7190
Comment:
|
8921
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
These steps are listed in approximately the order in which they should be performed; please try to maintain that. | These steps are listed in approximately the order in which they should be performed; please try to maintain that as you add to it. === List the Machine on the Wiki === Add the machine to the ["Hardware"] page. It is a very good idea to photograph the front and back panels of the machine and put those images on the wiki page; that way remote admins and people in the data center can be sure they're talking about the same ports. |
Line 11: | Line 17: |
Functions 1+2 are typically provided by kvm.hcoop.net; assuming you plan on going with that, you should connect the server's keyboard and video to the kvm switch. | Functions 1+2 are typically provided by {{{kvm.hcoop.net}}} (see KvmAccess); assuming you plan on going with that, you should connect the server's keyboard and video to the kvm switch. |
Line 21: | Line 27: |
We use Debian. Install it. | We use Debian. Install it. We should put our standard {{{/etc/apt/sources.list}}} here. |
Line 28: | Line 34: |
First, give our preferences to {{{debconf}}}: {{{ debconf openafs-client/thiscell hcoop.net debconf openafs-client/dynroot true debconf openafs-client/cachesize 500000 # cache size in kB; default is way too small }}} |
|
Line 75: | Line 89: |
dpkg -i /afs/hcoop.net/common/debian/libnss-afspag/*.deb | |
Line 84: | Line 99: |
You should copy {{{/etc/krb5.conf}}} from deleuze to the new server. This is VERY IMPORTANT. What is NOT in this file is also almost as important as what IS in this file, so think three times before adding or removing anything. | '''''VERY IMPORTANT''''': put exactly the following in {{{/etc/krb5.conf}}} -- no more, no less {{{ [libdefaults] default_realm = HCOOP.NET kdc_timesync = 1 forwardable = true proxiable = true [logging] default = FILE:/proc/self/fd/2 }}} We distribute our Kerberos configuration via DNS, so it is very important that we do not "hardwire" the settings on any of the servers (except the KDCs themselves). If we did, we wouldn't notice at first, but strange problems would crop up as soon as the DNS settings were changed. So, it is important that we put only the bare minimum amount of information in {{{krb5.conf}}}. |
Line 88: | Line 116: |
The {{{libnss-ptdb}}} package lets linux use the AFS {{{ptserver}}} (protection server) as a name service. The {{{ptserver}}} keeps track of all the users in AFS. A "name service" is Linux's mechanism for answering these four queries: | A "name service" is Linux's mechanism for answering these queries: |
Line 90: | Line 118: |
1. the userid for a given username 2. the username for a userid |
1. the userid for a given username and vice versa 2. the groupid for a given groupname and vice versa |
Line 96: | Line 124: |
To make {{{ptserver}}} our primary choice for name service, edit {{{/etc/nsswitch.conf}}} and change the following three lines to look like this: | The {{{libnss-ptdb}}} package lets linux use the AFS user database (the {{{ptserver}}} or protection server) as a name service. The {{{libnss-afspag}}} package makes PAGs show up as a special group. To enable these changes, edit {{{/etc/nsswitch.conf}}} and change the {{{passwd}}} and {{{group}}} lines to look like this: |
Line 99: | Line 127: |
passwd: ptdb files group: afspag files shadow: files |
passwd: ptdb files group: afspag files |
Line 106: | Line 133: |
PAM is the mechanism used by Linux to do the following: | PAM is Linux's mechanism to do the following: |
Line 114: | Line 141: |
Mostly this consists of copying mire's {{{/etc/pam.d/*}}}, although it would be a good idea to state precisely which parts of that need to be copied. | Mostly this consists of copying mire's {{{/etc/pam.d/*}}}, although it would be a good idea to state precisely which parts of that need to be copied. Also should document the mechanism used on deleuze and other non-member servers to restrict logins to admins only. |
Line 124: | Line 151: |
Add this principal to the KDC like this (execute these commands on the new server, as root, while holding admin tokens): | Add this principal to the KDC like this (execute these commands on the new server, as root, while holding admin tickets): |
Line 127: | Line 154: |
kadmin -r HCOOP.NET ank -randkey host/server.hcoop.net@HCOOP.NET ktadd -k /etc/krb5.keytab quit |
rm -f /etc/krb5.keytab # important -- if it already exists the new key will merely be appended kadmin -r HCOOP.NET -q 'ank -randkey host/server.hcoop.net@HCOOP.NET' kadmin -r HCOOP.NET -q 'ktadd -k /etc/krb5.keytab host/server.hcoop.net@HCOOP.NET' |
Line 146: | Line 172: |
==== Performance-Tune the OpenAFS Client ==== FIXME: AdamM needs to fill this in |
|
Line 151: | Line 181: |
3. Runit eliminates the need for pidfiles and the associated risk of starting multiple copies of a daemon. 4. Runit captures the daemon's {{{stdout}}} and either sends it to a logger (if specified) or else displays it in the process name (output of {{{ps}}}) |
These steps are listed in approximately the order in which they should be performed; please try to maintain that as you add to it.
