Index: /trunk/server/common/oursrc/accountadm/Makefile.in =================================================================== --- /trunk/server/common/oursrc/accountadm/Makefile.in (revision 1692) +++ /trunk/server/common/oursrc/accountadm/Makefile.in (revision 1693) @@ -11,5 +11,5 @@ admof: admof.c - $(CC) $(CPPFLAGS) $(CFLAGS) $< -L/usr/lib/afs -L/usr/lib64/afs -lprot -lauth -lrxkad -lubik -laudit -lsys -lrx -llwp -lsys -lafsutil -lcom_err -lresolv -lkrb5 -ldes -lkrb4 -o $@ + $(CC) $(CPPFLAGS) $(CFLAGS) $< -L/usr/lib/afs -L/usr/lib64/afs -lprot -lauth -lrxkad -lubik -laudit -lsys -lrx -llwp -lsys -lafsutil -lcom_err -lresolv -lkrb5 -ldes -o $@ install: Index: /trunk/server/common/oursrc/accountadm/admof.c =================================================================== --- /trunk/server/common/oursrc/accountadm/admof.c (revision 1692) +++ /trunk/server/common/oursrc/accountadm/admof.c (revision 1693) @@ -30,7 +30,11 @@ #include #include -#include #include #include + +#define ANAME_SZ 40 +#define REALM_SZ 40 +#define INST_SZ 40 +#define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) extern int pioctl(char *, afs_int32, struct ViceIoctl *, afs_int32); @@ -117,7 +121,15 @@ if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0) die("internal error: krb5_524_conv_principal failed\n"); - if (kname_unparse(user, pname, pinst, - strcmp(prealm, realm_list[0]) == 0 ? NULL : prealm) != 0) - die("internal error: kname_unparse failed\n"); + + krb5_data realm = *krb5_princ_realm(context, principal); + if (realm.length > REALM_SZ - 1) + realm.length = REALM_SZ - 1; + if (strlen(realm_list[0]) == realm.length && + memcmp(realm.data, realm_list[0], realm.length) == 0) + snprintf(user, MAX_K_NAME_SZ, "%s%s%s", + pname, pinst[0] ? "." : "", pinst); + else + snprintf(user, MAX_K_NAME_SZ, "%s%s%s@%.*s", + pname, pinst[0] ? "." : "", pinst, realm.length, realm.data); krb5_free_principal(context, principal); Index: unk/server/common/patches/ghostscript-CVE-2010-1628.patch =================================================================== --- /trunk/server/common/patches/ghostscript-CVE-2010-1628.patch (revision 1692) +++ (revision ) @@ -1,127 +1,0 @@ -Index: gs/psi/idosave.h -=================================================================== ---- gs/psi/idosave.h (revision 11306) -+++ gs/psi/idosave.h (working copy) -@@ -18,6 +18,22 @@ - # define idosave_INCLUDED - - /* -+ * Structure for saved change chain for save/restore. Because of the -+ * garbage collector, we need to distinguish the cases where the change -+ * is in a static object, a dynamic ref, or a dynamic struct. -+ */ -+typedef struct alloc_change_s alloc_change_t; -+struct alloc_change_s { -+ alloc_change_t *next; -+ ref_packed *where; -+ ref contents; -+#define AC_OFFSET_STATIC (-2) /* static object */ -+#define AC_OFFSET_REF (-1) /* dynamic ref */ -+#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */ -+ short offset; /* if >= 0, offset within struct */ -+}; -+ -+/* - * Save a change that must be undone by restore. We have to pass the - * pointer to the containing object to alloc_save_change for two reasons: - * -@@ -29,6 +45,7 @@ - * relocate the pointer to it from the change record during garbage - * collection. - */ -+ - int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont, - ref_packed *ptr, client_name_t cname); - int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont, -@@ -36,6 +53,6 @@ - /* Remove an AC_OFFSET_ALLOCATED element. */ - void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname); - /* Allocate a structure for recording an allocation event. */ --int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr); -+int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp); - - #endif /* idosave_INCLUDED */ -Index: gs/psi/isave.c -=================================================================== ---- gs/psi/isave.c (revision 11306) -+++ gs/psi/isave.c (working copy) -@@ -156,22 +156,6 @@ - /* A link to igcref.c . */ - ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed); - --/* -- * Structure for saved change chain for save/restore. Because of the -- * garbage collector, we need to distinguish the cases where the change -- * is in a static object, a dynamic ref, or a dynamic struct. -- */ --typedef struct alloc_change_s alloc_change_t; --struct alloc_change_s { -- alloc_change_t *next; -- ref_packed *where; -- ref contents; --#define AC_OFFSET_STATIC (-2) /* static object */ --#define AC_OFFSET_REF (-1) /* dynamic ref */ --#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */ -- short offset; /* if >= 0, offset within struct */ --}; -- - static - CLEAR_MARKS_PROC(change_clear_marks) - { -@@ -519,7 +503,7 @@ - - /* Allocate a structure for recording an allocation event. */ - int --alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr) -+alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp) - { - register alloc_change_t *cp; - -@@ -533,8 +517,7 @@ - cp->where = 0; - cp->offset = AC_OFFSET_ALLOCATED; - make_null(&cp->contents); -- mem->changes = cp; -- *ppr = &cp->where; -+ *pcp = cp; - return 1; - } - -Index: gs/psi/ialloc.c -=================================================================== ---- gs/psi/ialloc.c (revision 11306) -+++ gs/psi/ialloc.c (working copy) -@@ -185,7 +185,14 @@ - */ - chunk_t *pcc = mem->pcc; - ref *end; -+ alloc_change_t *cp = 0; -+ int code = 0; - -+ if ((gs_memory_t *)mem != mem->stable_memory) { -+ code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp); -+ if (code < 0) -+ return code; -+ } - obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1, - ref, &st_refs, cname); - if (obj == 0) -@@ -210,14 +217,10 @@ - chunk_locate_ptr(obj, &cl); - cl.cp->has_refs = true; - } -- if ((gs_memory_t *)mem != mem->stable_memory) { -- ref_packed **ppr = 0; -- int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr); -- if (code < 0) -- return code; -- if (ppr) -- *ppr = (ref_packed *)obj; -- } -+ if (cp) { -+ mem->changes = cp; -+ cp->where = (ref_packed *)obj; -+ } - } - make_array(parr, attrs | mem->space, num_refs, obj); - return 0; Index: /trunk/server/common/patches/krb5-kuserok-scripts.patch =================================================================== --- /trunk/server/common/patches/krb5-kuserok-scripts.patch (revision 1692) +++ /trunk/server/common/patches/krb5-kuserok-scripts.patch (revision 1693) @@ -36,5 +36,5 @@ FILE *fp; char kuser[MAX_USERNAME]; -@@ -79,70 +79,35 @@ +@@ -79,71 +79,35 @@ char linebuf[BUFSIZ]; char *newline; @@ -72,4 +72,5 @@ - return(FALSE); - } +- set_cloexec_file(fp); - /* - * For security reasons, the .k5login file must be owned either by Index: unk/server/common/patches/openafs-release-glock.patch =================================================================== --- /trunk/server/common/patches/openafs-release-glock.patch (revision 1692) +++ (revision ) @@ -1,14 +1,0 @@ -diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c -index 77c4440..1d83549 100644 ---- a/src/afs/LINUX/osi_vnodeops.c -+++ b/src/afs/LINUX/osi_vnodeops.c -@@ -308,7 +308,9 @@ afs_linux_readdir(struct file *fp, void *dirbuf, filldir_t filldir) - /* clean up from afs_FindVCache */ - afs_PutVCache(tvc); - } -+ AFS_GUNLOCK(); - code = (*filldir) (dirbuf, de->name, len, offset, ino, type); -+ AFS_GLOCK(); - } - #else - code = (*filldir) (dirbuf, de->name, len, offset, ino); Index: /trunk/server/common/patches/openafs-scripts.patch =================================================================== --- /trunk/server/common/patches/openafs-scripts.patch (revision 1692) +++ /trunk/server/common/patches/openafs-scripts.patch (revision 1693) @@ -134,5 +134,5 @@ --- openafs-1.4/src/afs/afs_osi_pag.c +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c -@@ -51,6 +51,8 @@ +@@ -49,6 +49,8 @@ #endif /* Local variables */ @@ -143,5 +143,5 @@ * Pags are implemented as follows: the set of groups whose long * representation is '41XXXXXX' hex are used to represent the pags. -@@ -458,6 +460,15 @@ +@@ -449,6 +451,15 @@ av->uid = acred->cr_ruid; /* default when no pag is set */ #endif @@ -156,7 +156,7 @@ + } + - av->initd = 0; return 0; } + diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c --- openafs-1.4/src/afs/afs_pioctl.c Index: unk/server/common/patches/openssh-4.5p1-multihomed.patch =================================================================== --- /trunk/server/common/patches/openssh-4.5p1-multihomed.patch (revision 1692) +++ (revision ) @@ -1,61 +1,0 @@ -diff -ur openssh-4.5p1.orig/gss-genr.c openssh-4.5p1/gss-genr.c ---- openssh-4.5p1.orig/gss-genr.c 2006-08-29 21:08:04.000000000 -0400 -+++ openssh-4.5p1/gss-genr.c 2007-09-10 16:19:50.000000000 -0400 -@@ -235,22 +235,11 @@ - ssh_gssapi_acquire_cred(Gssctxt *ctx) - { - OM_uint32 status; -- char lname[MAXHOSTNAMELEN]; - gss_OID_set oidset; - - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); - -- if (gethostname(lname, MAXHOSTNAMELEN)) { -- gss_release_oid_set(&status, &oidset); -- return (-1); -- } -- -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -- gss_release_oid_set(&status, &oidset); -- return (ctx->major); -- } -- - if ((ctx->major = gss_acquire_cred(&ctx->minor, - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) - ssh_gssapi_error(ctx); -diff -ur openssh-4.5p1.orig/gss-serv.c openssh-4.5p1/gss-serv.c ---- openssh-4.5p1.orig/gss-serv.c 2006-09-01 01:38:36.000000000 -0400 -+++ openssh-4.5p1/gss-serv.c 2007-09-10 16:19:50.000000000 -0400 -@@ -102,6 +102,8 @@ - { - OM_uint32 status; - gss_OID mech; -+ gss_name_t acceptor_name = GSS_C_NO_NAME; -+ gss_buffer_desc acceptor_name_buffer = GSS_C_EMPTY_BUFFER; - - ctx->major = gss_accept_sec_context(&ctx->minor, - &ctx->context, ctx->creds, recv_tok, -@@ -116,6 +118,22 @@ - else - debug("Got no client credentials"); - -+ ctx->major = gss_inquire_context(&ctx->minor, ctx->context, NULL, &acceptor_name, NULL, NULL, NULL, NULL, NULL); -+ -+ if (GSS_ERROR(ctx->major)) { -+ ssh_gssapi_error(ctx); -+ } else { -+ ctx->major = gss_display_name(&ctx->minor, acceptor_name, &acceptor_name_buffer, NULL); -+ -+ if (GSS_ERROR(ctx->major)) { -+ ssh_gssapi_error(ctx); -+ } else if (acceptor_name_buffer.length < 5 || strncmp(acceptor_name_buffer.value, "host@", 5) != 0 && strncmp(acceptor_name_buffer.value, "host/", 5) != 0) { -+ debug("Accepting credential '%s' was not for the host service.", acceptor_name_buffer.value); -+ ctx->major = GSS_S_BAD_NAME; -+ } -+ } -+ gss_release_buffer(&status, &acceptor_name_buffer); -+ gss_release_name(&status, &acceptor_name); - status = ctx->major; - - /* Now, if we're complete and we have the right flags, then Index: unk/server/common/patches/openssh-5.0p1-multihomed.patch =================================================================== --- /trunk/server/common/patches/openssh-5.0p1-multihomed.patch (revision 1692) +++ (revision ) @@ -1,62 +1,0 @@ -# OpenSSH multihomed patch -# -# Anders Kaseorg -# ported from 4.5 to 5.0 by Joe Presbrey -diff -ur openssh-5.0p1.orig/gss-serv.c openssh-5.0p1/gss-serv.c ---- openssh-5.0p1.orig/gss-serv.c 2008-05-20 00:00:00.000000000 -0400 -+++ openssh-5.0p1/gss-serv.c 2008-05-20 00:00:00.000000000 -0400 -@@ -77,22 +77,11 @@ - ssh_gssapi_acquire_cred(Gssctxt *ctx) - { - OM_uint32 status; -- char lname[MAXHOSTNAMELEN]; - gss_OID_set oidset; - - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); - -- if (gethostname(lname, MAXHOSTNAMELEN)) { -- gss_release_oid_set(&status, &oidset); -- return (-1); -- } -- -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -- gss_release_oid_set(&status, &oidset); -- return (ctx->major); -- } -- - if ((ctx->major = gss_acquire_cred(&ctx->minor, - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) - ssh_gssapi_error(ctx); -@@ -102,6 +102,8 @@ - { - OM_uint32 status; - gss_OID mech; -+ gss_name_t acceptor_name = GSS_C_NO_NAME; -+ gss_buffer_desc acceptor_name_buffer = GSS_C_EMPTY_BUFFER; - - ctx->major = gss_accept_sec_context(&ctx->minor, - &ctx->context, ctx->creds, recv_tok, -@@ -116,6 +118,22 @@ - else - debug("Got no client credentials"); - -+ ctx->major = gss_inquire_context(&ctx->minor, ctx->context, NULL, &acceptor_name, NULL, NULL, NULL, NULL, NULL); -+ -+ if (GSS_ERROR(ctx->major)) { -+ ssh_gssapi_error(ctx); -+ } else { -+ ctx->major = gss_display_name(&ctx->minor, acceptor_name, &acceptor_name_buffer, NULL); -+ -+ if (GSS_ERROR(ctx->major)) { -+ ssh_gssapi_error(ctx); -+ } else if (acceptor_name_buffer.length < 5 || strncmp(acceptor_name_buffer.value, "host@", 5) != 0 && strncmp(acceptor_name_buffer.value, "host/", 5) != 0) { -+ debug("Accepting credential '%s' was not for the host service.", acceptor_name_buffer.value); -+ ctx->major = GSS_S_BAD_NAME; -+ } -+ } -+ gss_release_buffer(&status, &acceptor_name_buffer); -+ gss_release_name(&status, &acceptor_name); - status = ctx->major; - - /* Now, if we're complete and we have the right flags, then Index: unk/server/doc/389-ds-enable-ssl-and-kerberos.diff =================================================================== --- /trunk/server/doc/389-ds-enable-ssl-and-kerberos.diff (revision 1692) +++ (revision ) @@ -1,59 +1,0 @@ ---- o-f.config.ldif 2008-07-05 06:24:48.000000000 -0400 -+++ b-m.config.ldif 2008-07-05 06:25:34.000000000 -0400 -@@ -123,7 +123,7 @@ - passwordMaxFailure: 3 - nsslapd-accesslog: /var/log/dirsrv/slapd-scripts/access - nsslapd-lastmod: on --nsslapd-security: off -+nsslapd-security: on - passwordMaxAge: 8640000 - nsslapd-auditlog-logrotationtimeunit: day - passwordResetFailureCount: 600 -@@ -180,7 +180,7 @@ - nsslapd-referralmode: - nsslapd-maxdescriptors: 1024 - nsslapd-conntablesize: 1024 --nsslapd-sslclientauth: off -+nsslapd-sslclientauth: allowed - nsslapd-config: cn=config - nsslapd-instancedir: - nsslapd-schemadir: /etc/dirsrv/slapd-scripts/schema -@@ -217,7 +217,8 @@ - nsSSLSessionTimeout: 0 - nsSSLClientAuth: allowed - nsSSL2: off --nsSSL3: off -+nsSSL3: on -+nsSSL3Ciphers: +rsa_rc4_128_md5 - nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128 - nsSSLSupportedCiphers: SSL3::rc4export::RC4::MD5::128 - nsSSLSupportedCiphers: SSL3::rc2::RC2::MD5::128 -@@ -315,6 +316,15 @@ - objectClass: extensibleObject - cn: uniqueid generator - -+# RSA, encryption, config -+dn: cn=RSA,cn=encryption,cn=config -+objectClass: top -+objectClass: nsEncryptionModule -+cn: RSA -+nsSSLPersonalitySSL: ldap/better-mousetrap -+nsSSLToken: internal (software) -+nsSSLActivation: on -+ - # options, features, config - dn: cn=options,cn=features,cn=config - objectClass: top -@@ -1264,3 +1274,12 @@ - nsslapd-pluginVendor: Fedora Project - nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512) - -+# mapname, mapping, sasl, config -+dn: cn=mapname,cn=mapping,cn=sasl,cn=config -+objectClass: top -+objectClass: nsSaslMapping -+cn: mapname -+nsSaslMapRegexString: \(.