# This document is a how-to for installing a Fedora scripts.mit.edu server.
# It is semi-vaguely in the form of a shell script, but is not really
# runnable as it stands: read it top to bottom and run the indented
# commands by hand (as root) on the new server.

# Notation
# [PRODUCTION] Production server that will be put into the pool
# [WIZARD]     Semi-production server that will only have
#              daemon.scripts-security-upd bits, among other
#              restricted permissions
# [TESTSERVER] Completely untrusted server

# 'branch' is the current svn branch you are on.  You want to
# use trunk if you're just installing a new server, and branches/fcXX-dev
# if you're preparing a server on a new Fedora release.
branch="trunk"

# 'server' is the public hostname of your server, for SCP'ing files
# to and from (it is also what 'host.py push' below is given).
server=YOUR-SERVER-NAME-HERE

# ----------------------------->8--------------------------------------
#                       FIRST TIME INSTRUCTIONS
#
# [PRODUCTION] If this is the first time you've installed this hostname,
# you will need to update a bunch of files to add support for it. These
# include:
#   o Adding all aliases to /etc/httpd/conf.d/scripts-vhost-names.conf
#     (usually this is hostname, hostname.mit.edu, h-n, h-n.mit.edu,
#     scriptsN, scriptsN.mit.edu, and the IP address.)
#   o Adding routing rules for the static IP in
#     /etc/sysconfig/network-scripts/route-eth1
#   o Adding the IP address to the hosts file (same hosts as for
#     scripts-vhost-names)
#   o Update SSH config at
#       - server/fedora/config/etc/ssh/shosts.equiv
#       - server/fedora/config/etc/ssh/ssh_known_hosts
#       - server/fedora/config/etc/ssh/sshd_config : DenyUsers
#     (the last part is critical: the DenyUsers entry is what keeps a
#     root compromise of one server from turning into root on all the
#     other servers -- do not skip it or leave it for later)
#   o Put the hostname information in LDAP so SVN and Git work
#   o Set up Nagios monitoring on sipb-noc for the host
#   o Set up the host as in the pool on r-b/r-b /etc/heartbeat/ldirectord.cf
#   o Update locker/etc/known_hosts
#   o Update website files:
#       /mit/scripts/web_scripts/home/server.css.cgi
#       /mit/scripts/web_scripts/heartbeat/heartbeat.php
#
# You will also need to prepare the keytabs for credit-card.  In particular,
# use ktutil to combine the host/scripts.mit.edu and
# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
# the keytab.  Do not use 'k5srvutil change' on the combined keytab
# or you'll break the other servers: those keys are shared by every
# server that holds them. (real servers only).  Be careful about
# writing out the keytab: if you write it to an existing file the
# keys will just get appended, so write to a fresh file and check the
# listing before installing it.  The correct credential list should
# look like:
#   ktutil:  l
#   slot KVNO Principal
#   ---- ---- ---------------------------------------------------------------------
#      1    5 host/old-faithful.mit.edu@ATHENA.MIT.EDU
#      2    3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU
#      3    2 host/scripts.mit.edu@ATHENA.MIT.EDU
#      4    8 host/scripts-test.mit.edu@ATHENA.MIT.EDU
#
# The LDAP keytab should be by itself, so be sure to delete it from the
# combined keytab and put it in its own file.

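# ----------------------------->8--------------------------------------
#                      INFINITE INSTALLATION

# Start with a Scripts kickstarted install of Fedora (install-fedora)

# IMPORTANT: If you are installing a server without the benefit of
# Kickstart (for example, you are installing on XVM), it is VITALLY
# IMPORTANT that you go through the kickstart and apply all of the
# necessary changes--for example, disabling selinux or enabling
# network.
#   XXX We should make Kickstart work for test servers too

# Make sure selinux is disabled.  'selinuxenabled' exits 0 when SELinux
# is ON, so a check that only prints in the disabled case is silent in
# exactly the case you need to notice; complain loudly when it is still
# on.  (Turning SELinux off is a deliberate choice of this setup: the
# scriptsified packages below are known not to install under it.)
    if selinuxenabled; then echo "WARNING: selinux is still enabled; go back to the kickstart changes" >&2; else echo "selinux not enabled"; fi

# Take updates, reboot if there's a kernel update.
    yum update -y

# Get rid of network manager (XXX figure out how to make kickstart do
# this for us)
    yum remove NetworkManager

# Make sure sendmail isn't installed, replace it with postfix
    yum shell -y <<EOF
remove sendmail
install postfix
run
exit
EOF

# Check out the scripts /etc configuration (an svn working copy placed
# in /root/etc) and copy it over /etc.  -a keeps ownership, modes and
# the .svn metadata, which is what makes 'svn revert'/'svn status' in
# /etc work later on.
    cd /root
    \cp -a etc /
    # sudo refuses to run with a sudoers file that is looser than this
    chmod 0440 /etc/sudoers
    grub2-mkconfig -o /boot/grub2/grub.cfg

# [TEST] You'll need to fix some config now.  See bottom of document.

# Stop /etc/resolv.conf from getting repeatedly overwritten by
# purging DNS servers from ifcfg-eth0 and ifcfg-eth1
    vim /etc/sysconfig/network-scripts/ifcfg-eth0
    vim /etc/sysconfig/network-scripts/ifcfg-eth1

# Make sure network is working.  Kickstart should have
# configured eth0 and eth1 correctly; use service network restart
# to add the new routes from etc in route-eth1.
    systemctl restart network.service
    # Check everything worked:
    route
    ifconfig
    cat /etc/hosts
    cat /etc/sysconfig/network-scripts/route-eth1

# This is the point at which you should start updating scriptsified
# packages for a new Fedora release.  Consult 'upgrade-tips' for more
# information.
    yum install -y scripts-base
    # Some of these packages are naughty and clobber some of our files
    cd /etc
    svn revert resolv.conf hosts sysconfig/openafs nsswitch.conf
    # Troubleshooting: if accountadm, tokensys and nscd fail to install
    # you probably forgot to turn off selinux

# Replace rsyslog with syslog-ng by doing:
    yum shell -y <<EOF
remove rsyslog
install syslog-ng
run
exit
EOF
    systemctl enable syslog-ng.service
    systemctl start syslog-ng.service

# Install the full list of RPMs that users expect to be on the
# scripts.mit.edu servers.  Take the snapshot on an EXISTING scripts
# server (not the one you are building):
rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
# arrange for packages.txt to be passed to the server, then run:
    cd /tmp
    yumdownloader --disablerepo=scripts ghc-cgi ghc-cgi-devel
    yum localinstall ghc-cgi*.x86_64.rpm
    # $(cat ...) is deliberately unquoted: one word per package name
    yum install -y $(cat packages.txt)
# The reason this works is that ghc-cgi is marked as installonlypkgs
# in yum.conf, telling yum to install them side-by-side rather than
# updating them. If it doesn't work, use --skip-broken on the yum
# command line.

# Check which packages are installed on your new server that are not
# in the snapshot, and remove ones that aren't needed for some reason
# on the new machine.  Otherwise, aside from bloat, you may end up
# with undesirable things for security, like sendmail.
    rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt
    diff -u packages.txt newpackages.txt | grep -v kernel | less
    # here's a cute script that removes all extra packages.  Read the
    # diff above first: 'yum erase' also takes out whatever depends on
    # the packages it removes, and -y will not stop to ask.
    yum erase -y $(grep -Fxvf packages.txt newpackages.txt)
    # 20101208 - Mysteriously we manage to get these extra packages
    # from kickstart: mcelog mobile-broadband-provider-info
    # ModemManager PackageKit
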
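# ----------------------------->8--------------------------------------
#                       INFINITE CONFIGURATION

# [PROD] Create fedora-ds user (needed for credit-card)
# [TEST] too if you want to run a local dirsrv instance
# NOTE(review): -r makes this a system account but leaves the default
# login shell in place; nothing in this document needs fedora-ds to log
# in, so consider adding -s /sbin/nologin unless something relies on it.
useradd -r -d /var/lib/dirsrv fedora-ds

# Run credit-card to clone in credentials and make things runnable
# NOTE: You may be tempted to run credit-card earlier in the install
# process in order, for example, to be able to SSH in to the servers
# with Kerberos.  However, it is better to install the credentials
# *after* we have run a boatload of untrusted code as part of the
# package-installation ("spheroids objects") process above.  So don't
# move this step earlier!
python host.py push "$server"

# This is superseded by credit-card, which works for [PRODUCTION] and
# [WIZARD].  We don't have an easy way of running credit-card for XVM...
#b
#
#   # All types of servers will have an /etc/daemon.keytab file, however,
#   # different types of server will have different credentials in this
#   # keytab.
#   #   [PRODUCTION] daemon.scripts
#   #   [WIZARD]     daemon.scripts-security-upd
#   #   [TESTSERVER] daemon.scripts-test

# Test that zephyr is working
    systemctl enable zhm.service
    systemctl start zhm.service
    echo 'Test!' | zwrite -d -c scripts -i test

# Check out the scripts /usr/vice/etc configuration
    cd /root/vice
    \cp -a etc /usr/vice
# [TESTSERVER] If you're installing a test server, this needs to be
# much smaller; the max filesize on XVM is 10GB.  Pick something like
# 500000. Also, some of the AFS parameters are kind of silly (and if
# you're low on disk space, will actually exhaust our inodes).  Edit
# these parameters in /etc/sysconfig/openafs (I just chopped a zero
# off of all of our parameters)
    echo "/afs:/usr/vice/cache:500000" > /usr/vice/etc/cacheinfo  # [TESTSERVER] only; production keeps the checked-out value
    vim /etc/sysconfig/openafs

# [PRODUCTION] Set up replication (see ./install-ldap).
# You'll need the LDAP keytab for this server: be sure to chown it
# fedora-ds after you create the fedora-ds user, and check with ls -l
# that nobody else can read it.
    ls -l /etc/dirsrv/keytab
    cat install-ldap

# Enable lots of services (currently in /etc checkout)
    systemctl enable openafs-client.service
    systemctl enable dirsrv.target
    systemctl enable nslcd.service
    systemctl enable nscd.service
    systemctl enable postfix.service
    systemctl enable nrpe.service # chkconfig'd
    systemctl enable httpd.service # not for [WIZARD]

    systemctl start openafs-client.service
    systemctl start dirsrv.target
    systemctl start nslcd.service
    systemctl start nscd.service
    systemctl start postfix.service
    systemctl start nrpe.service
    systemctl start httpd.service # not for [WIZARD]

# Note about OpenAFS: Check that fs sysname is correct.  You should see,
# among others, 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's
# not, you probably did a distro upgrade and should update
# tokensys (server/common/oursrc/tokensys/scripts-afsagent-startup.in)
    fs sysname

# Postfix doesn't actually deliver mail; fix this
    cd /etc/postfix
    postmap virtual

# Munin might not be monitoring packages that were installed after it.
# (This pipes generated shell into sh; run it without '| sh' first if
# you want to see what it is about to do.)
    munin-node-configure --suggest --shell | sh

# Run fmtutil-sys --all, which does something that makes TeX work.
# (Note: this errors on XeTeX which is ok.)
    fmtutil-sys --all

# Check for unwanted setuid/setgid binaries and file capabilities.
# Anything printed is NOT on the allow-list and needs a reason or a fix.
# Notes on the find expression:
#   - -xdev stays on the root filesystem.  If /usr, /var, /home or the
#     like are separate mounts on this box, run the same find against
#     each of them as well or the check silently misses them.
#   - directories that are not world-executable are pruned (users
#     can't reach what's inside); because -prune is applied to files
#     too, setuid files that are not themselves o+x are also skipped.
    find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list
    find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list
    # You can prune the first set of binaries using 'chmod u-s' and 'chmod g-s'
    # and remove capabilities using 'setcap -r'

# XXX check for selinux gunk

# Fix etc by making sure none of our config files got overwritten
    cd /etc
    svn status -q
    # Some usual candidates for clobbering include nsswitch.conf,
    # resolv.conf and sysconfig/openafs
    # [WIZARD/TEST] Remember that changes you made should not get
    # reverted!

# Reboot the machine to restore a consistent state, in case you
# changed anything. (Note: Starting kdump fails (this is ok))
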
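# ------------------------------->8-------------------------------
#                ADDENDA AND MISCELLANEOUS THINGS

# [OPTIONAL] Your machine's hostname is baked in at install time;
# in the rare case you need to change it: it appears to be in:
#   o /etc/sysconfig/network
#   o your lvm thingies; probably don't need to edit

# [TESTSERVER] Enable password log in.  This is for the completely
# untrusted test server ONLY: it turns on password login in sshd and
# rewrites the PAM auth stack; leave it alone on [PRODUCTION] and
# [WIZARD], which log in with Kerberos.
        vim /etc/ssh/sshd_config
        systemctl reload sshd.service
        vim /etc/pam.d/sshd
# Replace the first auth block with:
#           # If they're not root, but their user exists (success),
#           auth    [success=ignore ignore=ignore default=1]        pam_succeed_if.so uid > 0
#           # print the "You don't have tickets" error:
#           auth    [success=die ignore=reset default=die]  pam_echo.so file=/etc/issue.net.no_tkt
#           # If !(they are root),
#           auth    [success=1 ignore=ignore default=ignore]        pam_succeed_if.so uid eq 0
#           # print the "your account doesn't exist" error:
#           auth    [success=die ignore=reset default=die]  pam_echo.so file=/etc/issue.net.no_user


# [WIZARD/TESTSERVER] If you are setting up a non-production server,
# there are some services that it won't provide, and you will need to
# make it talk to a real server instead.  In particular:
#   - We don't serve the web, so don't bind scripts.mit.edu
#   - We don't serve LDAP, so use another server
# XXX: Someone should write sed scripts to do this
# This involves editing the following files:
        svn rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
        svn rm /etc/sysconfig/network-scripts/route-eth1 # [TESTSERVER] only
#   o /etc/nslcd.conf
#       replace: uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
#       with: uri ldap://scripts.mit.edu/
#           (what happened to nss-ldapd?)
#   o /etc/openldap/ldap.conf
#       add: URI ldap://scripts.mit.edu/
#            BASE dc=scripts,dc=mit,dc=edu
#   o /etc/httpd/conf.d/vhost_ldap.conf
#       replace: VhostLDAPUrl "ldap://127.0.0.1/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
#   o /etc/postfix/virtual-alias-{domains,maps}-ldap.cf
#       replace: server_host ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
#       with: server_host = ldap://scripts.mit.edu
# to use scripts.mit.edu instead of localhost.

# [WIZARD/TESTSERVER] If you are setting up a non-production server,
# afsagent's cronjob will attempt to be renewing with the wrong
# credentials (daemon.scripts). Change this:
    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu

# [TESTSERVER]
#   - You need a self-signed SSL cert or Apache will refuse to start
#     or do SSL.  Generate with: (XXX recommended CN?)
#     '-extensions v3_req' selects the non-CA extension set
#     (basicConstraints CA:FALSE) instead of the default v3_ca, so the
#     test cert is an end-entity cert and not a self-signed CA.
    openssl req -new -x509 -sha256 -newkey rsa:2048 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts-cert.pem -nodes -extensions v3_req
    # -nodes leaves the key unencrypted on disk; make sure only root can
    # read it (older openssl releases create -keyout files using the
    # umask alone).
    chmod 0600 /etc/pki/tls/private/scripts.key
    ln -s /etc/pki/tls/private/scripts.key /etc/pki/tls/private/scripts-2048.key
#     Also make the various public keys match up.  Do NOT dump the
#     public key over scripts-cert.pem: that is the certificate the
#     openssl req above just wrote, and overwriting it with a bare
#     public key leaves Apache with no certificate to serve.
    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/star.scripts.pem
    openssl rsa -in /etc/pki/tls/private/scripts.key -pubout > /etc/pki/tls/certs/scripts.pem
#     If a vhost config points SSLCertificateFile at star.scripts.pem
#     or scripts.pem, those need the certificate itself rather than a
#     public key -- copy scripts-cert.pem over them instead (this is the
#     "alternate strategy" below).
#     Nuke the CSRs since they will all mismatch
#     XXX alternate strategy replace all the pem's as above
    cd /etc/httpd/vhosts.d
    svn rm *.conf

# [TESTSERVER]
#   Remove vhosts.d which we don't have rights for XXX

# [TESTSERVER] More stuff for test servers
#   - Make (/etc/aliases) root mail go to /dev/null, so we don't spam people
#   - Edit /etc/httpd/conf.d/scripts-vhost-names.conf to have scripts-fX-test.xvm.mit.edu
#     be an accepted vhost name
#   - Look at the old test server and see what config changes are floating around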