upgrade_notes:bt02srv_january_2011

Differences

This shows you the differences between two versions of the page.

upgrade_notes:bt02srv_january_2011 [2011/02/21 12:28] – [System tweaks and cleanup] aorth
upgrade_notes:bt02srv_january_2011 [2011/12/01 08:42] (current) – removed aorth
Line 1: Line 1:
-====== bt02srv upgrade notes ====== 
-The ''bt02srv'' server started as an experiment, and had Ubuntu 9.10 Desktop on it.  Over a year of use it emerged into a "real" server, so it made much more sense to reinstall with a LTS Ubuntu server version in order to get the server-specific system settings, as well as having long-term update support from repositories. 
  
-===== Backup ===== 
-==== Existing system files ==== 
-Manually copy several system directories to a safe location just to be safe.  These will be useful when setting system services up after the installation. 
-<code>sudo mkdir /mnt/backups/before_10.04 
-sudo cp -a /etc /opt /var/www /boot /root /mnt/backups/before_10.04</code> 
-==== List of installed packages ==== 
-Capture a list of all currently-installed packages, just in case. 
-<code>$ sudo su -c 'dpkg --get-selections > /mnt/backups/before_10.04/9.10_packages.txt'</code> 
- 
-===== Installation ===== 
-We're installing Ubuntu 10.04 Server x86_64 LTS (Long-term support).  LTS releases have a longer period of software and security updates then the regular releases. 
- 
-During installation make sure use "advanced mode" to select all our existing partitions rather than using the installer defaults.  We already have partitions for ''/'', ''swap'', and ''/home'', so don't erase the hard drive! 
- 
-===== Post installation ===== 
- 
-==== Run all upgrades ==== 
-After installation it is a good idea to immediately install all software updates.  Ubuntu 10.04 was released in April, 2010, so the packages on the disc are sure to have been upgraded since its release. 
-<code>$ sudo apt-get update 
-$ sudo apt-get dist-upgrade 
-$ sudo reboot</code> 
- 
-==== Install RAID tools ==== 
-We need to install the tools requires to mount the software RAID 5.   
-<code>$ sudo apt-get install mdadm</code> 
-  * plug in RAID tower eSATA 
-  * reboot (probably optional) 
-<code>$ sudo mdadm --auto-detect 
-$ sudo mount /dev/md0 /mnt 
-$ sudo mv /etc/mdadm/mdadm.conf /etc/mdadm/mdadm.conf.orig 
-$ sudo cp /mnt/backups/before_10.04/etc/mdadm/mdadm.conf /etc/mdadm/mdadm.conf</code> 
-  * add /dev/md0 to fstab 
-  * reboot to test 
- 
-===== Install system packages ===== 
-Some system packages we might need later on (to build perl modules, for example). 
- 
-<code>sudo apt-get install build-essential</code> 
- 
-====== SSH Keys ====== 
-Copy the system's SSH keys from the old system.  We don't want people to get "man-in-the-middle attack" errors when they SSH to the new server! 
-<code>sudo cp -a /etc/ssh /etc/ssh.orig 
-sudo service ssh stop 
-sudo cp /mnt/backups/before_10.04/etc/ssh/*key* /etc/ssh/ 
-sudo service ssh start</code> 
-====== Copy root's home folder ====== 
-<code>sudo su - 
-cd / 
-mv root root.orig 
-mv root/ root.orig 
-cp -a /mnt/backups/before_10.04/root/ /root</code> 
- 
-====== Install apt-cacher-ng ====== 
-Install the apt-cacher-ng package and make sure our existing package cache is owned by the new user and group. 
-<code>$ sudo apt-get install apt-cacher-ng 
-$ sudo chown -R apt-cacher-ng:apt-cacher-ng /mnt/apt-cacher-ng</code> 
-==== Edit configuration ==== 
-Edit the configuration to point the ''CacheDir'' to our existing cache. 
- 
-///etc/apt-cacher-ng/acng.conf//: 
-<file>CacheDir: /mnt/apt-cacher-ng</file> 
-==== Restart apt-cacher-ng daemon ==== 
-<code>$ sudo /etc/init.d/apt-cacher-ng restart</code> 
-====== BackupPC ====== 
-==== Install BackupPC from apt ==== 
-<code>$ sudo apt-get install backuppc</code> 
-(automatically-generated password: 0FY25aM2) 
- 
-Change the password for the ''backuppc'' user if you'd like: 
-<code>$ sudo htpasswd /etc/backuppc/htpasswd backuppc</code> 
- 
-==== BackupPC home directory ==== 
-<code>cd /var/lib 
-sudo mv backuppc/ backuppc.orig 
-sudo ln -s /mnt/backuppc backuppc</code> 
-==== Restore configuration ==== 
-<code>sudo mv /etc/backuppc/hosts /etc/backuppc/hosts.orig 
-sudo cp /mnt/backups/backup.0/etc/backuppc/hosts /etc/backuppc/ 
-sudo cp /mnt/backups/backup.0/etc/backuppc/172.26.*pl /etc/backuppc/ 
-sudo chown -R backuppc:www-data /etc/backuppc 
-sudo chown -R backuppc:backuppc /mnt/backuppc/ 
-sudo usermod -s /bin/bash backuppc 
-ps aux | grep "BackupPC -d" 
-sudo killall -HUP 7442</code> 
- 
-==== Web interface authentication ==== 
-We'll point BackupPC's authentication to ILRI Active Directory using the Perl AuthenMSAD module from CPAN. 
- 
-==== Install AuthenMSAD ==== 
-<code>sudo apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev  libauthen-simple-ldap-perl 
-sudo cpan 
-install Apache2::AuthenMSAD 
-exit</code> 
- 
-==== Set up Apache to use AD auth ==== 
-<code>$ sudo vim /etc/backuppc/apache2.conf</code> 
- 
-<file>AuthName "Microsoft Active Directory Authentication" 
-AuthType Basic 
- 
-PerlAuthenHandler Apache2::AuthenMSAD 
-PerlSetVar MSADDomain ilri.cgiarad.org 
-PerlSetVar MSADServer 172.26.0.218 
- 
-require valid-user 
-#require user aorth akihara</file> 
-==== Enable the Apache module ==== 
-<code>sudo a2enmod perl 
-sudo apache2ctl graceful</code> 
-===== Email alerts ===== 
-BackupPC can send emails to notify of failed backups, etc.  We will use postfix's sendmail to relay all the mails to the REAL mail server at the institute; this is called a "relay" or "smart" host. 
- 
-Postfix is installed by default when you install BackupPC, but it's not configured.  Reconfigure it to act as a "Satellite System" using ''dpkg-reconfigure'': 
-<code>sudo dkpg-reconfigure postfix</code> 
- 
-After that the emails should be working.  Test if BackupPC is able to send messages: 
-<code>sudo su - backuppc 
-/usr/share/backuppc/bin/BackupPC_sendEmail -u a.orth@cgiar.org</code> 
- 
-===== Redmine ===== 
-==== Install system dependencies ==== 
-<code>sudo apt-get install ruby rubygems libopenssl-ruby</code> 
-==== Install ruby dependencies ==== 
-<code>$ sudo gem install rails -v=2.3.5 
-$ sudo apt-get install libsqlite3-dev 
-$ sudo gem install sqlite3-ruby 
-$ sudo gem install fastthread 
-$ sudo gem install -v=0.4.2 i18n</code> 
-==== Copy existing Redmine installation back ==== 
-<code>sudo cp -a /mnt/backups/before_10.04/opt/redmine* /opt/</code> 
-==== Test using the standalone Ruby web server ==== 
-<code>sudo /opt/redmine/script/server -e production</code> 
- 
-====== Passenger (mod_rails) ====== 
-Install Phusion Passenger, aka "mod_rails", to enable Apache to execute Ruby code. 
- 
-<code>sudo sh -c 'echo "deb http://apt.brightbox.net lucid main" > /etc/apt/sources.list.d/phusion_passengerlist' 
-wget -q -O - http://apt.brightbox.net/release.asc | apt-key add - 
-sudo apt-get update 
-sudo apt-get install libapache2-mod-passenger</code> 
- 
-==== Configuration ==== 
-Create ///etc/apache2/conf.d/redmine.conf//: 
-<file>RailsBaseURI /redmine 
-RailsEnv production 
- 
-<Directory "/var/www/redmine"> 
-        AllowOverride all 
-        Options -MultiViews 
-        #Options Indexes ExecCGI FollowSymLinks 
-        Order allow,deny 
-        Allow from all 
-</Directory></file> 
- 
-==== Create symbolic link to redmine ==== 
-<code>sudo ln -s /opt/redmine/public /var/www/redmine</code> 
-====== Apache SSL ====== 
-Force all HTTP -> HTTPS using ''mod_rewrite''. 
- 
-===== Enable Apache modules ====== 
-<code>sudo a2enmod ssl rewrite</code> 
- 
-===== Copy SSL settings ===== 
-Copy the keys and Apache configuration for SSL from the old machine. 
- 
-The "snake oil" certificate is the self-signed certificate we generated ourselves.  It's secure, but called "snake oil" because it's self generated, and not issued by a certificate authority.  Don't worry, we can't even get a "real" one with our current setup (as we don't control the ilri.org domain, mail addresses, IPs, etc). 
- 
-<code>sudo cp /mnt/backups/before_10.04/etc/apache2/sites-enabled/default-ssl /etc/apache2/sites-enabled/ 
-sudo cp -a /etc/ssl /etc/ssl.orig 
-cp /mnt/backups/before_10.04/etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem 
-cp /mnt/backups/before_10.04/etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key</code> 
-===== Set up redirect for HTTP -> HTTPS ===== 
-///etc/apache2/sites-enabled/000-default//: 
-<file><IfModule mod_rewrite.c> 
-    RewriteEngine On 
-    RewriteCond %{HTTPS} off  
-    # rewrite only trac login pages to HTTPS 
-    #RewriteCond %{REQUEST_URI} trac/(avid|beca)/login 
-    # grab the request minus the / (we place a slash in the rewritten URL) 
-    RewriteRule ^/(.*)$ https://172.26.17.2/$1 [R,L] 
-</IfModule></file> 
-  * add "ServerName bt02srv" to the default-ssl VirtualHost configuration. 
-  * Restart Apache 
-  * <code>sudo apache2ctl graceful</code> 
-====== git repositories ====== 
-Set up git repositories from the old system by creating a ''git'' user and copying its home directory (including SSH keys in .ssh!!) to ///var/cache/git//: 
-  *<code>sudo apt-get install git-core 
-adduser --system --group --shell /bin/bash --disabled-password --home /var/cache/git/ --no-create-home git 
-cp -a backup.0/var/cache/git/* backup.0/var/cache/git/.ssh /var/cache/git/ 
-chown -R git:git /var/cache/git</code> 
- 
-====== Add users from old system ====== 
-Here I add a user for Solomon Kihara: 
-  * <code>$ sudo cp -a /mnt/backup/akihara /home/ 
-$ sudo adduser --shell /bin/bash --home /home/akihara/ --no-create-home akihara 
-$ sudo chown -R akihara:akihara /home/akihara/ 
-$ sudo gpasswd -a akihara admin</code> 
- 
-====== Automatic security updates ====== 
-Installed [[:cron-apt]] and configured to automatically install security updates only. 
-====== System tweaks and cleanup ====== 
-  * add ''noatime'' to all ext4 partitions in /etc/fstab.  This tells the kernel not to update timestamps on files when they are accessed! 
-  * Remove ''command-not-found'', as we're all pros on this server ;): 
-  * <code>sudo apt-get purge command-not-found command-not-found-data</code> 
-  * Remove unneeded/obsolete packages: 
-  * <code>sudo apt-get autoremove</code> 
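Review bot: The BackupPC section of the removed text (the line beginning "(automatically-generated password:") records a credential in clear text, and removing the page in the current revision does not take it out of the wiki: this comparison view still renders it, and the footer shows the old revision kept as bt02srv_january_2011.1298291330.txt.gz. Treat that password as exposed and change it (the notes already give "sudo htpasswd /etc/backuppc/htpasswd backuppc" for that), then purge the stored old revision if the wiki is readable beyond the admin team. The same holds for the internal details in the Apache sections (the MSADServer address, the AD domain and the redirect target IP), which also stay readable in the page history.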
upgrade_notes/bt02srv_january_2011.1298291330.txt.gz · Last modified: by aorth