (Also makes sourcediving 243 181 # easier.) 244 cat /usr/lib/python2.6/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 182 # 'easy_install AuthKit jsonlib2 pygit' 183 cat /usr/lib/python2.7/site-packages/easy-install.pth | grep "^./" | cut -c3- | cut -f1 -d- > egg.txt 245 184 cat egg.txt | xargs easy_install -Z 185 246 186 # - Look at `gem list` for Ruby gems. 247 187 # Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. 248 188 # ezyang: rspec-rails depends on rspec, and will override the Yum 249 189 # package, so... 
don't use that RPM yet 190 # XXX This doesn't do the right thing for old version gems 250 191 gem list --no-version > gem.txt 251 192 gem install $(gem list --no-version | grep -Fxvf - gem.txt) 193 # Also, we need to install the old rails version 194 gem install -v=2.3.5 rails 195 252 196 # - Look at `pear list` for Pear fruits (or whatever they're called). 253 197 # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note … … 258 202 pear channel-update pear.php.net 259 203 pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt) 204 260 205 # - Look at `pecl list` for PECL things. 'yum search', and if you must, 261 206 # 'pecl install' needed items. If it doesn't work, try 'pear install … … 264 209 pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) 265 210 266 # Setup some Python config 267 echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth 268 269 # [PRODUCTION] Install the credentials. There are a lot of things to 270 # remember here. Be sure to make sure the permissions match up (ls -l 271 # on an existing server!). 272 scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . 
273 scp signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc 274 scp scripts.key root@$server:/etc/pki/tls/private 275 scp .k5login root@$server:/home/logview 276 # o The SSL cert private key (real servers only) 277 ls -l /etc/pki/tls/private/scripts.key 278 # o The LDAP password for the signup process (real servers only) 279 ls -l /etc/signup-ldap-pw 280 # o The whoisd password (real servers only) 281 ls -l /etc/whoisd-password 282 # o Make sure logview's .k5login is correct (real servers only) 283 cat /home/logview/.k5login 284 285 # All types of servers will have an /etc/daemon.keytab file, however, 286 # different types of server will have different credentials in this 287 # keytab. 288 # [PRODUCTION] daemon.scripts 289 # [WIZARD] daemon.scripts-security-upd 290 # [TESTSERVER] daemon.scripts-test 291 k5srvutil list -f daemon.keytab 292 scp daemon.keytab root@$server:/etc 293 chown afsagent:afsagent /etc/daemon.keytab 294 # o The daemon.scripts keytab (will be daemon.scripts-test for test) 295 ls -l /etc/daemon.keytab 296 297 # Spin up OpenAFS. This will fail if there's been a new kernel since 298 # when you last tried. In that case, you can hold on till later to 299 # start OpenAFS. This will take a little bit of time; 300 service openafs-client start 301 # Then, check that fs sysname is correct. You should see, among others, 302 # 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you 303 # probably did a distro upgrade and should update /etc/sysconfig/openafs. 211 # ----------------------------->8-------------------------------------- 212 # INFINITE CONFIGURATION 213 214 # Create fedora-ds user (needed for credit-card) 215 useradd -u 103 -r -d /var/lib/dirsrv fedora-ds 216 217 # Run credit-card to clone in credentials and make things runabble 218 python host.py push $server 219 220 # This is superseded by credit-card, but only for [PRODUCTION] 221 # Don't use credit-card on [WIZARD]: it will put in the wrong creds! 
222 # 223 # # All types of servers will have an /etc/daemon.keytab file, however, 224 # # different types of server will have different credentials in this 225 # # keytab. 226 # # [PRODUCTION] daemon.scripts 227 # # [WIZARD] daemon.scripts-security-upd 228 # # [TESTSERVER] daemon.scripts-test 229 230 # [PRODUCTION/WIZARD] Fix the openafs /usr/vice/etc <-> /etc/openafs 231 # mapping. 232 echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo 233 echo "athena.mit.edu" > /usr/vice/etc/ThisCell 234 # [TESTSERVER] If you're installing a test server, this needs to be 235 # much smaller; the max filesize on XVM is 10GB. Pick something like 236 # 500000. Also, some of the AFS parameters are kind of retarded (and if 237 # you're low on disk space, will actually exhaust our inodes). Edit 238 # these parameters in /etc/sysconfig/openafs (but wait, that won't 239 # work, will it...) 240 echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo 241 vim /etc/sysconfig/openafs 242 243 # Test that zephyr is working 244 systemctl enable zhm.service 245 systemctl start zhm.service 246 echo 'Test!' | zwrite -d -c scripts -i test 247 248 # Check out the scripts /usr/vice/etc configuration 249 cd /root/vice 250 \cp -a etc /usr/vice 251 252 # [PRODUCTION] Set up replication (see ./install-ldap). 
253 # You'll need the LDAP keytab for this server: be sure to chown it 254 # fedora-ds after you create the fedora-ds user 255 ls -l /etc/dirsrv/keytab 256 cat install-ldap 257 258 # Enable lots of services 259 systemctl enable openafs-client.service 260 systemctl enable dirsrv.service 261 systemctl enable nslcd.service 262 systemctl enable nscd.service 263 systemctl enable postfix.service 264 systemctl enable nrpe.service 265 systemctl enable httpd.service # not for [WIZARD] 266 267 systemctl start openafs-client.service 268 systemctl start dirsrv.service 269 systemctl start nslcd.service 270 systemctl start nscd.service 271 systemctl start postfix.service 272 systemctl start nrpe.service 273 systemctl start httpd.service # not for [WIZARD] 274 275 # Note about OpenAFS: Check that fs sysname is correct. You should see, 276 # among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's 277 # not, you probably did a distro upgrade and should update 278 # /etc/sysconfig/openafs (XXX this is wrong: figuring out new 279 # systemd world order). 304 280 fs sysname 281 282 # Postfix doesn't actually deliver mail; fix this 283 cd /etc/postfix 284 postmap virtual 285 286 # Munin might not be monitoring packages that were installed after it 287 munin-node-configure --suggest --shell | sh 288 289 # Run fmtutil-sys --all, which does something that makes TeX work. 290 # (Note: this errors on XeTeX which is ok.) 291 fmtutil-sys --all 292 293 # Ensure that PHP isn't broken: 294 mkdir /tmp/sessions 295 chmod 01777 /tmp/sessions 296 # XXX: this seems to get deleted if tmp gets cleaned up, so we 297 # might need something a little better (maybe init script.) 298 299 # Fix etc by making sure none of our config files got overwritten 300 cd /etc 301 svn status -q 302 # Some usual candidates for clobbering include nsswitch.conf, 303 # resolv.conf and sysconfig/openafs 304 # [WIZARD/TEST] Remember that changes you made should not get 305 # reverted! 
306 307 # Reboot the machine to restore a consistent state, in case you 308 # changed anything. (Note: Starting kdump fails (this is ok)) 309 310 # When all is said and done, fix up the Subversion checkouts 311 cd /etc 312 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 313 cd /usr/vice/etc 314 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 315 cd /srv/repository 316 # Some commands should be run as the scripts-build user, not root. 317 alias asbuild="sudo -u scripts-build" 318 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ 319 asbuild svn up # verify scripts.mit.edu works 320 321 # ------------------------------->8------------------------------- 322 # ADDENDA AND MISCELLANEOUS THINGS 323 324 # [OPTIONAL] Your machine's hostname is baked in at install time; 325 # in the rare case you need to change it: it appears to be in: 326 # o /etc/sysconfig/network 327 # o your lvm thingies; probably don't need to edit 305 328 306 329 # [WIZARD/TESTSERVER] If you are setting up a non-production server, … … 337 360 vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu 338 361 339 # [PRODUCTION] Set up replication (see ./install-ldap).340 # You'll need the LDAP keytab for this server: be sure to chown it341 # fedora-ds after you create the fedora-ds user342 ls -l /etc/dirsrv/keytab343 cat install-ldap344 345 # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at346 # boot. 
Run chkconfig to make sure the set of services to be run is347 # correct.348 service nslcd start349 service nscd start350 service postfix start351 chkconfig nslcd on352 chkconfig nscd on353 chkconfig postfix on354 355 # [PRODUCTION]356 chkconfig dirsrv on357 358 # [PRODUCTION/TESTSERVER]359 # (Maybe WIZARD too once we start doing strange things to autoupgrade360 # installs behind firewalls.)361 service httpd start # will fail if AFS is not running362 chkconfig httpd on363 364 # nrpe is required for nagios alerts365 chkconfig nrpe on366 367 # [PRODUCTION] Check sql user credentials (needs to be done after LDAP368 # is setup)369 chown sql /etc/sql-mit-edu.cfg.php370 371 # Postfix doesn't actually deliver mail; fix this372 cd /etc/postfix373 postmap virtual374 375 # Munin might not be monitoring packages that were installed after it376 munin-node-configure --suggest --shell | sh377 378 # Run fmtutil-sys --all, which does something that makes TeX work.379 # (Note: this errors on XeTeX which is ok.)380 fmtutil-sys --all381 382 # Ensure that PHP isn't broken:383 mkdir /tmp/sessions384 chmod 01777 /tmp/sessions385 # XXX: this seems to get deleted if tmp gets cleaned up, so we386 # might need something a little better (maybe init script.)387 388 # Ensure fcgid isn't broken (should be 755)389 ls -ld /var/run/mod_fcgid390 391 # Fix etc by making sure none of our config files got overwritten392 cd /etc393 svn status -q394 # Some usual candidates for clobbering include nsswitch.conf and395 # sysconfig/openafs396 # [WIZARD/TEST] Remember that changes you made should not get397 # reverted!398 399 # ThisCell got clobbered, replace it with athena.mit.edu400 echo "athena.mit.edu" > /usr/vice/etc/ThisCell401 402 # Reboot the machine to restore a consistent state, in case you403 # changed anything. 
(Note: Starting kdump fails (this is ok))404 405 # [OPTIONAL] Your machine's hostname is baked in at install time;406 # in the rare case you need to change it: it appears to be in:407 # o /etc/sysconfig/network408 # o your lvm thingies; probably don't need to edit409 410 362 # [TESTERVER] 411 363 # - You need a self-signed SSL cert or Apache will refuse to start … … 420 372 # be an accepted vhost name 421 373 # - Look at the old test server and see what config changes are floating around 422 423 # XXX: our SVN checkout should be updated to use scripts.mit.edu424 # (repository and etc) once serving actually works.425 cd /etc426 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/427 cd /usr/vice/etc428 svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/429 cd /srv/repository430 asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/431 asbuild svn up # verify scripts.mit.edu works -
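Review bot: `python host.py push $server` (credit-card) replaces the hand-copied credentials (scripts.key, signup-ldap-pw, whoisd-password, sql-mit-edu.cfg.php, daemon.keytab, logview's .k5login), but every post-copy ownership and permission step goes with them: `chown afsagent:afsagent /etc/daemon.keytab`, `chown sql /etc/sql-mit-edu.cfg.php` and the "make sure the permissions match up (ls -l on an existing server!)" check are all removed and the new text never says credit-card sets owners and modes. Either state that host.py push does, or keep an `ls -l` of those files right after the push. The same question applies to the removed ssh host-key replacement and the root dotfile copy (.ssh, .k5login and the sensitive .ldapvirc): if credit-card now does those, say so in the comment; if not, the steps are missing from the procedure.

Review bot: "Don't use credit-card on [WIZARD]: it will put in the wrong creds!" leaves [WIZARD] and [TESTSERVER] with no way to obtain /etc/daemon.keytab at all, because the old `k5srvutil list -f daemon.keytab` / `scp` / `chown` lines survive only as a commented-out reminder of which principal each server type needs. Add the manual path for the non-production server types next to that comment.

Review bot: `useradd -u 103 -r -d /var/lib/dirsrv fedora-ds` hard-codes UID 103, whereas the install-ldap `useradd -r -d /var/lib/dirsrv fedora-ds` that this changeset removes never pinned one; the command fails if 103 is already taken on the host. Say why the UID must be fixed (presumably so ownership of the svn-managed files and /etc/dirsrv/keytab matches across servers) and add a `getent passwd 103` check before it.

Review bot: `set -e -x` is dropped from the top without comment and `alias asbuild="sudo -u scripts-build"` moves to just before its only use at the svn switch step. Since the file is named .sh but is clearly meant to be read rather than executed (`vim /etc/sysconfig/openafs`, `cat install-ldap`, `XXX TODO COMMANDS`, `server=YOUR-SERVER-NAME-HERE`), a one-line header saying so would stop someone from running it with bash.

Review bot: `gem install -v=2.3.5 rails` pins an old Rails next to whatever `gem install $(...)` pulls for the rest of gem.txt, and the adjacent `# XXX This doesn't do the right thing for old version gems` says the refresh logic cannot track it. Record which user applications still need 2.3.5 so the pin can be removed when they are gone; an unexplained pin is how an old version stays on the servers indefinitely.

Review bot: the rewrite drops the `ls -ld /var/run/mod_fcgid` (should be 755) check and the "ThisCell got clobbered" recheck from the end of the procedure. The `echo "athena.mit.edu" > /usr/vice/etc/ThisCell` now runs in INFINITE CONFIGURATION, after the package install, so that one is covered, but the mod_fcgid permission check has no replacement and belongs in the "Fix etc" block.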
trunk/server/doc/install-ldap
r1986 r2066 1 To set up a new LDAP server: 2 3 - Install the RPM 389-ds-base with yum (these are installed by kickstart 4 these days, so these two steps are probably not necessary) 5 root# yum install -y 389-ds-base 6 root# yum install -y policycoreutils-python 7 root# yum install -y ldapvi 8 - We want to run the directory server as its own user, so create fedora-ds 9 root# useradd -r -d /var/lib/dirsrv fedora-ds 10 - Temporarily move away the existing slapd-scripts folder 11 root# mv /etc/dirsrv/slapd-scripts{,.bak} 12 - root# /usr/sbin/setup-ds.pl 13 - Choose a typical install 14 - Tell it to use the fedora-ds user and group 15 - Directory server identifier: scripts 16 Needed to remove this from the config file first 17 - Suffix: dc=scripts,dc=mit,dc=edu 18 - Input directory manager password 19 (this can be found in ~/.ldapvirc) 20 - Move the schema back 21 root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 22 root# rm -Rf /etc/dirsrv/slapd-scripts.bak 23 - Turn dirsrv off: service dirsrv stop 24 - Apply the following configuration changes. If you're editing 25 dse.ldif, you don't want dirsrv to be on, otherwise it will 26 overwrite your changes. [XXX: show how to do these changes with 27 dsconf, which is the "blessed" method] 1 # To set up a new LDAP server: 2 3 # Temporarily move away the existing slapd-scripts folder 4 mv /etc/dirsrv/slapd-scripts{,.bak} 5 6 # Setup directory server 7 /usr/sbin/setup-ds.pl 8 # - Choose a typical install 9 # - Tell it to use the fedora-ds user and group 10 # - Directory server identifier: scripts 11 # - Suffix: dc=scripts,dc=mit,dc=edu 12 # - Input directory manager password 13 # (this can be found in ~/.ldapvirc) 14 15 # Move the schema back 16 cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts 17 rm -Rf /etc/dirsrv/slapd-scripts.bak 18 19 # Turn dirsrv off: 20 systemctl stop dirsrv.service 21 22 # Apply the following configuration changes. 
If you're editing 23 # dse.ldif, you don't want dirsrv to be on, otherwise it will 24 # overwrite your changes. [XXX: show how to do these changes with 25 # dsconf, which is the "blessed" method, although it seems 26 # dsconf only exists for Red Hat] 27 28 vim /etc/dirsrv/slapd-scripts/dse.ldif 29 <<<EOF 28 30 29 31 # Inside cn=config. These changes definitely require a restart. 30 nsslapd-ldapifilepath: /var/run/slapd-scripts.socket31 32 nsslapd-ldapilisten: on 32 33 nsslapd-syntaxcheck: off 34 35 # We need to turn off syntax check because our schema is wrong and too 36 # restrictive on some value. This should get fixed. 33 37 34 38 # Add these blocks … … 46 50 nsSaslMapFilterTemplate: (objectClass=posixAccount) 47 51 48 - Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make 49 sure you chown/chgrp it to be readable by fedora-ds 50 - Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME 51 - chown fedora-ds:fedora-ds /var/run/dirsrv 52 - chown fedora-ds /etc/dirsrv/keytab 53 - /sbin/service dirsrv start 54 - Use ldapvi -b cn=config to add these indexes (8 of them): 52 EOF; 53 54 systemctl start dirsrv.service 55 56 ldapvi -b cn=config 57 # Add these indexes (8 of them): 58 59 <<<EOF 55 60 56 61 add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config … … 117 122 nsIndexType: eq 118 123 nsIndexType: pres 124 125 EOF; 119 126 120 127 - Build the indexes for all the fields: … … 181 188 182 189 Here's how you do it. 190 191 NOTE: There's this spiffy new tool MMR hammer which automates some of 192 this process. Check the "MMR Hammer" sections to see how. Install it 193 here: https://github.com/ezyang/mmr-hammer 183 194 184 195 0. 
Tell -c scripts not to go off and reboot servers until you're … … 209 220 nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 210 221 nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 222 nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu 211 223 nsds5ReplicaPurgeDelay: 604800 212 224 nsds5ReplicaLegacyConsumer: off … … 223 235 for just $MASTER. 224 236 237 REMEMBER: You need to use FOO.mit.edu for the names! Otherwise you will get 238 unauthorized errors. 239 225 240 add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu 226 241 uid: ldap/$MASTER … … 245 260 risky step of the process; see below for help debugging problems. 246 261 247 WARNING: There is a known bug doing full updates from 1.2.6 to 248 1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852 262 MMR Hammer: mmr-hammer -h $MASTER init agreements $SLAVE 263 264 ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config 249 265 250 266 add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 268 284 If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER 269 285 for more information. It might be because fedora-ds can't read 270 /etc/dirsrv/keytab 286 /etc/dirsrv/keytab or because you setup the account on the SLAVE 287 incorrectly. 271 288 272 289 6. Replicate in the other direction. On $MASTER, add $SLAVE 273 290 as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config 274 Also, add an account for $SLAVE 291 Also, add an account for $SLAVE if it doesn't exist already. 275 292 276 293 add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu … … 280 297 281 298 On $SLAVE, 299 300 MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER 282 301 283 302 add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config … … 308 327 new server. 
309 328 329 With MMR hammer, that's something like: 330 331 for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done 332 310 333 8. If at this point you look at the new server's changelog with 311 334 cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you … … 316 339 also good for making sure the replication agreements actually work. 317 340 341 With MMR hammer, that's something like: 342 343 for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done 344 318 345 Troubleshooting 319 346 =============== -
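Review bot: the `<<<EOF` / `EOF;` markers around the dse.ldif block and the index block are not valid shell (a here-document is `<<EOF` terminated by a bare `EOF`; `<<<` is a here-string), and they are not attached to any command anyway since the intent is "paste this into vim / ldapvi". Either make them real here-documents feeding a command, or use plain comment delimiters so nobody tries to execute the file.

Review bot: the keytab steps are gone. Putting ldap/hostname.mit.edu in /etc/dirsrv/keytab, `KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME` in /etc/sysconfig/dirsrv, and the `chown fedora-ds` of /etc/dirsrv/keytab and /var/run/dirsrv are all removed and replaced by a bare `systemctl start dirsrv.service`, yet the troubleshooting text below still says an LDAP Error 49 "might be because fedora-ds can't read /etc/dirsrv/keytab". If install-howto.sh or credit-card now handles the keytab and the environment variable, say so here; otherwise GSSAPI replication cannot work on a fresh host.

Review bot: `nsslapd-ldapifilepath: /var/run/slapd-scripts.socket` is dropped while `nsslapd-ldapilisten: on` stays; if setup-ds.pl already writes the socket path for the "scripts" instance, say so, otherwise the path is now unspecified. Separately, the new justification for `nsslapd-syntaxcheck: off` ("our schema is wrong and too restrictive on some value") should name the attribute, because turning syntax checking off server-wide accepts every malformed value, not just that one, and the "This should get fixed" has nothing to point at.

Review bot: the warning about bugzilla 637852 (full updates from 1.2.6 to 1.2.6) is removed without stating that the servers are past 1.2.6; add that, or keep the warning. The file is also now half shell-comment style (`# ...`) and half the old `- ` list style from "Build the indexes for all the fields" onward, so either finish the conversion or mark where the command-style part ends.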
trunk/server/doc/package-build-howto
r1712 r2066 50 50 51 51 * # Rebuild the repo metadata to include the new packages. 52 cd /mit/scripts/ rpm-fc[RELEASE]52 cd /mit/scripts/yum-repos/rpm-fc[RELEASE] 53 53 # If you have a trusted machine: 54 createrepo .54 createrepo -d . 55 55 # Otherwise, on a scripts server, as root: 56 56 mkdir /root/repodata-YYYYMMDD # Or any suitable temp directory 57 createrepo - o /root/repodata-YYYYMMDD .57 createrepo -d -o /root/repodata-YYYYMMDD . 58 58 # Then from your trusted machine 59 59 krootscp -r root@[BUILD-SERVER]:/root/repodata-YYYYMMDD /mit/scripts/rpm-fc[RELEASE] -
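Review bot: the `cd` is changed to /mit/scripts/yum-repos/rpm-fc[RELEASE], but the `krootscp -r root@[BUILD-SERVER]:/root/repodata-YYYYMMDD /mit/scripts/rpm-fc[RELEASE]` line two steps later still uses the old path, so the "on a scripts server, as root" variant publishes the regenerated repodata (now built with `createrepo -d`) to a different directory than the trusted-machine variant. Update it to match, or state that the old path is a symlink to the new one.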
trunk/server/doc/upgrade-tips
r1695 r2066 159 159 /mit/scripts/rpm-fcXX-testing) needs to be made. It's quite simple; 160 160 all you need to do is copy the RPMs from the build server to there 161 (probably going through a trusted machine, since you don't want to 162 put your root tickets on a server.) When you're done, run `createrepo`161 (probably going through a trusted machine, since you don't want to put 162 your root tickets on a server.) When you're done, run `createrepo -d` 163 163 on the directory. 164 164 … … 197 197 hysterical raisins we still refer to our 32-bit builds as i386. 198 198 [XXX: Maybe this should change] 199 200 Until we decide that the performance impact is negligible, any new PHP 201 extensions other than the few we’ve whitelisted should be disabled by 202 emptying their .ini files in /etc/php.d. 203 204 8. Sending announcements 205 ------------------------ 206 207 Once development work has finished, we need to allow users to test 208 their websites on the new servers. 209 210 SIPB Internal Testing: Send an email to scripts-team@mit.edu 211 and -c sipb notifying them of testing procedure and known 212 issues. 213 214 General Testing:
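Review bot: "the few we've whitelisted" PHP extensions are never listed; name them, or point at the file that is the whitelist, so the rule "disable by emptying their .ini files in /etc/php.d" can be applied on a new release, and say whether RPM updates preserve the emptied files or the check has to be repeated after each `yum update`. Also, the new "8. Sending announcements" section stops at "General Testing:" with no body.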