Installing the CN Stack
=======================

Notes by Dave, 20100204, and Robert, 20100316.

These are the (almost) literal steps taken to install the CN stack on a
squeaky clean, brand new instance of Ubuntu 9.10 64bit, running as an amd64
virtual machine under VMware on my laptop. Installation of Mercury was
manually excluded (package still under development).

Hardware specs
--------------

:Processor: 1 CPU, 512MB RAM
:Display: 3D disabled
:Network: NAT
:Hard Disks: SCSI, 20GB

Procedure
---------

::

  sudo apt-get update
  sudo apt-get dist-upgrade
  sudo reboot   # new kernel
  sudo apt-get install subversion
  sudo apt-get install dpkg-dev
  sudo apt-get autoremove

Edited ``/etc/hostname`` to be::

  cn-dev.dataone.org

and changed ``/etc/hosts`` to show::

  127.0.0.1   localhost
  127.0.1.1   cn-dev.dataone.org
  ...

Shut down, snapshot of the clean system, restart.

::

  pwd
  /home/dave
  mkdir dataone
  cd dataone
  svn co https://repository.dataone.org/software/cicore/trunk/cn-buildout
  svn co https://repository.dataone.org/software/cicore/trunk/os-base-install

Moving right along, make some room for the local packages::

  sudo mkdir -p /var/dataone/apt/dists/karmic/universe/binary-amd64
  sudo sh -c "echo \"deb file:/var/dataone/apt karmic universe\" >> /etc/apt/sources.list"

Note that this adds an unsigned, file-based repository. apt cannot
authenticate anything served from it, which is why ``make install`` later
warns that ``dataone-cn-os-core`` and ``dataone-cn-metacat`` "cannot be
authenticated". That is tolerable for a local build tree on a throwaway VM,
but packages from such a repository should not be trusted on any machine
other than the one they were built on.

Self-signed key generation
~~~~~~~~~~~~~~~~~~~~~~~~~~

This is where the key (``dataone_org.key``) should be added to the folder
``/etc/ssl/private``. The install step will fail otherwise, requiring
``apt-get remove dataone-cn-metacat`` and then a re-install.
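The interactive ``openssl genrsa`` / ``req`` / ``x509`` walk-through that
follows is what was actually typed. As an added example, not part of the
original notes and not DataONE's own tooling, the POSIX shell below produces
the same two files in one non-interactive ``openssl req -x509`` call: a
2048-bit key instead of 1024, no passphrase (so Apache can start unattended),
the hostname as both CN and subjectAltName, and mode 0600 on the key. A second
function performs the two checks worth doing before copying anything into
``/etc/ssl``: that the certificate's subject carries the expected CN, and that
the private key actually matches the certificate. The subject fields other
than CN mirror the values typed in the notes; the hostname argument, output
paths and function names are assumptions. It requires the ``openssl`` command
line tool.

```shell
#!/bin/sh
# Added example: non-interactive self-signed server certificate for the CN.
# Not from the DataONE notes; hostname and output paths are supplied by the
# caller.  Requires the openssl command-line tool.

# make_self_signed HOSTNAME KEYFILE CERTFILE
#   Writes a 2048-bit RSA key (no passphrase, mode 0600) and a 10-year
#   self-signed certificate whose CN and subjectAltName are both HOSTNAME.
make_self_signed() {
    mss_host="$1"; mss_key="$2"; mss_crt="$3"
    mss_cfg="$(mktemp)"
    # Subject fields other than CN mirror the values typed in the notes.
    cat > "$mss_cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
C  = US
ST = Tennessee
L  = Knoxville
O  = DataONE.org
CN = $mss_host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$mss_host
EOF
    # umask 077 so the key file is never group/world readable, even briefly.
    ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$mss_cfg" -keyout "$mss_key" -out "$mss_crt" 2>/dev/null )
    mss_rc=$?
    rm -f "$mss_cfg"
    chmod 600 "$mss_key"
    return $mss_rc
}

# check_cert HOSTNAME KEYFILE CERTFILE
#   Returns 0 only if the certificate's CN is exactly HOSTNAME and the public
#   key embedded in the certificate equals the one derived from KEYFILE.
check_cert() {
    cc_host="$1"; cc_key="$2"; cc_crt="$3"
    # RFC2253 formatting gives "CN=host,O=...,..." regardless of OpenSSL version.
    cc_subject="$(openssl x509 -in "$cc_crt" -noout -subject -nameopt RFC2253)"
    case "$cc_subject" in
        *"CN=$cc_host,"*|*"CN=$cc_host") ;;
        *) echo "CN mismatch: $cc_subject" >&2; return 1 ;;
    esac
    cc_pub_crt="$(openssl x509 -in "$cc_crt" -noout -pubkey)"
    cc_pub_key="$(openssl pkey -in "$cc_key" -pubout)"
    [ -n "$cc_pub_crt" ] && [ "$cc_pub_crt" = "$cc_pub_key" ] || {
        echo "private key does not match certificate" >&2; return 1; }
    return 0
}

# key_bits KEYFILE
#   Prints the RSA modulus size (e.g. 2048) so a too-short key is obvious.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Usage: sh make_cn_cert.sh cn-dev.dataone.org server.key server.crt
if [ $# -eq 3 ]; then
    make_self_signed "$1" "$2" "$3" && check_cert "$1" "$2" "$3" \
        && echo "ok: $3 ($(key_bits "$2")-bit key in $2)"
fi
```

The CN/SAN argument must be the hostname the CN is reached by (here
``cn-dev.dataone.org``); ``check_cert`` with any other name fails, which is
exactly the mismatch the "common name is spurious" note in the transcript is
warning about. After the checks pass, copy the files to
``/etc/ssl/private/dataone_org.key`` and ``/etc/ssl/certs/dataone.org.crt``
as in the notes.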
The procedure for generating your own self-signed cert::

  cd
  pwd
  /home/rwaltz
  mkdir ssl
  cd ssl
  openssl genrsa -des3 -out server.key 1024
  Generating RSA private key, 1024 bit long modulus
  ...........................................++++++
  .............++++++
  e is 65537 (0x10001)
  Enter pass phrase for server.key:
  Verifying - Enter pass phrase for server.key:
  chmod 600 server.key
  openssl req -new -key server.key -out server.csr
  Enter pass phrase for server.key:
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:Tennessee
  Locality Name (eg, city) []:Knoxville
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:DataONE.org
  Organizational Unit Name (eg, section) []:
  Common Name (eg, YOUR name) []:cn-dev.dataone.org
  Email Address []:rwaltz@cn-dev

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

XXX NOTE that the common name is spurious XXX

::

  cp server.key server.key.orig
  openssl rsa -in server.key.orig -out server.key
  Enter pass phrase for server.key.orig:
  writing RSA key
  openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
  Signature ok
  subject=/C=US/ST=Tennessee/L=Knoxville/O=DataONE.org/CN=cn-dev.utk.edu/emailAddress=rwaltz@cn-dev.utk.edu
  Getting Private key
  sudo cp server.key /etc/ssl/private/dataone_org.key
  sudo cp server.crt /etc/ssl/certs/dataone.org.crt

Three points about that transcript matter beyond the dev VM. The common-name
warning is real: TLS clients compare the name they connected to against the
certificate's CN (and, in current clients, its subjectAltName), and the
subject printed by the signing step (``CN=cn-dev.utk.edu``) is not the
``cn-dev.dataone.org`` typed into the CSR, so a client reaching the CN by that
hostname will reject this certificate; make sure the CSR carries the hostname
the CN is actually served under. A 1024-bit RSA modulus is below the 2048-bit
minimum that public CAs and browsers have enforced since 2014, and nothing in
the stack needs it to be that small, so use at least 2048. Finally,
``openssl rsa -in server.key.orig -out server.key`` strips the passphrase so
that Apache can start unattended, which leaves file permissions as the only
protection on the key: keep it root-owned and mode 0600 in
``/etc/ssl/private`` (hence the ``chmod 600`` above), and do not leave copies,
``server.key.orig`` included, lying around in a home directory.

Build out base system
~~~~~~~~~~~~~~~~~~~~~

If you are using Ubuntu 10.04 or above then you will need to run these
commands first::

  apt-get install python-software-properties
  add-apt-repository "deb http://archive.canonical.com/ lucid partner"

::

  cd ~/dataone/os-base-install
  make install

The install asks a series of debconf questions; where an answer was given it
is recorded after the prompt::

  #Configuring ldap-auth-config
  Please enter the URI of the LDAP server to use. This is a string in the
  form of ldap://<hostname or IP address>:<port>/. ldaps:// or ldapi:// can
  also be used. The port number is optional.
  Note: It is usually a good idea to use an IP address because it reduces
  risks of failure in the event of name service problems.
  LDAP server Uniform Resource Identifier:

  #Configuring ldap-auth-config
  Please enter the distinguished name of the LDAP search base. Many sites use
  the components of their domain names for this purpose. For example, the
  domain "example.net" would use "dc=example,dc=net" as the distinguished
  name of the search base.
  Distinguished name of the search base:

  #Configuring ldap-auth-config
  Please enter which version of the LDAP protocol should be used by ldapns.
  It is usually a good idea to set this to the highest available version.
  LDAP version to use:

  #Configuring ldap-auth-config
  This option will allow you to make password utilities that use pam to
  behave like you would be changing local passwords. The password will be
  stored in a separate file which will be made readable to root only. If you
  are using NFS mounted /etc or any other custom setup, you should disable
  this.
  Make local root Database admin:  Answer: No

  #Configuring ldap-auth-config
  Note: Under a normal setup, this is not needed.
  Does the LDAP database require login?  Answer: No

  #Configuring ldap-auth-config
  The LDAP authentication libraries now use the new unified configuration
  file /etc/ldap.conf, and no longer use /etc/pam-ldap.conf or
  /etc/libnss-ldap.conf. One or both of these old configuration files were
  found. These files cannot be automatically migrated to the new
  /etc/ldap.conf. You MUST either reconfigure your settings with debconf, or
  manually migrate your settings into /etc/ldap.conf and verify your
  configuration before logging out.
  Configuring ldap-auth-config?  No

  One or more of the files /etc/pam.d/common-{auth,account,password,session}
  have been locally modified. Please indicate whether these local changes
  should be overridden using the system-provided configuration. If you
  decline this option, you will need to manage your system's authentication
  configuration by hand.
  Override local changes to /etc/pam.d/common-*?  No

  Disruption of ssh warning.

Build out CN software stack
~~~~~~~~~~~~~~~~~~~~~~~~~~~

::

  cd ~/dataone/cn-buildout

Run the install (several manual steps required). Open issues noted at the
time:

NEED TO DETERMINE A WAY TO CHANGE THE HOSTNAME IN THE APACHE CONFIG FILES!!!!

THERE ARE OTHER PLACES THAT NEED CONFIGURING DURING APT-GET AS WELL
(metacat: ``server.name`` in ``WEB-INF/metacat.properties``; ``services.xml``
in CnMetadataPackager, though this will change via refactoring).

::

  sudo make install

  #Notice about unsigned packages:
  WARNING: The following packages cannot be authenticated!
    dataone-cn-os-core dataone-cn-metacat

  #Configuring mysql-server-5.1
  While not mandatory, it is highly recommended that you set a password for
  the MySQL administrative "root" user. If this field is left blank, the
  password will not be changed.
  New password for the MySQL "root" user:

  Agree to Java DLJ

  One or more of the files /etc/pam.d/common-{auth,account,password,session}
  have been locally modified. Please indicate whether these local changes
  should be overridden using the system-provided configuration. If you
  decline this option, you will need to manage your system's authentication
  configuration by hand.
  Override local changes to /etc/pam.d/common-*?  Answer: Yes

  #Configuring ldap-auth-config
  Saying yes will allow future upgrades to use these settings. This is the
  recommended option.
  Should debconf manage LDAP configuration?  Answer: Yes

  Disruption of ssh warning.

If you didn't add the ``dataone_org.key`` then this is what you will see::

  appending 'host metacat metacat 127.0.0.1 255.255.255.255 password' to /etc/postgresql/8.4/main/pg_hba.conf
  Creating metacat database schema
  Creating metacat user
  CREATE ROLE
  Restarting postgres database
   * Restarting PostgreSQL 8.4 database server
     ...done.
   * Starting web server apache2
     Warning: DocumentRoot [/usr/share/tomcat6/webapps/knb] does not exist
     Warning: DocumentRoot [/usr/share/tomcat6/webapps/knb] does not exist
     Syntax error on line 28 of /etc/apache2/sites-enabled/knb-ssl:
     SSLCertificateKeyFile: file '/etc/ssl/private/dataone_org.key' does not exist or is empty
     ...fail!
  starting Tomcat server
   * Starting Tomcat servlet engine tomcat6
     ...done.

Otherwise you should be golden.

Whether or not the key was in place, note the line the installer appends to
``pg_hba.conf``: the ``password`` method sends the metacat role's password to
PostgreSQL in cleartext. It is restricted to 127.0.0.1 here, so the exposure
is local to the host, but if you edit that line by hand prefer ``md5``.

::

  /etc/init.d/apache2 restart

Check out http://localhost/knb

You will need to set up Metacat for administrative privileges. The user
should already be correct, but you will need to go to
http://localhost/knb/admin, type in the administrative user name, and then
configure the database. You will also need to start up the mnsynchronization
process, which at this point is still somewhat ill-defined.

Testing Only
------------

Turned off the firewall (for testing only; re-enable it, opening just the
ports the CN needs, before the host is reachable from outside the NAT)::

  ufw disable
  /etc/init.d/tomcat6 restart

Perform mercury_setup_notes and then restart tomcat6 again.