User:Valtri/sci2
platforma:
- dva stroje, SL4 32 a 64
xen:
- 64bitová může hostovat 32 bitovou
- dom0 64 (nativní), domU 32 (zkusit, zda disk a síť běží podobně rychle...)
partitionování: kousek nativně (i na grub), datové libovolně LVMkem
Instalace
Vycházel jsem z minimální instalace (z netu to mají pošahané a přiznávají to).
Xen
- na domU:
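# --- on the domU: make the SL4 guest bootable on the SL5 2.6.18 xen kernel ---
# move the /lib/tls libraries out of the way (old Xen guest recipe)
mv /lib/tls /lib/tls.disabled
# disable selinux (the 2.6.18 kernel is incompatible with the SL4 policy)
# ... (manual steps not recorded in the original notes)
# download from SL5:
# - remove: selinux-policy*, ...
# - xen and non-xen 2.6.18 kernels
# - rebuild a few SL5 src packages for SL4 per the kernel's dependencies: iptables, ...
# irqbalance misbehaves badly -> keep it off
chkconfig --level 2345 irqbalance off
# paravirtualization - initial initrd preparation (after later kernel updates
# the xen modules get into the initrd automatically)
KVER=2.6.18-128.1.1.el5xen
scp "/boot/vmlinuz-$KVER" root@sci-xen:/boot/sci65/
# Unpack and repack the initrd in a private, unpredictable work directory.
# The original used the fixed /tmp/image: in a world-writable /tmp, a directory
# of that name pre-created by another local user would let them seed files into
# the guest's boot image.
WORK=$(mktemp -d) || exit 1
mkdir "$WORK/image"
cd "$WORK/image" || exit 1
# the initrd belongs to the same kernel package as the vmlinuz copied above
# (the original named it by bare filename; assumed to live in /boot — confirm)
gzip -dc "/boot/initrd-$KVER.img" | cpio -i
# copy the front-end drivers for the *target* kernel, not the running one:
# the original used `uname -r`, which only matches once the new kernel is booted
cp "/lib/modules/$KVER/kernel/drivers/xen/"{blkfront/xenblk.ko,netfront/xennet.ko} lib/
chmod -x lib/xen*.ko
# add the insmod lines for xenblk/xennet to the init script
vim init
find . | cpio -o -c | gzip > ../img2
scp ../img2 "root@sci-xen:/boot/sci65/initrd-$KVER.img"
# adjust device names for the paravirtualized guest
vim /etc/fstab
poweroff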
- na dom0:
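# --- on the dom0: map the guest's LVM volumes' partitions, then start the guest ---
# (the original notes had these commands collapsed onto one line, which would
# have passed the second kpartx invocation as arguments to the first)
kpartx -v -a /dev/vg/root65
kpartx -v -a /dev/vg/swap65
# edit /etc/xen/stroj (the guest config) ...
xm create stroj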
Báze
# --- base system: repos, firewall, Kerberos/AFS auth, NTP, MySQL ---
# set gpgcheck=1 in both SL repos so yum rejects unsigned packages
vi /etc/yum.repos.d/sl.repo
vi /etc/yum.repos.d/sl-errata.repo
yum update
# restrict the NTP, BACULA and NAGIOS services to their peers
# "CRACKERS" feature: a chain for blocking attacking hosts (details not in these notes)
vi /etc/sysconfig/iptables
# cron entries for nagios and the crackers blocklist (contents not recorded here)
crontab -e
yum install pam_krb5
# krb5 pam module; add to the auth stack:
#   auth sufficient /lib/security/$ISA/pam_krb5.so afs_cells=META use_first_pass
# NOTE(review): "sufficient" ends the stack with success as soon as Kerberos
# accepts the password — confirm its position relative to pam_unix in the full
# system-auth file, which is not shown here
vi /etc/pam.d/system-auth
# scientific2.zcu.cz must be listed first (name used for the host principal below)
vi /etc/hosts
# Kerberos: create the host principal with a random key and write it to the
# keytab (the two lines after kadmin are kadmin-prompt commands).
# NOTE(review): the keytab written by ktadd must stay root-only — verify its mode.
kadmin -p MAKAC/root
ank -randkey -policy default_nohistory host/scientific2.zcu.cz@ZCU.CZ
ktadd host/scientific2.zcu.cz@ZCU.CZ
yum install ntp
# servers: clock1.zcu.cz and clock2.zcu.cz
vi /etc/ntp.conf
# hosts used to step the clock at ntpd start (plain, unauthenticated NTP)
cat >/etc/step-tickers <<EOF
147.228.57.10
147.228.52.11
EOF
chkconfig --level 2345 ntpd on
yum install openafs krbafs-utils openafs-client openafs-krb5
cat > /usr/vice/etc/ThisCell <<EOF
zcu.cz
EOF
vi /usr/vice/etc/CellServDB
chkconfig --level 2345 afs on
# mysql
yum install mysql-devel mysql-server selinux-doc selinux-policy-targeted-sources
# remove the 32-bit (i386) mysql-devel package
rpm -e mysql-devel-4.1.22-2.el4.sl.i386
# move the data directory to /home/mysql
# /var/lib/mysql -> /home/mysql; drop the old_passwords option (pre-4.1 hashing)
vi /etc/my.cnf
usermod -d /home/mysql mysql
# teach the targeted SELinux policy about the relocated data directory and socket
cd /etc/selinux/targeted/src/policy
cat > file_contexts/misc/scientific.fc <<EOF
/home/mysql(/.*)? system_u:object_r:mysqld_db_t
/home/mysql/mysql\.sock -s system_u:object_r:mysqld_var_run_t
EOF
cat > domains/misc/scientific.te <<EOF
file_type_auto_trans(mysqld_t, home_root_t, mysqld_db_t, { dir file })
EOF
make load
setfiles file_contexts/file_contexts /home/mysql
# start
/etc/init.d/mysqld start
chkconfig --level 2345 mysqld on
# check the connection
# NOTE(review): this logs in as root with no password — set one and remove the
# anonymous accounts before the server is reachable from anything but localhost
mysql -u root
# tricks with pathmunge and /sbin, /usr/sbin
vi /etc/profile
# PS1="[\u@`/bin/hostname | idn -u --quiet` \W]\\$ "
vi /etc/bashrc
ZCU
Zalohovani:
- do /etc/sysconfig/iptables (řetězec BACULA je nutné v sekci *filter nejdřív deklarovat řádkem `:BACULA - [0:0]`, jinak iptables-restore pravidla odmítne):
-A INPUT -p tcp -m tcp --dport 9102 -j BACULA
-A BACULA -s 147.228.54.24 -j ACCEPT
-A BACULA -j DROP
# Bacula client; the firewall rule above limits its 9102/tcp port to the backup server
apt-get install bacula
Nagios:
- ve FW povolit 1040/tcp z nagios serveru
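# --- Nagios remote stats via xinetd (the firewall must also allow 1040/tcp from the nagios server) ---
yum install xinetd
# unprivileged system account the check script runs as
useradd -r -s /sbin/nologin nagios
# NOTE: the original wrote this file to /etc/xinet.d/ (missing "d"), a directory
# xinetd never reads, so the service was silently never registered.
# only_from restricts the service at the xinetd level too; the hosts.allow line
# below only excludes other hosts if /etc/hosts.deny denies by default.
cat > /etc/xinetd.d/netsaint <<'EOF'
service netsaint
{
    disable     = no
    port        = 1040
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nagios
    only_from   = hyperochus.zcu.cz
    server      = /usr/local/bin/netsaint_statd-stdperl
}
EOF
# tcp_wrappers entry keyed on the server's basename (what xinetd passes to
# libwrap when no "libwrap =" override is set)
echo "netsaint_statd-stdperl: hyperochus.zcu.cz" >> /etc/hosts.allow
# xinetd resolves the service name through /etc/services
echo "netsaint 1040/tcp # nagios" >> /etc/services
# make xinetd pick up the new service
chkconfig --level 2345 xinetd on
service xinetd restart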
Devel
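# --- Devel: extra tools, build dependencies, ETICS prerequisites, JDK environment ---
# additional SW
yum install mc vim vim-X11 xorg-x11-xauth xorg-x11-apps xorg-x11-fonts-truetype
# devel
yum install jdk gcc gcc-c++ libtool doxygen cvs subversion valgrind.x86_64 rpm-build tidy docbook-dtds docbook-style-xsl libxml2-devel bison flex tetex-latex docbook-utils gdb chrpath libxslt libxslt-devel cppunit expat-devel ctags strace ant
# etics
yum install python-devel python-tools pyOpenSSL 4Suite PyXML openssl-devel.x86_64
# third-party (DAG) repo — keep gpgcheck=1 with its key configured, as for the SL repos
vim /etc/yum.repos.d/dag.repo
yum install hexedit
# libtool: replace 3.4.4 with 3.4.6 inside the SL libtool script (the original "sux" workaround)
sux
cd /usr/bin
mv libtool libtool-sl-sux
# the original "cat ... | sed ... > libtool" created the replacement with umask
# permissions, i.e. without the execute bit; copy the mode from the saved original
sed -e 's/3\.4\.4/3.4.6/g' libtool-sl-sux > libtool
chmod --reference=libtool-sl-sux libtool
# java && ETICS
sux
# The heredoc delimiters are quoted: the original's unquoted <<EOF made the
# *writing* shell expand $JDK_HOME (empty unless already set there), $JAVA_HOME
# and $PATH, so the profile file carried frozen, wrong values instead of the
# variable references every login shell should evaluate itself.
cat > /etc/profile.d/java-sci.sh <<'EOF'
export JDK_HOME="/usr/java/jdk1.6.0_10"
export JAVA_HOME="$JDK_HOME/jre"
export PATH="$JAVA_HOME/bin:$JDK_HOME/bin:$PATH"
EOF
# NOTE(review): the csh variant names jdk1.5.0_16 while the sh variant names
# jdk1.6.0_10 — the original notes disagree; confirm which JDK is intended.
cat > /etc/profile.d/java-sci.csh <<'EOF'
setenv JDK_HOME "/usr/java/jdk1.5.0_16"
setenv JAVA_HOME "/usr/java/jdk1.5.0_16/jre"
set path = ( $JAVA_HOME/bin $JDK_HOME/bin $path )
EOF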
gLite
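# --- gLite: external repos, IGTF CA bundle, CRL fetching, Globus/GPT ---
# quoted heredocs: $basearch must reach the repo files literally (the original escaped it as \$basearch)
cat > /etc/yum.repos.d/glite-externals.repo <<'EOF'
[glite-externals]
name=glite externals RPMS repository
baseurl=http://linuxsoft.cern.ch/EGEE/gLite/R3.1/generic/sl4/$basearch/
gpgkey=http://linuxsoft.cern.ch/cern/slc4X/$basearch/docs/RPM-GPG-KEY-atrpms
gpgcheck=1
enabled=1
exclude=glite-* lcg-vomscerts*
EOF
# NOTE(review): both gpgkey URLs are plain http, so the key yum imports on first
# use is only as trustworthy as the path to the mirror — compare the fingerprint
# yum prints against one obtained out of band before answering "y".
cat > /etc/yum.repos.d/eugridpma.repo <<'EOF'
[eurogridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current
gpgkey=http://www.eugridpma.org/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
EOF
yum install ca_CESNET ca_INFN ca_GTE-CyberTrust-Global-Root ca_TERENA-SCS
# add "/C=CZ/*" to cond_subjects — this widens the subject namespace that CA is
# trusted to sign for; keep it as narrow as the CA really needs
vim /etc/grid-security/certificates/7ffb3ace.signing_policy
# fetch-crl from https://dist.eugridpma.info/distribution/util/fetch-crl/
# TODO: check, VOMS, ...
wget https://dist.eugridpma.info/distribution/util/fetch-crl/fetch-crl-2.6.6-1.noarch.rpm
# Check the signature explicitly before installing: a bare "rpm -i" only warns
# (NOKEY) and proceeds when the signing key is unknown. The EUGridPMA key is in
# the rpm database once the yum install above imported it; the output must say
# "gpg OK" (an unsigned package also exits 0, so read the output, not just $?).
rpm --checksig fetch-crl-2.6.6-1.noarch.rpm
rpm -i fetch-crl-2.6.6-1.noarch.rpm
cp /usr/share/doc/fetch-crl-2.6.6/fetch-crl.cron /etc/cron.daily/
chmod +x /etc/cron.daily/fetch-crl.cron
yum install vdt_globus_essentials createrepo gridsite-shared vdt_globus_sdk classads
# gpt as well — not in the default 64bit set, so by hand from eticssoft.cern.ch ...
# ...
# NOTE(review): GPT_LOCATION is exported below but never assigned, yet the
# gpt-* commands at the end depend on it — set it to the manual gpt install path
cat > /etc/profile.d/globus.sh <<'EOF'
GLOBUS_LOCATION=/opt/globus
PATH=$PATH:$GLOBUS_LOCATION/bin
export PATH GLOBUS_LOCATION GPT_LOCATION
EOF
# csh: setenv (environment) instead of the original "set", which only made a
# shell-local variable that child programs never saw; mirrors the export in globus.sh
cat > /etc/profile.d/globus.csh <<'EOF'
setenv GLOBUS_LOCATION /opt/globus
set path = ( $path $GLOBUS_LOCATION/bin )
EOF
chmod +x /etc/profile.d/globus.sh /etc/profile.d/globus.csh
echo "/opt/globus/lib" > /etc/ld.so.conf.d/globus.conf
# rebuild the loader cache, otherwise /opt/globus/lib is not searched until the next ldconfig run
ldconfig
# needed afterwards (as listed in the original notes):
$GLOBUS_LOCATION/setup/globus-setup-comon.sh
$GLOBUS_LOCATION/etc/globus-user-env.sh
$GPT_LOCATION/sbin/gpt-postinstall
$GPT_LOCATION/sbin/gpt-build gcc32 -nosrc
$GPT_LOCATION/sbin/gpt-build gcc32dbg -nosrc
$GPT_LOCATION/sbin/gpt-build gcc32pthr -nosrc
$GPT_LOCATION/sbin/gpt-build gcc32dbgpthr -nosrc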
Etics-less
# --- building without ETICS: gsoap, c-ares, then VOMS & LCAS with the etics tools ---
# gsoap: get 2.7.10 from http://www.cs.fsu.edu/~engelen/soap.html
# (plain-http download; compare against a checksum or signature published by
# the project before building and installing it as root)
# ... (unpack)
./configure --prefix=/opt/gSOAP --enable-debug
make
su
make install
# c-ares 1.3.1 (newer versions tend to cause trouble); same caveat about the unverified tarball
wget http://eticssoft.web.cern.ch/eticssoft/repository/externals/c-ares/1.3.1/src/c-ares.tar.gz
tar xzf c-ares.tar.gz
cd c-ares-1.3.1
./configure --prefix=/opt/c-ares --enable-shared --disable-static
make -j6
su
make install
# VOMS & LCAS
# https://erebor.ics.muni.cz/wiki/lb_build.html#index8h4
cat > etics.properties <<'EOF'
org.glite.security.lcas.DEFAULT = glite-security-lcas_R_1_3_6_2
org.glite.security.lcas-interface.DEFAULT = glite-security-lcas-interface_R_1_3_6_2
vdt_globus_essentials.DEFAULT = vdt_globus_essentials v. 4.0.7-VDT-1.10.1-1
globus.DEFAULT = globus v. 4.0.7-VDT-1.10.1-1
globus.location = /opt/globus
vdt_globus_essentials.location = /opt/globus
globus.dbg.thr.flavor=gcc32dbgpthr
globus.dbg.nothr.flavor=gcc32dbg
globus.thr.flavor=gcc32dbgpthr
globus.nothr.flavor=gcc32dbg
EOF
etics-checkout --project-config glite_branch_3_2_0_dev --config glite-security-lcas_R_1_3_6_2 org.glite.security.lcas
etics-configuration prepare -c glite-security-voms_R_1_8_10_1 org.glite.security.voms
# set enable-java=no and remove --with-bc
gvim Configuration-glite-security-voms_R_1_8_10_1.ini
etics-configuration modify -i Configuration-glite-security-voms_R_1_8_10_1.ini
etics-build org.glite.security.lcas
su
rpm -ivh ...
/home/valtri
- .bash_profile
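# ~/.bash_profile: reuse one ssh-agent across logins, then set up the ETICS/JDK environment.
SSH_INFO_FILE=~/ssh-agent-info.sh

# Print the value of $1 (SSH_AUTH_SOCK or SSH_AGENT_PID) from the saved
# "ssh-agent -s" output, whose lines look like "VAR=value; export VAR;".
_ssh_info_var() {
  sed -n "s/^$1=\([^;]*\).*/\1/p" "$SSH_INFO_FILE"
}

# Succeed only if the saved agent is really still ours and usable:
# the PID must be purely numeric (the file could have been edited), the
# socket must exist, and the process with that PID must be ssh-agent.
# The original matched the PID as an unanchored substring of "ps" output,
# so a stale PID 12 was "alive" whenever any ssh-agent 1234 was running.
_ssh_agent_alive() {
  case "$SSH_AGENT_PID" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ -S "$SSH_AUTH_SOCK" ] || return 1
  [ "$(ps -o comm= -p "$SSH_AGENT_PID" 2>/dev/null | tr -d ' ')" = "ssh-agent" ]
}

if [ -f "$SSH_INFO_FILE" ]; then
  SSH_AUTH_SOCK=$(_ssh_info_var SSH_AUTH_SOCK); export SSH_AUTH_SOCK
  SSH_AGENT_PID=$(_ssh_info_var SSH_AGENT_PID); export SSH_AGENT_PID
fi
if ! _ssh_agent_alive; then
  # create the info file owner-only; it names the agent socket other users have no business knowing
  (umask 077 && ssh-agent -s > "$SSH_INFO_FILE") && chmod 600 "$SSH_INFO_FILE"
  SSH_AUTH_SOCK=$(_ssh_info_var SSH_AUTH_SOCK); export SSH_AUTH_SOCK
  SSH_AGENT_PID=$(_ssh_info_var SSH_AGENT_PID); export SSH_AGENT_PID
  echo "Agent PID $SSH_AGENT_PID"
  ssh-add
fi

# ETICS / JDK environment (the original assigned JDK_HOME twice; JDK_HOME
# itself is not exported here, it only feeds JAVA_HOME and PATH)
ETICS_HOME=$HOME/ETICS/etics
JDK_HOME=$HOME/ETICS/repository/externals/jdk/1.5.0_06/noarch
JAVA_HOME=$JDK_HOME/jre
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin:$JDK_HOME/bin:$ETICS_HOME/bin:$HOME/ETICS/repository/externals/ant/1.6.2/noarch/bin
CVSROOT=valtri@jra1mw.cvs.cern.ch:/cvs/jra1mw
CVS_RSH=ssh
export PATH ETICS_HOME JAVA_HOME CVSROOT CVS_RSH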
- .bashrc
# shorthand: set up the ETICS workspace, then fetch the org.glite project (presumably both from $ETICS_HOME/bin, put on PATH by .bash_profile)
alias etics='etics-workspace-setup && etics-get-project org.glite'
- .certs/, .globus/, .ssh/, .etics.conf
VOMS
certifikaty uz snad nejsou potreba pro skoro nic v glite 3.2 a mel by stacit konfigurak (soubor .lsc) se subject a issuer DN pro kazdy VOMS server. Napr. pro VOCE:
[root@ui1 voce]# cat /etc/grid-security/vomsdir/voce/voms1.egee.cesnet.cz.lsc
/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
/DC=cz/DC=cesnet-ca/CN=CESNET CA
Pokud chces byt schopny udelat i vomsovou proxy (tj. voms-proxy-init), tak potrebujes zaznam (soubor) v adresari $GLITE_LOCATION/etc/vomses (/opt/glite/etc/vomses). Pro voce:
[root@ui1 voce]# cat /opt/glite/etc/vomses/voce-voms1.egee.cesnet.cz
"voce" "voms1.egee.cesnet.cz" "7001" "/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz" "voce" "24"