*\) -+nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu -+nsSaslMapFilterTemplate: (objectClass=posixAccount) -+ Index: unk/server/doc/HOWTO-SETUP-LDAP =================================================================== --- /trunk/server/doc/HOWTO-SETUP-LDAP (revision 1692) +++ (revision ) @@ -1,106 +1,0 @@ -To set up a new LDAP server: - -- Install the RPM 389-ds-base with yum -- root# env NSS_NONLOCAL_IGNORE=1 useradd -r -d /var/lib/dirsrv fedora-ds -- root# /usr/sbin/setup-ds.pl - - Choose a typical install - - Tell it to use the fedora-ds user and group - - Directory server identifier: scripts - - Suffix: dc=scripts,dc=mit,dc=edu - - Input directory manager password -- yum install ldapvi -- /sbin/service dirsrv start -- Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually -- Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket - and nsslapd-ldapilisten: on, otherwise ldapi won't work. -- /sbin/service dirsrv stop -- Add the scripts schemas to /var/lib/dirsrv/slapd-scripts -- wget http://web.mit.edu/geofft/Public/scripts-ca.pem -- certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem -- Generate a pkcs12 cert for the server: -- openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12 -- pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts -- Put LDAP keytab in /etc/dirsrv/keytab -- Uncomment and modify in /etc/syscnfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME -- mkdir -p /var/tmp/dirsrv -- chown fedora-ds:fedora-ds /var/tmp/dirsrv -- chmod 755 /var/run/dirsrv -- /sbin/service dirsrv restart -- Use ldapvi -b cn=config to add these indexes: - -add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: apacheServerName -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: apacheServerAlias -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: scriptsVhostName -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: scriptsVhostAlias -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: scriptsVhostAccount -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: memberuid -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: uidnumber -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config -objectClass: top -objectClass: nsIndex -cn: gidnumber -nsSystemIndex: false -nsIndexType: eq -nsIndexType: pres - -- Build the indexes for all the fields: - - /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot - -- Watch for the indexing operations to finish with this command: - - ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config - -- Set up replication: - (basically, execute - http://directory.fedoraproject.org/sources/contrib/mmr.pl - manually) Index: /trunk/server/doc/install-fedora =================================================================== --- /trunk/server/doc/install-fedora (revision 1692) +++ /trunk/server/doc/install-fedora (revision 1693) @@ -2,143 +2,13 @@ ---------------------------------------- -1. Create the LVS partitions that the Scripts guest will use. +We use Kickstart to to initial Fedora configuration. Installing a new +vanilla machine is as easy as: -Our classic setup is 50GB for the main, root partition (/) and -10GB for our swap. You can consult what things look like -by using `lvdisplay`. Our naming convention is server-name-root -and server-name-swap. + xm create scripts-server machine_name=$MACHINE install=fXX && console $MACHINE -Creating new LVS partitions is done with `lvcreate`: +The only prompt (near the beginning of the install process) should be +for the root password, and at the end, when it asks you to reboot. +Say yes, and the machine will power down, and then restart without +the install parameter: - # Example values: - # SERVERNAME=whole-enchilada - # HOSTNAME=jay-leno - lvcreate -n $SERVERNAME-root $HOSTNAME --size 50.00G - lvcreate -n $SERVERNAME-swap $HOSTNAME --size 10.00G - -2. Acquire the network installation media for Fedora. - -Normally, you would download an ISO and kick off an installation -by burning it to a CD and booting off of that. Since we would like -to make as minimal a Fedora install as possible, we use a different -method. [XXX: Why do we actually do it this way? It seems kind -of convoluted] - -First, we need to create an appropriate installation directory, -which contains the necessary kernel images and bootstrapping code. -Navigate to a Fedora mirrors website, and find the correct release -from the linux/releases directory, then grab the contents of -Fedora/x86_64/os/isolinux. For example, getting the Fedora 13 installer -from mirrors.mit.edu would be: - - mkdir ~/f13-install - cd ~/f13-install - wget -r -nd ftp://mirrors.mit.edu/fedora/linux/releases/13/Fedora/x86_64/os/isolinux/ - -You can then spin up a Xen image for installation with: - - xm create scripts-server machine_name=$HOSTNAME install=f13 - -Note that the -install suffix was dropped. Get a console with `xm -console`. - -3. Tell Fedora where to get the real installer. - -You will now be in a curses installer interface. Since you are doing -a network install, you will need to configure your network and specify -the URL to install. Find the static hostname that you are planning -to install to and get its information with: - - stella $HOSTNAME - -Manually configure its IP, disabling IPv6 for now [XXX I don't know how -to configure that]. The network mask is 16, and you can check -'/etc/resolv.conf' if you don't remember what MIT's DNS servers are. - -It will then ask you for an installation image. Continuing with our -F13 mirrors.mit.edu, the URL will look something like: - - ftp://mirrors.mit.edu/fedora/linux/releases/13/Fedora/x86_64/os - -4. Use VNC - -At this point, Fedora will ask you whether or not you want to use VNC -to continue the installation. Because Scripts has an unusual disk -image setup, you will want to answer yes. [XXX: Unfortunately, this puts -the VNC session on MITnet, so make sure you use a good password, and -we should figure out to make it not do that]. Grab your favorite -VNC client and login to $HOSTNAME:1 - -5. Installation in VNC - -5.1. Disks to use - -We don't have any exotic devices (we did that at the host level, -recall), so you can use normal configuration. The scripts-server Xen -configuration will have automatically selected the LVS partitions you -created in Step 1, and you want both of them. - -5.2. Host - -The default hostname is all caps: we use lower-case, so lower-case the -name before proceeding. - -5.3. Timezone - -Self explanatory - -5.4. Root password - -Use Scripts root password for a real install, and fake password -otherwise. [XXX: Insecure over VNC? Argh!] - -5.5 Formatting the disks - -You can find out what our existing setup looks like by consulting -'/etc/fstab'. - -Select Custom, and select both disks for formatting. Setup the larger -disk as the boot partition. Configure the partitions as follows: - - 50GB - Standard Partition - Mount Point: / - File System Type: ext3 (the default as of F13 is ext4, which - cannot be mounted by the hosts and thus should not be used!) - Additional Size Options: Fill to maximum allowable size (the - Size parameter will not do anything in that case) - Force to be primary partition - 10GB - Standard Partition - File System Type: swap - Additional Size Options: Fill to maximum allowable size - -5.6 Bootloader - -Defaults are fine. - -5.7 Installation - -Do a minimal install (we will proceed to install the packages we care -about), and add the normal F13 repository (testing and updates will be -added when we bring in our /etc configuration). Similarly, we will -install the software we want later, so there is no need to do that now. - -5.8 Reboot - -When the install finishes, it will ask you to reboot. This is fine, but -since we created the VM image with install, upon reboot it will ask us -to install again. Let it reboot, then destroy the virtual machine. - - xm destroy $SERVERNAME - -6. New World Order - -Start up the VM without the install flag: - - xm create scripts-server machine_name=$SERVERNAME - -Use xm console to get a terminal, and proceed with the official install -instructions. - - xm console $SERVERNAME + xm create scripts-server machine_name=$MACHINE && console $MACHINE Index: /trunk/server/doc/install-howto.sh =================================================================== --- /trunk/server/doc/install-howto.sh (revision 1692) +++ /trunk/server/doc/install-howto.sh (revision 1693) @@ -1,86 +1,91 @@ # This document is a how-to for installing a Fedora scripts.mit.edu server. +# It is semi-vaguely in the form of a shell script, but is not really +# runnable as it stands. set -e -x -[ -e /scripts-boot-count ] || echo 0 > /scripts-boot-count - -source_server="old-faithful.mit.edu" - -boot=${1:$(cat /scripts-boot-count)} - -# XXX: let 'branch' be the current svn branch you are on - -doreboot() { - echo $(( $boot + 1 )) > /scripts-boot-count; - shutdown -r now "Rebooting for step $(cat /scripts-boot-count)" -} - -YUM() { - NSS_NONLOCAL_IGNORE=1 yum "$@" -} - -# Helper files for the install are located in server/fedora/config. - -# Start with a normal install of Fedora. - -if [ $boot = 0 ]; then -# When the initial configuration screen comes up, under "Firewall -# configuration", disable the firewall, and under "System services", leave -# enabled (as of Fedora 9) acpid, anacron, atd, cpuspeed, crond, -# firstboot, fuse, haldaemon, ip6tables, iptables, irqbalance, -# kerneloops, mdmonitor, messagebus, microcode_ctl, netfs, network, nscd, ntpd, -# sshd, udev-post, and nothing else. - echo "--disabled" > /etc/sysconfig/system-config-firewall - for i in NetworkManager avahi-daemon bluetooth cups isdn nfslock nfs pcscd restorecond rpcbind rpcgssd rpcidmapd sendmail; do - chkconfig "$i" off - done - -# Turn on network, so we can connect at boot -chkconfig network on - -# Edit /etc/selinux/config so it has SELINUX=disabled and reboot. - sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config - doreboot -fi - -if [ $boot = 1 ]; then -# Create a scripts-build user account, and set up rpm to build in -# $HOME by doing a -# cp config/home/scripts-build/.rpmmacros /home/scripts-build/ -# (If you just use the default setup, it will generate packages -# in /usr/src/redhat.) - adduser scripts-build +# Some commands should be run as the scripts-build user, not root. + +alias asbuild="sudo -u scripts-build" + +# Old versions of this install document advised setting +# NSS_NONLOCAL_IGNORE=1 anytime you're setting up anything, e.g. using +# yum, warning that useradd will query LDAP in a stupid way that makes +# it hang forever. As of Fedora 13, this does not seem to be a problem, +# so it's been removed from the instructions. If an install is hanging, +# though, try adding NSS_NONLOCAL_IGNORE. + +# This is actually just "pick an active scripts server". It can't be +# scripts.mit.edu because our networking config points that domain +# at localhost, and if our server is not setup at that point things +# will break. +source_server="cats-whiskers.mit.edu" + +# 'branch' is the current svn branch you are on. You want to +# use trunk if your just installing a new server, and branches/fcXX-dev +# if your preparing a server on a new Fedora release. +branch="trunk" + +# 'server' is the public hostname of your server, for SCP'ing files +# to and from. +server=YOUR-SERVER-NAME-HERE + +# Start with a Scripts kickstarted install of Fedora (install-fedora) + +# Take updates, reboot if there's a kernel update. + + yum update + +# Get rid of network manager + yum remove NetworkManager # Check out the scripts.mit.edu svn repository. Configure svn not to cache # credentials. - YUM install -y subversion - - cd /srv - svn co svn://$source_server/$branch repository - - sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config - sed -i 's/^(# *)*store-auth-creds.*/store-auth-creds = no/' /root/.subversion/config -# The same tweaks should be made on /home/scripts-build/.subversion/config -# once it exists (do something with svn as scripts-build) - - chown -R scripts-build /srv/repository - -# cd to server/fedora in the svn repository. - cd /srv/repository/server/fedora - -# Run "make install-deps" to install various prereqs. Nonstandard -# deps are in /mit/scripts/rpm. - YUM install -y make - make install-deps - -# Install bind - YUM install -y bind +# Copy over root's dotfiles from one of the other machines. +# Perhaps a useful change is to remove the default aliases + cd /root + ls -l .bashrc + ls -l .ldapvirc + ls -l .screenrc + ls -l .ssh + ls -l .vimrc + ls -l .k5login + # Trying to scp from server to server won't work, as scp + # will attempt to negotiate a server-to-server connection. + # Instead, scp to your trusted machine as a temporary file, + # and then push to the other server +scp -r root@$source_server:~/{.