Stellar 2 Server Setup

There are two types of machine which may have a full Stellar installation: an Athena workstation for development, and a server maintained by "OPS". Many steps in setting up the servers are the same, but many differ.

Athena workstation

Privatize as usual; see the Private Athena Workstation Owner's guide at http://web.mit.edu/olh/Private/.

Ops server

It needs to have a Kerberos ID and be added to the stellar-servers list for AFS access. It also needs to be given access to the Subversion repository. Send mail to stellar-ops@mit.edu to have it given AFS access and be added to the stellar-servers list. Send mail to svn-admin to have the host's Kerberos ID added to the .k5login file for the stellarcvs user on svn.mit.edu.

To avoid putting settings in the root login which would always be active, we use a separate file which must be sourced after logging in. AMPS was the organization which included Stellar from the creation of AMPS until the end of 2006.

mkdir -p /var/local/amps
cat > /var/local/amps/cshrc <<'EOF'
alias rm 'rm -i'
alias cp 'cp -i'
alias mv 'mv -i'
alias ll 'ls -ltr'
setenv CVSROOT :kserver:cvs.mit.edu:/cvs/okapi
set ignoreeof
set noclobber
bindkey "^U" universal-argument
setenv EDITOR emacs
set history=20000
set histfile=/var/local/amps/history
set savehist=20000
history -L /var/local/amps/history

set path=($path /var/local/maven-2.0.7/bin/)
setenv JAVA_HOME /var/local/java1.6

setenv KRB5CCNAME /tmp/krb5cc_stellarcvs
setenv KRBTKFILE /tmp/tkt_stellarcvs
kinit -k
EOF
source /var/local/amps/cshrc

Every time you log in to this server as root, first do source /var/local/amps/cshrc.

Checkout code

(similar on both types of machine)

e.g.

add gnu stellar-sakai svn
mkdir /var/local/stellar-svn
cd /var/local/stellar-svn
svn co svn+ssh://stellarcvs@svn.mit.edu/svn/amps

If you are checking out code on your own workstation using your own identity, use

kinit 
mkdir /var/local/stellar-svn
cd /var/local/stellar-svn
svn co svn+ssh://svn.mit.edu/amps

Users and Groups

(the same on both types of machine, though oracle is now optional since we no longer expect to install oracle on each machine)

Add to /etc/passwd.local, and /etc/passwd:

oracle:*:9877:33537:Oracle Database,,,,:/var/local/oracle-user:/bin/ksh
www:*:6623:101:Unprivileged W User,,,,:/mit/www:/dev/null

Add to /etc/shadow.local, and /etc/shadow:

oracle:SSpbaftOt8rE6:8573::::::

Add to /etc/group.local and /etc/group:

oinstall:*:33537:oracle
oracle:*:19620:oracle
dba:*:29263:oracle
www:*:15588:

Check the /etc/system parameters if needed; the following are from Athena 9.3.18:

set noexec_user_stack=1
set noexec_user_stack_log=1
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmni=100
set semsys:seminfo_semmsl=256
set semsys:seminfo_semmns=1024
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767

Apache-served Documents

(the same on both types of machine)

cd /var/local/stellar-svn/amps/stellar/support-files/docs/trunk/
mv stellar-docs /var/local/
svn update

Java 1.6

(the same on both categories of machine)

To be sure of the Java version being used, download and install it in /var/local anyhow, so we always have a known and potentially newer version including bugfixes. Download the self-installing shell script version of the "Java SE Development Kit" for the desired platform (e.g. Solaris SPARC); the directory to which you have downloaded it is denoted $COMPONENTS below.

chmod 755  $COMPONENTS/jdk-6u2-solaris-sparc.sh 
chmod 755  $COMPONENTS/jdk-6u2-solaris-sparcv9.sh 
mkdir /var/local/java
cd /var/local/java
$COMPONENTS/jdk-6u2-solaris-sparc.sh 
$COMPONENTS/jdk-6u2-solaris-sparcv9.sh 
cd /var/local
ln -s /var/local/java/jdk1.6.0_02 /var/local/java1.6

maven

Install maven in /var/local by untarring the binary distribution. Set the path and JAVA_HOME in /var/local/amps/cshrc as above.

Use the settings.xml in the shared-build project.

XSL files

(the same on both types of machine)

Put stellar xsl on local disk:

cd /var/local/stellar-svn/amps/stellar/support-files
mv templates/xslt/xsl /var/local/stellar-xsl
svn update

Make the directory for logs:

mkdir  /var/local/stellar-logs
chown www:www /var/local/stellar-logs

If you aren't doing this on your own workstation, make the directories for jforum:

mkdir /var/local/stellar-jforum-config
mkdir /var/local/stellar-jforum
mkdir /var/local/stellar-jforum/avatars
mkdir /var/local/stellar-jforum/attachments
chown www:www /var/local/stellar-jforum*

IPF firewall

(similar on both types of machine)

Tomcat AJP connector ports (8009 and others) need to be protected and only accessible from the httpd hosts (in production these would be asterope and merope). Oracle DB port 1521 needs to be accessible only from the Tomcat hosts (e.g. aludra).

All other access should be left alone.

Filter rules for 18.89.3.242 to allow Apache on 18.89.1.67 to reach Tomcat on 18.89.3.242 (untried):

block in  on bge0 proto tcp from any to 18.89.3.242/32 port=8559
pass in quick on bge0 proto tcp from 18.89.1.67/32  to 18.89.3.242/32 port=8559

For some machines the interface is ce0 rather than bge0.
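
How ipf evaluates the two rules above, as an added example that is not part of the original page: ipf applies the last matching rule unless a matching rule is marked quick, which is why the block rule can come first. The script assumes that packets matching no rule are passed; ipf_verdict and the 18.89.1.68 test address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Covers only the rule syntax used
# above; the function name ipf_verdict is an assumption.

# The two filter rules from this page, unchanged.
RULES='block in  on bge0 proto tcp from any to 18.89.3.242/32 port=8559
pass in quick on bge0 proto tcp from 18.89.1.67/32  to 18.89.3.242/32 port=8559'

# ipf_verdict SRC DST PORT
# Print "pass" or "block" for an inbound TCP packet evaluated against $RULES.
ipf_verdict() {
    printf '%s\n' "$RULES" | awk -v src="$1" -v dst="$2" -v port="$3" '
    function ip2n(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when addr lies inside spec, which is "any" or a.b.c.d[/len].
    function inside(addr, spec,   p, size) {
        if (spec == "any") return 1
        if (split(spec, p, "/") < 2) p[2] = 32
        size = 2 ^ (32 - p[2])          # number of addresses in the prefix
        return int(ip2n(addr) / size) == int(ip2n(p[1]) / size)
    }
    BEGIN { verdict = "pass" }          # assumed default: no matching rule means pass
    {
        quick = 0; from = "any"; to = "any"; rport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "quick") quick = 1
            if ($i == "from")  from = $(i + 1)
            if ($i == "to")    to = $(i + 1)
            if ($i ~ /^port=/) rport = substr($i, 6)
        }
        if (inside(src, from) && inside(dst, to) && (rport == "" || port == rport)) {
            verdict = $1                # the last matching rule decides ...
            if (quick) exit             # ... unless a quick rule stops the search
        }
    }
    END { print verdict }'
}

ipf_verdict 18.89.1.67 18.89.3.242 8559   # the httpd host
ipf_verdict 18.89.1.68 18.89.3.242 8559   # constructed neighbouring address
ipf_verdict 18.89.1.68 18.89.3.242 22     # another port, left alone
```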

Athena 9.4

These should be put in /etc/ipf/ipf.conf; the ce line in /etc/ipf/pfil.ap should be uncommented, and the commands in http://docs.sun.com/app/docs/doc/816-4554/ should be run.

To update the ipf after the ipf.conf file is changed, do ipf -Fa -f /etc/ipf/ipf.conf

Oracle Software

Oracle software installation is in a separate document.

Database import

Oracle database import is in a separate document.

Using X windows from an OPS server to a local display

SSH is handling the X windows traffic, so it pretends to be a display on the machine you're sshed in to.

The problem with su - oracle is that there's an additional layer of security: xauth is being used. The login message contains something like: /usr/openwin/bin/xauth: creating new authority file /tmp/xauth-root-27444/Xauthority

As root, after ssh -l root -X servername:

chmod 644 $XAUTHORITY 
chmod 755 $XAUTHORITY:h 
chgrp oinstall $XAUTHORITY:h $XAUTHORITY
echo "as oracle do: export XAUTHORITY=$XAUTHORITY"
echo "as oracle do: export DISPLAY=$DISPLAY"

As oracle (substitute DISPLAY and XAUTHORITY from above):

export DISPLAY=localhost:10.0
export XAUTHORITY=/tmp/xauth-123/Xauthority

SSH

Servers will be exporting data; private workstations may be importing data from the servers.

To allow a server (e.g. stellar.mit.edu) to scp files to another server (opening up an ssh hole for root@stellar to have root access on the other machine):

On the server, as root:

ssh-keygen -t dsa

Use nothing for the passphrase (just press enter).

Then ssh to the other machine, and add the contents of /.ssh/id_dsa.pub on the server to /.ssh/authorized_keys on the target machine.

chmod 400  /.ssh/authorized_keys

Be sure to set /etc/sshd_config to allow RSAAuthentication and PubkeyAuthentication.
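
A passphrase-less root key works for anyone who holds the private key file, so the entry on the target machine is usually narrowed with authorized_keys options. The following added example (not part of the original notes) builds such an entry and lists the entries in a file that lack a from= restriction; the function names and key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are assumptions;
# the key blobs below are constructed placeholders, not real keys.

# restrict_key HOST "TYPE BLOB COMMENT"
# Emit an authorized_keys entry that is accepted only from HOST and cannot be
# used for port, X11 or agent forwarding, or to get a terminal.
restrict_key() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2"
}

# audit_authorized_keys < FILE
# Print the line number of every key entry with no from="..." option, i.e.
# every key that is accepted from any host. Comments and blanks are skipped.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        s = " " $0                       # leading blank so one pattern fits all
        opts = s                         # unknown key type: inspect whole line
        # The option list is whatever precedes the key type field.
        if (match(s, /[ \t](ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-[^ \t]+)[ \t]/))
            opts = substr(s, 1, RSTART - 1)
        if (opts !~ /[ ,]from="/) print NR
    }'
}

# Constructed sample: line 2 is the bare entry produced by the steps above,
# line 3 is the same key restricted to its source host.
SAMPLE_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER root@stellar.mit.edu'
SAMPLE_FILE=$(printf '%s\n' \
    '# keys allowed to log in as root' \
    "$SAMPLE_KEY" \
    "$(restrict_key stellar.mit.edu "$SAMPLE_KEY")" \
    'command="/bin/date" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER ops@example.invalid')

printf '%s\n' "$SAMPLE_FILE" | audit_authorized_keys   # prints 2 and 4
```

On a target machine the audit is run as audit_authorized_keys < /.ssh/authorized_keys.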

Cronjobs

See the crontabs in subversion at svn+ssh://svn.mit.edu/amps/stellar/2.0/trunk/support/src/site/resources/crontabs for the appropriate type of machine.

More old notes, yet to be consolidated. Better information is in the source and the wiki https://wikis.mit.edu/confluence/display/STLRP/Home.

mkdir  /var/local/stellar-backups/
chown oracle /var/local/stellar-backups

mkdir  /var/local/stellar-support

cp /var/local/stellar-cvs/stellar/sysutils/runCookieMonitor /var/local/stellar-support/
cp -r /var/local/stellar-cvs/stellar/sysutils/gnu /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/probe-cookie-monitor.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/spacereport.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/eval-nexus-info.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/conf/production/yesterday /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/cleanup /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/CookieMonitor.java /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/update-users.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/db/OkapiCoreTablesReLoad-* /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/videocron.perl /var/local/stellar-support/
cp /afs/athena/project/gnu/bin/wget /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/bull.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/sysutils/copy-logs.perl /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/conf/production/cronjob2 /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/conf/production/cronjob-hourly /var/local/stellar-support/
cp /var/local/stellar-cvs/stellar/conf/production/oracle/cronjob1 /var/local/oracle-user/
chmod 755 /var/local/stellar-support/cronjob2 /var/local/stellar-support/cronjob-hourly /var/local/stellar-support/eval-nexus-info.perl

modify cronjob2 to export to desired servers and use correct backup directories
modify cronjob1 to use correct SID and directories

modify probe-cookie-monitor.perl as needed
modify cleanup as needed
modify update-users.perl as needed
modify copy-logs.perl as needed

date > /var/local/stellar-backups/incremental-after
and edit time as needed
touch /var/local/stellar-logs/usercount

for reporting:
mkdir /var/local/stellar-support/reports
cp -r /var/local/stellar-cvs/stellar/sysutils/reports /var/local/stellar-support/

