Diff for "DomTool/Installation"

Differences between revisions 1 and 22 (spanning 21 versions)
Revision 1 as of 2008-03-09 14:28:16
Size: 1052
Editor: AdamChlipala
Comment:
Revision 22 as of 2018-04-19 01:59:35
Size: 3324
Editor: ClintonEbadi
Comment: $HOST is short hostname
Line 1: Line 1:
To deploy DomTool on a new HCoop machine: In this document, `$HOST` is equivalent to `$(hostname)` (i.e. the first part of the fqdn).
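Review bot: `$(hostname)` in the new introduction line is not guaranteed to give the short name; on a host whose hostname is set to the FQDN it returns the full name. The New Machine section defines `$HOST` as `$(hostname --short)`, so use that form here as well and keep a single definition of `$HOST` on the page.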
Line 3: Line 3:
 * Install these Debian packages: `mlton libssl-dev libpcre3-dev`
 * Change to an appropriate directory for your personal check-out of the `domtool2` CVS repo and run:
== Deploying an Update ==

Push all changes to the release branch, and tag as `release_${isodate}` (e.g. `release_20121022` for October 22nd, 2012). If you make multiple releases in a day append `-N` starting with `1`.

Running the `deploy-domtool` script will then pull, build, and install domtool sitewide.

To deploy on an individual host, use the `deploy-domtool-on-host` script.

== New Machine ==

Ensure these Debian packages are installed: `mlton libssl-dev libpcre3-dev rsync` (our AutomatedSystemInstall does this for you)

`$HOST` = `$(hostname --short)` (e.g. `fritz.hcoop.net` is `fritz`, we should probably switch to using the FQDN).

Create `/afs/hcoop.net/common/domtool/build/$HOST`

Clone the `domtool2` repository and checkout release:
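Review bot: the tagging rule under "Deploying an Update" does not say whether the first release of a day carries a suffix, so "append `-N` starting with `1`" can be read as the second release being `-1` or `-2`. Spell out the sequence next to the `release_20121022` example.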
Line 6: Line 22:
cvs -d$YOU@hcoop.cvs.sourceforge.net:/cvsroot/hcoop co domtool2
cd domtool2
cd /afs/hcoop.net/common/domtool/build/$HOST
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2
Line 9: Line 25:
 * Run:
If a slave (the usual setup):

 * Add node to `HOSTS_SLAVE` (unless it is the new master) variable `deploy-domtool` script. Afterward the general deployment procedure should work.
 * Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): `domtool-addcert $HOST`

Work directories under `/var/domtool` may need to be created, but at hcoop puppet should automatically create them.

The first time DomTool is deployed to a host, it should be done manually using `deploy-domtool-on-host --slave --bootstrap` to ensure systemd units are installed and enabled.

=== Work Directories ===

DomTool should create these during installation, but it does not yet (see [[https://bugzilla.hcoop.net/show_bug.cgi?id=935|Bug 935]]).

Domtool's scratch directory:
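Review bot: the `HOSTS_SLAVE` bullet says that after adding the node "the general deployment procedure should work", while the bootstrap paragraph further down this hunk says the first deployment must be run by hand with `deploy-domtool-on-host --slave --bootstrap`. State the order explicitly so a reader does not run the sitewide script against a host that has no units installed yet, and fix the bullet's wording, which is missing "in the" before `deploy-domtool`.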
Line 11: Line 42:
make sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool
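Review bot: `sudo chown domtool.nogroup /var/domtool` uses the dot separator, which GNU chown accepts only for backward compatibility; write `domtool:nogroup`. The added lines also set no mode on `/var/domtool`, so the directory gets whatever the umask in effect allows; state the intended mode with an explicit `chmod`.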
Line 13: Line 45:
 * It will fail at the very end because a shared library hasn't been installed yet. Run:
{{{
sudo make install
rm elisp/domtool-tables.el
make
sudo make install
}}}

Create subdirectories of `/var/domtool` in the same way, depending on which services this slave will be managing: (incomplete)

  * bind: `/var/domtool/zones`
  * apache: `/var/domtool/vhosts` and `/var/domtool/apache2_logs`
  * firewall: `/var/domtool/firewall`


== etc. ==
Line 25: Line 60:
 * Add a local `domtool` user:
{{{
sudo useradd -d /afs/hcoop.net/common/etc/domtool -s /bin/false domtool
}}}
 * Make Domtool's scratch directory:
{{{
sudo mkdir /var/domtool
sudo chown domtool.domtool /var/domtool


 * If this slave manages BIND, make sure that the directory `/etc/bind/zones` exists.

 * Configure Certifications and keys
   * If setting up the disptacher possibly set up local CA and SSL, and certificate for a node as said on [[DomTool/SslProcedures]], and manually copy the certificate and key into the right places:{{{
mkdir ~domtool/keys/$HOST
cp serverkey.pem ~domtool/keys/$HOST/key.pem
cp servercert.pem ~domtool/certs/$HOST.pem
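Review bot: the key copy `cp serverkey.pem ~domtool/keys/$HOST/key.pem` sets neither owner nor mode, so the private key ends up with whatever the source file and umask give it. Add an explicit ownership and permission step so that only `domtool` can read it, as the page already requires for the keytab. The hunk also drops the `useradd` step while the page still relies on a `domtool` user and on `~domtool`; say where that account now comes from. "disptacher" should read "dispatcher".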
Line 35: Line 71:
The rest to follow once AFS tools are installed to the right places on outpost.  * Be sure a keytab for `domtool` is in `/etc/keytabs/domtool`, with permissions set so that only `domtool` can read it. This is handled by puppet automatically at hcoop.

 * Try starting the slave server:
{{{
sudo service domtool-slave start
}}}
 * After ensuring that the slave starts, make the slave (or server) start at boot
{{{
sudo insserv domtool-slave
}}}
----
CategorySystemAdministration CategoryNeedsWork
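Review bot: the `sudo insserv domtool-slave` step conflicts with the New Machine section, which says `deploy-domtool-on-host --slave --bootstrap` installs and enables systemd units. Drop the `insserv` step or mark it as applying only to hosts that are not bootstrapped that way, so the page describes one way of enabling the service at boot.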

In this document, $HOST is equivalent to $(hostname) (i.e. the first part of the FQDN).

1. Deploying an Update

Push all changes to the release branch, and tag as release_${isodate} (e.g. release_20121022 for October 22nd, 2012). If you make multiple releases in a day append -N starting with 1.

Running the deploy-domtool script will then pull, build, and install domtool sitewide.

To deploy on an individual host, use the deploy-domtool-on-host script.

2. New Machine

Ensure these Debian packages are installed: mlton libssl-dev libpcre3-dev rsync (our AutomatedSystemInstall does this for you)

$HOST = $(hostname --short) (e.g. fritz.hcoop.net is fritz; we should probably switch to using the FQDN).

Create /afs/hcoop.net/common/domtool/build/$HOST

Clone the domtool2 repository and check out the release branch:

cd /afs/hcoop.net/common/domtool/build/$HOST
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2

If a slave (the usual setup):

  • Add the node to the HOSTS_SLAVE variable in the deploy-domtool script (unless it is the new master). Afterward the general deployment procedure should work.

  • Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): domtool-addcert $HOST

Work directories under /var/domtool may need to be created, but at hcoop puppet should automatically create them.

The first time DomTool is deployed to a host, it should be done manually using deploy-domtool-on-host --slave --bootstrap to ensure systemd units are installed and enabled.

2.1. Work Directories

DomTool should create these during installation, but it does not yet (see Bug 935).

Domtool's scratch directory:

sudo mkdir /var/domtool
sudo chown domtool:nogroup /var/domtool

Create subdirectories of /var/domtool in the same way, depending on which services this slave will be managing: (incomplete)

  • bind: /var/domtool/zones

  • apache: /var/domtool/vhosts and /var/domtool/apache2_logs

  • firewall: /var/domtool/firewall

3. etc.

  • To make everyone's Emacs autoload domtool-mode by default, put this in /usr/local/share/emacs/site-lisp/default.el:

    (add-to-list 'load-path "/usr/local/share/emacs/site-lisp/domtool-mode")
    (require 'domtool-mode-startup)

  • If this slave manages BIND, make sure that the directory /etc/bind/zones exists.

  • Configure certificates and keys:
    • If setting up the dispatcher, possibly set up a local CA and SSL, and a certificate for the node as described on DomTool/SslProcedures, and manually copy the certificate and key into the right places:

      mkdir ~domtool/keys/$HOST
      cp serverkey.pem ~domtool/keys/$HOST/key.pem
      cp servercert.pem ~domtool/certs/$HOST.pem

  • Be sure a keytab for domtool is in /etc/keytabs/domtool, with permissions set so that only domtool can read it. This is handled by puppet automatically at hcoop.

  • Try starting the slave server:

    sudo service domtool-slave start

  • After ensuring that the slave starts, make the slave (or server) start at boot:

    sudo insserv domtool-slave
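
One way to check the two secrets this section handles, the node's private key under ~domtool/keys/$HOST and the keytab at /etc/keytabs/domtool, after a manual copy. This is an added example, not part of the original page or of domtool2; the function names and the script name audit.sh are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not part of domtool2. Function names are hypothetical.
# Assumes GNU stat (coreutils), as found on Debian.

# Print the numeric uid for a user name; pass a numeric uid through unchanged.
owner_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_secret FILE OWNER: succeed only if FILE is a regular file (not a
# symlink), is owned by OWNER, and grants nothing to group or others.
check_secret() {
    file=$1
    want=$(owner_uid "$2") || { echo "FAIL unknown user: $2" >&2; return 2; }
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing or not a regular file" >&2
        return 1
    fi
    uid=$(stat -c %u "$file")
    mode=$(stat -c %a "$file")
    if [ "$uid" != "$want" ]; then
        echo "FAIL $file: owned by uid $uid, expected $want" >&2
        return 1
    fi
    # The low six permission bits belong to group and others.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $file: mode $mode grants access beyond the owner" >&2
        return 1
    fi
    echo "ok   $file (uid $uid, mode $mode)"
}

# audit_domtool_secrets DOMTOOL_HOME HOST KEYTAB OWNER
# Checks the node key and the keytab; reports every failure, not just the first.
audit_domtool_secrets() {
    rc=0
    check_secret "$1/keys/$2/key.pem" "$4" || rc=1
    check_secret "$3" "$4" || rc=1
    return $rc
}

# Usage: sh audit.sh ~domtool "$(hostname --short)" /etc/keytabs/domtool domtool
if [ "$#" -eq 4 ]; then
    audit_domtool_secrets "$@"
fi
```

The certificate in ~domtool/certs/$HOST.pem is public material and is deliberately not checked.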



DomTool/Installation (last edited 2018-04-19 02:12:01 by ClintonEbadi)