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} . +scp -r {.bashrc,.ldapvirc,.screenrc,.ssh,.vimrc,.k5login} root@$server:~ + +# Install the initial set of credentials (to get Kerberized logins once +# krb5 is installed). Otherwise, SCP'ing things in will be annoying. +# o You probably installed the machine keytab long ago + ls -l /etc/krb5.keytab +# Use ktutil to combine the host/scripts.mit.edu and +# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in +# the keytab. Do not use 'k5srvutil change' on the combined keytab +# or you'll break the other servers. (real servers only). Be +# careful about writing out the keytab: if you write it to an +# existing file the keys will just get appended. The correct +# credential list should look like: +# ktutil: l +# slot KVNO Principal +# ---- ---- --------------------------------------------------------------------- +# 1 5 host/old-faithful.mit.edu@ATHENA.MIT.EDU +# 2 3 host/scripts-vhosts.mit.edu@ATHENA.MIT.EDU +# 3 2 host/scripts.mit.edu@ATHENA.MIT.EDU +# o Replace the ssh host keys with the ones common to all scripts servers (real servers only) + ls -l /etc/ssh/*key* +# You can do that with: +scp root@$source_server:/etc/ssh/*key* . +scp *key* root@$server:/etc/ssh/ + service sshd reload # Check out the scripts /etc configuration + # backslash to make us not use the alias cd /root - svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc - # backslash to make us not use the alias \cp -a etc / + chmod 0440 /etc/sudoers # NOTE: You will have just lost DNS resolution and the ability @@ -90,121 +95,57 @@ # you have named. - service named start - chkconfig named on - -# In the case of the Kerberos libraries, you'll be told that -# there are conflicting files with the 64-bit versions of the packages, -# which we scriptsify. You'll have to use --force to install those -# rpms despite the conflicts. After doing that, you may want to -# install the corresponding 64-bit scriptsified versions again, just -# to be safe in case the 32-bit versions overwrite files that differ. -# When you try this, it will complain that you already have the same -# version installed; again, you'll need to use --force to do it anyway. - -# We need yumdownloader to force some RPMs - # XXX: This might be wrong. Sanity check what packages ou - # have when done - YUM install -y yum-utils - yumdownloader krb5-libs - # XXX: These version numbers are hardcoded, need some cli-fu to generalize - rpm -i krb5-libs-*.i586.rpm - rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm - -# env NSS_NONLOCAL_IGNORE=1 yum install scripts-base - YUM install -y scripts-base - -# Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up -# anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way -# that makes it hang forever. (This is why we're using YUM, not yum) - -# Reload the iptables config to take down the restrictive firewall - service iptables restart - -# Copy over root's dotfiles from one of the other machines. -# Perhaps a useful change is to remove the default aliases - # On 2009-07-01, the dotfiles to transfer where: - # .bashrc .ldapvirc (<- HAS PRIVILEDGED DATA) - # .screenrc .ssh (<- directory) .vimrc - # Trying to scp from server to server won't work, as scp - # will attempt to negotiate a server-to-server connection. - # Instead, scp to your trusted machine as a temporary file, - # and then push to the other server - # You'll need some way to authenticate to the server, and since - # password logins are disabled, you'll need some way of - # temporarily giving yourself credentials. On a test server, - # reenabling password authentication is ok: frob /etc/pam.d/sshd - # and reverse apply r1068. +# NOTE: You can get password SSH back by editing /etc/ssh/sshd_config (allow +# password auth) and /etc/pam.d/sshd (comment out the first three auth +# lines). However, you should have the Kerberos credentials in place +# so as soon as you install the full set of Scripts packages, you'll get +# Kerberized logins. + +# Make sure network is working. If this is a new server name, you'll +# need to add it to /etc/hosts and +# /etc/sysconfig/network-scripts/route-eth1. Kickstart should have +# configured eth0 and eth1 correctly; use service network restart +# to add the new routes in route-eth1. + service network restart + route + ifconfig + cat /etc/hosts + cat /etc/sysconfig/network-scripts/route-eth1 + +# This is the point at which you should start updating scriptsified +# packages for a new Fedora release. Consult 'upgrade-tips' for more +# information. + yum install -y scripts-base + # Some of these packages are naughty and clobber some of our files + cd /etc + svn revert resolv.conf hosts sysconfig/openafs # Replace rsyslog with syslog-ng by doing: rpm -e --nodeps rsyslog - YUM install -y syslog-ng + yum install -y syslog-ng chkconfig syslog-ng on -# Install various dependencies of the scripts system, including -# glibc-devel.i586 (ezyang: already installed for me), -# python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all. - YUM install -y mod_fcgid - YUM install -y nrpe - YUM install -y nagios-plugins-all - -# Disable NetworkManager with chkconfig NetworkManager off. Configure -# networking on the front end and back end, and the routing table to send -# traffic over the back end. Make sure that chkconfig reports "network" on, so -# that the network will still be configured at next boot. -# ezyang: For me, NetworkManager was not installed at this point, and -# we had already done the basic config for networking front end and -# back end (because I wanted ssh access, and not just conserver access) - -# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing -# /usr/vice/etc/cacheinfo to contain: -# /afs:/usr/vice/cache:10000000 -# Also fix ThisCell to contain athena.mit.edu in both directories -# WARNING: if you're installing a test server, this needs to be much -# smaller; the max filesize on XVM is 10GB. Pick something like -# 500000 +# Fix the openafs /usr/vice/etc <-> /etc/openafs mapping. echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo - # ezyang: ThisCell on b-k and c-w don't have anything special - # written here -# If you're making a test server, some of the AFS parameters are -# kind of retarded (and if you're low on disk space, will actually -# exhaust our inodes). -# Edit the parameters in /etc/sysconfig/openafs - -# Figure out why Zephyr isn't working. Most recently, it was because there -# was a 64-bit RPM installed; remove it and install Joe's 32-bit one - YUM erase -y mit-zephyr - # mit-zephyr has a spurious dependency on mit-krb-config - yumdownloader mit-zephyr.i386 - # if deps change, this breaks - YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i586 - rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm - # test if it worked by sending an un-authed message - zwrite -d -c scripts -i test - -# Install the athena-base, athena-lprng, and athena-lprng-misc RPMs -# from the Athena 9 build (these are present in our yum repo). Note -# that you will have to use --nodeps for at least one of the lprng -# ones because it thinks it needs the Athena hesiod RPM. It doesn't -# really. Before doing this, run it without --nodeps and arrange to -# install the rest of the things it really does depend on. This will -# include a bunch of 32-bit rpms; go ahead and install the .i586 versions -# of them. - YUM install -y athena-base - YUM install -y athena-lprng - yumdownloader athena-lprng-misc - # ezyang: I couldn't find any deps for this that existed in the repos - # You might get a "find: `/usr/athena/info': No such file or directory" - # error; this is fine - rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm + echo "athena.mit.edu" > /usr/vice/etc/ThisCell + +# [TEST SERVER] If you're installing a test server, this needs to be +# much smaller; the max filesize on XVM is 10GB. Pick something like +# 500000. Also, some of the AFS parameters are kind of retarded (and if +# you're low on disk space, will actually exhaust our inodes). Edit +# these parameters in /etc/sysconfig/openafs + +# Test that zephyr is working + chkconfig zhm on + service zhm start + echo 'Test!' | zwrite -d -c scripts -i test # Install the full list of RPMs that users expect to be on the # scripts.mit.edu servers. - -# on another server, run: rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt # arrange for packages.txt to be passed to the server, then run: - # notice that yum is not capitalized - # Also notice skip-broken - cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken +# --skip-broken will (usually) prevent you from having to sit through +# several minutes of dependency resolution until it decides that +# it can't install /one/ package. + yum install -y --skip-broken $(cat packages.txt) # Check which packages are installed on your new server that are not @@ -212,34 +153,30 @@ # on the new machine. Otherwise, aside from bloat, you may end up # with undesirable things for security, like sendmail. - rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt - diff -u packages.txt newpackages.txt | less - # if all went well, you'll probably see multiple kernel versions - # as the only diff - # ezyang: I got exim installed as another package + rpm -qa --queryformat "%{Name}.%{Arch}\n" | grep -v kernel | sort > newpackages.txt + diff -u packages.txt newpackages.txt | grep -v kernel | less # here's a cute script that removes all extra packages - diff -u packages.txt newpackages.txt | grep '+' | cut -c2- | grep -v "@" | grep -v "++" | xargs yum erase -y + yum erase -y $(grep -Fxvf packages.txt newpackages.txt) + +# We need an upstream version of cgi which we've packaged ourselves, but +# it doesn't work with the haskell-platform package which expects +# explicit versions. So temporarily rpm -e the package, and then +# install it again after you install haskell-platform. [Note: You +# probably won't need this in Fedora 15 or something, when the Haskell +# Platform gets updated.] + rpm -e ghc-cgi-devel ghc-cgi + yum install -y haskell-platform + yumdownloader ghc-cgi + yumdownloader ghc-cgi-devel + rpm -i ghc-cgi*1.8.1*.rpm # Check out the scripts /usr/vice/etc configuration - cd /root - mkdir vice - cd vice - svn co svn://scripts.mit.edu/trunk/server/fedora/config/usr/vice/etc etc + cd /root/vice \cp -a etc /usr/vice # Install the full list of perl modules that users expect to be on the # scripts.mit.edu servers. -# - export PERL_MM_USE_DEFAULT=1 -# - Run 'cpan', accept the default configuration, and do 'o conf -# prerequisites_policy follow'. -# - Parse the output of perldoc -u perllocal | grep head2 on an existing -# server, and "notest install" them from the cpan prompt. -# TO DO THIS: -# On another server, run: -# perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt -# Then on the server you're installing, -# cat perl-packages.txt | perl -MCPAN -e shell + cd /root export PERL_MM_USE_DEFAULT=1 - # XXX: Some interactive gobbeldygook - cpan + cpan # this is interactive, enter the next two lines o conf prerequisites_policy follow o conf commit @@ -257,5 +194,5 @@ # /usr/lib64/python2.6/site-packages for Python eggs and modules. # There will be a lot of gunk that was installed from packages; -# easy-install.pth will tell you what was easy_installed. +# easy-install.pth in /usr/lib/ will tell you what was easy_installed. # First use 'yum search' to see if the relevant package is now available # as an RPM, and install that if it is. If not, then use easy_install. @@ -263,44 +200,58 @@ # want to be able to write to ~/.python-eggs. (Also makes sourcediving # easier.) + cat /usr/lib/python2.6/site-packages/easy-install.pth # - Look at `gem list` for Ruby gems. # Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. # ezyang: rspec-rails depends on rspec, and will override the Yum # package, so... don't use that RPM yet +gem list --no-version > gem.txt + gem install $(gem list --no-version | grep -Fxvf - gem.txt) # - Look at `pear list` for Pear fruits (or whatever they're called). # Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note # that for things in the beta repo, you'll need 'pear install package-beta'. # (you might get complaints about the php_scripts module; ignore them) +pear list | tail -n +4 | cut -f 1 -d " " > pear.txt + pear config-set preferred_state beta + pear channel-update pear.php.net + pear install $(pear list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pear.txt) # - Look at `pecl list` for PECL things. 'yum search', and if you must, # 'pecl install' needed items. If it doesn't work, try 'pear install # pecl/foo' or 'pecl install foo-beta' or those two combined. - # Automating this... will require a lot of batonning between - # the servers. Probably best way to do it is to write an actual - # script. +pecl list | tail -n +4 | cut -f 1 -d " " > pecl.txt + pecl install --nodeps $(pecl list | tail -n +4 | cut -f 1 -d " " | grep -Fxvf - pecl.txt) # Setup some Python config echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth -# Install the credentials. There are a lot of things to remember here: -# o This will be different if you're setting up our build/update server. -# o You probably installed the machine keytab long ago - ls -l /etc/krb5.keytab -# o Use ktutil to combine the host/scripts.mit.edu and -# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in -# the keytab. Do not use 'k5srvutil change' on the combined keytab -# or you'll break the other servers. (real servers only) -# o The daemon.scripts keytab +# Install the credentials. There are a lot of things to remember here. +# Be sure to make sure the permissions match up (ls -l on an existing +# server!). +scp root@$source_server:{/etc/{sql-mit-edu.cfg.php,daemon.keytab,pki/tls/private/scripts.key,signup-ldap-pw,whoisd-password},/home/logview/.k5login} . +scp daemon.keytab signup-ldap-pw whoisd-password sql-mit-edu.cfg.php root@$server:/etc +scp scripts.key root@$server:/etc/pki/tls/private +scp .k5login root@$server:/home/logview + chown afsagent:afsagent /etc/daemon.keytab +# o The daemon.scripts keytab (will be daemon.scripts-test for test) ls -l /etc/daemon.keytab # o The SSL cert private key (real servers only) + ls -l /etc/pki/tls/private/scripts.key # o The LDAP password for the signup process (real servers only) -# o The SQL password for the signup process (real servers only) + ls -l /etc/signup-ldap-pw # o The whoisd password (real servers only) -# o The LDAP keytab for this server, which will be used later (real servers only) -# o Replace the ssh host keys with the ones common to all scripts servers (real servers only) -# o You'll install an LDAP certificate signed by the scripts CA later (real servers only) -# o Make sure root's .k5login is correct - cat /root/.k5login + ls -l /etc/whoisd-password # o Make sure logview's .k5login is correct (real servers only) - -# If you are setting up a test server, pay attention to + cat /home/logview/.k5login + +# Spin up OpenAFS. This will fail if there's been a new kernel since +# when you last tried. In that case, you can hold on till later to +# start OpenAFS. This will take a little bit of time; + service openafs-client start + +# Check that fs sysname is correct. You should see, among others, +# 'amd64_fedoraX_scripts' (vary X) and 'scripts'. If it's not, you +# probably did a distro upgrade and should update /etc/sysconfig/openafs. + fs sysname + +# [TEST SERVER] If you are setting up a test server, pay attention to # /etc/sysconfig/network-scripts and do not bind scripts' IP address. # You will also need to modify: @@ -322,14 +273,22 @@ # XXX: someone should write sed scripts to do this -# If you are setting up a test server, afsagent's cronjob will attempt -# to be renewing with the wrong credentials (daemon.scripts). Change this: +# [TEST SERVER] If you are setting up a test server, afsagent's cronjob +# will attempt to be renewing with the wrong credentials +# (daemon.scripts). Change this: vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu -# Install 389-ds-base and set up replication (see ./HOWTO-SETUP-LDAP -# and ./389-ds-enable-ssl-and-kerberos.diff). +# Set up replication (see ./install-ldap). +# You'll need the LDAP keytab for this server: be sure to chown it +# fedora-ds after you create