Installing the CN Stack
=======================

Notes by Dave, 20100204, and Robert, 20100316.

These are the (almost) literal steps taken to install the CN stack on a
squeaky clean, brand new instance of Ubuntu 9.10 64-bit, running as an amd64
virtual machine under VMware on my laptop.

Installation of Mercury was manually excluded (package still under development).

Hardware specs
--------------

:Processor: 1 CPU, 512MB RAM
:Display: 3d Disabled
:Network: NAT
:Hard Disks: SCSI, 20GB


Procedure
---------

::

  sudo apt-get update
  sudo apt-get dist-upgrade
  sudo reboot  #new kernel
  sudo apt-get install subversion
  sudo apt-get install dpkg-dev
  sudo apt-get autoremove

Edited /etc/hostname to be::

  cn-dev.dataone.org

and changed /etc/hosts to show::

  127.0.0.1	localhost
  127.0.1.1	cn-dev.dataone.org
  ...

Shut down, snapshot of clean system.  Restart.


::

  pwd
    /home/dave
  mkdir dataone
  cd dataone
  svn co https://repository.dataone.org/software/cicore/trunk/cn-buildout
  svn co https://repository.dataone.org/software/cicore/trunk/os-base-install

Moving right along, make some room for the local packages::

  sudo mkdir -p /var/dataone/apt/dists/karmic/universe/binary-amd64
  sudo sh -c "echo \"deb file:/var/dataone/apt karmic universe\" >> /etc/apt/sources.list"

Self-signed key generation:

This is where the key (``dataone_org.key``) should be added to the folder
``/etc/ssl/private``. The install step will fail otherwise, requiring ``apt-get
remove dataone-cn-metacat`` and then a re-install.

The procedure for generating your own self-signed cert::

  cd
  pwd
    /home/rwaltz
  mkdir ssl
  cd ssl

  openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...........................................++++++
    .............++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key: <type something here and remember it>
    Verifying - Enter pass phrase for server.key: <type something here and remember it>

  chmod 600 server.key
  openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key: <type something here that you typed above>
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Tennessee
    Locality Name (eg, city) []:Knoxville
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:DataONE.org
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:cn-dev.dataone.org
    Email Address []:rwaltz@cn-dev

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: <pressed enter>
    An optional company name []: <pressed enter>

  XXX NOTE that the common name is spurious XXX

  cp server.key server.key.orig
  openssl rsa -in server.key.orig -out server.key
    Enter pass phrase for server.key.orig: <type something here that you typed above>
    writing RSA key

  openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=/C=US/ST=Tennessee/L=Knoxville/O=DataONE.org/CN=cn-dev.utk.edu/emailAddress=rwaltz@cn-dev.utk.edu
    Getting Private key


  sudo cp server.key /etc/ssl/private/dataone_org.key

  sudo cp server.crt /etc/ssl/certs/dataone.org.crt
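As an added example (not part of the original notes, and not DataONE project code), the following POSIX shell script does the certificate generation above in one non-interactive step and adds the checks a practitioner would want before running the install: that the certificate and key actually belong together, that the Common Name matches the host the CN will answer as (the notes flag the CN produced above as spurious, and the subject line shows ``cn-dev.utk.edu`` where ``cn-dev.dataone.org`` was wanted), and that the key at ``/etc/ssl/private/dataone_org.key`` is non-empty and readable only by root, since the install aborts when that file is missing or empty. The output directory, the host name and the subject fields are arguments and placeholders chosen here; ``-nodes`` replaces the passphrase-then-strip sequence the notes use, with the same end result (an unencrypted key that Apache can load unattended).

```shell
#!/bin/sh
# Added example, not from the original notes: non-interactive self-signed
# certificate generation plus the checks to run before the CN install.
set -eu

# make_selfsigned DIR CN [DAYS]: writes DIR/server.key and DIR/server.crt.
# -nodes leaves the key unencrypted; the notes encrypt it and then strip the
# passphrase with 'openssl rsa', which ends in the same state.
make_selfsigned() {
  dir=$1; cn=$2; days=${3:-3650}
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
    -subj "/C=US/ST=Tennessee/L=Knoxville/O=DataONE.org/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# cert_matches_key CRT KEY: succeed only if the certificate's public key is
# the one in KEY. Comparing the RSA modulus catches a certificate that was
# copied next to the wrong key, which Apache reports only at start-up.
cert_matches_key() {
  crt_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_cn CRT: print the subject Common Name. Handles both the old
# "/CN=x" and the newer "CN = x" subject formats that openssl prints.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cn_matches_host CRT HOST: the CN must equal the name clients connect to,
# otherwise every TLS client sees a host-name mismatch (the "spurious"
# CN in the notes is exactly this problem).
cn_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# key_ready_for_install PATH: the CN install aborts on a missing or empty
# key file; also insist on mode 600 so only root can read the private key.
key_ready_for_install() {
  [ -s "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Usage, run as root on the CN (hypothetical paths; the install targets are
# the ones the notes copy to):
#   make_selfsigned /root/ssl "$(hostname -f)"
#   cert_matches_key /root/ssl/server.crt /root/ssl/server.key
#   cn_matches_host  /root/ssl/server.crt "$(hostname -f)"
#   cp /root/ssl/server.key /etc/ssl/private/dataone_org.key
#   cp /root/ssl/server.crt /etc/ssl/certs/dataone.org.crt
#   key_ready_for_install /etc/ssl/private/dataone_org.key
```

Each check is a plain shell function returning success or failure, so the sequence can be chained with ``&&`` ahead of ``make install`` and stop before the package post-install script gets as far as the failing ``SSLCertificateKeyFile`` line.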

Build out base system
~~~~~~~~~~~~~~~~~~~~~

If you are using Ubuntu 10.04 or above, first add the partner repository::

  apt-get install python-software-properties
  add-apt-repository "deb http://archive.canonical.com/ lucid partner"

Then build the base system; the debconf prompts and the answers given are
shown below the command::

  cd ~/dataone/os-base-install
  make install

   #Configuring ldap-auth-config
   Please enter the URI of the LDAP server to use. This is a string in the
   form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also
   be used. The port number is optional.

   Note: It is usually a good idea to use an IP address because it reduces
   risks of failure in the event name service problems.

   LDAP server Uniform Resource Identifier: <pressed enter>

   #Configuring ldap-auth-config
   Please enter the distinguished name of the LDAP search base. Many sites
   use the components of their domain names for this purpose. For example,
   the domain "example.net" would use "dc=example,dc=net" as the
   distinguished name of the search base.

   Distinguished name of the search base: <erased string, pressed enter>

   #Configuring ldap-auth-config
   Please enter which version of the LDAP protocol should be used by
   ldapns. It is usually a good idea to set this to the highest available
   version.

   LDAP version to use: <pressed enter>

   #Configuring ldap-auth-config
   This option will allow you to make password utilities that use pam to behave like you would be changing local passwords.
   The password will be stored in a separate file which will be made readable to root only.
   If you are using NFS mounted /etc or any other custom setup, you should disable this.
   Make local root Database admin:
   Answer: No

   #Configuring ldap-auth-config
   Note: Under a normal setup, this is not needed.
   Does the LDAP database require login?
   Answer: No

   #Configuring ldap-auth-config
   The LDAP authentication libraries now use the new unified configuration
   file /etc/ldap.conf, and no longer use /etc/pam-ldap.conf or
   /etc/libnss-ldap.conf. One or both of these old configuration files were
   found. These files cannot be automatically migrated to the new
   /etc/ldap.conf. You MUST either reconfigure your settings with debconf,
   or manually migrate your settings into /etc/ldap.conf and verify your
   configuration before logging out.

   Configuring ldap-auth-config? No

   One or more of the files
   /etc/pam.d/common-{auth,account,password,session} have been locally
   modified.  Please indicate whether these local changes should be
   overridden using the system-provided configuration.  If you decline this
   option, you will need to manage your system's authentication
   configuration by hand.

   Override local changes to /etc/pam.d/common-*? No

   Disruption of ssh warning.

Build out CN software stack
~~~~~~~~~~~~~~~~~~~~~~~~~~~

::

  cd ~/dataone/cn-buildout

Run the install (several manual steps required). Still to be worked out at
the time of writing: a way to change the hostname in the Apache config files,
plus other places that need configuring during apt-get (metacat: server.name
in WEB-INF/metacat.properties; services.xml in CnMetadataPackager, though this
will change via refactoring).

::

  sudo make install

  #Notice about unsigned packages:
  WARNING: The following packages cannot be authenticated!
    dataone-cn-os-core dataone-cn-metacat

  #Configuring mysql-server-5.1
    While not mandatory, it is highly recommended that you set a password
    for the MySQL administrative "root" user.

    If this field is left blank, the password will not be changed

    New password for the MySQL "root" user: <typed in dataone>

  Agree to Java DLJ

  One or more of the files /etc/pam.d/common-{auth,account,password,session} have been locally modified.  Please indicate
  whether these local changes should be overridden using the system-provided configuration.  If you decline this option, you
  will need to manage your system's authentication configuration by hand.
  Override local changes to /etc/pam.d/common-*?
  Answer: Yes

  Configuring ldap-auth-config
  Saying yes will allow future upgrades to use these settings. This is the recommended option.
  Should debconf manage LDAP configuration?
  Answer: Yes

  Disruption of ssh warning.

If you didn't add the ``dataone_org.key`` then this is what you will see::

  appending 'host metacat metacat 127.0.0.1 255.255.255.255 password' to /etc/postgresql/8.4/main/pg_hba.conf
  Creating metacat database schema
  Creating metacat user
  CREATE ROLE
  Restarting postgres database
   * Restarting PostgreSQL 8.4 database server
     ...done.
   * Starting web server apache2
  Warning: DocumentRoot [/usr/share/tomcat6/webapps/knb] does not exist
  Warning: DocumentRoot [/usr/share/tomcat6/webapps/knb] does not exist
  Syntax error on line 28 of /etc/apache2/sites-enabled/knb-ssl:
  SSLCertificateKeyFile: file '/etc/ssl/private/dataone_org.key' does not exist or is empty
     ...fail!
  starting Tomcat server
   * Starting Tomcat servlet engine tomcat6
     ...done.



Otherwise you should be golden::

  /etc/init.d/apache2 restart

Check out http://localhost/knb

You will need to set up Metacat for administrative privileges. The user should
already be correct, but you will need to go to http://localhost/knb/admin, type
in the administrative user name, and then configure the database.

You will also need to start up the mnsynchronization process, which at this
point is still somewhat ill-defined.


Testing Only
------------

Turned off the firewall and restarted Tomcat::

  ufw disable

  /etc/init.d/tomcat6 restart

Perform the steps in mercury_setup_notes, and then restart tomcat6 again.