Diff for "DomTool/Installation"

Differences between revisions 15 and 22 (spanning 7 versions)
Revision 15 as of 2012-12-24 02:02:01
Size: 3509
Editor: ClintonEbadi
Comment: update install guide
Revision 22 as of 2018-04-19 01:59:35
Size: 3324
Editor: ClintonEbadi
Comment: $HOST is short hostname
Deletions are marked like this. Additions are marked like this.
Line 15: Line 15:
`$HOST` = `$(hostname --short)` (e.g. `fritz.hcoop.net` is `fritz`, we should probably switch to using the FQDN).
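Review bot: the added definition gives `$HOST` as `$(hostname --short)`, but the page's opening sentence still defines it as `$(hostname)`, which returns the full name on a machine whose hostname is set to the FQDN. Since `$HOST` also names the certificate in `domtool-addcert $HOST` and the per-host build directory, state one definition in one place, and either make the FQDN switch or drop the "we should probably switch" aside so readers know which identity the certificate carries.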
Line 21: Line 23:
git clone /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2
cd domtool2
git checkout release
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2
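Review bot: the new `git clone -b release` line builds whatever the head of `release` is at clone time, while the deploy section tags each release as `release_${isodate}`. Say whether a new machine should build the branch head or a specific tag, so the revision running on a slave can be tied to a named release.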
Line 29: Line 29:
 * Create the needed SSL certificate for the node by running: `domtool-addcert $HOST`  * Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): `domtool-addcert $HOST`
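Review bot: the added parenthetical says where `domtool-addcert $HOST` runs but not how the resulting key reaches the new node or who may read it there. Add a pointer to DomTool/SslProcedures at this step, as the later certificates-and-keys item does for the dispatcher.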
Line 31: Line 31:
You will also need to create various work directories, although the preseed for the particular install should handle that. Work directories under `/var/domtool` may need to be created, but at hcoop puppet should automatically create them.
Line 33: Line 33:
The first time DomTool is deployed to a host, it should be done manually using `deploy-domtool-on-host --slave --bootstrap` to install the proper sysvinit files. The first time DomTool is deployed to a host, it should be done manually using `deploy-domtool-on-host --slave --bootstrap` to ensure systemd units are installed and enabled.

=== Work Directories ===

DomTool should create these during installation, but it does not yet (see [[https://bugzilla.hcoop.net/show_bug.cgi?id=935|Bug 935]]).

Domtool's scratch directory:

{{{
sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool
}}}

Create subdirectories of `/var/domtool` in the same way, depending on which services this slave will be managing: (incomplete)

  * bind: `/var/domtool/zones`
  * apache: `/var/domtool/vhosts` and `/var/domtool/apache2_logs`
  * firewall: `/var/domtool/firewall`
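Review bot: in the added Work Directories block, `sudo chown domtool.nogroup /var/domtool` relies on the legacy `user.group` separator and sets no mode, so the directory's permissions depend on root's umask. Write it as `domtool:nogroup`, add an explicit `chmod`, and replace "(incomplete)" with the owner and mode each listed subdirectory should have, so the result of the puppet run mentioned above can be checked.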
Line 44: Line 62:
 * Make Domtool's scratch directory:
{{{
sudo mkdir /var/domtool
sudo chown domtool.domtool /var/domtool
}}}
 * Create subdirectories of `/var/domtool` in the same way, depending on which services this slave will be managing. If this slave manages BIND, create `/var/domtool/zones`. If this slave manages Apache, create `/var/domtool/vhosts` and `/var/domtool/apache2_logs`.
 * If this slave manages BIND, make sure a UNIX group `bind_config` exists, as Domtool will try to `chgrp` all relevant configuration to that group. It doesn't really matter which users belong to the group, as these actions are performed as root. If the group doesn't exist, you can create it with:
{{{
sudo groupadd bind_config
}}}
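Review bot: the removed block used `chown domtool.domtool` and its replacement uses `domtool.nogroup`, with no reason given in the revision comment; `nogroup` is Debian's shared group for processes that have no group of their own, so any group permission on `/var/domtool` is shared with whatever else runs under it. The `bind_config` step is also dropped without a replacement: if Domtool still does the `chgrp` described in the removed text, say where the group now gets created.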
Line 55: Line 63:
 * Create Domtool's log file and set the right permissions on it:
{{{
sudo touch /var/log/domtool.log
sudo chown domtool.domtool /var/log/domtool.log
}}}
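Review bot: the removed lines were the only instructions for creating `/var/log/domtool.log` and giving it to `domtool`, and nothing in the new revision says what creates it now. If puppet or the systemd unit handles it, say so as the keytab item does; otherwise keep the step.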
Line 67: Line 71:
 * Be sure a keytab for `domtool` is in `/etc/keytabs/domtool`, with permissions set so that `domtool` can read it but random users can't.  You might copy the file from deleuze.  * Be sure a keytab for `domtool` is in `/etc/keytabs/domtool`, with permissions set so that only `domtool` can read it. This is handled by puppet automatically at hcoop.
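Review bot: "only `domtool` can read it" is the right requirement but gives nothing concrete to check. State the expected owner and mode for `/etc/keytabs/domtool`, and keep a manual fallback for hosts not managed by puppet now that the "copy the file from deleuze" hint is gone.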
Line 70: Line 75:
sudo /etc/init.d/domtool-slave start sudo service domtool-slave start
Line 72: Line 77:
 * After ensuring that the slave starts make the slave (or server) starts at boot  * After ensuring that the slave starts, make the slave (or server) start at boot
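Review bot: the start-at-boot step edited here is still followed on the page by `sudo insserv domtool-slave`, a sysvinit tool, while the same revision changes the bootstrap text to say systemd units are installed and enabled. Update the command to match, or drop the step if `--bootstrap` already enables the unit.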

In this document, $HOST is equivalent to $(hostname) (i.e. the first part of the FQDN).

1. Deploying an Update

Push all changes to the release branch, and tag as release_${isodate} (e.g. release_20121022 for October 22nd, 2012). If you make multiple releases in a day, append -N starting with 1.

Running the deploy-domtool script will then pull, build, and install domtool sitewide.

To deploy on an individual host, use the deploy-domtool-on-host script.

2. New Machine

Ensure these Debian packages are installed: mlton libssl-dev libpcre3-dev rsync (our AutomatedSystemInstall does this for you)

$HOST = $(hostname --short) (e.g. fritz.hcoop.net is fritz, we should probably switch to using the FQDN).

Create /afs/hcoop.net/common/domtool/build/$HOST

Clone the domtool2 repository and check out release:

cd /afs/hcoop.net/common/domtool/build/$HOST
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2

If a slave (the usual setup):

  • Add the node to the HOSTS_SLAVE variable in the deploy-domtool script (unless it is the new master). Afterward, the general deployment procedure should work.

  • Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): domtool-addcert $HOST

Work directories under /var/domtool may need to be created, but at hcoop puppet should automatically create them.

The first time DomTool is deployed to a host, it should be done manually using deploy-domtool-on-host --slave --bootstrap to ensure systemd units are installed and enabled.

2.1. Work Directories

DomTool should create these during installation, but it does not yet (see Bug 935).

Domtool's scratch directory:

sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool

Create subdirectories of /var/domtool in the same way, depending on which services this slave will be managing: (incomplete)

  • bind: /var/domtool/zones

  • apache: /var/domtool/vhosts and /var/domtool/apache2_logs

  • firewall: /var/domtool/firewall

3. etc.

  • To make everyone's Emacs autoload domtool-mode by default, put this in /usr/local/share/emacs/site-lisp/default.el:

(add-to-list 'load-path "/usr/local/share/emacs/site-lisp/domtool-mode")
(require 'domtool-mode-startup)

  • If this slave manages BIND, make sure that the directory /etc/bind/zones exists.

  • Configure certificates and keys
    • If setting up the dispatcher, possibly set up a local CA and SSL and a certificate for the node as described on DomTool/SslProcedures, then manually copy the certificate and key into the right places:

      mkdir ~domtool/keys/$HOST
      cp serverkey.pem ~domtool/keys/$HOST/key.pem
      cp servercert.pem ~domtool/certs/$HOST.pem

  • Be sure a keytab for domtool is in /etc/keytabs/domtool, with permissions set so that only domtool can read it. This is handled by puppet automatically at hcoop.

  • Try starting the slave server:

sudo service domtool-slave start

  • After ensuring that the slave starts, make the slave (or server) start at boot

sudo insserv domtool-slave
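
One way to check the keytab and scratch-directory permissions described above before starting the slave. This is an added example, not part of the original page or of DomTool. It assumes GNU stat; the function names, the ROOT prefix argument and the rule that /var/domtool must not be group- or world-writable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not DomTool code): audit the ownership this page asks for.
# ROOT is a path prefix so the checks can run on a constructed tree; pass ""
# for the live system. OWNER may be a user name or a numeric uid.

# check_owned PATH KIND OWNER MASK: PATH must be a regular file (KIND=f) or a
# directory (KIND=d), not a symlink, owned by OWNER, with no mode bit in MASK.
check_owned() {
    path=$1 kind=$2 owner=$3 mask=$4
    if [ -L "$path" ] || ! [ "-$kind" "$path" ]; then
        echo "FAIL $path: missing, wrong type, or a symlink" >&2; return 1
    fi
    set -- $(stat -c '%U %u %a' "$path")   # GNU stat: name, uid, octal mode
    if [ "$1" != "$owner" ] && [ "$2" != "$owner" ]; then
        echo "FAIL $path: owned by $1, want $owner" >&2; return 1
    fi
    if [ $(( 0$3 & $mask )) -ne 0 ]; then
        echo "FAIL $path: mode $3 has bits set in $mask" >&2; return 1
    fi
    echo "ok   $path (owner $1, mode $3)"
}

# audit_domtool_slave ROOT OWNER: returns non-zero if any check fails.
audit_domtool_slave() {
    root=$1 who=$2 rc=0
    # Keytab: "only domtool can read it", so no group or other bits at all.
    check_owned "$root/etc/keytabs/domtool" f "$who" 077 || rc=1
    # Scratch directory: requiring that group and others cannot write is an
    # assumption of this example; the page gives only the owner.
    check_owned "$root/var/domtool" d "$who" 022 || rc=1
    return $rc
}

# Constructed demo tree (not real hcoop data): the keytab is group-readable.
demo() {
    tree=$(mktemp -d) || return 2
    mkdir -p "$tree/etc/keytabs" "$tree/var/domtool"
    : > "$tree/etc/keytabs/domtool"
    chmod 640 "$tree/etc/keytabs/domtool"; chmod 755 "$tree/var/domtool"
    audit_domtool_slave "$tree" "$(id -u)"; status=$?
    rm -rf "$tree"; return $status
}

demo || echo "demo: audit flagged the constructed tree, as intended"
```

On a slave, calling audit_domtool_slave "" domtool after the puppet run checks the live paths.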



DomTool/Installation (last edited 2018-04-19 02:12:01 by ClintonEbadi)