the fedora-ds user + ls -l /etc/dirsrv/keytab + cat install-ldap # Make the services dirsrv, nslcd, nscd, postfix, and httpd start at # boot. Run chkconfig to make sure the set of services to be run is # correct. + service nslcd start + service nscd start + service postfix start + service httpd start chkconfig dirsrv on chkconfig nslcd on @@ -341,4 +300,7 @@ chkconfig nrpe on +# Check sql user credentials (needs to be done after LDAP is setup) + chown sql /etc/sql-mit-edu.cfg.php + # Postfix doesn't actually deliver mail; fix this cd /etc/postfix @@ -349,6 +311,6 @@ # Run fmtutil-sys --all, which does something that makes TeX work. +# (Note: this errors on XeTeX which is ok.) fmtutil-sys --all - # ezyang: I got errors on xetex # Ensure that PHP isn't broken: @@ -356,11 +318,12 @@ chmod 01777 /tmp/sessions -# Ensure fcgid isn't broken - chmod 755 /var/run/mod_fcgid # ezyang: I suspect this is no longer necessary +# Ensure fcgid isn't broken (should be 755) + ls -ld /var/run/mod_fcgid # Fix etc by making sure none of our config files got overwritten cd /etc - svn status | grep M - # ezyang: I had to revert krb5.conf (not with latest), nsswitch.conf and sysconfig/openafs + svn status -q + # Some usual candidates for clobbering include nsswitch.conf and + # sysconfig/openafs # ThisCell got clobbered, replace it with athena.mit.edu @@ -368,23 +331,12 @@ # Reboot the machine to restore a consistent state, in case you -# changed anything. - # ezyang: When I rebooted, the following things happened: - # o Starting kdump failed (this is ok) - # o postfix mailbombed us - # o firstboot configuration screen popped up (ignored; manually will do - # chkconfig after the fact) - -# (Optional) Beat your head against a wall. - -# Possibly perform other steps that I've neglected to put in this -# document. -# o For some reason, syslog-ng wasn't turning on automatically, so we weren't -# getting spew - -# Some info about changing hostnames: it appears to be in: +# changed anything. (Note: Starting kdump fails (this is ok)) + +# [OPTIONAL] Your machine's hostname is baked in at install time; +# in the rare case you need to change it: it appears to be in: # o /etc/sysconfig/network # o your lvm thingies; probably don't need to edit -# More stuff for test servers +# [TEST SERVER] More stuff for test servers # - You need a self-signed SSL cert. Generate with: openssl req -new -x509 -keyout /etc/pki/tls/private/scripts.key -out /etc/pki/tls/certs/scripts.cert -nodes @@ -394,2 +346,12 @@ # be an accepted vhost name # - Look at the old test server and see what config changes are floating around + +# XXX: our SVN checkout should be updated to use scripts.mit.edu +# (repository and etc) once serving actually works. + cd /etc + svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ + cd /usr/vice/etc + svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ + cd /srv/repository + asbuild svn switch --relocate svn://$source_server/ svn://scripts.mit.edu/ + asbuild svn up # verify scripts.mit.edu works Index: /trunk/server/doc/install-ldap =================================================================== --- /trunk/server/doc/install-ldap (revision 1693) +++ /trunk/server/doc/install-ldap (revision 1693) @@ -0,0 +1,354 @@ +To set up a new LDAP server: + +- Install the RPM 389-ds-base with yum (these are installed by kickstart + these days, so these two steps are probably not necessary) + root# yum install -y 389-ds-base + root# yum install -y policycoreutils-python + root# yum install -y ldapvi +- We want to run the directory server as its own user, so create fedora-ds + root# useradd -r -d /var/lib/dirsrv fedora-ds +- Temporarily move away the existing slapd-scripts folder + root# mv /etc/dirsrv/slapd-scripts{,.bak} +- root# /usr/sbin/setup-ds.pl + - Choose a typical install + - Tell it to use the fedora-ds user and group + - Directory server identifier: scripts + Needed to remove this from the config file first + - Suffix: dc=scripts,dc=mit,dc=edu + - Input directory manager password + (this can be found in ~/.ldapvirc) +- Move the schema back + root# cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts + root# rm -Rf /etc/dirsrv/slapd-scripts.bak +- Turn dirsrv off: service dirsrv stop +- Apply the following configuration changes. If you're editing + dse.ldif, you don't want dirsrv to be on, otherwise it will + overwrite your changes. [XXX: show how to do these changes with + dsconf, which is the "blessed" method] + +# Inside cn=config. These changes definitely require a restart. +nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket +nsslapd-ldapilisten: on + +# Add these blocks + +# mapname, mapping, sasl, config +# This is the most liberal mapping you can have for SASL: you can +# basically add authentication for any given GSSAPI mechanism by +# explicitly creating the UID for that SASL string. +dn: cn=mapname,cn=mapping,cn=sasl,cn=config +objectClass: top +objectClass: nsSaslMapping +cn: mapname +nsSaslMapRegexString: \(.*\) +nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu +nsSaslMapFilterTemplate: (objectClass=posixAccount) + +- Put LDAP keytab (ldap/hostname.mit.edu) in /etc/dirsrv/keytab. Make + sure you chown/chgrp it to be readable by fedora-ds +- Uncomment and modify in /etc/sysconfig/dirsrv: KRB5_KTNAME=/etc/dirsrv/keytab ; export KRB5_KTNAME +- chown fedora-ds:fedora-ds /var/run/dirsrv +- chmod 755 /var/run/dirsrv +- /sbin/service dirsrv start +- Use ldapvi -b cn=config to add these indexes (8 of them): + +add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: apacheServerName +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: apacheServerAlias +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: scriptsVhostName +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: scriptsVhostAlias +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: scriptsVhostAccount +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: memberuid +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: uidnumber +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +objectClass: top +objectClass: nsIndex +cn: gidnumber +nsSystemIndex: false +nsIndexType: eq +nsIndexType: pres + +- Build the indexes for all the fields: + + /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot + + (/etc/signup-ldap-pw is the LDAP root password, make sure it's + chmodded correctly and chowned to signup. Also, make sure it doesn't + have a trailing newline!) + +- Watch for the indexing operations to finish with this command: + + ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config + + (look for nktaskstatus) + +- Set up replication. + + We used to tell people to go execute + http://directory.fedoraproject.org/sources/contrib/mmr.pl manually + (manually because that script assumes only two masters and we have + every one of our servers set up as a master.) However, those + instructions are inaccurate, because we use GSSAPI, not SSL and + because the initializing procedure is actually prone to a race + condition. Here are some better instructions. + + LDAP replication is based around producers and consumers. Producers + push changes in LDAP to consumers: these arrangements are called + "replication agreements" and the producer will hold a + nsDS5ReplicationAgreement object that represents this commitment, + as well as some extra configuration to say who consumers will accept + replication data from (a nsDS5Replica). + + The procedure, at a high level, is this: + + 1. Pick an arbitrary existing master. The current server will + be configured as a slave to that master. Initialize a changelog, + then request a replication to populate our server with + information. + + M1 <---> M2 ---> S + + 2. Configure the new server to be replicated back. + + M1 <---> M2 <---> S + + 3. Set up the rest of the replication agreements at your leisure. + + M1 <---> M2 + ^ ^ + | | + +--> S <--+ + + Here's how you do it. + + 1. Pull open the replication part of the database. It's fairly empty + right now. + + ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config + + 2. Configure the server $SLAVE (this server) to accept $MASTER + replications by adding the following LDAP entries: + +add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config +objectClass: top +objectClass: nsDS5Replica +cn: replica +nsDS5ReplicaId: $REPLICA_ID +nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu +nsDS5Flags: 1 +nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +# ADD SERVERS HERE AS YOU ADD NEW SERVERS +nsds5ReplicaPurgeDelay: 604800 +nsds5ReplicaLegacyConsumer: off +nsDS5ReplicaType: 3 + + $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find + out.) You might wonder why we are binding to all servers; + weren't we going to replicate from only one server? That is + correct, however, simply binding won't mean we will receive + updates; we have to setup the $MASTER to send data $SLAVE. + + 3. Although we allowed those uids to bind, that user information + doesn't exist on $SLAVE yet. So you'll need to create the entry + for just $MASTER. + +add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu +uid: ldap/$MASTER +objectClass: account +objectClass: top + + 4. Though our $SLAVE will not be making changes to LDAP, we need to + initialize the changelog because we intend to be able to do this + later. + +add cn=changelog5,cn=config +objectclass: top +objectclass: extensibleObject +cn: changelog5 +nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb + + 5. Ok, now go to your $MASTER server that you picked (it should have + been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell + it to replicate to $SLAVE. + + The last line runs the replication. This is perhaps the most + risky step of the process; see below for help debugging problems. + + WARNING: There is a known bug doing full updates from 1.2.6 to + 1.2.6, see https://bugzilla.redhat.com/show_bug.cgi?id=637852 + +add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config +objectClass: top +objectClass: nsDS5ReplicationAgreement +cn: "GSSAPI Replication to $SLAVE" +cn: GSSAPI Replication to $SLAVE +nsDS5ReplicaHost: $SLAVE +nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu +nsDS5ReplicaPort: 389 +nsDS5ReplicaTransportInfo: LDAP +nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindMethod: SASL/GSSAPI +nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" +nsDS5ReplicaTimeout: 120 +nsDS5BeginReplicaRefresh: start + + 5. Check that the replication is running; the status will be stored + in the object we've been mucking around with. + + If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER + for more information. It might be because fedora-ds can't read + /etc/dirsrv/keytab + + 6. Replicate in the other direction. On $MASTER, add $SLAVE + as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config + Also, add an account for $SLAVE + +add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu +uid: ldap/$SLAVE +objectClass: account +objectClass: top + + On $SLAVE, + +add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config +objectClass: top +objectClass: nsDS5ReplicationAgreement +cn: "GSSAPI Replication to $MASTER" +cn: GSSAPI Replication to $MASTER +nsDS5ReplicaHost: $MASTER +nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu +nsDS5ReplicaPort: 389 +nsDS5ReplicaTransportInfo: LDAP +nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu +nsDS5ReplicaBindMethod: SASL/GSSAPI +nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" +nsDS5ReplicaTimeout: 120 + + If you get a really scary internal server error, that might mean you + forgot to initialize the changelog. Remove the replication + agreement (you'll need to turn off dirsrv), add the changelog, and + then try again. + +Troubleshooting +=============== + +LDAP multimaster replication can fail in a number of colorful ways; +combine that with GSSAPI authentication and it goes exponential. + +If authentication is failing with LDAP error 49, check if: + + * /etc/dirsrv/keytab + * fedora-ds is able to read /etc/dirsrv/keytab + * /etc/hosts has not been modified by Network Manager (you + /did/ uninstall it, right? Right?) + +If the failure is local to a single master, usually you can recover +by asking another master to refresh that master with: + +nsDS5BeginReplicaRefresh: start + +In practice, we've also had problems with this technique. Some of them +include: + +* Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503 + on Fedora 11 ns-slapd, where replication is turned off to do the + replication, but then it wedges and you need to forcibly kill the + process. + +* Failed LDAP authentication because another master attempted to do + an incremental update. + +* Repropagation of the error because the corrupt master thinks it still + should push updates. + +So the extremely safe method to bring up a crashed master is as follows: + +1. Disable all incoming and outgoing replication agreements by editing + /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge: + + nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config + + and all of the push agreements. Deleting them outright works, but + means you'll have to reconstruct all of the agreements from scratch. + +2. Bring up the server. + +3. Accept incoming replication data from a single server. + +4. Initiate a full update from that server. + +5. Finish setting up replication as described above. + +If your database gets extremely fucked, other servers may not be able +to authenticate because your authentication information has gone missing. +In that case, the minimal set of entries you need is: + +add dc=scripts,dc=mit,dc=edu +objectClass: top +objectClass: domain +dc: scripts + +add ou=People,dc=scripts,dc=mit,dc=edu +objectClass: top +objectClass: organizationalunit +ou: People + +add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu +objectClass: account +objectClass: top +uid: ldap/whole-enchilada.mit.edu Index: /trunk/server/doc/install-xen =================================================================== --- /trunk/server/doc/install-xen (revision 1692) +++ /trunk/server/doc/install-xen (revision 1693) @@ -43,2 +43,6 @@ git clone ssh://scripts@scripts.mit.edu/mit/scripts/git/xen.git /etc/xen +# setup conserver + cat /etc/conserver/console.cf # add the correct entires here + visudo # add conservr to sudoers list with: + conservr ALL=(ALL) NOPASSWD: /usr/sbin/xm console * Index: /trunk/server/doc/install-xvm =================================================================== --- /trunk/server/doc/install-xvm (revision 1693) +++ /trunk/server/doc/install-xvm (revision 1693) @@ -0,0 +1,48 @@ +Installing a test scripts server on XVM +======================================= + +It's useful to have a less secure scripts server for testing +purposes. Here's what you have to do: + +1. Creating the VM +------------------ + +To authenticate to xvm.mit.edu with root tickets, you need +a browser that suppors SPNEGO; Firefox is one such browser and +the following instructions will assume it. Browse to about:config +and modify the key 'network.negotiate-auth.trusted-uris' to be + + https://xvm.mit.edu:442/* + +Then, with active root tickets on your system, navigate to + + https://xvm.mit.edu:442/ + +You should be logged in as root, and if you are on scripts-root +you should be able to assign ownership to scripts. + +[XXX: there should be a way to do this with remctl too] + +2. Spin up +---------- + +These instructions are mostly the same as the latter part of +install-fedora, with the following changes: + +VNC +--- + +You will not need to sketchily forward VNC, because XVM has a built +in VNC console. + +Password +-------- + +Do NOT use the scripts-root password. Pick something else. + +Disks +----- + +The standard Scripts setup has separate LVM partitions for root and +swap, as well as a non-LVM partition for boot. You will not have this +for XVM, so the Fedora defaults mostly work. Don't use ext4 though. Index: /trunk/server/doc/kernel-build-howto =================================================================== --- /trunk/server/doc/kernel-build-howto (revision 1692) +++ /trunk/server/doc/kernel-build-howto (revision 1693) @@ -19,4 +19,7 @@ [root@old-faithful ~]# rpm -ivh kernel-vanilla{,-devel}-2.6.23.8-28.scripts1.fc7.x86_64.rpm +You can build kernel-firmware, which is a bunch of binary blobs for +hardware, by running the mock build with --arch=noarch. + Index: /trunk/server/doc/ldap-kerberos-replication.txt =================================================================== --- /trunk/server/doc/ldap-kerberos-replication.txt (revision 1693) +++ /trunk/server/doc/ldap-kerberos-replication.txt (revision 1693) @@ -0,0 +1,93 @@ +How to migrate from SSL authentication to GSSAPI authentication +=============================================================== + + :author: Edward Z. Yang + :author: Geoffrey Thomas + +NOTE: This document is strictly for HISTORICAL purposes. It may +come in handy if you ever need to migrate from SSL to GSSAPI on +another LDAP setup, though! This assumes that ldap service keytabs +are setup properly on all hosts involved. + +---- + +On $CONSUMER (e.g. real-mccoy.mit.edu) + +To cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config: +Add nsDS5ReplicaBindDN: uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu + This tells the CONSUMER to accept replication pushes from PRODUCER. + However, PRODUCER is not configured yet, so you should keep + the cn=repman,cn=config entry which is old style. + +Create uid=ldap/$PRODUCER,ou=People,dc=scripts,dc=mit,dc=edu +uid: ldap/$PRODUCER +objectClass: account +objectClass: top + This creates the LDAP user entry for GSSAPI authentication via the + service keytab of LDAP replication. This information /is/ + replicated, so if you felt like it you could create entries for all + PRODUCERS (which, in full multimaster replication, is all servers.) + +---- + +On $PRODUCER (e.g. cats-whiskers.mit.edu) + You will destroy and recreate a replication agreement (well, + actually, ldapvi will attempt to create and then destroy the old + agreement). + +To cn="SSL Replication to $CONSUMER",cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config +Replace all instances of "SSL Replication" to "GSSAPI Replication" +Replace the number on the entry with 'add'; to indicate destroy/recreate +Replace nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu + (instead of cn=repman,cn=config) +Replace nsDS5ReplicaTransportInfo: LDAP + (instead of SSL) +Replace nsDS5ReplicaPort: 389 + (instead of 636) +Replace nsDS5ReplicaBindMethod: SASL/GSSAPI + (instead of simple) +Remove nsDS5ReplicaCredentials + +Here are some search-replace lines that will probably do what you want, +but be sure to double check how many substitutions were made. '<,'> lines +should exclude the cn=replica section. + + # n = NUMBER OF SERVERS - 1 = 4 + # n*3 substitutions + :%s/SSL Replication/GSSAPI Replication/g + # n substitutions + :'<,'>s/cn=repman,cn=config/uid=ldap\/$HOST,ou=People,dc=scripts,dc=mit,dc=edu/g + :%s/simple/SASL\/GSSAPI/ + :%s/nsDS5ReplicaPort: 636/nsDS5ReplicaPort: 389/ + :%s/SSL/LDAP/g + :%s/^nsDS5ReplicaCredentials.\+\n//g + :'<,'>s/^nsds5replicareapactive: 0\n//g + :%s/^[1-9] /add /g # fix if more than 9 servers + +There is some cleanup that needs to happen after these values change; +I had luck forcibly rebooting the servers and making LDAP cleanup +after an unclean shutdown. You can tell if this cleanup is necessary +if LDAP refuses to start replication sessions. This issue is known to +clear up after several reboots or by destroying and recreating all +replicas. + +---- + +Once everything is on the new replication and you verify it's working +correctly, you should then clean out the SSL configuration (most +notably, turn nsslapd-security off. Despite its ominous name, it only +controls SSL authentication, not GSSAPI authentication.) You will need +to take the server offline to do that; edit +/etc/dirsrv/slapd-scripts/dse.ldif + +When that's gone, there may be some vestigial SSL configuration left. +Scripts specifically had the following sections that needed to be +cleaned up: + + cn=RSA,cn=encryption,cn=config + (whole thing) + cn=encryption,cn=config + nsSSL3: on [change to off] + nsSSL3Ciphers: +rsa_rc4_128_md5 [delete] + cn=config + nsslapd-sslclientauth: on [change to off] Index: /trunk/server/doc/package-build-howto =================================================================== --- /trunk/server/doc/package-build-howto (revision 1692) +++ /trunk/server/doc/package-build-howto (revision 1693) @@ -146,2 +146,7 @@ overwrite any changes you made in place). +Tips +==== + + * Don't try to build a 32-bit package without building the 64-bit + package as well. Index: /trunk/server/doc/upgrade-tips =================================================================== --- /trunk/server/doc/upgrade-tips (revision 1693) +++ /trunk/server/doc/upgrade-tips (revision 1693) @@ -0,0 +1,186 @@ +Upgrading Scripts for a new Fedora distribution +=============================================== + +1. Gather knowledge +------------------- + +You should read the Release Notes for all of the intervening +releases. For example, here are the Fedora 13 release notes: + + http://docs.fedoraproject.org/en-US/Fedora/13/html/Release_Notes/ + +Because we sometimes skip releases, you should read any skipped +release's report notes. + +Example: + + In Fedora 12, i586 was deprecated in favor of i686; this meant + that any parts of Scripts that referenced i586 explicitly had to + changed to i686. + +2. Update the Scripts build environment +--------------------------------------- + +A large amount of the Scripts source repository is Fedora Release +specific, so when you are ramping up the new release, you will want +a new branch to do development on, before merging back upon the +official release. You can do this with: + + svn cp svn://scripts.mit.edu/trunk \ + svn://scripts.mit.edu/branches/fcXX-dev + +On the new branch, there are a number of files you will have to +update: + +2.1 Mock + +Mock needs to be setup for the new environment. The first thing to do +is to update the Makefile by substituting +s/scripts-fcOLD/scripts-fcNEW/g on the /usr/bin/mock invocations. +After that, you need to go to /etc/mock and create the new cfg file +for the new scripts-fcXX-ARCH configurations (where ARCH is x86_64 and +i386). You can base the new cfg off of the older version's, however +you will want to make the following changes: + + * Update all references to the old Fedora release to the new + Fedora release. This includes root, dist, mirrorlist, baseurl + + * Temporarily disabling the web.mit.edu Scripts RPM repository + and the local RPM repository by setting enabled=0 (it's there for + a reason!) However, the local RPM repository is fairly painless + to create and will come in handy when you start attempting to + build packages that have dependencies on other scriptsified + packages: you can set one up as scripts-build with: + + mkdir ~/mock-local + createrepo ~/mock-local + +3. Rebuild Scripts packages +--------------------------- + +In order to support specific extra functionality, we have scriptsified +a variety of Fedora packages. When the base packages get upgrades, +we need to upgrade the scriptsification. Some of the following topics +are covered in 'package-build-howto', but a new Fedora release tends +to also result in somewhat rarer situations. + +As you finish building packages, you'll want to place them somewhere +so they don't get blown away on a successive mock build. ~/mock-local +is a good choice. The Mock RPMs will be created in: + + /var/lib/mock/$MOCK_ENV/result/ + +Here are some of the common troubles you'll have to deal with: + +3.1 Spec patches are no longer necessary + +When a Fedora release gets EOL'ed, we may continue to backport +patches for CVE's manually. When we upgrade to a non-EOL'd release, +those patches will generally become unnecessary and can be dropped. + +You can drop a modified specfile from the repository simply by +`svn rm`ing: + + * The spec patch in server/fedora/specs, + * The source code patch in server/common/patches, and + * The upstream_yum entry in server/fedora/Makefile + +If a specfile merely bumps the version field, there may be no extra +patch (this indicates that the maintainer rebuilt the package simply +by manually dropping the new source tarball in rpmbuild/SOURCES, +which is kind of sketchy but works. See -c 1586 for an example.) + +3.2 Spec patches no longer apply + +Symptom: + + $ make patch-specs + patching file openssh.spec + Hunk #1 succeeded at 74 with fuzz 2 (offset 11 lines). + Hunk #2 failed at 88. + Hunk #3 succeeded at 177 (offset 14 lines). + Hunk #4 succeeded at 270 with fuzz 2 (offset 36 lines). + 1 out of 4 hunks failed--saving rejects to openssh.spec.rej + +Fix: + + The main thing to remember is where the generated files live + they are placed in rpmbuild/SPECS/openssh.spec{.rej,.orig}. + A workflow for fixing them might look like: + + 1. Inspect the rejects file. + 2. As much as possible, manually fix the original diff + file in /srv/repository/server/fedora/specs + 3. If absolutely necessary, edit the rpmbuild/SPECS/openssh.spec + file with any final changes (this is dangerous because + this file is blown away on a successive make) + 4. Generate a new unified diff: + diff -u openssh.spec.orig openssh.spec > \ + /srv/repository/server/fedora/specs\openssh.spec.patch + +3.3 Mock fails with no error message + +Fix: You forgot to add scripts-build to the mock group. See + https://bugzilla.redhat.com/show_bug.cgi?id=630791 + [XXX: remove this entry when this bug is fixed] + +3.4 Source patches no longer apply + +Symptoms: + + Generally, you will see these error messages after Mock starts + building (if they occur before Mock, that means it's a bug in the + spec patch, not a source patch that the spec patch references.) + +Fix: + + The error message will be from within a schroot that Mock is using. + As a result, it's not immediately obvious where the files live. + + The easiest approach is to use rpmbuild to manually reapply the + patches. + + rpmbuild -bp path/to/foo.spec + + If this fails complaining about a dependency, you should install + the dependency and add it to the Makefile. + + Once you've fixed the patch, you can rerun rpmbuild after running + + make setup + + (This is useful if you can't do a full make due to another mock + process running.) + +4. "Officializing" everything +----------------------------- + +web.mit.edu scripts repository (/mit/scripts/rpm-fcXX and +/mit/scripts/rpm-fcXX-testing) needs to be made. It's quite simple; +all you need to do is copy the RPMs from the build server to there +(probably going through a trusted machine, since you don't want to +put your root tickets on a server.) When you're done, run `createrepo` +on the directory. + +Note that if you do a successive rebuild without bumping the Subversion +revision (via a `svn up`), the new package will have the *same* version +and yum will probably insist on using the old cached version. You can +use `yum clean all` to reset your cache and force yum to get the latest +version. + +5. Update fs sysname +-------------------- + +Update /etc/sysconfig/openafs with an extra amd64_fedoraX_scripts and +amd64_fedoraX sysname. The format should be evident from the existing +entries. [XXX There might be other things you want] + +6. Extra stuff +-------------- + +Fedora occasionally updates the architecture name for 32-bit; the last +such update was in Fedora 12, when i586 became i686. Fixing this +usually just involves replacing i586 with i686 in the appropriate places +(Makefile, specfiles, /etc/mock configuration). Note that for +hysterical raisins we still refer to our 32-bit builds as i386. +[XXX: Maybe this should change] Index: /trunk/server/fedora/Makefile =================================================================== --- /trunk/server/fedora/Makefile (revision 1692) +++ /trunk/server/fedora/Makefile (revision 1693) @@ -19,9 +19,9 @@ # See /COPYRIGHT in this repository for more information. -upstream_yum = krb5 krb5.i586 httpd openssh shadow-utils libpng ghostscript +upstream_yum = krb5 krb5.i686 httpd openssh hackage = MonadCatchIO-mtl-0.3.0.1 cgi-3001.1.8.1 unix-handle-0.0.0 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle -upstream = openafs $(upstream_yum) $(upstream_hackage) moira cluster-glue heartbeat pacemaker -oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i586 whoisd mit-zephyr athrun php_scripts scripts-wizard scripts-base scripts-static-cat +upstream = openafs $(upstream_yum) $(upstream_hackage) moira cluster-glue heartbeat pacemaker zephyr zephyr.i686 python-zephyr +oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i686 whoisd athrun php_scripts scripts-wizard scripts-base scripts-static-cat allsrc = $(upstream) $(oursrc) oursrcdir = ${PWD}/../common/oursrc @@ -40,10 +40,12 @@ server_url = "http://web.mit.edu/scripts/src" server_arch = "fedora.stable" -openafs_url = "http://dl.openafs.org/dl/openafs/1.4.11/openafs-1.4.11-1.1.1.src.rpm" +#openafs_url = "http://dl.openafs.org/dl/openafs/1.4.12/openafs-1.4.12-1.1.2.src.rpm" +openafs_url = "file:///home/scripts-build/mock-local/openafs-1.4.12-1.0.pre3.src.rpm" clusterglue_url = "http://kojipkgs.fedoraproject.org/packages/cluster-glue/1.0/0.11.b79635605337.hg.fc12/src/cluster-glue-1.0-0.11.b79635605337.hg.fc12.src.rpm" heartbeat_url = "http://kojipkgs.fedoraproject.org/packages/heartbeat/3.0.0/0.5.0daab7da36a8.hg.fc12/src/heartbeat-3.0.0-0.5.0daab7da36a8.hg.fc12.src.rpm" pacemaker_url = "http://kojipkgs.fedoraproject.org/packages/pacemaker/1.0.5/5.fc12/src/pacemaker-1.0.5-5.fc12.src.rpm" - -PKG = $(patsubst %.i586,%,$@) +zephyr_url = "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.tar.gz" + +PKG = $(patsubst %.i686,%,$@) .PHONY: minimal-clean @@ -59,4 +61,5 @@ clean: minimal-clean rm -rf $(out_rpms) $(out_srpms) $(out_sbin) + rm -f download_stamp mkdir-tree: @@ -66,5 +69,5 @@ download: download_stamp -download_stamp: | SRPMS/mit-zephyr-2.1-6.src.rpm +download_stamp: @mkdir -p $(dload); \ #wget -qO- -nv $(server_url)/$(server_arch) | xargs make @@ -74,8 +77,10 @@ wget -P $(dload) $(heartbeat_url) wget -P $(dload) $(pacemaker_url) + wget -P $(dload) $(zephyr_url) cd $(tmp_src) && wget -nd -r -l1 -np -A.orig.tar.gz http://debathena.mit.edu/apt/pool/debathena/d/debathena-moira/ cabal update cabal fetch $(hackage) cp -a $(hackage:%=~/.cabal/packages/*/*/*/%.tar.gz) $(tmp_src) + spectool -g -R $(specs)/python-zephyr.spec touch download_stamp @@ -139,28 +144,28 @@ $(oursrc): rpmbuild_args += --define 'scriptsversion $(shell svnversion ${oursrcdir}/$** | tr ':' '_' | sed -e 's/-.