1. List the Machine on the Wiki
Add the machine to the ["Hardware"] page.
It is a very good idea to photograph the front and back panels of the machine and put those images on the wiki page; that way remote admins and people in the data center can be sure they're talking about the same ports.
2. Set Up Out Of Band Access
All machines owned by hcoop should, if possible, have some out-of-band mechanism for:
- Keyboard access
- Screen access
- Power-cycling
Functions 1+2 are typically provided by kvm.hcoop.net (see KvmAccess); assuming you plan on going with that, you should connect the server's keyboard and video to the kvm switch.
Each server has its own solution for 3, usually in the form of a "service processor". You should investigate and document the appropriate service processor settings. If the service processor requires its own IP address, you should name it foo-sp.hcoop.net where foo.hcoop.net is the name of the server.
3. Add a DNS entry for the server
Straightforward.
4. Install Debian
We use Debian. Install it. We should put our standard /etc/apt/sources.list here.
5. Compile a Kernel
It is generally a good idea for hcoop to compile its own kernels. Regarding statically-compiled kernels, see StaticallyCompiledKernels for some opinions.
6. Install the AFS Client
First, give our preferences to debconf:
debconf openafs-client/thiscell hcoop.net debconf openafs-client/dynroot true debconf openafs-client/cachesize 500000 # cache size in kB; default is way too small
You should install the module-assistant, build-essential, module-init-tools, openafs-client, openafs-krb5, openafs-modules-source, openafs-dbg, openafs-doc, libopenafs-dev, packages from /afs/hcoop.net/common/debian/. Here is a block of commands to cut and paste if you are lazy:
apt-get install krb5-user libkrb5-dev module-assistant build-essential module-init-tools mkdir -p /tmp/openafs-packages cd /tmp/openafs-packages scp ssh.hcoop.net:/afs/hcoop.net/common/debian/openafs/1.4.6/\*.deb ./ dpkg -i \ openafs-client*.deb \ openafs-krb5*.deb \ openafs-modules-source*.deb \ openafs-dbg*.deb \ openafs-doc*.deb \ libopenafs-dev*.deb cd /tmp rm -rf /tmp/openafs-packages
Once these packages are installed, you will want to run
module-assistant a-i -t openafs-modules
... assuming you compiled your own kernel and the compiled kernel tree resides in /usr/src/linux. If this is not the case, you are on your own.
If the command above completes, it will have created and installed a .deb containing the kernel module. You may need to run
/etc/init.d/module-init-tools start
to refresh whatever module wonkery linux maintains in obscure locations. Once this is figured out (if all else fails, reboot) you should be able to
/etc/init.d/openafs-client start
Do this and check that /afs shows up.
7. Install Packages
Now that afs is up, you can easily install packages. The block of commands below installs the set of packages which must be on every hcoop server (this list will be expanded as necessary).
dpkg -i /afs/hcoop.net/common/debian/libnss-ptdb/*.deb dpkg -i /afs/hcoop.net/common/debian/libnss-afspag/*.deb dpkg -i /afs/hcoop.net/common/debian/libpam-afs-session/*.deb dpkg -i /afs/hcoop.net/common/debian/libpam-krb5/*.deb dpkg -i /afs/hcoop.net/common/debian/fsr/*.deb
The first three packages are explained below; the last one is the fsr command (recursive "fs").
