Size: 1934
Comment: Finishing the process
|
Size: 3690
Comment: more reorg
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
To deploy DomTool on a new HCoop machine: | In this document, `$HOST` is equivalent to `$(hostname)` (i.e. the first part of the fqdn). |
Line 3: | Line 3: |
* Install these Debian packages: `mlton libssl-dev libpcre3-dev` * Change to an appropriate directory for your personal check-out of the `domtool2` CVS repo and run: |
== Deploying an Update == Push all changes to the release branch, and tag as `release_${isodate}` (e.g. `release_20121022` for October 22nd, 2012). If you make multiple releases in a day append `-N` starting with `1`. Running the `deploy-domtool` script will then pull, build, and install domtool sitewide. To deploy on an individual host, use the `deploy-domtool-on-host` script. == New Machine == Ensure these Debian packages are installed: `mlton libssl-dev libpcre3-dev rsync` (our AutomatedSystemInstall does this for you) Create `/afs/hcoop.net/common/domtool/build/$HOST` Clone the `domtool2` repository and checkout release: |
Line 6: | Line 20: |
cvs -d$YOU@hcoop.cvs.sourceforge.net:/cvsroot/hcoop co domtool2 | cd /afs/hcoop.net/common/domtool/build/$HOST git clone /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2 |
Line 8: | Line 23: |
git checkout release | |
Line 9: | Line 25: |
* Run: | If a slave (the usual setup): * Add node to `HOSTS_SLAVE` (unless it is the new master) variable `deploy-domtool` script. Afterward the general deployment procedure should work. * Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): `domtool-addcert $HOST` You will also need to create various work directories, although the preseed for the particular install should handle that. The first time DomTool is deployed to a host, it should be done manually using `deploy-domtool-on-host --slave --bootstrap` to install the proper sysvinit files. === Work Directories === DomTool should create these during installation, but it does not yet (see [[https://bugzilla.hcoop.net/show_bug.cgi?id=935|Bug 935]]). Domtool's scratch directory: |
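Review bot: the new sentence "Add node to `HOSTS_SLAVE` (unless it is the new master) variable `deploy-domtool` script" is missing its connecting words and is hard to parse; suggest "Add the node to the `HOSTS_SLAVE` variable in the `deploy-domtool` script (unless it is the new master)." The same hunk says work directories are needed but deferred to the preseed; it would help to state here that the `--slave --bootstrap` run is required before the general `deploy-domtool` procedure, since the text currently lists them in the opposite order.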
Line 11: | Line 42: |
make | sudo mkdir /var/domtool sudo chown domtool.nogroup /var/domtool |
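Review bot: the added `chown domtool.nogroup /var/domtool` changes the group from `domtool.domtool` used by the block removed at Line 29 below, without saying why; if `nogroup` is now the intended group for the scratch directory and log file, a one-line note (or a pointer to the `useradd` that no longer creates a `domtool` group) would stop the two revisions from disagreeing.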
Line 13: | Line 45: |
* It will fail at the very end because a shared library hasn't been installed yet. Run: | Create subdirectories of `/var/domtool` in the same way, depending on which services this slave will be managing: (incomplete) * bind: `/var/domtool/zones` * apache: `/var/domtool/vhosts` and `/var/domtool/apache2_logs` * firewall: `/var/domtool/firewall` Domtool's log file: |
Line 15: | Line 55: |
sudo make install rm elisp/domtool-tables.el make sudo make install |
sudo touch /var/log/domtool.log sudo chown domtool.nogroup /var/log/domtool.log |
Line 20: | Line 58: |
== etc. == |
|
Line 25: | Line 66: |
* Add a local `domtool` user: | * If this slave manages BIND, make sure a UNIX group `bind_config` exists, as Domtool will try to `chgrp` all relevant configuration to that group. It doesn't really matter which users belong to the group, as these actions are performed as root. If the group doesn't exist, you can create it with: |
Line 27: | Line 71: |
sudo useradd -d /afs/hcoop.net/common/etc/domtool -s /bin/false domtool | sudo groupadd bind_config |
Line 29: | Line 73: |
* Make Domtool's scratch directory: {{{ sudo mkdir /var/domtool sudo chown domtool.domtool /var/domtool }}} * Create Domtool's log file and set the right permissions on it: {{{ sudo touch /var/log/domtool.log sudo chown domtool.domtool /var/log/domtool.log }}} * Create an SSL certificate and key to stand for the new machine's Domtool server. Where `$HOST` is the default hostname the machine gives for itself, run this on deleuze. When prompted for field values, only enter a common name (`$HOST`) and e-mail address (`domtool@hcoop.net`). {{{ openssl genrsa -out serverkey.pem openssl req -new -key serverkey.pem -out newreq.pem -days 365 cat newreq.pem serverkey.pem > new.pem openssl ca -config /etc/domtool/openssl.cnf -policy policy_anything -out servercert.pem -infiles new.pem }}} * Copy the certificate and key into the right places: {{{ |
* If this slave manages BIND, make sure that the directory `/etc/bind/zones` exists. * Configure Certifications and keys * If setting up the disptacher possibly set up local CA and SSL, and certificate for a node as said on [[DomTool/SslProcedures]], and manually copy the certificate and key into the right places:{{{ |
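Review bot: "disptacher" should be "dispatcher" and "Configure Certifications and keys" should read "Configure certificates and keys"; the sentence "possibly set up local CA and SSL, and certificate for a node as said on DomTool/SslProcedures" also needs rewording, e.g. "If setting up the dispatcher, you may need to set up the local CA and an SSL certificate for the node as described on DomTool/SslProcedures". Note too that this removes the old `openssl` recipe while the New Machine section above now says to run `domtool-addcert $HOST`; a cross-reference would clarify which procedure applies to a plain slave versus the dispatcher.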
Line 52: | Line 81: |
* Be sure a keytab for `domtool` is in `/etc/keytabs/domtool`, with permissions set so that `domtool` can read it but random users can't. You might copy the file from deleuze. |
|
Line 56: | Line 87: |
* After ensuring that the slave starts, make the slave (or server) start at boot {{{ sudo insserv domtool-slave }}} ---- CategorySystemAdministration CategoryNeedsWork |
In this document, $HOST is equivalent to $(hostname) (i.e. the first part of the FQDN).
1. Deploying an Update
Push all changes to the release branch, and tag as release_${isodate} (e.g. release_20121022 for October 22nd, 2012). If you make multiple releases in a day append -N starting with 1.
Running the deploy-domtool script will then pull, build, and install domtool sitewide.
To deploy on an individual host, use the deploy-domtool-on-host script.
2. New Machine
Ensure these Debian packages are installed: mlton libssl-dev libpcre3-dev rsync (our AutomatedSystemInstall does this for you)
Create /afs/hcoop.net/common/domtool/build/$HOST
Clone the domtool2 repository and check out the release branch:
cd /afs/hcoop.net/common/domtool/build/$HOST
git clone /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2
cd domtool2
git checkout release
If a slave (the usual setup):
Add the node to the HOSTS_SLAVE variable in the deploy-domtool script (unless it is the new master). Afterward the general deployment procedure should work.
Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): domtool-addcert $HOST
You will also need to create various work directories, although the preseed for the particular install should handle that.
The first time DomTool is deployed to a host, it should be done manually using deploy-domtool-on-host --slave --bootstrap to install the proper sysvinit files.
2.1. Work Directories
DomTool should create these during installation, but it does not yet (see Bug 935).
Domtool's scratch directory:
sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool
Create subdirectories of /var/domtool in the same way, depending on which services this slave will be managing: (incomplete)
bind: /var/domtool/zones
apache: /var/domtool/vhosts and /var/domtool/apache2_logs
firewall: /var/domtool/firewall
Domtool's log file:
sudo touch /var/log/domtool.log
sudo chown domtool.nogroup /var/log/domtool.log
3. etc.
To make everyone's Emacs autoload domtool-mode by default, put this in /usr/local/share/emacs/site-lisp/default.el:
(add-to-list 'load-path "/usr/local/share/emacs/site-lisp/domtool-mode")
(require 'domtool-mode-startup)
If this slave manages BIND, make sure a UNIX group bind_config exists, as Domtool will try to chgrp all relevant configuration to that group. It doesn't really matter which users belong to the group, as these actions are performed as root. If the group doesn't exist, you can create it with:
sudo groupadd bind_config
If this slave manages BIND, make sure that the directory /etc/bind/zones exists.
- Configure certificates and keys
If you are setting up the dispatcher, you may need to set up the local CA and an SSL certificate for the node as described on DomTool/SslProcedures, and manually copy the certificate and key into the right places:
mkdir ~domtool/keys/$HOST
cp serverkey.pem ~domtool/keys/$HOST/key.pem
cp servercert.pem ~domtool/certs/$HOST.pem
Be sure a keytab for domtool is in /etc/keytabs/domtool, with permissions set so that domtool can read it but random users can't. You might copy the file from deleuze.
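As an added example (not from the DomTool wiki or the domtool2 repository), the following POSIX sh functions perform the work-directory and log-file setup from the Work Directories section idempotently and check the keytab permission requirement just stated. DOMTOOL_ROOT and DOMTOOL_OWNER are assumed knobs so the script can be exercised outside /var; the page's real values are an empty prefix and domtool.nogroup.

```shell
#!/bin/sh
# Added example: idempotent creation of DomTool work directories and a
# least-privilege check on the domtool keytab. Not part of the wiki page.
set -u

DOMTOOL_ROOT="${DOMTOOL_ROOT:-}"                  # assumed: prefix for /var paths
DOMTOOL_OWNER="${DOMTOOL_OWNER:-domtool.nogroup}" # page default owner.group

# Subdirectories of /var/domtool each service needs (the page marks this
# list as incomplete; unknown services are rejected rather than guessed).
dirs_for_service() {
    case "$1" in
        bind)     echo "zones" ;;
        apache)   echo "vhosts apache2_logs" ;;
        firewall) echo "firewall" ;;
        *)        echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Create /var/domtool, the per-service subdirectories and the log file,
# all owned by $DOMTOOL_OWNER. Safe to re-run on an already set up slave.
setup_work_dirs() {
    base="$DOMTOOL_ROOT/var/domtool"
    mkdir -p "$base" && chown "$DOMTOOL_OWNER" "$base" || return 1
    for svc in "$@"; do
        subs=$(dirs_for_service "$svc") || return 1
        for d in $subs; do
            mkdir -p "$base/$d" && chown "$DOMTOOL_OWNER" "$base/$d" || return 1
        done
    done
    log="$DOMTOOL_ROOT/var/log/domtool.log"
    mkdir -p "$(dirname "$log")" && touch "$log" && chown "$DOMTOOL_OWNER" "$log"
}

# Succeed only if the keytab is readable by its owner and nobody else
# (mode 0400 or 0600), as the page requires for /etc/keytabs/domtool.
check_keytab_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1: mode $mode is readable by others" >&2; return 1 ;;
    esac
}
```

On a real slave run it as root with DOMTOOL_ROOT unset, e.g. `setup_work_dirs bind apache` followed by `check_keytab_perms /etc/keytabs/domtool`.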
- Try starting the slave server:
sudo /etc/init.d/domtool-slave start
- After ensuring that the slave starts, make the slave (or server) start at boot
sudo insserv domtool-slave