*/0.uncommitted/')' -$(filter %.i586,$(oursrc)): %.i586: setup +$(filter %.i686,$(oursrc)): %.i686: setup PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc11-i386 --arch=i586 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` - -$(filter-out %.i586,$(oursrc)): %: setup + /usr/bin/mock -r scripts-fc13-i386 --arch=i686 ${rpmbuild_args} --define="_lib lib" -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` + +$(filter-out %.i686,$(oursrc)): %: setup PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc11-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` + /usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` $(upstream) openafs-kernel: rpmbuild_args += --define 'scriptsversion $(shell svnversion ${patches} | tr ':' '_')' -$(filter %.i586,$(upstream)): %.i586: setup patch-specs - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc11-i386 --arch=i586 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` - -$(filter-out %.i586,$(upstream)): %: setup patch-specs - rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec - /usr/bin/mock -r scripts-fc11-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` +$(filter %.i686,$(upstream)): %.i686: setup patch-specs + rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec + /usr/bin/mock -r scripts-fc13-i386 --arch=i686 ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` + +$(filter-out %.i686,$(upstream)): %: setup patch-specs + rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/${PKG}.spec + /usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/${PKG}-[0-9]*.src.rpm | head -1` openafs-kernel: setup PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ rpmbuild ${rpmbuild_args} -bs ${tmp_specs}/openafs*.spec - /usr/bin/mock -r scripts-fc11-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1` + /usr/bin/mock -r scripts-fc13-`uname -m` ${rpmbuild_args} -v --rebuild `ls -t ${out_srpms}/openafs*.src.rpm | head -1` #sort -n sorts "2.6.25-1" later than "2.6.25.1-1", so it's Wrong @@ -172,22 +177,4 @@ openafs-kernel: rpmbuild_args += $(openafs_rpmbuild_args) --define "build_userspace 0" --define "build_modules 1" -suexec: #install-srpms - @rm -rf ${tmp_src}/httpd-2*/; \ - tar zxvf ${tmp_src}/httpd-2*.tar.gz; \ - cd httpd-2*; \ - patch -p1 < ${patches}/httpd-suexec-scripts.patch; \ - autoreconf; \ - ./configure --prefix=/etc/httpd --with-suexec-userdir=web_scripts --with-suexec-caller=apache --with-suexec-uidmin=50 --with-suexec-gidmin=50 --with-suexec-docroot=/ --with-suexec-trusteddir=/usr/libexec/scripts-trusted; \ - pushd support; \ - mkdir -p ${out_sbin}; make suexec && cp suexec ${out_sbin}; \ - popd; \ - rm -rf httpd-2*; \ - echo; \ - echo "suexec binary written to ${out_sbin}."; \ - echo "Run 'make install-suexec' as root to install it."; - -install-suexec: - install -m 4510 -o 0 -g apache ${out_sbin}/suexec /usr/sbin/; - frob-openafs: @if [ ! -d "/etc/openafs/" ]; then \ @@ -199,17 +186,19 @@ # The following packages are needed for our packages -basic-deps = kernel-devel rpm-build rpmdevtools mock gcc autoconf patch krb5-workstation glibc-devel.i586 glibc-devel libtool libgcc.i586 -oursrc-deps = hesinfo openldap-clients openldap-devel.i586 php-devel +basic-deps = kernel-devel rpm-build rpmdevtools mock gcc autoconf patch krb5-workstation glibc-devel.i686 glibc-devel libtool libgcc.i686 +oursrc-deps = hesinfo openldap-clients openldap-devel.i686 php-devel httpdmods-deps = httpd-devel httpd-deps = xmlto db4-devel expat-devel zlib-devel libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel distcache-devel -krb5-deps = bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex texlive-latex +krb5-deps = bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex texlive-latex libss-devel rsh openafs-deps = pam-devel automake -mit-zephyr-deps = readline-devel hesiod-devel hesiod-devel.i586 hesiod.i586 libXt.i586 #compat-readline43 +moira-deps = e2fsprogs-devel +zephyr-deps = hesiod-devel libss-devel krb5-devel readline-devel openssh-deps = gtk2-devel libX11-devel autoconf automake openssl-devel perl zlib-devel audit-libs-devel util-linux groff man pam-devel tcp_wrappers-devel krb5-devel libselinux-devel audit-libs xauth pango-devel cairo-devel libedit-devel nss-devel fipscheck-devel php-deps = bzip2-devel curl-devel gmp-devel libstdc++-devel sqlite-devel gcc-c++ libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel libXpm-devel libjpeg-devel t1lib-devel libmcrypt-devel mhash-devel libtidy-devel freetds-devel aspell-devel recode-devel haskell-deps = cabal-install install-deps: - yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(mit-zephyr-deps) $(openssh-deps) $(php-deps) $(haskell-deps) - rpm -ivh http://kojipkgs.fedoraproject.org/packages/compat-readline43/4.3/3/i386/compat-readline43-4.3-3.i386.rpm + yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(moira-deps) $(zephyr-deps) $(openssh-deps) $(php-deps) $(haskell-deps) +# XXX: We need to figure out what's going on with compat-readline43 +# rpm -ivh http://kojipkgs.fedoraproject.org/packages/compat-readline43/4.3/3/i386/compat-readline43-4.3-3.i386.rpm # rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/core/6/i386/os/Fedora/RPMS/compat-readline43-4.3-3.i386.rpm Index: /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf =================================================================== --- /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf (revision 1692) +++ /trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf (revision 1693) @@ -1,2 +1,2 @@ ServerName scripts.mit.edu -ServerAlias scripts 18.181.0.43 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 scripts-test.mit.edu scripts-test 18.181.0.229 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 localhost 127.0.0.1 ::1 +ServerAlias scripts 18.181.0.43 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 scripts-test.mit.edu scripts-test 18.181.0.229 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 w-e whole-enchilada w-e.mit.edu whole-enchilada.mit.edu 18.181.0.236 localhost 127.0.0.1 ::1 Index: /trunk/server/fedora/config/etc/postfix/main.cf =================================================================== --- /trunk/server/fedora/config/etc/postfix/main.cf (revision 1692) +++ /trunk/server/fedora/config/etc/postfix/main.cf (revision 1693) @@ -17,6 +17,6 @@ recipient_delimiter = + inet_interfaces = all -readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES -sample_directory = /usr/share/doc/postfix-2.5.6/samples +readme_directory = /usr/share/doc/postfix-2.7.0/README_FILES +sample_directory = /usr/share/doc/postfix-2.7.0/samples sendmail_path = /usr/sbin/sendmail html_directory = no Index: /trunk/server/fedora/config/etc/ssh/sshd_config =================================================================== --- /trunk/server/fedora/config/etc/ssh/sshd_config (revision 1692) +++ /trunk/server/fedora/config/etc/ssh/sshd_config (revision 1693) @@ -5,4 +5,5 @@ GSSAPIAuthentication yes GSSAPICleanupCredentials yes +GSSAPIStrictAcceptorCheck no UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES Index: /trunk/server/fedora/config/etc/sysconfig/openafs =================================================================== --- /trunk/server/fedora/config/etc/sysconfig/openafs (revision 1692) +++ /trunk/server/fedora/config/etc/sysconfig/openafs (revision 1693) @@ -12,4 +12,6 @@ Leonidas) /usr/bin/fs sysname 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;; + Goddard) + /usr/bin/fs sysname 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;; *) echo "Warning: unknown platform. AFS sysname not set." Index: /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl =================================================================== --- /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl (revision 1692) +++ /trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl (revision 1693) @@ -115,4 +115,5 @@ } elsif ($message =~ m|^ *nrpe .* COMMAND=/etc/nagios/check_ldap_mmr.real$|) { } elsif ($message =~ m|^ *root : TTY=|) { + } elsif ($message =~ m|^Set /proc/self/oom_adj to 0|) { } else { sendmsg($message, "scripts-spew"); Index: /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo =================================================================== --- /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo (revision 1692) +++ /trunk/server/fedora/config/etc/yum.repos.d/scripts.repo (revision 1693) @@ -1,5 +1,5 @@ [scripts] name=Scripts -baseurl=http://web.mit.edu/scripts/rpm-fc11/ +baseurl=http://web.mit.edu/scripts/rpm-fc13/ enabled=1 gpgcheck=0 @@ -7,5 +7,5 @@ [scripts-testing] name=Scripts Testing -baseurl=http://web.mit.edu/scripts/rpm-fc11-testing/ +baseurl=http://web.mit.edu/scripts/rpm-fc13-testing/ enabled=0 gpgcheck=0 Index: /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec =================================================================== --- /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec (revision 1692) +++ /trunk/server/fedora/specs/ghc-MonadCatchIO-mtl.spec (revision 1693) @@ -1,8 +1,17 @@ %global pkg_name MonadCatchIO-mtl -%bcond_without doc -%bcond_without prof +%global common_summary Haskell %{pkg_name} library -# ghc does not emit debug information +%global common_description A %{pkg_name} library for Haskell. + +# add any Haskell library dependencies here: +%global ghc_pkg_deps ghc-mtl-devel + +# add any foreign library dependencies here: +#%%global ghc_pkg_c_deps @CDEP1@-devel + +%bcond_without shared + +# debuginfo is not useful for ghc %global debug_package %{nil} @@ -10,7 +19,7 @@ Version: 0.3.0.1 Release: 0.%{scriptsversion}%{?dist} -Summary: Haskell %{pkg_name} library +Summary: %{common_summary} -Group: Development/Libraries +Group: System Environment/Libraries License: BSD URL: http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name} @@ -19,53 +28,17 @@ # fedora ghc archs: ExclusiveArch: %{ix86} x86_64 ppc alpha -BuildRequires: ghc, ghc-rpm-macros -%if %{with doc} -BuildRequires: ghc-doc -%endif -%if %{with prof} -BuildRequires: ghc-prof -%endif +BuildRequires: ghc, ghc-doc, ghc-prof +BuildRequires: ghc-rpm-macros >= 0.7.0 +%{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} +%{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} %description -This package provides the Haskell %{pkg_name} library for ghc. - - -%package devel -Summary: Haskell %{pkg_name} library -Group: Development/Libraries -Requires: ghc = %{ghc_version} -Requires(post): ghc = %{ghc_version} -Requires(preun): ghc = %{ghc_version} - -%description devel -This package contains the development files for %{name} -built for ghc-%{ghc_version}. - - -%if %{with doc} -%package doc -Summary: Documentation for %{name} -Group: Development/Libraries -Requires: ghc-doc = %{ghc_version} -Requires(post): ghc-doc = %{ghc_version} -Requires(postun): ghc-doc = %{ghc_version} - -%description doc -This package contains development documentation files for -the %{name} library. +%{common_description} +%if %{with shared} +This package provides the shared library. %endif -%if %{with prof} -%package prof -Summary: Profiling libraries for %{name} -Group: Development/Libraries -Requires: %{name}-devel = %{version}-%{release} -Requires: ghc-prof = %{ghc_version} - -%description prof -This package contains profiling libraries for %{name} -built for ghc-%{ghc_version}. -%endif +%{?ghc_lib_package} @@ -75,17 +48,10 @@ %build -%cabal_configure --ghc %{?with_prof:-p} -%cabal build -%if %{with doc} -%cabal haddock -%endif -%ghc_gen_scripts +%ghc_lib_build %install rm -rf $RPM_BUILD_ROOT -%cabal_install -%ghc_install_scripts -%ghc_gen_filelists %{name} +%ghc_lib_install @@ -94,46 +60,5 @@ -%post devel -%ghc_register_pkg - - -%if %{with doc} -%post doc -%ghc_reindex_haddock -%endif - - -%preun devel -if [ "$1" -eq 0 ] ; then - %ghc_unregister_pkg -fi - - -%if %{with doc} -%postun doc -if [ "$1" -eq 0 ] ; then - %ghc_reindex_haddock -fi -%endif - - -%files devel -f %{name}-devel.files -%defattr(-,root,root,-) -#%{_docdir}/%{name}-%{version} - - -%if %{with doc} -%files doc -f %{name}-doc.files -%defattr(-,root,root,-) -%endif - - -%if %{with prof} -%files prof -f %{name}-prof.files -%defattr(-,root,root,-) -%endif - - %changelog -* Mon Mar 15 2010 Anders Kaseorg - 0.3.0.1-0 -- initial packaging for Fedora automatically generated by cabal2spec +* Thu Sep 9 2010 Anders Kaseorg - 0.3.0.1-0 +- initial packaging for Fedora automatically generated by cabal2spec-0.22.1 Index: /trunk/server/fedora/specs/ghc-cgi.spec =================================================================== --- /trunk/server/fedora/specs/ghc-cgi.spec (revision 1692) +++ /trunk/server/fedora/specs/ghc-cgi.spec (revision 1693) @@ -1,8 +1,17 @@ %global pkg_name cgi -%bcond_without doc -%bcond_without prof +%global common_summary Haskell %{pkg_name} library -# ghc does not emit debug information +%global common_description A %{pkg_name} library for Haskell. + +# add any Haskell library dependencies here: +%global ghc_pkg_deps ghc-network-devel, ghc-parsec-devel, ghc-mtl-devel, ghc-MonadCatchIO-mtl-devel, ghc-xhtml-devel + +# add any foreign library dependencies here: +#%%global ghc_pkg_c_deps @CDEP1@-devel + +%bcond_without shared + +# debuginfo is not useful for ghc %global debug_package %{nil} @@ -10,7 +19,7 @@ Version: 3001.1.8.1 Release: 0.