8. Configure Kerberos
VERY IMPORTANT: put exactly the following in /etc/krb5.conf -- no more, no less
[libdefaults] default_realm = HCOOP.NET kdc_timesync = 1 forwardable = true proxiable = true [logging] default = FILE:/proc/self/fd/2
We distribute our Kerberos configuration via DNS, so it is very important that we do not "hardwire" the settings on any of the servers (except the KDCs themselves). If we did, we wouldn't notice at first, but strange problems would crop up as soon as the DNS settings were changed. So, it is important that we put only the bare minimum amount of information in krb5.conf.
9. Configure Name Service
A "name service" is Linux's mechanism for answering these queries:
- the userid for a given username and vice versa
- the groupid for a given groupname and vice versa
- the home directory for a user
- the shell for a user
- what groups a user is in
The libnss-ptdb package lets linux use the AFS user database (the ptserver or protection server) as a name service. The libnss-afspag package makes PAGs show up as a special group. To enable these changes, edit /etc/nsswitch.conf and change the passwd and group lines to look like this:
passwd: ptdb files group: afspag files
10. Configure PAM
PAM is Linux's mechanism to do the following:
- decide if somebody is who they say they are (authentication; in our case via kerberos)
set up sessions (in the case of AFS, this means creating PAGs)
- change passwords (in our case, changing the password in the KDC)
FIXME
Mostly this consists of copying mire's /etc/pam.d/*, although it would be a good idea to state precisely which parts of that need to be copied. Also should document the mechanism used on deleuze and other non-member servers to restrict logins to admins only.
11. Configure SSH
You will need to create a "host principal" for the new server; if you are setting up server.hcoop.net, then it must have the name
host/server.hcoop.net@HCOOP.NET
Add this principal to the KDC like this (execute these commands on the new server, as root, while holding admin tickets):
rm -f /etc/krb5.keytab # important -- if it already exists the new key will merely be appended kadmin -r HCOOP.NET -q 'ank -randkey host/server.hcoop.net@HCOOP.NET' kadmin -r HCOOP.NET -q 'ktadd -k /etc/krb5.keytab host/server.hcoop.net@HCOOP.NET' chown root:root /etc/krb5.keytab chmod go-rwx /etc/krb5.keytab
Then these lines to /etc/ssh/sshd_config:
GssapiKeyExchange yes GssapiAuthentication yes GSSAPICleanupCredentials no UsePAM yes
12. Optional Steps
12.1. Performance-Tune the OpenAFS Client
FIXME: AdamM needs to fill this in
12.2. runit
The runit package is a mechanism for starting, stopping, and monitoring daemons. It is an alternative to the traditional /etc/init.d and start-stop-daemon scheme. Its chief advantages are:
It launches daemons with clean process state; the daemon inherits nothing from the administrator invoking the start/stop command because the daemon is not forked as a child of the administrator's shell (rather, a request is sent runit daemon asking it to fork the daemon). This is very important when dealing with tokens and pags.
- Runit monitors the processes that it forks, and restarts them if they die.
- Runit eliminates the need for pidfiles and the associated risk of starting multiple copies of a daemon.
Runit captures the daemon's stdout and either sends it to a logger (if specified) or else displays it in the process name (output of ps)
apt-get install runit
When you move a process from /etc/init.d/ control to runit supervision, you should inform debian that you have done so:
# assuming /var/service/$SERVICE/run is the runit script dpkg-divert --rename /etc/init.d/$SERVICE ln -s /usr/bin/sv /etc/init.d/$SERVICE
This will cause invocations of /etc/init.d/script {start|stop} to do "the right thing".
12.3. dnscache
You can install the dnscache package to make the server self-sufficient for dns resolution purposes (it acts as a tiny dns server just for localhost). This improves the reliability of the overall infrastructure. There is a copy of this package in /afs/megacz.com/debian/dnscache/; the author of the software recently changed its license, so it will be a standard package in the next release of debian (it may even be in etch-backports already; when it is, this paragraph should be updated to recommend that instead).
Starting dnscache via runit is often a good idea; this ensures that it starts early in the boot process and that it is restarted if it dies for any reason.