Coordinating Node System Configuration
======================================

This file represents a log of system configuration that needs to be done on
the CN instances. Many of these settings will be already done for the CN
virtual machines, but some settings will need to be changed in order to run
multiple instances of the CN at different sites.

The CN buildout has been automated by creating a series of Debian packages
that are built and installed using a custom Makefile. To build a coordinating
node from scratch, one should only need to install the base OS, upgrade it to
catch security updates, modify the apt sources list, add the 'dpkg-dev'
package, and then run::

    make install

at the root of the CN buildout.

Notes on various components that make up the CN node are included below.

OS
--

Install Ubuntu 9.10. The plan is to use the Ubuntu 10.4 LTS release, so we are
building off 9.10 as this is the closest OS to that release. Do a standard
server install, then run ``apt-get update; apt-get dist-upgrade`` to keep
packages in sync. Afterwards, modify sources.list to add a new local
repository for the packages that we will generate::

  $ sudo mkdir -p /var/dataone/apt
  $ echo "deb file:/var/dataone/apt karmic universe" | sudo tee -a /etc/apt/sources.list

You will also need dpkg-dev for a few dpkg utilities before the Makefile will
run properly, so use::

  $ sudo apt-get install dpkg-dev


HOST, NETWORK AND ACCOUNTS
---------------------------

* Assign IP on local network, configure DHCP, DNS, hostname, etc.

* Create local sysadmin accounts for brand and jones, enable sudo through
  group 'admin'

* Host for development server is::

    cn-dev.dataone.org -> 128.111.220.50

* Accounts are controlled through LDAP. (See below for LDAP system
  configuration.) To be able to log in, the user must:

    1) Have a valid LDAP account on ldap.ecoinformatics.org

    2) Be added to the dataone-sysadmin group

    3) Have valid homedir, shell, and other POSIX attributes in their LDAP
       entry

    4) Have a home directory on cn-dev with skel files

* Administrator is: brand

* Additional accounts with sudo root access: jones, vieglais

* Additional accounts: daigle, dahl, palanisamy


OS CORE
-------

* Created package dataone-os-core to contain dependencies on packages that we
  need to configure the OS but which are not part of the standard install
 
PAM-LDAP
--------

* During install of libnss-ldap, configure LDAP to point at ldap.ecoinformatics.org

* Edit /etc/ldap.conf to configure LDAP to use TLS, etc.

    * set pam_groupdn to point at an appropriate group (dataone-sysadmin)

    * set pam_member_attribute to "uniqueMember"

    * Copy the LDAP server certificate to this host in /etc/ssl/certs

    * set tlscacert to point at this certificate, and turn on starttls

* To enable LDAP logins, run::

      root@cn-dev:/var/log# auth-client-config -t nss -p lac_ldap
      root@cn-dev:/var/log# pam-auth-update

  then edit /etc/nsswitch.conf and remove 'ldap' from the shadow line (it
  interferes with the group filter in pam_groupdn if not removed).

* To disable LDAP logins::

      root@cn-dev:/var/log# auth-client-config -r -t nss -p lac_ldap
      root@cn-dev:/var/log# pam-auth-update

* Added all of these files to the dataone-os-core package so they are put in place properly
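
As an added check (not part of the CN buildout or the dataone-os-core
package), the script below verifies that a host's ldap.conf and nsswitch.conf
carry the settings listed above. It uses libnss-ldap's key names (``ssl
start_tls``, ``tls_cacertfile``, ``pam_groupdn``, ``pam_member_attribute``) and
additionally checks ``tls_checkpeer yes``, without which the CA certificate is
not enforced; the sample group DN is a placeholder, not the real one.

```shell
#!/bin/sh
# Added check, not part of the CN buildout: verifies that a host's
# /etc/ldap.conf and /etc/nsswitch.conf carry the PAM-LDAP settings listed
# above.  Paths are arguments so it can be run on copies or the live files.
# Key names are libnss-ldap's (ssl start_tls, tls_cacertfile, tls_checkpeer).

# Print the value of an ldap.conf key (first match; comment lines ignored).
ldap_conf_value() {
    # $1 = ldap.conf path, $2 = key
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

check_ldap_login_config() {
    # $1 = ldap.conf path, $2 = nsswitch.conf path; returns number of problems
    conf=$1; nss=$2; problems=0
    fail() { echo "$1"; problems=$((problems+1)); }

    # TLS must be on, and the server cert verified against the CA file.
    [ "$(ldap_conf_value "$conf" ssl)" = "start_tls" ] || fail "ldap.conf: 'ssl start_tls' missing"
    [ "$(ldap_conf_value "$conf" tls_checkpeer)" = "yes" ] || fail "ldap.conf: 'tls_checkpeer yes' missing, CA file not enforced"
    cacert=$(ldap_conf_value "$conf" tls_cacertfile)
    if [ -z "$cacert" ]; then fail "ldap.conf: tls_cacertfile not set"
    elif [ ! -r "$cacert" ]; then fail "ldap.conf: tls_cacertfile $cacert is not readable"
    fi

    # Logins must be restricted to the sysadmin group via uniqueMember.
    [ -n "$(ldap_conf_value "$conf" pam_groupdn)" ] || fail "ldap.conf: pam_groupdn not set, every LDAP user could log in"
    [ "$(ldap_conf_value "$conf" pam_member_attribute)" = "uniqueMember" ] || fail "ldap.conf: pam_member_attribute should be uniqueMember"

    # 'ldap' on the shadow line defeats the pam_groupdn filter (see above).
    if grep -E '^[[:space:]]*shadow:.*[[:space:]]ldap([[:space:]]|$)' "$nss" >/dev/null; then
        fail "nsswitch.conf: remove 'ldap' from the shadow line"
    fi
    return $problems
}

# Constructed sample files; the group DN is a placeholder, not the real one.
sample_ldap_conf() {
    # $1 = path of a readable CA certificate file to reference
    printf 'uri ldap://ldap.ecoinformatics.org/\nssl start_tls\ntls_checkpeer yes\n'
    printf 'tls_cacertfile %s\n' "$1"
    printf 'pam_groupdn cn=dataone-sysadmin,ou=Groups,dc=example,dc=org\n'
    printf 'pam_member_attribute uniqueMember\n'
}
sample_nsswitch() { printf 'passwd: files ldap\ngroup: files ldap\nshadow: files\n'; }
```

On a live node run it as ``check_ldap_login_config /etc/ldap.conf /etc/nsswitch.conf``; a non-zero exit status is the number of problems found.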

..TODO: Check if the ecoinfo-cacert.pem is needed and if so install it

FIREWALL
--------

* Added 'ufw' package to the dataone-cn-os-core package

* After the deb is installed, run::

      ufw enable
      ufw allow ssh
      ufw allow http
      ufw default deny

* Added these commands to the postinst script in dataone-os-core
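
As an added check (not the buildout's own code), the script below reads saved
``ufw status verbose`` output and confirms the rules above are in place. It
reports first on the ssh rule, since a deny-by-default firewall without it
blocks every new SSH session to the node. The sample output is constructed,
not captured from cn-dev.

```shell
#!/bin/sh
# Added check, not part of the CN buildout: reads saved 'ufw status verbose'
# output and confirms the firewall policy listed above (active, default deny
# incoming, ssh and http allowed).  It takes a file so it can be run on a
# saved copy; on the node itself: sudo ufw status verbose > /tmp/ufw.txt

# Return 0 if the rule table in $1 allows $2 (e.g. 22/tcp) from anywhere.
# Older ufw prints "ALLOW", newer "ALLOW IN"; both are accepted.
ufw_allows() {
    grep -E "^$2[[:space:]]+ALLOW( IN)?[[:space:]]+Anywhere" "$1" >/dev/null
}

check_ufw_status() {
    # $1 = path to saved 'ufw status verbose' output; returns number of problems
    status=$1; problems=0
    fail() { echo "$1"; problems=$((problems+1)); }

    grep -q '^Status: active' "$status" || fail "ufw is not active"
    # The incoming policy is printed first, so a prefix match is enough.
    grep -q '^Default: deny' "$status" || fail "default incoming policy is not deny"
    # Without this rule a deny-by-default firewall blocks every new SSH
    # session to the node, so it is the first rule to confirm.
    ufw_allows "$status" 22/tcp || fail "ssh (22/tcp) is not allowed"
    ufw_allows "$status" 80/tcp || fail "http (80/tcp) is not allowed"
    return $problems
}

# Constructed sample in the layout of 'ufw status verbose' (not captured
# from cn-dev), for trying the check offline.
sample_ufw_status() {
    printf 'Status: active\nLogging: on (low)\n'
    printf 'Default: deny (incoming), allow (outgoing)\nNew profiles: skip\n\n'
    printf 'To                         Action      From\n'
    printf '%s\n' '--                         ------      ----'
    printf '22/tcp                     ALLOW IN    Anywhere\n'
    printf '80/tcp                     ALLOW IN    Anywhere\n'
}
```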

APACHE
------

* Added apache2 to metacat dependency list

* Added certs for dataone.org to the dataone-os-core package

    * However, the private key file can't be added here for security reasons;
      it will need to be distributed securely.

* Some of the SSL configuration is in the Metacat package as part of the vhost config

    * We may want to reconsider this and install the SSL configuration in the
      os-core package to avoid setup conflicts between Metacat and Mercury.

JAVA
----

* Added sun-java6-jdk to metacat dependency list

    * Be careful not to introduce dependencies on gcj, which is seriously broken.

* Added tomcat6 to metacat dependency list

POSTGRES
--------

* Added postgresql to the metacat dependency list

METACAT
-------

* Created debian package dataone-cn-metacat to handle the metacat installation

* Added packages needed for metacat to the control file dependency list

* Added a postinst script to handle the actual installation and configuration
  of metacat

* Tomcat needed to be customized to support metacat, by configuring the KNB
  app in the postinst script.

* Tomcat6 by default restricts permissions on logging, so the 51metacat.policy
  file was added to allow logging operations by metacat and geoserver

* Restricted the permissions granted in the 51metacat.policy file to only
  apply to the metacat code

..TODO: Eliminate hardcoding in the metacat postinst script -- it is too brittle

MERCURY
-------

* Created a dataone-cn-mercury package to be used to enumerate mercury
  dependencies and put mercury software in place on the system

..TODO: This is just a stub and Mercury needs to be configured and installed still

CN SERVICE
----------

..TODO: Create the wrapper scripts that expose CN services, and point them at the appropriate Metacat and Mercury functions

..TODO: Create a dataone-cn-service package to install the CN SERVICE layer