%{scriptsversion}%{?dist} -Summary: Haskell %{pkg_name} library +Summary: %{common_summary} -Group: Development/Libraries +Group: System Environment/Libraries License: BSD URL: http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name} @@ -19,53 +28,17 @@ # fedora ghc archs: ExclusiveArch: %{ix86} x86_64 ppc alpha -BuildRequires: ghc, ghc-rpm-macros, ghc-MonadCatchIO-mtl-devel -%if %{with doc} -BuildRequires: ghc-doc, ghc-MonadCatchIO-mtl-doc -%endif -%if %{with prof} -BuildRequires: ghc-prof, ghc-MonadCatchIO-mtl-prof -%endif +BuildRequires: ghc, ghc-doc, ghc-prof +BuildRequires: ghc-rpm-macros >= 0.7.0 +%{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} +%{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} %description -This package provides the Haskell %{pkg_name} library for ghc. - - -%package devel -Summary: Haskell %{pkg_name} library -Group: Development/Libraries -Requires: ghc = %{ghc_version}, ghc-MonadCatchIO-mtl-devel -Requires(post): ghc = %{ghc_version}, ghc-MonadCatchIO-mtl-devel -Requires(preun): ghc = %{ghc_version}, ghc-MonadCatchIO-mtl-devel - -%description devel -This package contains the development files for %{name} -built for ghc-%{ghc_version}. - - -%if %{with doc} -%package doc -Summary: Documentation for %{name} -Group: Development/Libraries -Requires: ghc-doc = %{ghc_version}, ghc-MonadCatchIO-mtl-doc -Requires(post): ghc-doc = %{ghc_version}, ghc-MonadCatchIO-mtl-doc -Requires(postun): ghc-doc = %{ghc_version}, ghc-MonadCatchIO-mtl-doc - -%description doc -This package contains development documentation files for -the %{name} library. +%{common_description} +%if %{with shared} +This package provides the shared library. %endif -%if %{with prof} -%package prof -Summary: Profiling libraries for %{name} -Group: Development/Libraries -Requires: %{name}-devel = %{version}-%{release} -Requires: ghc-prof = %{ghc_version}, ghc-MonadCatchIO-mtl-prof - -%description prof -This package contains profiling libraries for %{name} -built for ghc-%{ghc_version}. -%endif +%{?ghc_lib_package} @@ -75,17 +48,10 @@ %build -%cabal_configure --ghc %{?with_prof:-p} -%cabal build -%if %{with doc} -%cabal haddock -%endif -%ghc_gen_scripts +%ghc_lib_build %install rm -rf $RPM_BUILD_ROOT -%cabal_install -%ghc_install_scripts -%ghc_gen_filelists %{name} +%ghc_lib_install @@ -94,46 +60,5 @@ -%post devel -%ghc_register_pkg - - -%if %{with doc} -%post doc -%ghc_reindex_haddock -%endif - - -%preun devel -if [ "$1" -eq 0 ] ; then - %ghc_unregister_pkg -fi - - -%if %{with doc} -%postun doc -if [ "$1" -eq 0 ] ; then - %ghc_reindex_haddock -fi -%endif - - -%files devel -f %{name}-devel.files -%defattr(-,root,root,-) -%{_docdir}/%{name}-%{version} - - -%if %{with doc} -%files doc -f %{name}-doc.files -%defattr(-,root,root,-) -%endif - - -%if %{with prof} -%files prof -f %{name}-prof.files -%defattr(-,root,root,-) -%endif - - %changelog -* Mon Mar 15 2010 Anders Kaseorg - 3001.1.8.1-0 -- initial packaging for Fedora automatically generated by cabal2spec +* Thu Sep 9 2010 Anders Kaseorg - 3001.1.8.1-0 +- initial packaging for Fedora automatically generated by cabal2spec-0.22.1 Index: /trunk/server/fedora/specs/ghc-unix-handle.spec =================================================================== --- /trunk/server/fedora/specs/ghc-unix-handle.spec (revision 1692) +++ /trunk/server/fedora/specs/ghc-unix-handle.spec (revision 1693) @@ -1,8 +1,17 @@ %global pkg_name unix-handle -%bcond_without doc -%bcond_without prof +%global common_summary Haskell %{pkg_name} library -# ghc does not emit debug information +%global common_description A %{pkg_name} library for Haskell. + +# add any Haskell library dependencies here: +#%%global ghc_pkg_deps ghc-@DEP1@-devel, ghc-@DEP2@-devel + +# add any foreign library dependencies here: +#%%global ghc_pkg_c_deps @CDEP1@-devel + +%bcond_without shared + +# debuginfo is not useful for ghc %global debug_package %{nil} @@ -10,7 +19,7 @@ Version: 0.0.0 Release: 0.%{scriptsversion}%{?dist} -Summary: Haskell %{pkg_name} library +Summary: %{common_summary} -Group: Development/Libraries +Group: System Environment/Libraries License: BSD URL: http://hackage.haskell.org/cgi-bin/hackage-scripts/package/%{pkg_name} @@ -19,53 +28,17 @@ # fedora ghc archs: ExclusiveArch: %{ix86} x86_64 ppc alpha -BuildRequires: ghc, ghc-rpm-macros -%if %{with doc} -BuildRequires: ghc-doc -%endif -%if %{with prof} -BuildRequires: ghc-prof -%endif +BuildRequires: ghc, ghc-doc, ghc-prof +BuildRequires: ghc-rpm-macros >= 0.7.0 +%{?ghc_pkg_deps:BuildRequires: %{ghc_pkg_deps}, %(echo %{ghc_pkg_deps} | sed -e "s/\(ghc-[^, ]\+\)-devel/\1-doc,\1-prof/g")} +%{?ghc_pkg_c_deps:BuildRequires: %{ghc_pkg_c_deps}} %description -This package provides the Haskell %{pkg_name} library for ghc. - - -%package devel -Summary: Haskell %{pkg_name} library -Group: Development/Libraries -Requires: ghc = %{ghc_version} -Requires(post): ghc = %{ghc_version} -Requires(preun): ghc = %{ghc_version} - -%description devel -This package contains the development files for %{name} -built for ghc-%{ghc_version}. - - -%if %{with doc} -%package doc -Summary: Documentation for %{name} -Group: Development/Libraries -Requires: ghc-doc = %{ghc_version} -Requires(post): ghc-doc = %{ghc_version} -Requires(postun): ghc-doc = %{ghc_version} - -%description doc -This package contains development documentation files for -the %{name} library. +%{common_description} +%if %{with shared} +This package provides the shared library. %endif -%if %{with prof} -%package prof -Summary: Profiling libraries for %{name} -Group: Development/Libraries -Requires: %{name}-devel = %{version}-%{release} -Requires: ghc-prof = %{ghc_version} - -%description prof -This package contains profiling libraries for %{name} -built for ghc-%{ghc_version}. -%endif +%{?ghc_lib_package} @@ -75,17 +48,10 @@ %build -%cabal_configure --ghc %{?with_prof:-p} -%cabal build -%if %{with doc} -%cabal haddock -%endif -%ghc_gen_scripts +%ghc_lib_build %install rm -rf $RPM_BUILD_ROOT -%cabal_install -%ghc_install_scripts -%ghc_gen_filelists %{name} +%ghc_lib_install @@ -94,46 +60,5 @@ -%post devel -%ghc_register_pkg - - -%if %{with doc} -%post doc -%ghc_reindex_haddock -%endif - - -%preun devel -if [ "$1" -eq 0 ] ; then - %ghc_unregister_pkg -fi - - -%if %{with doc} -%postun doc -if [ "$1" -eq 0 ] ; then - %ghc_reindex_haddock -fi -%endif - - -%files devel -f %{name}-devel.files -%defattr(-,root,root,-) -%{_docdir}/%{name}-%{version} - - -%if %{with doc} -%files doc -f %{name}-doc.files -%defattr(-,root,root,-) -%endif - - -%if %{with prof} -%files prof -f %{name}-prof.files -%defattr(-,root,root,-) -%endif - - %changelog -* Mon Mar 15 2010 Anders Kaseorg - 0.0.0-0 -- initial packaging for Fedora automatically generated by cabal2spec +* Thu Sep 9 2010 Anders Kaseorg - 0.0.0-0 +- initial packaging for Fedora automatically generated by cabal2spec-0.22.1 Index: unk/server/fedora/specs/ghostscript.spec.patch =================================================================== --- /trunk/server/fedora/specs/ghostscript.spec.patch (revision 1692) +++ (revision ) @@ -1,44 +1,0 @@ ---- ghostscript.spec 2010-07-16 01:35:28.000000000 -0400 -+++ ghostscript.spec 2010-07-16 01:55:49.000000000 -0400 -@@ -5,7 +5,7 @@ - Name: ghostscript - Version: %{gs_ver} - --Release: 6%{?dist} -+Release: 6.scripts%{scriptsversion}%{?dist} - - # Included CMap data is Redistributable, no modification permitted, - # see http://bugzilla.redhat.com/487510 -@@ -35,6 +35,8 @@ - Patch17: ghostscript-tiff-default-strip-size.patch - Patch18: ghostscript-tiff-fixes.patch - -+Patch100: ghostscript-CVE-2010-1628.patch -+ - Requires: urw-fonts >= 1.1, ghostscript-fonts - BuildRequires: xz - BuildRequires: libjpeg-devel, libXt-devel -@@ -151,6 +153,9 @@ - # Backported some more TIFF fixes (bug #573970). - %patch18 -p1 -b .tiff-fixes - -+# Avoid an exploitable overflow (scripts.mit.edu local patch). -+%patch100 -p1 -b .CVE-2010-1628 -+ - # Convert manual pages to UTF-8 - from8859_1() { - iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" -@@ -332,6 +337,13 @@ - %{_libdir}/libgs.so - - %changelog -+* Fri Jul 16 2010 Geoffrey Thomas 8.71-6.scripts -+- Include the patch -+ http://bugs.ghostscript.com/attachment.cgi?id=6350 -+ to fix CVE-2010-1628 (potential arbitrary code execution via -+ an overflow), from the upstream bug report: -+ http://bugs.ghostscript.com/show_bug.cgi?id=691295 -+ - * Tue Mar 16 2010 Tim Waugh 8.71-6 - - Backported some more TIFF fixes (bug #573970). - - Use upstream fix for TIFF default strip size (bug #571520). Index: /trunk/server/fedora/specs/httpd.spec.patch =================================================================== --- /trunk/server/fedora/specs/httpd.spec.patch (revision 1692) +++ /trunk/server/fedora/specs/httpd.spec.patch (revision 1693) @@ -1,10 +1,10 @@ ---- httpd.spec.orig 2010-08-26 21:00:40.771666965 -0400 -+++ httpd.spec 2010-08-26 21:01:56.601668199 -0400 +--- httpd.spec.orig 2010-07-27 11:55:33.000000000 -0400 ++++ httpd.spec 2010-09-06 20:45:28.000000000 -0400 @@ -7,7 +7,7 @@ Summary: Apache HTTP Server Name: httpd - Version: 2.2.15 --Release: 1%{?dist}.1 -+Release: 1%{?dist}.1.scripts.%{scriptsversion} + Version: 2.2.16 +-Release: 1%{?dist} ++Release: 1%{?dist}.scripts.%{scriptsversion} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz @@ -33,5 +33,5 @@ %description devel The httpd-devel package contains the APXS binary and other files -@@ -102,6 +111,7 @@ +@@ -103,6 +112,7 @@ Requires(post): openssl >= 0.9.7f-4, /bin/cat Requires(pre): httpd @@ -41,5 +41,5 @@ %description -n mod_ssl -@@ -129,6 +139,13 @@ +@@ -130,6 +140,13 @@ # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -55,5 +55,5 @@ vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` if test "x${vmmn}" != "x%{mmn}"; then -@@ -177,10 +194,12 @@ +@@ -178,10 +195,12 @@ --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ --enable-suexec --with-suexec \ Index: /trunk/server/fedora/specs/krb5.spec.patch =================================================================== --- /trunk/server/fedora/specs/krb5.spec.patch (revision 1692) +++ /trunk/server/fedora/specs/krb5.spec.patch (revision 1693) @@ -1,16 +1,16 @@ ---- krb5.spec.orig 2010-05-18 14:16:44.000000000 -0400 -+++ krb5.spec 2010-05-20 10:20:32.000000000 -0400 -@@ -16,7 +16,7 @@ - Summary: The Kerberos network authentication system. +--- rpmbuild/SPECS/krb5.spec.orig 2010-08-25 11:36:57.000000000 -0400 ++++ rpmbuild/SPECS/krb5.spec 2010-09-12 20:47:47.000000000 -0400 +@@ -10,7 +10,7 @@ + Summary: The Kerberos network authentication system Name: krb5 - Version: 1.6.3 --Release: 31%{?dist} -+Release: 31%{?dist}.scripts.%{scriptsversion} + Version: 1.7.1 +-Release: 13%{?dist} ++Release: 13%{?dist}.scripts.%{scriptsversion} # Maybe we should explode from the now-available-to-everybody tarball instead? - # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar + # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz -@@ -114,6 +114,8 @@ - Patch88: krb5-1.6.1-cs22427.patch - Patch89: krb5-CVE-2010-1321-1.6.1.patch +@@ -92,6 +92,8 @@ + Patch103: krb5-1.7.1-24139.patch + Patch104: krb5-1.7.1-explife.patch +Patch1000: krb5-kuserok-scripts.patch @@ -19,18 +19,18 @@ URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries -@@ -155,6 +157,7 @@ +@@ -136,6 +138,7 @@ + %package libs + Summary: The shared libraries used by Kerberos 5 Group: System Environment/Libraries - Prereq: grep, /sbin/ldconfig, sh-utils - Obsoletes: krb5-configs +Provides: scripts-krb5-libs %description libs Kerberos is a network authentication system. The krb5-libs package -@@ -1478,6 +1481,7 @@ - %patch87 -p0 -b .kpasswd_ipv6 - %patch88 -p0 -b .cs22427 - %patch89 -p1 -b .CVE-2010-1321 +@@ -1654,6 +1657,7 @@ + %patch102 -p1 -b .CVE-2010-1321 + %patch103 -p1 -b .24139 + %patch104 -p0 -b .explife +%patch1000 -p1 -b .kuserok - cp src/krb524/README README.krb524 gzip doc/*.ps + sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex Index: unk/server/fedora/specs/libpng.spec.patch =================================================================== --- /trunk/server/fedora/specs/libpng.spec.patch (revision 1692) +++ (revision ) @@ -1,24 +1,0 @@ ---- libpng.spec 2010-03-15 13:26:15.000000000 -0400 -+++ libpng.spec 2010-07-14 00:07:10.000000000 -0400 -@@ -1,8 +1,8 @@ - Summary: A library of functions for manipulating PNG image format files - Name: libpng - Epoch: 2 --Version: 1.2.43 --Release: 1%{?dist} -+Version: 1.2.44 -+Release: 1.scripts.%{scriptsversion}%{?dist} - License: zlib - Group: System Environment/Libraries - URL: http://www.libpng.org/pub/png/ -@@ -94,6 +94,10 @@ - rm -rf $RPM_BUILD_ROOT - - %changelog -+* Tue Jul 13 2010 Geoffrey Thomas 2:1.2.44-1 -+- Update to libpng 1.2.44, includes fixes for CVE-2010-1205 and CVE-2010-2249 -+ (This is equivalent to Tom Lane's 2:1.2.44-1 change from non-EOL'd distros) -+ - * Mon Mar 15 2010 Tom Lane 2:1.2.43-1 - - Update to libpng 1.2.43, includes fix for CVE-2010-0205 - Related: #566234 Index: unk/server/fedora/specs/mit-zephyr.spec.patch =================================================================== --- /trunk/server/fedora/specs/mit-zephyr.spec.patch (revision 1692) +++ (revision ) @@ -1,10 +1,0 @@ ---- mit-zephyr.spec 2006-08-10 10:32:01.000000000 -0400 -+++ mit-zephyr.spec.new 2007-01-14 15:43:04.000000000 -0500 -@@ -67,7 +67,6 @@ - Source1: zhm.init - URL: http://web.mit.edu/afs/dev.mit.edu/source/src-current/athena/lib/zephyr/ - Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot --Requires: mit-krb-config - BuildPreReq: readline-devel, ncurses-devel - %if %{redhat}=="yes" - Requires: hesiod, krb5-libs Index: /trunk/server/fedora/specs/openafs.spec.patch =================================================================== --- /trunk/server/fedora/specs/openafs.spec.patch (revision 1692) +++ /trunk/server/fedora/specs/openafs.spec.patch (revision 1693) @@ -1,14 +1,14 @@ ---- openafs.spec.orig -+++ openafs.spec +--- openafs.spec.orig 2010-09-10 18:21:53.000000000 -0400 ++++ openafs.spec 2010-09-10 18:34:30.000000000 -0400 @@ -8,7 +8,7 @@ # for beta/rc releases make pkgrel 0.X. # for real releases make pkgrel 1 (or more for extra releases) #%define pkgrel 0.1.rc1 --%define pkgrel 1.1 -+%define pkgrel 1.1.99scripts.%{scriptsversion} +-%define pkgrel 0.pre3 ++%define pkgrel 0.pre3.99scripts.