Diff for "DomTool/Installation"

Differences between revisions 2 and 23 (spanning 21 versions)
Revision 2 as of 2008-03-15 15:36:52
Size: 1934
Editor: AdamChlipala
Comment: Finishing the process
Revision 23 as of 2018-04-19 02:12:01
Size: 3276
Editor: ClintonEbadi
Comment: i'm redundant
Line 1: Line 1:
To deploy DomTool on a new HCoop machine: <<TableOfContents>>
Line 3: Line 3:
 * Install these Debian packages: `mlton libssl-dev libpcre3-dev`
 * Change to an appropriate directory for your personal check-out of the `domtool2` CVS repo and run:
{{{#!wiki note
In this document, `$HOST` is equivalent to `$(hostname)` (i.e. the first part of the fqdn, e.g. `fritz` for `fritz.hcoop.net` `fritz`, we should probably switch to using the FQDN )
}}}

== Deploying an Update ==

Push all changes to the release branch, and tag as `release_${isodate}` (e.g. `release_20121022` for October 22nd, 2012). If you make multiple releases in a day append `-N` starting with `1`.

Running the `deploy-domtool` script will then pull, build, and install domtool sitewide.

To deploy on an individual host, use the `deploy-domtool-on-host` script.

== New Machine ==

Ensure these Debian packages are installed: `mlton libssl-dev libpcre3-dev rsync` (our AutomatedSystemInstall does this for you)

Create `/afs/hcoop.net/common/domtool/build/$HOST`

Clone the `domtool2` repository and checkout release:
Line 6: Line 24:
cvs -d$YOU@hcoop.cvs.sourceforge.net:/cvsroot/hcoop co domtool2
cd domtool2
cd /afs/hcoop.net/common/domtool/build/$HOST
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2
Line 9: Line 27:
 * Run:
If a slave (the usual setup):

 * Add node to `HOSTS_SLAVE` (unless it is the new master) variable `deploy-domtool` script. Afterward the general deployment procedure should work.
 * Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): `domtool-addcert $HOST`

The first time DomTool is deployed to a host, it should be done manually using `deploy-domtool-on-host --slave --bootstrap` to ensure systemd units are installed and enabled.

=== Work Directories ===

DomTool should create these during installation, but it does not yet (see [[https://bugzilla.hcoop.net/show_bug.cgi?id=935|Bug 935]]).

At HCoop, Puppet should automatically create them.

Domtool's scratch directory:
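Review bot: the bootstrap sentence in this hunk says `deploy-domtool-on-host --slave --bootstrap` installs and enables systemd units, but the closing steps of the page still enable start at boot with `sudo insserv domtool-slave`. Say which of the two applies to a new host, or drop the `insserv` step if the bootstrap run already covers it. The `HOSTS_SLAVE` bullet is also missing words; it presumably means the `HOSTS_SLAVE` variable in the `deploy-domtool` script.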
Line 11: Line 44:
make sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool
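Review bot: the scratch-directory commands set an owner with `chown domtool.nogroup` but never set a mode on `/var/domtool`, so the directory keeps whatever the umask gives `sudo mkdir`. State the intended mode explicitly after the `mkdir`, and write the owner as `domtool:nogroup`, since the dot separator is the deprecated form.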
Line 13: Line 47:
 * It will fail at the very end because a shared library hasn't been installed yet. Run:
{{{
sudo make install
rm elisp/domtool-tables.el
make
sudo make install
}}}

Create subdirectories of `/var/domtool` in the same way, depending on which services this slave will be managing: (incomplete)

  * bind: `/var/domtool/zones`
  * apache: `/var/domtool/vhosts` and `/var/domtool/apache2_logs`
  * firewall: `/var/domtool/firewall`


== etc. ==
Line 25: Line 62:
 * Add a local `domtool` user:
{{{
sudo useradd -d /afs/hcoop.net/common/etc/domtool -s /bin/false domtool
}}}
 * Make Domtool's scratch directory:
{{{
sudo mkdir /var/domtool
sudo chown domtool.domtool /var/domtool
}}}
 * Create Domtool's log file and set the right permissions on it:
{{{
sudo touch /var/log/domtool.log
sudo chown domtool.domtool /var/log/domtool.log
}}}
 * Create an SSL certificate and key to stand for the new machine's Domtool server. Where `$HOST` is the default hostname the machine gives for itself, run this on deleuze. When prompted for field values, only enter a common name (`$HOST`) and e-mail address (`domtool@hcoop.net`).
{{{
openssl genrsa -out serverkey.pem
openssl req -new -key serverkey.pem -out newreq.pem -days 365
cat newreq.pem serverkey.pem > new.pem
openssl ca -config /etc/domtool/openssl.cnf -policy policy_anything -out servercert.pem -infiles new.pem
}}}
 * Copy the certificate and key into the right places:
{{{


 * If this slave manages BIND, make sure that the directory `/etc/bind/zones` exists.

 * Configure Certifications and keys
   * If setting up the disptacher possibly set up local CA and SSL, and certificate for a node as said on [[DomTool/SslProcedures]], and manually copy the certificate and key into the right places:{{{
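Review bot: the `useradd` and `/var/log/domtool.log` bullets go away in this hunk with nothing replacing them, while the work-directory step still runs `chown domtool.nogroup /var/domtool` and the keytab bullet still expects a `domtool` user. Add a sentence saying where the account and the log file now come from (the page credits Puppet for the work directories and the keytab), so that someone working without the HCoop Puppet setup knows to create them. The replacement bullet also misspells "dispatcher".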
Line 52: Line 72:

 * Be sure a keytab for `domtool` is in `/etc/keytabs/domtool`, with permissions set so that only `domtool` can read it. This is handled by puppet automatically at hcoop.
Line 54: Line 77:
sudo /etc/init.d/domtool-slave start sudo service domtool-slave start
Line 56: Line 79:
 * After ensuring that the slave starts, make the slave (or server) start at boot
{{{
sudo insserv domtool-slave
}}}
----
CategorySystemAdministration CategoryNeedsWork

In this document, $HOST is equivalent to $(hostname) (i.e. the first part of the FQDN, e.g. fritz for fritz.hcoop.net; we should probably switch to using the FQDN).

1. Deploying an Update

Push all changes to the release branch, and tag as release_${isodate} (e.g. release_20121022 for October 22nd, 2012). If you make multiple releases in a day, append -N, starting with 1.

Running the deploy-domtool script will then pull, build, and install domtool sitewide.

To deploy on an individual host, use the deploy-domtool-on-host script.

2. New Machine

Ensure these Debian packages are installed: mlton libssl-dev libpcre3-dev rsync (our AutomatedSystemInstall does this for you)

Create /afs/hcoop.net/common/domtool/build/$HOST

Clone the domtool2 repository and check out the release branch:

cd /afs/hcoop.net/common/domtool/build/$HOST
git clone -b release /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2.git domtool2

If a slave (the usual setup):

  • Add the node to the HOSTS_SLAVE variable in the deploy-domtool script (unless it is the new master). Afterward the general deployment procedure should work.

  • Create the needed SSL certificate for the node by running (on the machine with the domtool certificate authority): domtool-addcert $HOST

The first time DomTool is deployed to a host, it should be done manually using deploy-domtool-on-host --slave --bootstrap to ensure systemd units are installed and enabled.

2.1. Work Directories

DomTool should create these during installation, but it does not yet (see Bug 935).

At HCoop, Puppet should automatically create them.

Domtool's scratch directory:

sudo mkdir /var/domtool
sudo chown domtool.nogroup /var/domtool

Create subdirectories of /var/domtool in the same way, depending on which services this slave will be managing: (incomplete)

  • bind: /var/domtool/zones

  • apache: /var/domtool/vhosts and /var/domtool/apache2_logs

  • firewall: /var/domtool/firewall

3. etc.

  • To make everyone's Emacs autoload domtool-mode by default, put this in /usr/local/share/emacs/site-lisp/default.el:

(add-to-list 'load-path "/usr/local/share/emacs/site-lisp/domtool-mode")
(require 'domtool-mode-startup)
  • If this slave manages BIND, make sure that the directory /etc/bind/zones exists.

  • Configure certificates and keys
    • If setting up the dispatcher, possibly set up a local CA and SSL, and a certificate for the node, as described on DomTool/SslProcedures, and manually copy the certificate and key into the right places:

      mkdir ~domtool/keys/$HOST
      cp serverkey.pem ~domtool/keys/$HOST/key.pem
      cp servercert.pem ~domtool/certs/$HOST.pem
  • Be sure a keytab for domtool is in /etc/keytabs/domtool, with permissions set so that only domtool can read it. This is handled by Puppet automatically at HCoop.

  • Try starting the slave server:

sudo service domtool-slave start
  • After ensuring that the slave starts, make the slave (or server) start at boot:

sudo insserv domtool-slave
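
A check for the keytab permission requirement above, as an added example that is not part of the original wiki page or of DomTool: it fails unless a file is a regular file owned by the expected user with no group or other permission bits. Applying the same rule to the node's key.pem is an assumption (the page states it only for the keytab), the function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit owner and mode of the secrets a DomTool slave reads.
# Assumes GNU stat (as on Debian). Function names are made up for this example.

# check_private_file PATH OWNER
# Succeeds only if PATH is a regular file (not a symlink), owned by OWNER,
# with no group or other permission bits set.
check_private_file() {
    path=$1 owner=$2
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing or not a regular file" >&2
        return 1
    fi
    actual_owner=$(stat -c '%U' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $path: owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    # stat prints the mode in octal without leading zeros; the last two
    # digits are the group and other bits, and both must be 0.
    case $mode in
        0|*00) ;;
        *) echo "FAIL $path: mode $mode lets group or other access it" >&2
           return 1 ;;
    esac
    echo "ok   $path ($actual_owner, $mode)"
}

# audit_domtool_secrets HOST
# Checks the keytab path named on this page and, as an assumption, the
# node key copied to ~domtool/keys/HOST/key.pem.
audit_domtool_secrets() {
    host=$1 rc=0
    home=$(getent passwd domtool | cut -d: -f6)
    check_private_file /etc/keytabs/domtool domtool || rc=1
    check_private_file "$home/keys/$host/key.pem" domtool || rc=1
    return $rc
}

# Run the audit only when asked, e.g.: sudo sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_domtool_secrets "$(hostname)"
fi
```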


CategorySystemAdministration CategoryNeedsWork

DomTool/Installation (last edited 2018-04-19 02:12:01 by ClintonEbadi)