Etics Automatic Deployment Scripts

Starting the Installation

The installation task starts with a shell script named doIT.sh which provides the needed instructions to perform the installation of the service.

wget http://eticssoft.web.cern.ch/eticssoft/internal/public/config/ETICS_testing/continuous_test/etics-dev.cern.ch/doIT.sh

This script exports the YUM_REPOSITORY variable, which holds the URL of the yum repo file. To install a particular version of the server (for example etics-dev), the user must override it with the repo file address for that build.

export YUM_REPOSITORY=http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/name/yum_etics-dev/etics-volatile-build-by-id.repo

wget http://eticssoft.web.cern.ch/eticssoft/internal/public/dist/Release/pre-production/install_configure_importData.sh -O install_configure_importData.sh

The next instruction downloads the install_configure_importData.sh script from the eticssoft repository; this script performs the "real" service installation after executing some checks.

The installation script

First of all, the script checks that it has been called correctly:

function show_usage
{
echo "You need to call this script with one argument"
echo " $0 server | repository"
}

if [ "$1" != "server" ] && [ "$1" != "repository" ]; then
show_usage
exit -1
fi

Then, if the repository has not been defined, it sets the default one:

if [ -z "${YUM_REPOSITORY}" ]
then
echo "The repository not defined (YUM_REPOSITORY not defined), using default one"
YUM_REPOSITORY="http://eticssoft.web.cern.ch/eticssoft/internal/public/dist/config/yum/etics-production.repo"
echo
fi
echo
echo "YUM_REPOSITORY=${YUM_REPOSITORY}"

It removes jpackage-utils and mysql:

if [ $? -eq 0 ]
then
yum -y remove jpackage-utils
else
echo "--- Package not installed"
fi

It installs the server or the repository (depending on how the script has been called):

...

##### ETICS Server
if [ "$1" == "server" ]
then package_name=etics-deployment-server
fi

##### ETICS Repository
if [ "$1" == "repository" ]
then package_name=etics-deployment-repository
fi

...
echo "Installing ${package_name}"

yum -y install ${package_name}
rpm -q ${package_name}
if [ $? -ne 0 ]
then
echo "*** Problem with installation of ${package_name}" | tee -a ERROR.log;
exit -1
fi

Finally it calls some further scripts:

pre_configure.sh, which copies my.cnf into the proper folder for mysql, asks for the mysql status and forces the security policy for selinux

configure.sh, described below, which performs the proper service configuration

post_install.sh, which downloads the db file and creates the repository

Configure.sh

It performs the system configuration. The script is located in the folder /opt/etics/deployment, which is generated during the installation phase.

[root@eticstest-vm04 deployment]# ll
total 88
drwxr-xr-x 9 root root 4096 Jan 25 11:15 config
-rw-r--r-- 1 root root 5310 Jan 25 11:17 configure.sh
-rw-r--r-- 1 root root 168 Jan 25 11:16 ERROR.log
drwxr-xr-x 2 root root 4096 Jan 25 11:15 etc
-rw-r--r-- 1 root root 6441 Jan 25 11:15 etics.server.conf
-rw-r--r-- 1 root root 6400 Nov 18 16:07 etics.server.conf.orig
-rw-r--r-- 1 root root 2345 Sep 9 17:21 etics.server_defaults.conf
-rw-r--r-- 1 root root 6908 Nov 12 17:35 etics_submitter.conf
-rw-r--r-- 1 root root 227 Jan 25 11:46 INFO.log
-rw-r--r-- 1 root root 4927 Jan 25 11:16 replace_script.sed
-rw-r--r-- 1 root root 3015 Jan 25 11:17 runall.sh
drwxr-xr-x 4 root root 4096 Jan 25 11:46 scripts
-rw-r--r-- 1 root root 2193 May 8 2009 site-specific.conf
drwxr-xr-x 2 root root 4096 Jan 25 11:18 template
drwxr-xr-x 4 root root 4096 Jan 25 11:17 test
-rw-r--r-- 1 root root 1690 Jan 25 11:18 tokenReplacer.py
-rw-r--r-- 1 root root 1846 Jan 25 11:17 tokenReplacer.sh

The script performs several steps: it checks that tomcat is running and that java has been installed, checks for the presence of the certificate files in /etc/grid-security, replaces the configuration tokens using tokenReplacer.sh, and finally invokes the runall.sh script.

tokenReplacer.sh is a short but complex script which uses the sed shell command to substitute the main key values into the configuration files.

The runall.sh script

This script executes, in numeric order, all the scripts contained in the scripts folder under /opt/etics/deployment. It is not possible to go into the details of each script here, but a comment describing the general function of each one has been added to the listing.

[root@eticstest-vm04 scripts]# ll
total 132
-rw-r--r-- 1 root root 1517 Jan 25 11:17 050_pre-sitespecific.sh (performs some platform dependent operations, e.g. kernel version...)
-rw-r--r-- 1 root root 1545 Jan 25 11:17 100_certificates_keystore.sh (checks the user certificate in pkcs12 format and updates the CRLs of each trusted CA)
-rw-r--r-- 1 root root 5437 Jan 25 11:17 200_condor.sh (configures condor files and starts condor daemons)
-rw-r--r-- 1 root root 7325 Jan 25 11:17 300_nmi.sh (grants privileges on tables for nmi db and performs the nmi framework setup)
-rw-r--r-- 1 root root 5275 Jan 25 11:17 400_mysql.sh (creates the etics db and grants privileges on tables and creates indexes on tables)
-rw-r--r-- 1 root root 3431 Jan 25 11:17 450_tomcat.sh (setting up the configuration files and tomcat configuration by server.xml)
-rw-r--r-- 1 root root 580 Jan 25 11:17 480_web_services.sh (copies xml and properties configuration files)
-rw-r--r-- 1 root root 7599 Jan 25 11:17 610_webapplication_certs.sh (fills database with data from certificates)
-rw-r--r-- 1 root root 4698 Jan 25 11:17 950_post-sitespecific.sh (redirecting with IPTABLES from 443/80 to 8443/8080)
-rw-r--r-- 1 root root 4144 Jan 25 11:17 960_apache_tomcat.sh (configuring httpd.conf and ssl.conf)
-rw-r--r-- 1 root root 1854 Jan 25 11:17 970_apache_tomcat_redirections.sh (redirecting HTML links to refresh pages)
drwxr-xr-x 3 root root 4096 Jan 25 12:21 database_migration
-rw-r--r-- 1 root root 74 Jan 25 11:46 ERROR.log
-rw-r--r-- 1 root root 260 Jan 25 12:22 INFO.log
-rw-r--r-- 1 root root 5072 Jan 25 11:17 insertCAs.py
-rw-r--r-- 1 root root 7077 Jan 25 11:17 install.sh
-rw-r--r-- 1 root root 96 Jan 25 11:46 mysql_for_WSschema.sql
-rw-r--r-- 1 root root 594 Jan 25 11:46 mysql_for_WS.sql
-rw-r--r-- 1 root root 758 Jan 25 12:22 rights_for_ADMIN.sql
-rw-r--r-- 1 root root 685 Jan 25 12:22 rights_for_REP.sql
-rw-r--r-- 1 root root 1177 Jan 25 12:22 rights_for_WA.sql
drwxr-xr-x 2 root root 4096 Jan 25 11:17 template
-rw-r--r-- 1 root root 289 Jan 25 12:22 test_repositoryDN_presence.sql
-rw-r--r-- 1 root root 281 Jan 25 12:22 test_WA_DN_presence.sql
-rw-r--r-- 1 root root 2157 Jan 25 11:17 upgrade.sh

This is the code which iterates over the script list:

################################################################################
## run all the scripts in the ascending order
################################################################################

[ "$1" = "server" ] && script_selection=`ls scripts/[0-9]*.sh | sort`
[ "$1" = "repository" ] && script_selection=`ls scripts/[0-9]*.sh |egrep "(050|100|400|450|480|950|970)" | sort`

for i in `echo ${script_selection}`
do
echo "------- running: ${i} ($1) ------"
(cd scripts; sh `basename ${i} ` $1 )
runResult=$?
echo -e "------- finished: ${i} ($1) ------\n"
if [ ${runResult} -ne 0 ]
then
echo
echo "Error when executing script: ${i}; exiting here" | tee -a ERROR.log
echo "See the ERROR.log for the possible messages and run manually the script: ${i} $1" | tee -a ERROR.log
echo
exit 1
fi
done

Finally it restarts the services:

################################################################################
## Tomcat, condor, mysql, httpd (re)start needed
################################################################################

echo "--- Starting the services (common): mysql and httpd "
/sbin/service mysql start || exit 1
/sbin/service httpd start || exit 1

The template files

The folder /opt/etics/deployment/config contains the script template files:

[root@eticstest-vm04 config]# ll
total 28
drwxr-xr-x 3 root root 4096 Jan 25 11:16 afs
drwxr-xr-x 3 root root 4096 Jan 25 11:17 apache
drwxr-xr-x 3 root root 4096 Jan 25 11:16 condor
drwxr-xr-x 3 root root 4096 Jan 25 11:16 mysql
drwxr-xr-x 3 root root 4096 Jan 25 11:16 nmi
drwxr-xr-x 3 root root 4096 Jan 25 11:16 selinux
drwxr-xr-x 3 root root 4096 Jan 25 11:16 tomcat

Each subfolder contains the configuration template files. These contain parameters enclosed in double @ characters, which will be substituted using sed.

For example:

[root@eticstest-vm04 template]# pwd
/opt/etics/deployment/config/apache/template

[root@eticstest-vm04 template]# ls
ssl.conf workers.properties

from the file ssl.conf

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath @@sec_path@@/certificates
#SSLCACertificateFile /usr/share/ssl/certs/ca-bundle.crt

sec_path will be substituted with the right value by tokenReplacer.sh.
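The @@token@@ substitution described above, as an added example that is not the ETICS tokenReplacer.sh: it builds a sed script from a key=value file, escapes the characters sed treats specially in a replacement, and fails if a token is left unreplaced. The key=value file format, the file names and the admin_mail token are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Added example: @@token@@ substitution with sed. Not the ETICS tokenReplacer.sh.
# Assumed: the values come from a key=value file; admin_mail is a made-up token.

# Escape \, & and the | delimiter so a value is inserted literally by sed.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_template CONF TEMPLATE: rendered text on stdout,
# returns 1 if any @@token@@ is still present afterwards.
render_template() {
    conf=$1
    template=$2
    script=$(mktemp)
    while IFS='=' read -r key value; do
        case "$key" in
            ''|*[!A-Za-z0-9_]*) continue ;;   # skip blanks, comments, odd keys
        esac
        printf 's|@@%s@@|%s|g\n' "$key" "$(sed_escape "$value")" >> "$script"
    done < "$conf"
    rendered=$(sed -f "$script" "$template")
    rm -f "$script"
    printf '%s\n' "$rendered"
    if printf '%s\n' "$rendered" | grep -q '@@[A-Za-z0-9_]*@@'; then
        echo "unreplaced token left in $template" >&2
        return 1
    fi
}

# Constructed sample input (sec_path is the token from ssl.conf above).
demo=$(mktemp -d)
cat > "$demo/site.conf" <<'EOF'
# constructed values
sec_path=/etc/grid-security
admin_mail=ops&dev|example.org
EOF
cat > "$demo/ssl.conf.tmpl" <<'EOF'
SSLCACertificatePath @@sec_path@@/certificates
ServerAdmin @@admin_mail@@
EOF
render_template "$demo/site.conf" "$demo/ssl.conf.tmpl"
rm -rf "$demo"
```

Without the escaping step, a value containing & would re-insert the matched token text and a value containing the delimiter would break the generated sed command.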

Etics: performing manual installation

If you decide to perform a manual installation of the Etics Server, you can follow these steps:

Marian Scripts

Installation Server Procedure:

1) copy your certificates and keystore inside the /etc/grid-security folder of your slc_4 32 bit machine installation

check that you have:

[root@etics-04 yum.repos.d]# ls -lt /etc/grid-security/
total 148
-rwxrwxrwx 1 root root 950 Dec 3 10:12 caKeystore.jks
-rwxrwxrwx 1 root root 3093 Dec 1 17:00 hostcert.pkcs12
-rwxrwxrwx 1 root root 0 Dec 1 15:24 hostcert.chain
-rwxrwxrwx 1 root root 1431 Dec 1 15:24 hostcert.pem
-rwxrwxrwx 1 root root 887 Dec 1 15:24 hostkey.pem
-rwxrwxrwx 1 root root 1257 Dec 1 15:24 INFN-CA.pem
drwxrwxrwx 2 root root 4096 Dec 1 10:37 certificates

caKeystore.jks is generally provided by the CERN Etics administrators, but it can also be created using the keytool command:

keytool -import -keystore caKeystore.jks -storepass "changeit" -file hostcert.pem
keytool -import -trustcacerts -alias INFNCA -file INFN-CA.pem -keystore caKeystore.jks -storetype JKS (to import also the root CA certificate)
keytool -list -keystore caKeystore.jks

[root@etics-04 grid-security]# keytool -list -keystore caKeystore.jks
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

infnca, Dec 3, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 0A:D8:F4:7E:9E:39:6B:85:AE:68:FD:E5:8E:EA:6D:1B

2) Download Etics Nightly Build Installation Script

wget http://eticssoft.web.cern.ch/eticssoft/internal/public/config/ETICS_testing/continuous_test/etics-dev.cern.ch/doIT.sh

Inside this script there are a few steps which it is preferable to execute by hand:

3) (doIT.sh execution) export the yum repo file url path into the environment

export YUM_REPOSITORY=http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/id/5a23aedb-c66d-40dc-84d4-ac05c6ccbe0d/slc4_ia32_gcc346/etics-volatile-build-by-id.repo

this url corresponds to the right link path to the artefacts built using the etics system and published on the repository

4) (doIT.sh execution) download the install_configure_importData.sh script

wget http://eticssoft.web.cern.ch/eticssoft/internal/public/dist/Release/pre-production/install_configure_importData.sh -O install_configure_importData.sh

5) disable the jpackage repo file

mv /etc/yum.repos.d/jpackage.repo /etc/yum.repos.d/jpackage.repo.disabled

6) create a copy of the etics.server.conf file and put it into the same folder from which you are executing the etics scripts; after that, set all the variables you need, including the submitter service path

7) check that these files are present in the yum.repos.d directory

[root@etics-04 yum.repos.d]# ls -lt
total 112
-rw-r--r-- 1 root root 12473 Nov 30 14:58 etics-production.repo
-rw-r--r-- 1 root root 622 Nov 30 14:58 atrpms.repo
-rw-r--r-- 1 root root 413 Nov 30 14:58 cern-extra.repo
-rw-r--r-- 1 root root 436 Nov 30 14:58 cern-extra-srpms.repo
-rw-r--r-- 1 root root 642 Nov 30 14:58 cern-only.repo
-rw-r--r-- 1 root root 664 Nov 30 14:58 cern-only-srpms.repo
-rw-r--r-- 1 root root 379 Nov 30 14:58 cern.repo
-rw-r--r-- 1 root root 401 Nov 30 14:58 cern-srpms.repo
-rw-r--r-- 1 root root 511 Nov 30 14:58 cern-test.repo
-rw-r--r-- 1 root root 536 Nov 30 14:58 cern-test-srpms.repo
-rw-r--r-- 1 root root 485 Nov 30 14:58 cern-update.repo
-rw-r--r-- 1 root root 507 Nov 30 14:58 cern-update-srpms.repo
-rw-r--r-- 1 root root 363 Nov 30 14:58 dag.repo
-rw-r--r-- 1 root root 151 Nov 30 14:58 eugrid.repo
-rw-r--r-- 1 root root 270 Nov 30 14:58 ig.repo
-rw-r--r-- 1 root root 1039 Nov 30 14:58 jpackage.repo.disabled
-rw-r--r-- 1 root root 168 Nov 30 14:58 lemon.repo
-rw-r--r-- 1 root root 818 Nov 30 14:58 rhaps2.repo
-rw-r--r-- 1 root root 839 Nov 30 14:58 rhaps2-srpms.repo
-rw-r--r-- 1 root root 73 Nov 27 10:44 lcg-ca.repo

you need them for the installation dependencies

8) execute

sh install_configure_importData.sh server/repository

if some problem arises, you may have to remove any unnecessary yum.repo files from the yum.repos.d directory

9) once everything has been done, "sh configure.sh server" is also executed

10) At this point you should have an empty Etics Server installation. In order to populate the database you need to execute the other steps of the doIT.sh script:

(doIT.sh)

echo "Reimporting database"
wget http://eticssoft.web.cern.ch/eticssoft/internal/public/config/ETICS_testing/data/mysql_data/eticsDBBackup-INFN.sql
time mysqladmin -f drop etics
time mysql < /opt/etics/etc/mysql/eticsDBSchema.sql
time mysql etics < eticsDBBackup-INFN.sql

and for the multipackaging:

echo "Add multi-packaging data"
wget "http://etics.cvs.cern.ch/cgi-bin/etics.cgi/org.etics.build-system.client-py/etc/templates/store/packageData-server.sql?revision=1.1.2.3&pathrev=etics-$
time mysql < /opt/etics/deployment/scripts/database_migration/packageData-server.sql
echo "After addition of multi-packaging data"

11) finish configuring what remains, for example the Etics repository service path or the Submitter Service address. Configuration files are stored in the /opt/etics/etc directory and the service log files are saved in /tmp

Remember to execute

iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443

on the server host to redirect traffic from port 443 to 8443, because the Etics server expects data on 8443

12) always remember that the user hostname must be present as user and administrator in the etics mysql db, because otherwise you are not recognized as an administrator either
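The listing in step 1 shows every entry under /etc/grid-security, including hostkey.pem and hostcert.pkcs12, with mode rwxrwxrwx. The following added example (not part of the ETICS scripts) audits that folder before the installation is run; the permission policy it applies is an assumption, and it is exercised here on a constructed temporary folder.

```shell
#!/bin/sh
# Added example, not part of the ETICS scripts.
# Assumed policy: files holding the private key get no group/other access;
# public trust material must not be group/other writable.

# go_perms PATH: the six group/other permission characters, e.g. "rwxrwx"
go_perms() {
    ls -ldL "$1" | cut -c5-10
}

# audit_grid_security DIR: one finding per line, returns 1 if there are any
audit_grid_security() {
    dir=$1
    findings=0
    for name in hostkey.pem hostcert.pkcs12 hostcert.pem caKeystore.jks certificates; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
            continue
        fi
        perms=$(go_perms "$f")
        case "$name" in
            hostkey.pem|hostcert.pkcs12)          # private key inside
                [ "$perms" = "------" ] && continue
                echo "LOOSE $f (group/other: $perms), expected none" ;;
            *)                                    # certificates and trust store
                case "$perms" in
                    ?w????|????w?) echo "LOOSE $f (group/other: $perms), writable" ;;
                    *) continue ;;
                esac ;;
        esac
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed folder reproducing the modes of the listing in step 1.
demo=$(mktemp -d)
mkdir "$demo/certificates"
for n in hostkey.pem hostcert.pkcs12 hostcert.pem caKeystore.jks; do : > "$demo/$n"; done
chmod 777 "$demo"/*
audit_grid_security "$demo"
rm -rf "$demo"
```

On a real host the call is audit_grid_security /etc/grid-security; a writable caKeystore.jks or certificates folder matters because anyone able to add a CA there changes which client certificates the server trusts.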

Topic revision: r2 - 2010-01-27 - unknown
 