%{scriptsversion} %if %{?osvers:0}%{!?osvers:1} %define osvers 1 -@@ -261,6 +261,11 @@ +@@ -261,6 +261,10 @@ %endif ExclusiveArch: %{ix86} x86_64 ia64 s390 s390x sparc64 ppc ppc64 @@ -17,18 +17,17 @@ +Patch1003: openafs-localcsdb.patch +Patch1005: openafs-numsysnames.patch -+Patch1006: openafs-release-glock.patch + # http://dl.openafs.org/dl/openafs/candidate/%{afsvers}/... Source0: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-src.tar.bz2 Source1: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-doc.tar.bz2 -@@ -343,6 +348,7 @@ +@@ -343,6 +347,7 @@ %if %{build_userspace} %package client +Provides: scripts-openafs-client - Requires: binutils, openafs = %{PACKAGE_VERSION} + Requires: binutils, openafs = %{version} %if %{fedorakmod} -@@ -403,6 +409,7 @@ +@@ -403,6 +408,7 @@ %if %{build_authlibs} @@ -38,5 +37,5 @@ Group: Networking/Filesystems -@@ -419,6 +426,7 @@ +@@ -419,6 +425,7 @@ %endif @@ -44,7 +43,7 @@ +Provides: scripts-openafs-authlibs-devel %if %{build_authlibs} - Requires: openafs-authlibs = %{PACKAGE_VERSION} + Requires: openafs-authlibs = %{version} %endif -@@ -437,6 +445,7 @@ +@@ -437,6 +444,7 @@ libraries. @@ -54,5 +53,5 @@ Group: Development/Filesystems -@@ -465,6 +474,7 @@ +@@ -465,6 +473,7 @@ administrators. @@ -61,6 +60,6 @@ Summary: OpenAFS Kernel Module source tree Group: Networking/Filesystems - Provides: openafs-kernel = %{PACKAGE_VERSION} -@@ -514,6 +524,7 @@ + Provides: openafs-kernel = %{version} +@@ -514,6 +523,7 @@ %if %{krb5support} @@ -68,7 +67,7 @@ +Provides: scripts-openafs-krb5 Summary: OpenAFS programs to use with krb5 - Requires: openafs = %{PACKAGE_VERSION} + Requires: openafs = %{version} Group: Networking/Filesystems -@@ -540,7 +551,7 @@ +@@ -540,7 +550,7 @@ %if %{build_modules} @@ -79,5 +78,5 @@ %else -@@ -699,6 +710,10 @@ +@@ -699,6 +709,9 @@ # Patch openafs to build a kernel module named "openafs" instead of "libafs" @@ -86,23 +85,5 @@ +%patch1003 -p1 -b .localcsdb +%patch1005 -p1 -b .numsysnames -+%patch1006 -p1 -b .release-glock ############################################################################## # -@@ -1209,7 +1224,7 @@ - rm -rf $RPM_BUILD_ROOT%{_sbindir}/kdump* - - # remove man pages from programs deleted above --for f in 1/dlog 1/dpass 1/livesys 1/xstat_cm_test 1/xstat_fs_test 8/kdb 8/kpwvalid 8/xfs_size_check 1/package_test 5/package 8/package ; do -+for f in 1/compile_et 1/dlog 1/dpass 1/livesys 1/xstat_cm_test 1/xstat_fs_test 8/kdb 8/kpwvalid 8/xfs_size_check 1/package_test 5/package 8/package ; do - rm -f $RPM_BUILD_ROOT%{_mandir}/man$f.* - done - -@@ -1569,7 +1584,6 @@ - %{_libdir}/librxstat.a - %{_libdir}/libubik.a - %{_mandir}/man1/rxgen.* --%{_mandir}/man1/compile_et.* - - %if %{build_dkmspkg} - %files -n dkms-%{name} Index: /trunk/server/fedora/specs/openssh.spec.patch =================================================================== --- /trunk/server/fedora/specs/openssh.spec.patch (revision 1692) +++ /trunk/server/fedora/specs/openssh.spec.patch (revision 1693) @@ -1,23 +1,22 @@ ---- openssh.spec.orig 2010-03-30 02:27:53.000000000 -0400 -+++ openssh.spec 2010-03-30 02:30:09.000000000 -0400 -@@ -63,7 +63,7 @@ +--- openssh.spec.orig 2010-05-31 06:20:02.000000000 -0400 ++++ openssh.spec 2010-09-06 21:53:21.000000000 -0400 +@@ -74,7 +74,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh - Version: 5.2p1 --Release: 6%{?dist}%{?rescue_rel} -+Release: 6%{?dist}%{?rescue_rel}.scripts.%{scriptsversion} + Version: 5.4p1 +-Release: %{openssh_rel}%{?dist}%{?rescue_rel} ++Release: %{openssh_rel}%{?dist}%{?rescue_rel}.scripts.%{scriptsversion} URL: http://www.openssh.com/portable.html + #URL1: http://pamsshagentauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz - #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc -@@ -74,6 +74,8 @@ - Source1: openssh-nukeacss.sh - Source2: sshd.pam +@@ -88,6 +88,7 @@ Source3: sshd.init -+Patch1000: openssh-5.0p1-multihomed.patch + Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 + Source5: pam_ssh_agent-rmheaders +Patch1001: openssh-4.7p1-gssapi-name-in-env.patch - Patch0: openssh-5.2p1-redhat.patch - Patch2: openssh-5.1p1-skip-initial.patch - Patch3: openssh-3.8.1p1-krb5-config.patch -@@ -161,6 +163,7 @@ + Patch0: openssh-5.4p1-redhat.patch + Patch2: openssh-5.3p1-skip-initial.patch + Patch4: openssh-5.2p1-vendor.patch +@@ -175,6 +177,7 @@ Requires(post): chkconfig >= 0.9, /sbin/service Requires(pre): /usr/sbin/useradd @@ -27,9 +26,8 @@ %package askpass Summary: A passphrase dialog for OpenSSH and X -@@ -231,6 +234,9 @@ - %patch65 -p1 -b .fips - %patch67 -p1 -b .selabel +@@ -267,6 +270,8 @@ + %patch75 -p1 -b .dso + %patch76 -p1 -b .bz595935 -+%patch1000 -p1 -b .multihomed +%patch1001 -p1 -b .gssapi-env + Index: /trunk/server/fedora/specs/python-zephyr.spec =================================================================== --- /trunk/server/fedora/specs/python-zephyr.spec (revision 1693) +++ /trunk/server/fedora/specs/python-zephyr.spec (revision 1693) @@ -0,0 +1,50 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} + +Name: python-zephyr +Version: 0.2.0 +%define commit_hash c9a7f05 +%define tag_hash ed65206 +Release: 0.%{scriptsversion}%{?dist} +Summary: Python access to zephyr library + +Group: Development/Languages +License: MIT +URL: http://github.com/ebroder/python-zephyr +Source0: http://github.com/ebroder/python-zephyr/tarball/%{version}/ebroder-%{name}-%{version}-0-g%{commit_hash}.tar.gz +Patch1: http://github.com/ebroder/python-zephyr/commit/944b3c3a2a2476758268d4b75b65c2ec38fa46e7.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: python-devel, python-setuptools, Pyrex, zephyr-devel, libcom_err-devel + +%description +Get at the zephyr library from Python. Woo. + + +%prep +%setup -q -n ebroder-%{name}-%{tag_hash} +%patch1 -p1 + + +%build +CFLAGS="$RPM_OPT_FLAGS" CPPFLAGS="-I%{_includedir}/et" %{__python} setup.py build + + +%install +rm -rf $RPM_BUILD_ROOT +%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%doc +%{python_sitearch}/* + + +%changelog +* Sun Sep 19 2010 Anders Kaseorg - 0.2.0-0 +- Initial RPM release + Index: /trunk/server/fedora/specs/scripts-base.spec =================================================================== --- /trunk/server/fedora/specs/scripts-base.spec (revision 1692) +++ /trunk/server/fedora/specs/scripts-base.spec (revision 1693) @@ -9,5 +9,5 @@ Source: %{name}.tar.gz BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root -Requires: accountadm, execsys, scripts-kmod-openafs, scripts-krb5-libs, scripts-httpd, scripts-mod_ssl, openafs, scripts-openafs-client, scripts-openafs-authlibs, scripts-openafs-devel, scripts-openafs-krb5, openafs-docs, scripts-openssh-server, sql-signup, tokensys, whoisd, logview, nss-ldapd, php_scripts, scripts-shadow-utils +Requires: accountadm, execsys, scripts-kmod-openafs, scripts-krb5-libs, scripts-httpd, scripts-mod_ssl, openafs, scripts-openafs-client, scripts-openafs-authlibs, scripts-openafs-devel, scripts-openafs-krb5, openafs-docs, scripts-openssh-server, sql-signup, tokensys, whoisd, logview, nss-ldapd, php_scripts, zephyr, httpdmods, nss_nonlocal, nss_nonlocal.i686 %define debug_package %{nil} Index: /trunk/server/fedora/specs/scripts-static-cat.spec =================================================================== --- /trunk/server/fedora/specs/scripts-static-cat.spec (revision 1692) +++ /trunk/server/fedora/specs/scripts-static-cat.spec (revision 1693) @@ -1,2 +1,6 @@ +# link with shared libs +# andersk: Disabled for 3x faster startup speed. +#%%bcond_without dynamic + # ghc does not emit debug information %global debug_package %{nil} @@ -14,5 +18,7 @@ # fedora ghc archs: ExclusiveArch: %{ix86} x86_64 ppc alpha -BuildRequires: ghc, ghc-rpm-macros, ghc-cgi-devel >= 3001.1.8, ghc-MonadCatchIO-mtl-devel, ghc-unix-handle-devel +BuildRequires: ghc +BuildRequires: ghc-rpm-macros >= 0.7.0 +BuildRequires: ghc-cgi-devel >= 3001.1.8, ghc-MonadCatchIO-mtl-devel, ghc-unix-handle-devel %description @@ -25,11 +31,10 @@ %build -%cabal_configure --ghc -%cabal build +%ghc_bin_build %install rm -rf $RPM_BUILD_ROOT -%cabal_install +%ghc_bin_install @@ -44,4 +49,4 @@ %changelog -* Sun Mar 14 2010 Anders Kaseorg - 0.0-0 -- initial packaging for Fedora automatically generated by cabal2spec +* Thu Sep 9 2010 Anders Kaseorg - 0.0-0 +- initial packaging for Fedora automatically generated by cabal2spec-0.22.1 Index: unk/server/fedora/specs/shadow-utils.spec.patch =================================================================== --- /trunk/server/fedora/specs/shadow-utils.spec.patch (revision 1692) +++ (revision ) @@ -1,39 +1,0 @@ ---- shadow-utils.spec.orig 2010-03-12 00:48:00.000000000 -0500 -+++ shadow-utils.spec 2010-03-12 00:55:36.000000000 -0500 -@@ -1,7 +1,7 @@ - Summary: Utilities for managing accounts and shadow password files - Name: shadow-utils - Version: 4.1.4.1 --Release: 5%{?dist} -+Release: 5.scripts.%{scriptsversion}%{?dist} - Epoch: 2 - URL: http://pkg-shadow.alioth.debian.org/ - Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 -@@ -21,6 +21,7 @@ - Requires: audit-libs >= 1.6.5 - Requires: setup - Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -+Provides: scripts-shadow-utils - - %description - The shadow-utils package includes the necessary programs for -@@ -60,7 +61,8 @@ - --with-selinux \ - --without-libcrack \ - --without-libpam \ -- --disable-shared -+ --disable-shared \ -+ --with-group-name-max-length=32 - make - - %install -@@ -182,6 +184,9 @@ - %{_mandir}/man8/vigr.8* - - %changelog -+* Fri Mar 12 2010 Mitchell Berger 2:4.1.4.1-5.scripts -+- change max group name length back to 32 -+ - * Wed Aug 05 2009 Peter Vrabec 2:4.1.4.1-5 - - increase threshold for uid/gid reservations to 200 (#515667) - Index: /trunk/server/fedora/specs/zephyr.spec =================================================================== --- /trunk/server/fedora/specs/zephyr.spec (revision 1693) +++ /trunk/server/fedora/specs/zephyr.spec (revision 1693) @@ -0,0 +1,147 @@ +Name: zephyr +Version: 3.0 +Release: 0.%{scriptsversion}%{?dist} +Summary: Client programs for the Zephyr real-time messaging system + +Group: Applications/Communications +License: MIT +URL: http://zephyr.1ts.org/ +Source0: http://zephyr.1ts.org/export/HEAD/distribution/%{name}-%{version}.tar.gz +Source1: zhm.init +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: krb5-devel hesiod-devel libss-devel libcom_err-devel readline-devel bison +Requires: %{name}-libs = %{version}-%{release} +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts + +%description +Zephyr is an institutional/enterprise-scale distributed real-time messaging and +notification system. Zephyr's design choices seem to imbue it with a specific +culture. It is impossible to explain what Zephyr is, you must experience it +for yourself. + + +%package server +Summary: Server for the Zephyr real-time messaging system +Group: System Environment/Daemons + +Requires: %{name}-libs = %{version}-%{release} + +%description server +The %{name}-server package contains the server daemon for the Zephyr +messaging service. It maintains a location and subscription database +for all the receiving clients, and routes all zephyrgrams to the +intended recipients. + + +%package libs +Summary: Shared libraries for Zephyr real-time messaging system +Group: System Environment/Libraries + +%description libs +The %{name}-libs package contains shared libraries for applications +that use %{name}. + + +%package devel +Summary: Development files for Zephyr real-time messaging system +Group: Development/Libraries + +Requires: %{name}-libs = %{version}-%{release}, libcom_err-devel + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%setup -q +cp -p %{SOURCE1} . + + +%build +# Mitch wants to make an awesome specfile which makes hesiod/krb5 and friends +# all fully configurable. This configure line will have to do for now. +%configure --with-hesiod --with-krb5 --disable-static +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +make %{?_smp_mflags} + + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' + +mkdir -p $RPM_BUILD_ROOT%{_initddir} +install -m755 zhm.init \ + $RPM_BUILD_ROOT%{_initddir}/zhm + + +%post +/sbin/chkconfig --add zhm + + +%preun +if [ $1 = 0 ] ; then + /sbin/service zhm stop >/dev/null 2>&1 + /sbin/chkconfig --del zhm +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service zhm condrestart >/dev/null 2>&1 || : +fi + + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%doc README USING +%{_bindir}/* +%{_sbindir}/zhm +%{_sbindir}/zshutdown_notify +%{_mandir}/man1/* +%{_mandir}/man8/zhm.8* +%{_mandir}/man8/zstat.8* +%{_mandir}/man8/zshutdown_notify.8* +%{_datadir}/zephyr +%{_initddir}/zhm + + +%files server +%doc OPERATING +%{_sysconfdir}/zephyr +%{_sbindir}/zephyrd +%{_mandir}/man8/zephyrd.8* + + +%files libs +%{_libdir}/*.so.* + + +%files devel +%{_libdir}/*.so +%{_includedir}/* + + +%changelog +* Sun Sep 19 2010 Anders Kaseorg - 3.0-0 +- Decrease version below a hypothetical Fedora package. +- Split out -server, -libs, and -devel into subpackages. +- Disable the static library and remove the libtool archive. + +* Thu Sep 09 2010 Edward Z. Yang 3.0-1 +- Initial packaging release, superseding mit-zephyr. Index: /trunk/server/fedora/specs/zhm.init =================================================================== --- /trunk/server/fedora/specs/zhm.init (revision 1693) +++ /trunk/server/fedora/specs/zhm.init (revision 1693) @@ -0,0 +1,107 @@ +#!/bin/sh +# +# zhm Startup script for Zephyr Host Manager +# +# chkconfig: - 20 80 +# description: The Zephyr Host Manager coordinates all incoming +# and outgoing messages for a given host. If it +# is not running, you will not be able to send or +# receive Zephyr messages. + +# XXX needs configuration file support + +# XXX this needs to be audited +### BEGIN INIT INFO +# Provides: zhm +# Required-Start: $local_fs $remote_fs $network $named +# Required-Stop: $local_fs $remote_fs $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop Zephyr Host Manager +# Description: The Zephyr Host Manager coordinates all incoming +# and outgoing messages for a given host. +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +exec="/usr/sbin/zhm" +prog="zhm" + +[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog + +lockfile=/var/lock/subsys/$prog + +start() { + [ -x $exec ] || exit 5 + echo -n $"Starting $prog: " + daemon $exec + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc $prog + retval=$? + echo + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +reload() { + restart +} + +force_reload() { + restart +} + +rh_status() { + # run checks to determine if the service is running or use generic status + status $prog +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $?