Coordinating Node System Configuration
======================================

This file represents a log of the system configuration that needs to be done on the CN instances. Many of these settings will already be in place on the CN virtual machines, but some will need to be changed in order to run multiple instances of the CN at different sites.

The CN buildout has been automated by creating a series of Debian packages that are built and installed using a custom Makefile. To build a coordinating node from scratch, one should only need to install the base OS, upgrade it to pick up security updates, modify the apt sources list, add the 'dpkg-dev' package, and then run::

    make install

at the root of the CN buildout. Notes on the various components that make up the CN node are included below.

OS
--

Install Ubuntu 9.10. The plan is to use the Ubuntu 10.4 LTS release, so we are building off 9.10 as the closest OS to that release. Use the standard server install. Then run ``apt-get update; apt-get dist-upgrade`` to bring the packages up to date.

Afterwards, modify sources.list to add a new local repository for the packages that we will generate (the redirect runs in the calling shell, so it needs ``sudo tee`` rather than a plain ``>>`` to write to /etc)::

    $ sudo mkdir -p /var/dataone/apt
    $ echo "deb file:/var/dataone/apt karmic universe" | sudo tee -a /etc/apt/sources.list

You will also need dpkg-dev for a few dpkg utilities before the Makefile will run properly, so use::

    $ sudo apt-get install dpkg-dev

HOST, NETWORK AND ACCOUNTS
--------------------------

* Assign an IP on the local network; configure DHCP, DNS, hostname, etc.
* Create local sysadmin accounts for brand and jones; enable sudo through the 'admin' group.
* Host for the development server is::

    cn-dev.dataone.org -> 128.111.220.50

* Accounts are controlled through LDAP (see below for the LDAP system configuration).
  To be able to log in, a user must:

  1) have a valid LDAP account on ldap.ecoinformatics.org
  2) be added to the dataone-sysadmin group
  3) have a valid home directory, shell, and other POSIX attributes in their LDAP entry
  4) have a home directory on cn-dev with skel files

* Administrator is: brand
* Additional accounts with sudo root access: jones, vieglais
* Additional accounts: daigle, dahl, palanisamy

OS CORE
-------

* Created the package dataone-os-core to contain dependencies on packages that we need to configure the OS but which are not part of the standard install.

PAM-LDAP
--------

* During the install of libnss-ldap, configure LDAP to point at ldap.ecoinformatics.org.
* Edit /etc/ldap.conf to configure LDAP to use TLS, etc.
* Set pam_groupdn to point at an appropriate group (dataone-sysadmin).
* Set pam_member_attribute to "uniqueMember".
* Copy the LDAP server certificate to this host in /etc/ssl/certs.
* Set tlscacert to point at this certificate, and turn on starttls.
* To enable LDAP logins::

    root@cn-dev:/var/log# auth-client-config -t nss -p lac_ldap
    root@cn-dev:/var/log# pam-auth-update

  then edit /etc/nsswitch.conf and remove 'ldap' from the shadow line (it interferes with the group filter in pam_groupdn if not removed).

* To disable LDAP logins::

    root@cn-dev:/var/log# auth-client-config -r -t nss -p lac_ldap
    root@cn-dev:/var/log# pam-auth-update

* Added all of these files to the dataone-os-core package so they are put in place properly.

.. TODO: Check if the ecoinfo-cacert.pem is needed and if so install it.

FIREWALL
--------

* Added the 'ufw' package to the dataone-cn-os-core package.
* After the deb install, run::

    ufw enable
    ufw allow ssh
    ufw allow http
    ufw default deny

* Added these commands to the postinst script in dataone-os-core.

APACHE
------

* Added apache2 to the metacat dependency list.
* Added the certs for dataone.org to the dataone-os-core package.
* However, the private key file cannot be added here for security reasons; it will need to be distributed securely.
* Some of the SSL configuration is in the Metacat package as part of the vhost config.
* May want to reconsider this and install SSL in the os-core package to avoid setup conflicts between Metacat and Mercury.

JAVA
----

* Added sun-java6-jdk to the metacat dependency list.
* Be careful not to introduce dependencies on gcj, which is seriously broken.
* Added tomcat6 to the metacat dependency list.

POSTGRES
--------

* Added postgresql to the metacat dependency list.

METACAT
-------

* Created the Debian package dataone-cn-metacat to handle the metacat installation.
* Added the packages needed for metacat to the control file dependency list.
* Added a postinst script to handle the actual installation and configuration of metacat.
* Tomcat needed to be customized to support metacat, by configuring the KNB app in the postinst script.
* Tomcat6 by default restricts permissions on logging, so the 51metacat.policy script was added to allow logging operations by metacat and geoserver.
* Restricted the permissions granted in the 51metacat.policy file to apply only to the metacat code.

.. TODO: Eliminate the hardcoding in the metacat postinst script; it is too brittle.

MERCURY
-------

* Created a dataone-cn-mercury package to enumerate the mercury dependencies and put the mercury software in place on the system.

.. TODO: This is just a stub; Mercury still needs to be configured and installed.

CN SERVICE
----------

.. TODO: Create the wrapper scripts that expose CN services, and point them at the appropriate Metacat and Mercury functions.

.. TODO: Create a dataone-cn-service package to install the CN SERVICE layer.
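The PAM-LDAP settings from the section above (STARTTLS to the directory, pam_groupdn restricted to dataone-sysadmin, uniqueMember as the member attribute, and 'ldap' removed from the shadow line of nsswitch.conf) applied to scratch copies and then verified, as an added example that is not part of the CN buildout or its packages; the PADL ldap.conf key names, the group DN and the CA certificate path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CN buildout: apply the PAM-LDAP settings from
# the notes above to ldap.conf and nsswitch.conf, then verify the result.
# Assumptions: PADL pam_ldap key names (ssl, tls_cacertfile); the group DN and
# the CA certificate path below are placeholders.

# set_ldap_option FILE KEY VALUE: rewrite an existing (even commented-out) KEY
# line in place, or append one, so repeated runs leave a single line per key.
set_ldap_option() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# configure_ldap_conf FILE: STARTTLS to the directory plus the group-restricted login.
configure_ldap_conf() {
    set_ldap_option "$1" ssl start_tls
    set_ldap_option "$1" tls_cacertfile /etc/ssl/certs/ldap-server-ca.pem  # assumed
    set_ldap_option "$1" pam_groupdn 'cn=dataone-sysadmin,ou=Groups,dc=example,dc=org'
    set_ldap_option "$1" pam_member_attribute uniqueMember
}

# strip_shadow_ldap FILE: drop 'ldap' from the shadow line only (passwd and group
# keep it); an LDAP shadow lookup interferes with the pam_groupdn filter.
strip_shadow_ldap() {
    sed -i -E '/^shadow:/ s/[[:space:]]+ldap([[:space:]]|$)/\1/' "$1"
}

# check_ldap_login_config LDAP_CONF NSSWITCH: succeed only when every required
# setting is present and shadow no longer consults LDAP.
check_ldap_login_config() {
    grep -Eq '^ssl[[:space:]]+start_tls' "$1" &&
    grep -Eq '^tls_cacertfile[[:space:]]+/' "$1" &&
    grep -Eq '^pam_groupdn[[:space:]]+cn=' "$1" &&
    grep -Eq '^pam_member_attribute[[:space:]]+uniqueMember' "$1" &&
    ! grep -Eq '^shadow:.*[[:space:]]ldap([[:space:]]|$)' "$2"
}

# Demo on constructed sample files in a scratch directory, never on /etc directly.
scratch=$(mktemp -d)
printf '#ssl off\nbase dc=example,dc=org\n' > "$scratch/ldap.conf"
printf 'passwd: compat ldap\nshadow: compat ldap\ngroup: compat ldap\n' > "$scratch/nsswitch.conf"
configure_ldap_conf "$scratch/ldap.conf"
strip_shadow_ldap "$scratch/nsswitch.conf"
check_ldap_login_config "$scratch/ldap.conf" "$scratch/nsswitch.conf" && echo "LDAP login config OK"
cat "$scratch/ldap.conf" "$scratch/nsswitch.conf"
```

Run it against copies of the real files first; check_ldap_login_config is the same test to run on the host after the package's postinst has done its work.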