Index: trunk/server/common/patches/httpd-2.2.x-sni.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-sni.patch	(revision 1256)
+++ trunk/server/common/patches/httpd-2.2.x-sni.patch	(revision 1259)
@@ -971,6 +971,6 @@
 Index: httpd-2.2.11/docs/manual/mod/mod_ssl.html.en
 ===================================================================
---- httpd-2.2.11/docs/manual/mod/mod_ssl.html.en	(revision 768863)
-+++ httpd-2.2.11/docs/manual/mod/mod_ssl.html.en	(working copy)
+--- httpd-2.2.11/docs/manual/mod/mod_ssl.html.en	2008-08-20 19:02:48.000000000 -0400
++++ httpd-2.2.11/docs/manual/mod/mod_ssl.html.en	2009-06-03 05:33:23.000000000 -0400
 @@ -75,6 +75,7 @@ to provide the cryptography engine.</p>
  <li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
@@ -1026,3 +1026,5 @@
 +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
  <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
- </body></html>
+-</body></html>
+\ No newline at end of file
++</body></html>
Index: trunk/server/common/patches/httpd-suexec-scripts.patch
===================================================================
--- trunk/server/common/patches/httpd-suexec-scripts.patch	(revision 1256)
+++ trunk/server/common/patches/httpd-suexec-scripts.patch	(revision 1259)
@@ -45,6 +45,6 @@
  APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
---- httpd-2.2.2/support/suexec.c.old	2006-04-21 21:53:06.000000000 -0400
-+++ httpd-2.2.2/support/suexec.c	2007-05-22 10:32:04.000000000 -0400
+--- httpd-2.2.11/support/suexec.c.old	2008-11-30 10:47:31.000000000 -0500
++++ httpd-2.2.11/support/suexec.c	2009-06-08 09:02:17.000000000 -0400
 @@ -30,6 +30,9 @@
   *
@@ -57,5 +57,5 @@
  #include "ap_config.h"
  #include "suexec.h"
-@@ -46,6 +48,7 @@
+@@ -46,6 +49,7 @@
  #include <stdio.h>
  #include <stdarg.h>
@@ -65,5 +65,5 @@
  #ifdef HAVE_PWD_H
  #include <pwd.h>
-@@ -95,6 +98,7 @@
+@@ -95,6 +99,7 @@
  {
      /* variable name starts with */
@@ -146,8 +146,8 @@
      clean_env();
 +    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
-
+ 
      prog = argv[0];
      /*
-@@ -350,6 +406,20 @@
+@@ -350,6 +414,20 @@
  #endif /*_OSD_POSIX*/
  
@@ -170,5 +170,5 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +441,7 @@
+@@ -371,6 +449,7 @@
          userdir = 1;
      }
@@ -178,5 +178,5 @@
       * Error out if the target username is invalid.
       */
-@@ -450,7 +521,7 @@
+@@ -452,7 +531,7 @@
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -187,5 +187,5 @@
          exit(107);
      }
-@@ -482,6 +553,21 @@
+@@ -484,6 +563,21 @@
          log_err("failed to setuid (%ld: %s)\n", uid, cmd);
          exit(110);
@@ -209,5 +209,5 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -504,6 +588,21 @@
+@@ -506,6 +600,21 @@
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -231,5 +231,5 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -530,15 +629,17 @@
+@@ -532,15 +641,17 @@
      /*
       * Error out if cwd is writable by others.
@@ -250,5 +250,5 @@
          exit(117);
      }
-@@ -546,10 +647,12 @@
+@@ -548,10 +659,12 @@
      /*
       * Error out if the program is writable by others.
@@ -263,5 +263,5 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -563,6 +666,7 @@
+@@ -565,6 +678,7 @@
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -271,5 +271,5 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -574,12 +678,14 @@
+@@ -576,16 +690,33 @@
                  prg_info.st_uid, prg_info.st_gid);
          exit(120);
@@ -287,13 +287,10 @@
          exit(121);
      }
-@@ -606,6 +711,21 @@
-       exit(122);
-     }
  
 +    if (is_static_extension(cmd)) {
 +        argv[2] = STATIC_CAT_PATH;
 +        execv(STATIC_CAT_PATH, &argv[2]);
-+	log_err("(%d)%s: static_cat exec failed (%s)\n", errno, strerror(errno), argv[2]);
-+	exit(255);
++        log_err("(%d)%s: static_cat exec failed (%s)\n", errno, strerror(errno), argv[2]);
++        exit(255);
 +    }
 +    if (is_php_extension(cmd)) {
@@ -302,9 +299,9 @@
 +        argv[2] = "-f";
 +        execv(PHP_PATH, &argv[1]);
-+	log_err("(%d)%s: php exec failed (%s)\n", errno, strerror(errno), argv[2]);
-+	exit(255);
-+    }
-+
-     /*
-      * Execute the command, replacing our image with its own.
-      */
++        log_err("(%d)%s: php exec failed (%s)\n", errno, strerror(errno), argv[2]);
++        exit(255);
++    }
++
+ #ifdef AP_SUEXEC_UMASK
+     /*
+      * umask() uses inverse logic; bits are CLEAR for allowed access.
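Review bot: The `is_static_extension` / `is_php_extension` exec blocks now sit immediately before `#ifdef AP_SUEXEC_UMASK`, whereas the previous revision of this patch placed them after the `exit(122);` block (see this hunk and the one before it). Both `execv` calls therefore run before the umask block and before whatever check ends in `exit(122)`. That intervening upstream code is not visible here, but if it applies `AP_SUEXEC_UMASK` and prepares the log file for the exec, PHP and static_cat children would start without either step. If the move is deliberate, put a comment above the first block saying why, e.g. `/* scripts.mit.edu: exec before umask/log setup because ... */`; otherwise keep the blocks after the `exit(122);` check as before.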
Index: trunk/server/common/patches/openafs-delta-dprintf-rename-20090427.patch
===================================================================
--- trunk/server/common/patches/openafs-delta-dprintf-rename-20090427.patch	(revision 1259)
+++ trunk/server/common/patches/openafs-delta-dprintf-rename-20090427.patch	(revision 1259)
@@ -0,0 +1,90 @@
+===================================================================
+RCS file: /cvs/openafs/src/bucoord/bc.p.h,v
+retrieving revision 1.8
+retrieving revision 1.9
+diff -u -r1.8 -r1.9
+--- openafs/src/bucoord/bc.p.h	2009/03/16 13:32:04	1.8
++++ openafs/src/bucoord/bc.p.h	2009/04/27 19:17:14	1.9
+@@ -144,4 +144,4 @@
+ #define	BC_MAXSIMDUMPS	    64
+ #define BC_MAXPORTS	    128	/* max number of port offsets for volrestore */
+ /* debugging support */
+-#define	dprintf(x)
++#define	afs_dprintf(x)
+===================================================================
+RCS file: /cvs/openafs/src/bucoord/ubik_db_if.c,v
+retrieving revision 1.17
+retrieving revision 1.18
+diff -u -r1.17 -r1.18
+--- openafs/src/bucoord/ubik_db_if.c	2009/03/27 13:45:49	1.17
++++ openafs/src/bucoord/ubik_db_if.c	2009/04/27 19:17:14	1.18
+@@ -574,7 +574,7 @@
+ 
+     fileSize = (afs_int32) filesize(ctPtr->textStream);
+ 
+-    dprintf(("filesize is %d\n", fileSize));
++    afs_dprintf(("filesize is %d\n", fileSize));
+ 
+     rewind(ctPtr->textStream);
+ 
+@@ -1350,7 +1350,7 @@
+ 	ERROR(errno);
+ #endif
+ 
+-    dprintf(("file is %s\n", tmpFileName));
++    afs_dprintf(("file is %s\n", tmpFileName));
+ 
+   normal_exit:
+     return code;
+===================================================================
+RCS file: /cvs/openafs/src/config/debug.h,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- openafs/src/config/debug.h	2003/07/15 23:14:55	1.4
++++ openafs/src/config/debug.h	2009/04/27 19:17:12	1.5
+@@ -112,21 +112,21 @@
+ 
+ #if defined(AFS_DEBUG)
+ #if defined(lint)
+-#define dprintf(flag, str) printf str
++#define afs_dprintf(flag, str) printf str
+ #define dlprintf(flag, level, str) printf str
+ #define dmprintf(flag, bit, str) printf str
+ #else /* lint */
+-#define dprintf(flag, str) \
++#define afs_dprintf(flag, str) \
+       (void)((flag) ? \
+ 	     ( osi_dp str, osi_dp("\t%s, %d\n", __FILE__, __LINE__)):0)
+-#define dlprintf(flag, level, str) dprintf(((flag) >= (level)), str)
+-#define dmprintf(flag, bit, str) dprintf(((flag)&(1<<((bit)-1))), str)
++#define dlprintf(flag, level, str) afs_dprintf(((flag) >= (level)), str)
++#define dmprintf(flag, bit, str) afs_dprintf(((flag)&(1<<((bit)-1))), str)
+ 
+ #endif /* lint */
+ 
+ #else /* AFS_DEBUG */
+ 
+-#define dprintf(flag, str)
++#define afs_dprintf(flag, str)
+ #define dlprintf(flag, level,str)
+ #define dmprintf(flag, bit, str)
+ 
+===================================================================
+RCS file: /cvs/openafs/src/sgistuff/rcmd.c,v
+retrieving revision 1.1
+retrieving revision 1.2
+diff -u -r1.1 -r1.2
+--- openafs/src/sgistuff/rcmd.c	2005/08/16 17:58:27	1.1
++++ openafs/src/sgistuff/rcmd.c	2009/04/27 19:17:15	1.2
+@@ -55,8 +55,8 @@
+ #endif /* defined(AFS_HPUX_ENV) */
+ #ifdef	TCP_DEBUG
+ #include <sys/syslog.h>
+-#	define	DPRINTF(args)	dprintf args
+-dprintf(args)
++#	define	DPRINTF(args)	afs_dprintf args
++afs_dprintf(args)
+      char *args;
+ {
+     char **argv;
Index: trunk/server/common/patches/openafs-delta-linux26-defer-cred-changing-20090511.patch
===================================================================
--- trunk/server/common/patches/openafs-delta-linux26-defer-cred-changing-20090511.patch	(revision 1259)
+++ trunk/server/common/patches/openafs-delta-linux26-defer-cred-changing-20090511.patch	(revision 1259)
@@ -0,0 +1,15 @@
+--- openafs-1.4.10/src/afs/LINUX/osi_cred.c.orig	2009-06-12 02:03:13.000000000 -0400
++++ openafs-1.4.10/src/afs/LINUX/osi_cred.c	2009-06-12 02:03:16.000000000 -0400
+@@ -104,6 +104,12 @@
+ #if defined(STRUCT_TASK_HAS_CRED)
+     struct cred *new_creds;
+ 
++    /* If our current task doesn't have identical real and effective
++     * credentials, commit_cred won't let us change them, so we just
++     * bail here.
++     */
++    if (current->cred != current->real_cred)
++        return;
+     new_creds = prepare_creds();
+     new_creds->fsuid = cr->cr_uid;
+     new_creds->uid = cr->cr_ruid;
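Review bot: The added early return `if (current->cred != current->real_cred) return;` leaves the task running with its old uid/fsuid and gives the caller no signal that the requested credentials were not applied. The function's signature is outside the hunk, but the bare `return;` suggests it is void, so callers cannot tell the two outcomes apart. The comment should name which callers can reach this path and why continuing with unchanged credentials is safe for them. Separately, the context line `new_creds = prepare_creds();` is followed directly by `new_creds->fsuid = cr->cr_uid;` with no NULL check visible in the hunk.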
Index: trunk/server/common/patches/openafs-numsysnames.patch
===================================================================
--- trunk/server/common/patches/openafs-numsysnames.patch	(revision 1259)
+++ trunk/server/common/patches/openafs-numsysnames.patch	(revision 1259)
@@ -0,0 +1,11 @@
+--- openafs-1.4.10/src/afs/afs.h.orig	2009-06-06 21:02:53.000000000 -0400
++++ openafs-1.4.10/src/afs/afs.h	2009-06-06 21:03:28.000000000 -0400
+@@ -75,7 +75,7 @@
+ #define	PIGGYSIZE	1350	/* max piggyback size */
+ #define	MAXVOLS		128	/* max vols we can store */
+ #define	MAXSYSNAME	128	/* max sysname (i.e. @sys) size */
+-#define MAXNUMSYSNAMES	16	/* max that current constants allow */
++#define MAXNUMSYSNAMES	32	/* max that current constants allow */
+ #define	NOTOKTIMEOUT	(2*3600)	/* time after which to timeout conns sans tokens */
+ #define	NOPAG		0xffffffff
+ #define AFS_NCBRS	300	/* max # of call back return entries */
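Review bot: The comment kept on the changed line still reads `max that current constants allow`, yet MAXNUMSYSNAMES goes from 16 to 32 and no other constant changes in this hunk. With MAXSYSNAME at 128, a full list grows from 2048 to 4096 bytes, so any fixed-size buffer the old limit was derived from (not visible here) would now be too small. Either raise that bound in the same patch or reword the comment to state what actually limits the count, e.g. `/* raised locally from 16; buffers holding the sysname list must fit MAXNUMSYSNAMES * MAXSYSNAME bytes */`.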
Index: trunk/server/common/patches/openafs-scripts.patch
===================================================================
--- trunk/server/common/patches/openafs-scripts.patch	(revision 1256)
+++ trunk/server/common/patches/openafs-scripts.patch	(revision 1259)
@@ -127,5 +127,5 @@
      short multiPage;		/* count of multi-page getpages in progress */
  #endif
-+    bool apache_access;		/* whether or not Apache has access to a file */
++    int apache_access;		/* whether or not Apache has access to a file */
  };
  
Index: trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch
===================================================================
--- trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch	(revision 1259)
+++ trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch	(revision 1259)
@@ -0,0 +1,16 @@
+--- openssh-4.7p1/gss-serv.c
++++ openssh-4.7p1/gss-serv.c
+@@ -355,6 +355,13 @@
+ 		child_set_env(envp, envsizep, gssapi_client.store.envvar,
+ 		    gssapi_client.store.envval);
+ 	}
++	if (gssapi_client.exportedname.length != 0 &&
++	    gssapi_client.exportedname.value != NULL) {
++	        debug("Setting %s to %s", "SSH_GSSAPI_NAME",
++		    gssapi_client.exportedname.value);
++		child_set_env(envp, envsizep, "SSH_GSSAPI_NAME",
++		    gssapi_client.exportedname.value);
++	}
+ }
+ 
+ /* Privileged */
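Review bot: `gssapi_client.exportedname.value` is passed to `debug("... %s")` and to `child_set_env()` as a C string, but the added check on `.length` shows it is a counted buffer, and nothing in the hunk guarantees a terminating NUL. An unterminated value would be read past its end, and a value containing a NUL byte would be exported truncated, which matters if anything downstream makes decisions based on SSH_GSSAPI_NAME. Copy `.length` bytes into a NUL-terminated buffer and skip values with embedded NULs, as sketched below (this assumes `xmalloc`/`xfree` are in scope in gss-serv.c, as they are elsewhere in OpenSSH of this version). The enclosing function starts outside the hunk.

```c
	/* ... unchanged: existing child_set_env() call for store.envvar ... */
	if (gssapi_client.exportedname.length != 0 &&
	    gssapi_client.exportedname.value != NULL &&
	    memchr(gssapi_client.exportedname.value, '\0',
	    gssapi_client.exportedname.length) == NULL) {
		size_t len = gssapi_client.exportedname.length;
		char *name = xmalloc(len + 1);

		memcpy(name, gssapi_client.exportedname.value, len);
		name[len] = '\0';
		debug("Setting %s to %s", "SSH_GSSAPI_NAME", name);
		child_set_env(envp, envsizep, "SSH_GSSAPI_NAME", name);
		xfree(name);
	}
```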
Index: trunk/server/doc/install-howto.sh
===================================================================
--- trunk/server/doc/install-howto.sh	(revision 1256)
+++ trunk/server/doc/install-howto.sh	(revision 1259)
@@ -8,4 +8,6 @@
 
 boot=${1:$(cat /scripts-boot-count)}
+
+# XXX: let 'branch' be the current svn branch you are on
 
 doreboot() {
@@ -53,5 +55,5 @@
 
     cd /srv
-    svn co svn://$source_server/trunk repository
+    svn co svn://$source_server/$branch repository
 
     sed -i 's/^(# *)*store-passwords.*/store-passwords = no/' /root/.subversion/config
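Review bot: `$branch` is expanded in `svn co svn://$source_server/$branch repository` but is never assigned; the only mention is the `# XXX: let 'branch' be the current svn branch you are on` comment added in the earlier hunk. With it unset the URL collapses to the repository root, so the tree that is later built and installed as root would not be the one the operator meant to use. Fail early before the checkout, e.g. `: "${branch:?set branch to the svn branch to install from}"`. The same variable is used again in the later `svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc` line.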
@@ -67,4 +69,5 @@
 # Run "make install-deps" to install various prereqs.  Nonstandard
 # deps are in /mit/scripts/rpm.
+    YUM install -y make
     make install-deps
 
@@ -74,34 +77,69 @@
 # Check out the scripts /etc configuration
     cd /root
-    svn co svn://scripts.mit.edu/trunk/server/fedora/config/etc etc
+    svn co svn://scripts.mit.edu/$branch/server/fedora/config/etc etc
+    # backslash to make us not use the alias
     \cp -a etc /
 
+# NOTE: You will have just lost DNS resolution and the abilit
+# to do password SSH in
+
+    service named start
+    chkconfig named on
+
+# XXX: This sometimes doesn't exist, but it really sucks if it
+# does exist. So check for it.
 # yum remove nss_ldap, because nss-ldapd conflicts with it
+
+# In the case of the Kerberos libraries, you'll be told that
+# there are conflicting files with the 64-bit versions of the packages,
+# which we scriptsify.  You'll have to use --force to install those
+# rpms despite the conflicts.  After doing that, you may want to
+# install the corresponding 64-bit scriptsified versions again, just
+# to be safe in case the 32-bit versions overwrite files that differ.
+# When you try this, it will complain that you already have the same
+# version installed; again, you'll need to use --force to do it anyway.
+
+# We need yumdownloader to force some RPMs
+    # XXX: This might be wrong. Sanity check what packages ou
+    # have when done
+    YUM install -y yum-utils
+    yumdownloader krb5-libs
+    # XXX: These version numbers are hardcoded, need some cli-fu to generalize
+    rpm -i krb5-libs-*.i586.rpm
+    rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm
 
 # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base
     YUM install -y scripts-base
 
-# Rebuild mit-zephyr on a 32-bit machine, like the one at Joe's home.
+# Install mit-zephyr
+    YUM install -y mit-zephyr
 
 # Remember to set NSS_NONLOCAL_IGNORE=1 anytime you're setting up
 # anything, e.g. using yum. Otherwise useradd will query LDAP in a stupid way
-# that makes it hang forever.
-
-# Install and configure bind
-# - env NSS_NONLOCAL_IGNORE=1 yum install bind
-# - chkconfig named on
-# - service named start
+# that makes it hang forever. (This is why we're using YUM, not yum)
 
 # Reload the iptables config to take down the restrictive firewall 
-# service iptables restart
+    service iptables restart
 
 # Copy over root's dotfiles from one of the other machines.
+# Perhaps a useful change is to remove the default aliases
+    # On 2009-07-01, the dotfiles to transfer where:
+    #   .bashrc .ldapvirc .screenrc .ssh (<- directory) .vimrc
+    # Trying to scp from server to server won't work, as scp
+    # will attempt to negotiate a server-to-server connection.
+    # Instead, scp to your trusted machine as a temporary file,
+    # and then push to the other server
 
 # Replace rsyslog with syslog-ng by doing:
-# # rpm -e --nodeps rsyslog
-# # yum install syslog-ng
-
-# Install various dependencies of the scripts system, including syslog-ng,
-# glibc-devel.i586, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all.
+    rpm -e --nodeps rsyslog
+    YUM install -y syslog-ng
+    chkconfig syslog-ng on
+
+# Install various dependencies of the scripts system, including
+# glibc-devel.i586 (ezyang: already installed for me),
+# python-twisted-core (ditto), mod_fcgid, nrpe, nagios-plugins-all.
+    YUM install -y mod_fcgid
+    YUM install -y nrpe
+    YUM install -y nagios-plugins-all
 
 # Disable NetworkManager with chkconfig NetworkManager off. Configure
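Review bot: The `yumdownloader krb5-libs` / `rpm -i krb5-libs-*.i586.rpm` / `rpm -U --force krb5-libs-*.scripts.1138.x86_64.rpm` sequence installs package files directly with rpm, which only warns on an unsigned or unknown-key package rather than refusing it as yum's gpgcheck would. `--force` also suppresses the file-conflict errors that would otherwise flag an unexpected package. Add a verification step before each install, e.g. `rpm -K krb5-libs-*.rpm`, and a comment that its output must be clean. The same pattern recurs in later hunks for `mit-zephyr-2.1-6-linux.i386.rpm`, `athena-lprng-misc-9.4-0.i386.rpm`, `krb5-devel-*` and `krb5-server-*`.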
@@ -109,4 +147,7 @@
 # traffic over the back end. Make sure that chkconfig reports "network" on, so
 # that the network will still be configured at next boot.
+# ezyang: For me, NetworkManager was not installed at this point, and
+# we had already done the basic config for networking front end and
+# back end (because I wanted ssh access, and not just conserver access)
 
 # Fix the openafs /usr/vice/etc <-> /etc/openafs mapping by changing
@@ -114,7 +155,16 @@
 #       /afs:/usr/vice/cache:10000000
 # Also fix ThisCell to contain athena.mit.edu in both directories
+    echo "/afs:/usr/vice/cache:10000000" > /usr/vice/etc/cacheinfo
+    # ezyang: ThisCell on b-k and c-w don't have anything special
+    # written here
 
 # Figure out why Zephyr isn't working. Most recently, it was because there
 # was a 64-bit RPM installed; remove it and install Joe's 32-bit one
+    YUM erase -y mit-zephyr
+    # mit-zephyr has a spurious dependency on mit-krb-config
+    yumdownloader mit-zephyr.i386
+    # if deps change, this breaks
+    YUM install -y libXaw.i586 libXext.i586 libXmu.i586 ncurses-libs.i586 readline.i58
+    rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm
 
 # Install the athena-base, athena-lprng, and athena-lprng-misc RPMs
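Review bot: `readline.i58` at the end of the `YUM install -y libXaw.i586 libXext.i586 ...` line looks truncated; every other package on that line carries the `.i586` suffix. As written, yum would be asked for a package name that presumably does not exist. The following `rpm -i --nodeps mit-zephyr-2.1-6-linux.i386.rpm` skips dependency checks, so the missing library would only surface at run time. Change it to `readline.i586`.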
@@ -125,18 +175,33 @@
 # install the rest of the things it really does depend on.  This will
 # include a bunch of 32-bit rpms; go ahead and install the .i586 versions
-# of them.  In the case of the Kerberos libraries, you'll be told that
-# there are conflicting files with the 64-bit versions of the packages,
-# which we scriptsify.  You'll have to use --force to install those
-# rpms despite the conflicts.  After doing that, you may want to
-# install the corresponding 64-bit scriptsified versions again, just
-# to be safe in case the 32-bit versions overwrite files that differ.
-# When you try this, it will complain that you already have the same
-# version installed; again, you'll need to use --force to do it anyway.
-# Yuck.
+# of them.
+    YUM install -y athena-base
+    YUM install -y athena-lprng
+    yumdownloader athena-lprng-misc
+    # ezyang: I couldn't find any deps for this that existed in the repos
+    # You might get a "find: `/usr/athena/info': No such file or directory"
+    # error; this is fine
+    rpm -i --nodeps athena-lprng-misc-9.4-0.i386.rpm
 
 # Install the full list of RPMs that users expect to be on the
-# scripts.mit.edu servers.  See server/doc/rpm and
-# server/doc/rpm_snapshot.  (Note that this is only a snapshot, and not
-# all packages may in fact be in use.)
+# scripts.mit.edu servers.
+
+# ezyang: Running the below I got file conflicts. To fix (since I had
+# botched steps above), I manually compared package lists and installed
+# them.  If you've done the krb5 setup originally correctly, then
+# write down what you had to do here.
+    yumdownloader krb5-devel
+    rpm -i --force krb5-devel-*.i586.rpm
+    rpm -U --force krb5-devel-*.scripts.1138.x86_64.rpm
+    yumdownloader krb5-server
+    rpm -i --force krb5-server-*.scripts.1138.x86_64.rpm
+
+
+# on another server, run:
+rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > packages.txt
+# arrange for packages.txt to be passed to the server, then run:
+    # notice that yum is not capitalized
+    # Also notice skip-broken
+    cat packages.txt | NSS_NONLOCAL_IGNORE=1 xargs yum install -y --skip-broken
 
 # Check which packages are installed on your new server that are not
@@ -144,4 +209,9 @@
 # on the new machine.  Otherwise, aside from bloat, you may end up
 # with undesirable things for security, like sendmail.
+    rpm -qa --queryformat "%{Name}.%{Arch}\n" | sort > newpackages.txt
+    diff -u packages.txt newpackages.txt  | less
+    # if all went well, you'll probably see multiple kernel versions
+    # as the only diff
+    # ezyang: I got exim installed as another package
 
 # Check out the scripts /usr/vice/etc configuration
@@ -164,42 +234,82 @@
 # Then on the server you're installing,
 #    cat perl-packages.txt | perl -MCPAN -e shell
+    export PERL_MM_USE_DEFAULT=1
+    # XXX: Some interactive gobbeldygook
+    cpan
+        o conf prerequisites_policy follow
+        o conf commit
+# on a reference server
+perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > perl-packages.txt
+# arrange for perl-packages.txt to be transferred to server
+    cat perl-packages.txt | perl -MCPAN -e shell
 
 # Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on
 # the other scripts.mit.edu servers and do not have RPMs.
+# The general mode of operation will be to run the "list" command
+# on both servers, see what the differences are, check if those diffs
+# are packaged up as rpms, and install them (rpm if possible, native otherwise)
 # - Look at /usr/lib/python2.6/site-packages and
 #           /usr/lib64/python2.6/site-packages for Python eggs and modules.
+#   There will be a lot of gunk that was installed from packages;
+#   easy-install.pth will tell you what was easy_installed.
 #   First use 'yum search' to see if the relevant package is now available
 #   as an RPM, and install that if it is.  If not, then use easy_install.
 # - Look at `gem list` for Ruby gems.
 #   Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'.
+#       ezyang: rspec-rails depends on rspec, and will override the Yum
+#       package, so... don't use that RPM yet
 # - Look at `pear list` for Pear fruits (or whatever they're called).
 #   Yet again, 'yum search' for RPMs before resorting to 'pear install'.  Note
 #   that for things in the beta repo, you'll need 'pear install package-beta'.
+#   (you might get complaints about the php_scripts module; ignore them)
 # - Look at `pecl list` for PECL things.  'yum search', and if you must,
 #   'pecl install' needed items.
-
-# echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
+    # Automating this... will require a lot of batonning between
+    # the servers. Probably best way to do it is to write an actual
+    # script.
+
+# Setup some Python config
+    echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth
 
 # Install the credentials.  There are a lot of things to remember here:
+#   o This will be different if you're setting up our build/update server.
 #   o You probably installed the machine keytab long ago
+    ls -l /etc/krb5.keytab
 #   o Use ktutil to combine the host/scripts.mit.edu and
 #     host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in
 #     the keytab.  Do not use 'k5srvutil change' on the combined keytab
-#     or you'll break the other servers.
+#     or you'll break the other servers. (real servers only)
 #   o The daemon.scripts keytab
-#   o The SSL cert private key
-#   o The LDAP password for the signup process
-#   o The SQL password for the signup process
-#   o The LDAP keytab for this server, which will be used later
-#   o Replace the ssh host keys with the ones common to all scripts servers
-#   o You'll install an LDAP certificate signed by the scripts CA later
+    ls -l /etc/daemon.keytab
+#   o The SSL cert private key (real servers only)
+#   o The LDAP password for the signup process (real servers only)
+#   o The SQL password for the signup process (real servers only)
+#   o The LDAP keytab for this server, which will be used later (real servers only)
+#   o Replace the ssh host keys with the ones common to all scripts servers (real servers only)
+#   o You'll install an LDAP certificate signed by the scripts CA later (real servers only)
 #   o Make sure root's .k5login is correct
-#   o Make sure logview's .k5login is correct
+    cat /root/.k5login
+#   o Make sure logview's .k5login is correct (real servers only)
 
 # If you are setting up a test server, pay attention to
 # /etc/sysconfig/network-scripts and do not bind scripts' IP address.
-# You will also need to modify /etc/ldap.conf, /etc/nss-ldapd.conf,
-# /etc/openldap/ldap.conf, and /etc/httpd/conf.d/vhost_ldap.conf to
-# use scripts.mit.edu instead of localhost.
+# You will also need to modify:
+#   o /etc/ldap.conf
+#       add: host scripts.mit.edu
+#   o /etc/nss-ldapd.conf
+#       replace: uri *****
+#       with: uri ldap://scripts.mit.edu/
+#   o /etc/openldap/ldap.conf
+#       add: URI ldap://scripts.mit.edu/
+#            BASE dc=scripts,dc=mit,dc=edu
+#   o /etc/httpd/conf.d/vhost_ldap.conf
+#       replace: VhostLDAPUrl ****
+#       with: VhostLDAPUrl "ldap://scripts.mit.edu/ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
+# to use scripts.mit.edu instead of localhost.
+# XXX: someone should write sed scripts to do this
+
+# If you are setting up a test server, afsagent's cronjob will attempt
+# to be renewing with the wrong credentials (daemon.scripts). Change this:
+    vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
 # Install fedora-ds-base and set up replication (see ./HOWTO-SETUP-LDAP
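Review bot: The lines `o conf prerequisites_policy follow` and `o conf commit` are CPAN-shell input, but they are written as bare script lines after `cpan`. A shell would block in the interactive `cpan` session and then try to run `o` as a command. Feed them on standard input instead, the way the later `cat perl-packages.txt | perl -MCPAN -e shell` line does, or turn them into comments like the other manual steps. Since perl-packages.txt is executed verbatim as CPAN commands by root with `notest`, a comment telling the operator to read the file after transferring it would also be worthwhile.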
@@ -209,16 +319,40 @@
 # boot. Run chkconfig to make sure the set of services to be run is
 # correct.
-
-# cd /etc/postfix; postmap virtual
-# Otherwise postfix will appear to work, but actually not deliver mail
+    chkconfig dirsrv on
+    chkconfig nslcd on
+    chkconfig nscd on
+    chkconfig postfix on
+    chkconfig httpd on
+
+# Postfix doesn't actually deliver mail; fix this
+    cd /etc/postfix
+    postmap virtual
 
 # Run fmtutil-sys --all, which does something that makes TeX work.
+    fmtutil-sys --all
+    # ezyang: I got errors on xetex
 
 # Ensure that PHP isn't broken:
-# # mkdir /tmp/sessions
-# # chmod 01777 /tmp/sessions
+    mkdir /tmp/sessions
+    chmod 01777 /tmp/sessions
+
+# Ensure that fcgid isn't broken:
+    chmod 755 /var/run/httpd
+    # ezyang: The below didn't exist for me
+    chmod 755 /var/run/httpd/mod_fcgid
+    chmod 755 /var/run/mod_fcgid
+
+# Fix etc by making sure none of our config files got overwritten
+    cd /etc
+    svn status | grep M
+    # ezyang: I had to revert krb5.conf, nsswitch.conf and sysconfig/openafs
 
 # Reboot the machine to restore a consistent state, in case you
 # changed anything.
+    # ezyang: When I rebooted, the following things happened:
+    #   o Starting kdump failed (this is ok)
+    #   o postfix mailbombed us
+    #   o firstboot configuration screen popped up (ignored; manually will do
+    #     chkconfig after the fact)
 
 # (Optional) Beat your head against a wall.
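Review bot: `mkdir /tmp/sessions` is followed by an unconditional `chmod 01777 /tmp/sessions`, so if the mkdir fails the mode is applied to whatever already exists at that path. /tmp is world-writable, so on a machine that already has users the entry could be a directory or symlink someone else created, and `chmod` follows symlinks. Chain the two and confirm the result, e.g. `mkdir /tmp/sessions && chmod 01777 /tmp/sessions` followed by `ls -ld /tmp/sessions` to check that it is a root-owned directory.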
@@ -226,2 +360,11 @@
 # Possibly perform other steps that I've neglected to put in this
 # document.
+#   o In the first install of not-backward, ThisCell got clobbered, resulting
+#     in trying to get tickets from openafs.org. Not sure when it got
+#     clobbered -- ezyang
+#   o For some reason, syslog-ng wasn't turning on automatically, so we weren't
+#     getting spew
+
+# Some info about changing hostnames: it appears to be in:
+#   o /etc/sysconfig/network
+#   o your lvm thingies; probably don't need to edit
Index: trunk/server/fedora/Makefile
===================================================================
--- trunk/server/fedora/Makefile	(revision 1256)
+++ trunk/server/fedora/Makefile	(revision 1259)
@@ -19,7 +19,7 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 httpd openssh pysvn php
+upstream_yum	= krb5 httpd openssh php
 upstream	= openafs $(upstream_yum)
-oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i386 whoisd mit-zephyr nss-ldapd nss-ldapd.i386 athrun php_scripts scripts-base
+oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i586 whoisd mit-zephyr nss-ldapd nss-ldapd.i586 athrun php_scripts scripts-base
 allsrc		= $(upstream) $(oursrc)
 oursrcdir	= ${PWD}/../common/oursrc
@@ -127,9 +127,9 @@
 $(oursrc): rpmbuild_args += --define 'scriptsversion $(shell svnversion ${oursrcdir}/$** | tr ':' '_')'
 
-$(filter %.i386,$(oursrc)): %.i386: setup
+$(filter %.i586,$(oursrc)): %.i586: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
-	setarch i386 rpmbuild $(rpmbuild_args) --target=i386 --define="_lib lib" -bb ${tmp_specs}/$**.spec
+	setarch i586 rpmbuild $(rpmbuild_args) --target=i586 --define="_lib lib" -bb ${tmp_specs}/$**.spec
 
-$(filter-out %.i386,$(oursrc)): %: setup
+$(filter-out %.i586,$(oursrc)): %: setup
 	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
 	rpmbuild $(rpmbuild_args) -bb ${tmp_specs}/$**.spec
@@ -179,14 +179,15 @@
 
 # The following packages are needed for our packages
-basic-deps	= kernel-devel rpm-build rpmdevtools gcc autoconf patch krb5-workstation glibc-devel.i386 glibc-devel libtool libgcc.i386
-oursrc-deps	= hesinfo openldap-clients php-devel
+basic-deps	= kernel-devel rpm-build rpmdevtools gcc autoconf patch krb5-workstation glibc-devel.i586 glibc-devel libtool libgcc.i586
+oursrc-deps	= hesinfo openldap-clients openldap-devel.i586 php-devel
 httpdmods-deps	= httpd-devel
 httpd-deps	= xmlto db4-devel expat-devel zlib-devel libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel distcache-devel
-krb5-deps	= bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex
+krb5-deps	= bison ncurses-devel texinfo keyutils-libs-devel texinfo-tex texlive-latex
 openafs-deps	= pam-devel automake
-mit-zephyr-deps	= readline-devel hesiod-devel hesiod-devel.i386 hesiod.i386 libXt.i386 #compat-readline43
-openssh-deps	= gtk2-devel libX11-devel autoconf automake openssl-devel perl zlib-devel audit-libs-devel util-linux groff man pam-devel tcp_wrappers-devel krb5-devel libselinux-devel audit-libs xauth gobject-devel pango-devel cairo-devel libedit-devel nss-devel
+mit-zephyr-deps	= readline-devel hesiod-devel hesiod-devel.i586 hesiod.i586 libXt.i586 #compat-readline43
+openssh-deps	= gtk2-devel libX11-devel autoconf automake openssl-devel perl zlib-devel audit-libs-devel util-linux groff man pam-devel tcp_wrappers-devel krb5-devel libselinux-devel audit-libs xauth pango-devel cairo-devel libedit-devel nss-devel fipscheck-devel
+php-deps	= bzip2-devel curl-devel gmp-devel libstdc++-devel sqlite-devel gcc-c++ libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel libXpm-devel libjpeg-devel t1lib-devel libmcrypt-devel mhash-devel libtidy-devel freetds-devel aspell-devel recode-devel
 install-deps:
-	yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(mit-zephyr-deps) $(openssh-deps)
+	yum -y install $(basic-deps) $(oursrc-deps) $(httpdmods-deps) $(httpd-deps) $(krb5-deps) $(openafs-deps) $(mit-zephyr-deps) $(openssh-deps) $(php-deps)
 	rpm -ivh ftp://ftp.muug.mb.ca/mirror/fedora/linux/core/6/i386/os/Fedora/RPMS/compat-readline43-4.3-3.i386.rpm
 #	rpm -ivh http://download.fedora.redhat.com/pub/fedora/linux/core/6/i386/os/Fedora/RPMS/compat-readline43-4.3-3.i386.rpm
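Review bot: `install-deps` still ends with the `rpm -ivh ftp://ftp.muug.mb.ca/...compat-readline43-4.3-3.i386.rpm` line, which this change leaves untouched while moving every other 32-bit dependency to i586. That line installs a package as root straight from a plain-FTP mirror, and rpm on its own does not refuse an unsigned or unknown-key package the way yum's gpgcheck does. `compat-readline43` is already commented out of `mit-zephyr-deps`, so consider dropping the line. If it is still needed, download the file first and run `rpm -K` on it before installing.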
Index: trunk/server/fedora/config/etc/httpd/conf/httpd.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 1256)
+++ trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 1259)
@@ -260,5 +260,5 @@
 
 RLimitCPU 300 300
-RLimitMEM 536870912 536870912
+RLimitMEM 1342177280 1342177280
 RLimitNPROC 4096 4096
 
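Review bot: The new `RLimitMEM 1342177280 1342177280` is a bare byte count with no comment, and it raises the memory cap for each process Apache spawns from 512 MiB to 1280 MiB. If this host runs user-supplied CGI, as the suexec patches elsewhere in the change suggest, that is the amount a single runaway script may now consume, so the reason for the increase belongs next to the value. I would add `# 1280 MiB per spawned process; keep equal to the "as" limit (1310720 KB) in /etc/security/limits.conf` above the directive so the two numbers are changed together.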
Index: trunk/server/fedora/config/etc/logrotate.d/httpd
===================================================================
--- trunk/server/fedora/config/etc/logrotate.d/httpd	(revision 1256)
+++ trunk/server/fedora/config/etc/logrotate.d/httpd	(revision 1259)
@@ -6,5 +6,5 @@
     sharedscripts
     postrotate
-	/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
+	/bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true
     endscript
 }
Index: trunk/server/fedora/config/etc/munin/munin-node.conf
===================================================================
--- trunk/server/fedora/config/etc/munin/munin-node.conf	(revision 1256)
+++ trunk/server/fedora/config/etc/munin/munin-node.conf	(revision 1259)
@@ -5,11 +5,9 @@
 log_level 4
 log_file /var/log/munin/munin-node.log
-port 4949
 pid_file /var/run/munin/munin-node.pid
+
 background 1
 setseid 1
 
-# Which port to bind to;
-host *
 user munin
 group munin
@@ -23,9 +21,10 @@
 ignore_file \.dpkg-(tmp|new|old|dist)$
 ignore_file \.rpm(save|new)$
+ignore_file \.pod$
 
 # Set this if the client doesn't report the correct hostname when
 # telnetting to localhost, port 4949
 #
-#host_name ppc2.fedora.redhat.com
+#host_name x86-3.fedora.phx.redhat.com
 
 # A list of addresses that are allowed to connect.  This must be a
@@ -37,2 +36,10 @@
 allow ^18\.187\.1\.128$
 allow ^18\.181\.0\.65$
+
+# Which address to bind to;
+host *
+# host 127.0.0.1
+
+# And which port
+port 4949
+
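Review bot: `host *` in the relocated bind block keeps munin-node listening on every interface, so the `allow` regexes are the only control on who can reach port 4949. Nothing in this hunk enables authentication or TLS for the node. If the pollers always reach this machine on one address, bind to it instead, e.g. `host <LISTEN_ADDR_PLACEHOLDER>`, and back the allow list with a host firewall rule for the port. The hunk starts partway through the allow list, so entries above `^18\.187\.1\.128$` are not visible here.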
Index: trunk/server/fedora/config/etc/munin/plugin-conf.d/munin-node
===================================================================
--- trunk/server/fedora/config/etc/munin/plugin-conf.d/munin-node	(revision 1256)
+++ trunk/server/fedora/config/etc/munin/plugin-conf.d/munin-node	(revision 1259)
@@ -1,13 +1,15 @@
+# This file is used to configure how the plugins are invoked.
+# Place in /etc/munin/plugin-conf.d/ or corresponding directory.
 #
-# This file contains configuration options for the plugins. Three
-# options are understood by munin-node itself:
+# PLEASE NOTE: Changes in the plugin-conf.d directory are only
+# read at munin-node startup, so restart at any changes.
 #
-# 	user <user>         # Set the user to run the plugin as
-# 	group <group>       # Set the group to run the plugin as
-# 	command <command>   # Run <command> instead of the plugin. %c
-# 	                      expands to what would normally be run.
-#   env.<variable>      # Sets <variable> in the plugin's environment, see the
-#                         individual plugins to find out which variables they
-#                         care about.
+#  user <user>         # Set the user to run the plugin as
+#  group <group>       # Set the group to run the plugin as
+#  command <command>   # Run <command> instead of the plugin. %c
+# 	                 expands to what would normally be run.
+#  env.<variable> <value> # Sets <variable> in the plugin's environment, see the
+#                        individual plugins to find out which variables they
+#                        care about.
 #
 #
Index: trunk/server/fedora/config/etc/nagios/nrpe.cfg
===================================================================
--- trunk/server/fedora/config/etc/nagios/nrpe.cfg	(revision 1256)
+++ trunk/server/fedora/config/etc/nagios/nrpe.cfg	(revision 1259)
@@ -3,5 +3,5 @@
 # Written by: Ethan Galstad (nagios@nagios.org)
 # 
-# Last Modified: 02-23-2006
+# Last Modified: 11-23-2007
 #
 # NOTES:
@@ -12,4 +12,11 @@
 
 
+# LOG FACILITY
+# The syslog facility that should be used for logging purposes.
+
+log_facility=daemon
+
+
+
 # PID FILE
 # The name of the file in which the NRPE daemon should write it's process ID
@@ -35,5 +42,5 @@
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-#server_address=192.168.1.1
+#server_address=127.0.0.1
 
 
@@ -45,5 +52,5 @@
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-nrpe_user=nagios
+nrpe_user=nrpe
 
 
@@ -55,5 +62,5 @@
 # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
 
-nrpe_group=nagios
+nrpe_group=nrpe
 
 
@@ -125,4 +132,15 @@
 
 command_timeout=60
+
+
+
+# CONNECTION TIMEOUT
+# This specifies the maximum number of seconds that the NRPE daemon will
+# wait for a connection to be established before exiting. This is sometimes
+# seen where a network problem stops the SSL being established even though
+# all network sessions are connected. This causes the nrpe daemons to
+# accumulate, eating system resources. Do not set this too low.
+
+connection_timeout=300
 
 
@@ -176,17 +194,19 @@
 # examples only!
 
+
 # The following examples use hardcoded command arguments...
 
 #command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
 #command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
-#command[check_disk1]=/usr/lib64/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hda1
-#command[check_disk2]=/usr/lib64/nagios/plugins/check_disk -w 20 -c 10 -p /dev/hdb1
+#command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
 #command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
 #command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200 
+
 
 # The following examples allow user-supplied arguments and can
 # only be used if the NRPE daemon was compiled with support for 
 # command arguments *AND* the dont_blame_nrpe directive in this
-# config file is set to '1'...
+# config file is set to '1'.  This poses a potential security risk, so
+# make sure you read the SECURITY file before doing this.
 
 command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
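Review bot: The `command[check_users]` definition on the last line is active and substitutes `$ARG1$`/`$ARG2$` from the remote request into the plugin command line, while the hardcoded variants above it stay commented out. The added comment warns about this, but the hunk shows neither `dont_blame_nrpe` nor `allowed_hosts`, so confirm that arguments are disabled or that only the monitoring server can connect. If the thresholds never change, the fixed form already in the file is safer: `command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10`. The command list continues past the end of the hunk, so the same check applies to any other `$ARGn$` definitions there.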
Index: trunk/server/fedora/config/etc/nscd.conf
===================================================================
--- trunk/server/fedora/config/etc/nscd.conf	(revision 1256)
+++ trunk/server/fedora/config/etc/nscd.conf	(revision 1259)
@@ -35,5 +35,5 @@
 	max-threads		128
 	server-user		nscd
-#	stat-user		nocpulse
+#	stat-user		somebody
 	debug-level		0
 #31
Index: trunk/server/fedora/config/etc/printcap
===================================================================
--- trunk/server/fedora/config/etc/printcap	(revision 1256)
+++ trunk/server/fedora/config/etc/printcap	(revision 1259)
@@ -0,0 +1,3 @@
+# This file was automatically generated by cupsd(8) from the
+# /etc/cups/printers.conf file.  All changes to this file
+# will be lost.
Index: trunk/server/fedora/config/etc/security/limits.conf
===================================================================
--- trunk/server/fedora/config/etc/security/limits.conf	(revision 1256)
+++ trunk/server/fedora/config/etc/security/limits.conf	(revision 1259)
@@ -27,5 +27,5 @@
 #        - cpu - max CPU time (MIN)
 #        - nproc - max number of processes
-#        - as - address space limit
+#        - as - address space limit (KB)
 #        - maxlogins - max number of logins for this user
 #        - maxsyslogins - max number of logins on the system
@@ -34,5 +34,5 @@
 #        - sigpending - max number of pending signals
 #        - msgqueue - max memory used by POSIX message queues (bytes)
-#        - nice - max nice priority allowed to raise to
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
 #        - rtprio - max realtime priority
 #
@@ -41,11 +41,14 @@
 
 # No limits for root
-root		-
+root             -
+scripts-build    -
 
 # For everyone else,
-*               soft    core            0
-*		-	rss		524268
-*		-	data		1048576
-*		-	as		1048576
+*                soft    core            0
+*                -       rss             524268
+*                -       data            1048576
+*                -       as              1310720
+
+#*               soft    core            0
 #*               hard    rss             10000
 #@student        hard    nproc           20
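Review bot: The added `scripts-build    -` line exempts the build account from every pam_limits restriction, including the `as` cap and the zero core-size soft limit set for everyone else, and the file gives no reason. The comment above it still reads `# No limits for root`, which no longer describes both lines; something like `# No limits for root or the package build account (<REASON_PLACEHOLDER>)` would record the intent. If the build only needs more address space, a narrower override such as `scripts-build  -  as  unlimited` keeps the remaining limits in force for that account.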
Index: trunk/server/fedora/config/etc/sudoers
===================================================================
--- trunk/server/fedora/config/etc/sudoers	(revision 1256)
+++ trunk/server/fedora/config/etc/sudoers	(revision 1259)
@@ -34,5 +34,5 @@
 
 ## Updating the locate database
-Cmnd_Alias LOCATE = /usr/sbin/updatedb
+Cmnd_Alias LOCATE = /usr/bin/updatedb
 
 ## Storage
Index: trunk/server/fedora/config/etc/sysconfig/networking/profiles/default/resolv.conf
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/networking/profiles/default/resolv.conf	(revision 1259)
+++ trunk/server/fedora/config/etc/sysconfig/networking/profiles/default/resolv.conf	(revision 1259)
@@ -0,0 +1,2 @@
+search mit.edu
+nameserver 127.0.0.1
Index: trunk/server/fedora/config/etc/sysconfig/openafs
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/openafs	(revision 1256)
+++ trunk/server/fedora/config/etc/sysconfig/openafs	(revision 1259)
@@ -10,4 +10,6 @@
 	  Sulphur)
 	    /usr/bin/fs sysname 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
+	  Leonidas)
+	    /usr/bin/fs sysname 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
 	  *)
 	    echo "Warning: unknown platform. AFS sysname not set."
Index: trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf
===================================================================
--- trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 1256)
+++ trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 1259)
@@ -6,52 +6,21 @@
 # See syslog-ng(8) and syslog-ng.conf(5) for more information.
 #
-# 20000925 gb@sysfive.com
-#
-# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
-#   - for Red Hat 7.3
-#   - totally do away with klogd
-#   - add message "kernel:" as is done with klogd.
-#
-# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
-#   - use the log_prefix option as per Balazs Scheidler's email
-#
-# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 05 Apr 2003
-#   - corrected filters 'f_filter2' and 'f_filter6'
-#     these filters were only allowing messages of one specific
-#     priority level; they should be allowing messages from that
-#     priority and upper levels.
-#
-# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 25 Jan 2005
-#   - Don't sync the d_mail destination
-#
-# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 01 Feb 2005
-#   - /proc/kmsg is a file not a pipe.
-#     (https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006963.html)
-#
-# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 31 May 2007
-#   - increase the number of unix-stream max-connections (syslog-ng 2.0.4)
-#
-# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 26 July 2007
-#   - revert previous unix-stream max-connections change
-#     (the new unix-stream max-connections default in syslog-ng 2.0.5 is 256)
-#
 
 options {
-    sync (0);
-    time_reopen (10);
-    log_fifo_size (1000);
-    long_hostnames (off);
-    use_dns (no);
-    use_fqdn (no);
-    create_dirs (no);
-    keep_hostname (yes);
+	sync (0);
+	time_reopen (10);
+	log_fifo_size (1000);
+	long_hostnames (off);
+	use_dns (no);
+	use_fqdn (no);
+	create_dirs (no);
+	keep_hostname (yes);
 };
 
 source s_sys {
-    file ("/proc/kmsg" log_prefix("kernel: "));
-    unix-stream ("/dev/log");
-    internal();
-    # udp(ip(0.0.0.0) port(514));
-    # tcp(ip(0.0.0.0) port(514));
+	file ("/proc/kmsg" log_prefix("kernel: "));
+	unix-stream ("/dev/log");
+	internal();
+	# udp(ip(0.0.0.0) port(514));
 };
 
@@ -63,4 +32,5 @@
 destination d_boot { file("/var/log/boot.log"); };
 destination d_cron { file("/var/log/cron"); };
+#destination d_kern { file("/var/log/kern"); };
 destination d_mlal { usertty("*"); };
 
@@ -68,29 +38,33 @@
 #destination d_watch { program("/usr/local/libexec/watch-syslog.py"); };
 
-#filter f_filter1   { facility(kern); };
-filter f_filter2   { level(info..emerg) and
-                     not facility(mail,authpriv,cron); };
-filter f_filter3   { facility(authpriv); };
-filter f_filter4   { facility(mail); };
-filter f_filter5   { level(emerg); };
-filter f_filter6   { facility(uucp) or
-                     (facility(news) and level(crit..emerg)); };
-filter f_filter7   { facility(local7); };
-filter f_filter8   { facility(cron); };
+#filter f_kernel     { facility(kern); };
+filter f_default    { level(info..emerg) and
+                        not (facility(mail)
+                        or facility(authpriv) 
+                        or facility(cron)); };
+filter f_auth       { facility(authpriv); };
+filter f_mail       { facility(mail); };
+filter f_emergency  { level(emerg); };
+filter f_news       { facility(uucp) or
+                        (facility(news) 
+                        and level(crit..emerg)); };
+filter f_boot   { facility(local7); };
+filter f_cron   { facility(cron); };
 
 filter f_oom { facility(kern) and (match("Out of memory:") or match("Killed process")); };
 
-#log { source(s_sys); filter(f_filter1); destination(d_cons); };
-log { source(s_sys); filter(f_filter2); destination(d_mesg); };
-log { source(s_sys); filter(f_filter3); destination(d_auth); };
-log { source(s_sys); filter(f_filter4); destination(d_mail); };
-log { source(s_sys); filter(f_filter5); destination(d_mlal); };
-log { source(s_sys); filter(f_filter6); destination(d_spol); };
-log { source(s_sys); filter(f_filter7); destination(d_boot); };
-log { source(s_sys); filter(f_filter8); destination(d_cron); };
+#log { source(s_sys); filter(f_kernel); destination(d_cons); };
+#log { source(s_sys); filter(f_kernel); destination(d_kern); };
+log { source(s_sys); filter(f_default); destination(d_mesg); };
+log { source(s_sys); filter(f_auth); destination(d_auth); };
+log { source(s_sys); filter(f_mail); destination(d_mail); };
+log { source(s_sys); filter(f_emergency); destination(d_mlal); };
+log { source(s_sys); filter(f_news); destination(d_spol); };
+log { source(s_sys); filter(f_boot); destination(d_boot); };
+log { source(s_sys); filter(f_cron); destination(d_cron); };
 
-log { source(s_sys); filter(f_filter3); destination(d_zroot); };
-#log { source(s_sys); filter(f_filter2); destination(d_watch); };
+log { source(s_sys); filter(f_auth); destination(d_zroot); };
+#log { source(s_sys); filter(f_default); destination(d_watch); };
 log { source(s_sys); filter(f_oom); destination(d_zroot); };
 
-# vim:set ai ts=4 sw=4 sts=4 et:
+# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
Index: trunk/server/fedora/config/etc/yum.repos.d/fedora-updates-testing-newkey.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/fedora-updates-testing-newkey.repo	(revision 1256)
+++ 	(revision )
@@ -1,27 +1,0 @@
-[updates-testing-newkey]
-name=Fedora $releasever - $basearch - Test Updates Newkey
-failovermethod=priority
-#baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch.newkey/
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f$releasever.newkey&arch=$basearch
-enabled=1
-gpgcheck=1
-includepkgs=subversion mod_dav_svn subversion-devel
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test-8-and-9-$basearch
-
-[updates-testing-newkey-debuginfo]
-name=Fedora $releasever - $basearch - Test Updates Debug Newkey
-failovermethod=priority
-#baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/$basearch.newkey/debug/
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-debug-f$releasever.newkey&arch=$basearch
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test-8-and-9-$basearch
-
-[updates-testing-newkey-source]
-name=Fedora $releasever - Test Updates Source Newkey
-failovermethod=priority
-#baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/SRPMS.newkey/
-mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-source-f$releasever.newkey&arch=$basearch
-enabled=0
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test-8-and-9-$basearch
Index: trunk/server/fedora/config/etc/yum.repos.d/scripts.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 1256)
+++ trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 1259)
@@ -1,5 +1,5 @@
 [scripts]
 name=Scripts
-baseurl=http://web.mit.edu/scripts/rpm/
+baseurl=http://web.mit.edu/scripts/rpm-fc11/
 enabled=1
 gpgcheck=0
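Review bot: The retargeted `baseurl=http://web.mit.edu/scripts/rpm-fc11/` is still paired with `gpgcheck=0`, so packages from this repo are fetched over plain HTTP and installed as root with no signature check. The scripts-base.spec `Requires:` line later in this change pulls `scripts-httpd`, `scripts-openssh-server` and `scripts-krb5-libs` from such packages. Anyone able to alter the HTTP response, or the files behind that URL, could therefore replace those packages. Moving to a new repo directory is a natural point to sign the rebuilt RPMs and switch to `gpgcheck=1` with `gpgkey=file:///etc/pki/rpm-gpg/<SCRIPTS_KEY_PLACEHOLDER>`.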
Index: trunk/server/fedora/config/etc/yum/yum-updatesd.conf
===================================================================
--- trunk/server/fedora/config/etc/yum/yum-updatesd.conf	(revision 1259)
+++ trunk/server/fedora/config/etc/yum/yum-updatesd.conf	(revision 1259)
@@ -0,0 +1,18 @@
+[main]
+# how often to check for new updates (in seconds)
+run_interval = 14400
+# how often to allow checking on request (in seconds)
+updaterefresh = 600
+
+# how to send notifications (valid: dbus, email, syslog)
+emit_via = dbus email
+# should we listen via dbus to give out update information/check for
+# new updates 
+dbus_listener = yes
+
+# automatically install updates
+do_update = no
+# automatically download updates
+do_download = yes
+# automatically download deps of updates
+do_download_deps = yes
Index: trunk/server/fedora/specs/httpd.spec.patch
===================================================================
--- trunk/server/fedora/specs/httpd.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/httpd.spec.patch	(revision 1259)
@@ -1,16 +1,16 @@
---- httpd.spec.orig	2009-03-28 13:32:47.000000000 -0400
-+++ httpd.spec	2009-03-28 14:20:15.000000000 -0400
-@@ -6,7 +6,7 @@
+--- httpd.spec.orig	2009-03-17 09:12:22.000000000 -0400
++++ httpd.spec	2009-06-03 05:05:30.000000000 -0400
+@@ -7,7 +7,7 @@
  Summary: Apache HTTP Server
  Name: httpd
- Version: 2.2.10
--Release: 1%{?dist}
-+Release: 1%{?dist}.scripts.%{scriptsversion}
+ Version: 2.2.11
+-Release: 8
++Release: 8.scripts.%{scriptsversion}
  URL: http://httpd.apache.org/
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
  Source1: index.html
-@@ -54,6 +54,12 @@
+@@ -56,6 +56,12 @@
  Conflicts: pcre < 4.0
- Requires: httpd-tools = %{version}-%{release}
+ Requires: httpd-tools = %{version}-%{release}, apr-util-ldap
  
 +Provides: scripts-httpd
@@ -23,5 +23,5 @@
  The Apache HTTP Server is a powerful, efficient, and extensible
  web server.
-@@ -100,6 +106,7 @@
+@@ -102,6 +108,7 @@
  BuildRequires: openssl-devel, distcache-devel
  Requires(post): openssl >= 0.9.7f-4, /bin/cat
@@ -31,5 +31,5 @@
  
  %description -n mod_ssl
-@@ -127,6 +134,11 @@
+@@ -130,6 +137,11 @@
  # Patch in vendor/release string
  sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -43,5 +43,5 @@
  vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
  if test "x${vmmn}" != "x%{mmn}"; then
-@@ -175,10 +187,12 @@
+@@ -178,10 +190,12 @@
          --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
  	--enable-suexec --with-suexec \
Index: trunk/server/fedora/specs/krb5.spec.patch
===================================================================
--- trunk/server/fedora/specs/krb5.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/krb5.spec.patch	(revision 1259)
@@ -1,23 +1,23 @@
---- krb5.spec.old	2009-04-08 06:26:23.000000000 -0400
-+++ krb5.spec	2009-04-08 06:29:20.000000000 -0400
+--- krb5.spec.orig	2009-04-07 15:17:07.000000000 -0400
++++ krb5.spec	2009-06-03 04:47:31.000000000 -0400
 @@ -16,7 +16,7 @@
  Summary: The Kerberos network authentication system.
  Name: krb5
  Version: 1.6.3
--Release: 16%{?dist}
-+Release: 16%{?dist}.scripts.%{scriptsversion}
+-Release: 20%{?dist}
++Release: 20%{?dist}.scripts.%{scriptsversion}
  # Maybe we should explode from the now-available-to-everybody tarball instead?
  # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
  Source0: krb5-%{version}.tar.gz
-@@ -105,6 +105,8 @@
- Patch82: krb5-CVE-2009-0846.patch
- Patch83: krb5-CVE-2009-0847.patch
+@@ -106,6 +106,8 @@
+ Patch83: krb5-CVE-2009-0846.patch
+ Patch84: krb5-CVE-2009-0847.patch
  
 +Patch1000: krb5-kuserok-scripts.patch
 +
- License: MIT, freely distributable.
+ License: MIT
  URL: http://web.mit.edu/kerberos/www/
  Group: System Environment/Libraries
-@@ -146,6 +148,7 @@
+@@ -147,6 +149,7 @@
  Group: System Environment/Libraries
  Prereq: grep, /sbin/ldconfig, sh-utils
@@ -27,8 +27,8 @@
  %description libs
  Kerberos is a network authentication system. The krb5-libs package
-@@ -1389,6 +1392,7 @@
- %patch81 -p1 -b .CVE-2009-0844-0845-2
- %patch82 -p1 -b .CVE-2009-0846
- %patch83 -p1 -b .CVE-2009-0847
+@@ -1413,6 +1416,7 @@
+ %patch82 -p1 -b .CVE-2009-0844-0845-2
+ %patch83 -p1 -b .CVE-2009-0846
+ %patch84 -p1 -b .CVE-2009-0847
 +%patch1000 -p1 -b .kuserok
  cp src/krb524/README README.krb524
Index: trunk/server/fedora/specs/nss-ldapd.spec.patch
===================================================================
--- trunk/server/fedora/specs/nss-ldapd.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/nss-ldapd.spec.patch	(revision 1259)
@@ -1,4 +1,4 @@
 --- nss-ldapd.spec.orig	2009-03-30 04:33:50.000000000 -0400
-+++ nss-ldapd.spec	2009-05-24 18:39:15.000000000 -0400
++++ nss-ldapd.spec	2009-06-03 03:18:49.000000000 -0400
 @@ -19,18 +19,19 @@
  
@@ -55,5 +55,5 @@
  %files
  %defattr(-,root,root)
-@@ -104,11 +99,12 @@
+@@ -104,7 +99,6 @@
  %doc %{_mandir}/man8/*
  %config(noreplace) %attr(640,root,root) /etc/nss-ldapd.conf
@@ -63,11 +63,5 @@
  /usr/sbin/nslcd
  
- %changelog
-+* Sun May 24 2009 Anders Kaseorg <andersk@mit.edu> - 0.6.8-2.1
-+- Update for Fedora again.
- * Wed Mar 25 2009 rhafer@suse.de
- - Updated to 0.6.8:
-   * the nss-ldapd.conf was created world-readable which could cause
-@@ -129,6 +125,10 @@
+@@ -129,6 +123,10 @@
  - Adjust config file permissions upon update, to fix world-readable
    /etc/nss-ldapd.conf as created by older versions
Index: trunk/server/fedora/specs/openafs.spec.patch
===================================================================
--- trunk/server/fedora/specs/openafs.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/openafs.spec.patch	(revision 1259)
@@ -1,4 +1,4 @@
---- openafs.spec.orig	2009-04-08 08:17:00.000000000 -0400
-+++ openafs.spec	2009-04-14 04:32:44.000000000 -0400
+--- openafs.spec.orig	2009-06-03 04:16:03.000000000 -0400
++++ openafs.spec	2009-06-12 02:05:57.000000000 -0400
 @@ -8,7 +8,7 @@
  # for beta/rc releases make pkgrel 0.X.<tag>
@@ -10,5 +10,5 @@
  %if %{?osvers:0}%{!?osvers:1}
  %define osvers 1
-@@ -261,6 +261,11 @@
+@@ -261,6 +261,14 @@
  %endif
  ExclusiveArch: %{ix86} x86_64 ia64 s390 s390x sparc64 ppc ppc64
@@ -18,9 +18,12 @@
 +Patch1002: openafs-pts-encrypt.patch
 +Patch1003: openafs-localcsdb.patch
++Patch1004: openafs-delta-dprintf-rename-20090427.patch
++Patch1005: openafs-numsysnames.patch
++Patch1006: openafs-delta-linux26-defer-cred-changing-20090511.patch
 +
  #    http://dl.openafs.org/dl/openafs/candidate/%{afsvers}/...
  Source0: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-src.tar.bz2
  Source1: http://www.openafs.org/dl/openafs/%{afsvers}/openafs-%{afsvers}-doc.tar.bz2
-@@ -343,6 +348,7 @@
+@@ -343,6 +351,7 @@
  %if %{build_userspace}
  
@@ -30,5 +33,5 @@
  
  %if %{fedorakmod}
-@@ -403,6 +409,7 @@
+@@ -403,6 +412,7 @@
  
  %if %{build_authlibs}
@@ -38,5 +41,5 @@
  Group: Networking/Filesystems
  
-@@ -419,6 +426,7 @@
+@@ -419,6 +429,7 @@
  %endif
  
@@ -46,5 +49,5 @@
  Requires: openafs-authlibs = %{PACKAGE_VERSION}
  %endif
-@@ -437,6 +445,7 @@
+@@ -437,6 +448,7 @@
  libraries.
  
@@ -54,5 +57,5 @@
  Group: Development/Filesystems
  
-@@ -465,6 +474,7 @@
+@@ -465,6 +477,7 @@
  administrators.
  
@@ -62,5 +65,5 @@
  Group: Networking/Filesystems
  Provides: openafs-kernel = %{PACKAGE_VERSION}
-@@ -514,6 +524,7 @@
+@@ -514,6 +527,7 @@
  
  %if %{krb5support}
@@ -70,5 +73,5 @@
  Requires: openafs = %{PACKAGE_VERSION}
  Group: Networking/Filesystems
-@@ -540,7 +551,7 @@
+@@ -540,7 +554,7 @@
  %if %{build_modules}
  
@@ -79,5 +82,5 @@
  %else
  
-@@ -699,6 +710,10 @@
+@@ -699,6 +713,13 @@
  
  # Patch openafs to build a kernel module named "openafs" instead of "libafs"
@@ -87,4 +90,7 @@
 +%patch1002 -p1 -b .pts-encrypt
 +%patch1003 -p1 -b .localcsdb
++%patch1004 -p1 -b .dprintf
++%patch1005 -p1 -b .numsysnames
++%patch1006 -p1 -b .defercredchanging
  
  ##############################################################################
Index: trunk/server/fedora/specs/openssh.spec.patch
===================================================================
--- trunk/server/fedora/specs/openssh.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/openssh.spec.patch	(revision 1259)
@@ -1,22 +1,23 @@
---- openssh.spec.orig	2009-01-01 21:06:01.000000000 -0500
-+++ openssh.spec	2009-01-01 22:52:02.000000000 -0500
+--- openssh.spec-pristine	2009-07-01 18:55:04.579034598 -0400
++++ openssh.spec	2009-07-01 18:49:33.068037580 -0400
 @@ -63,7 +63,7 @@
- Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
+ Summary: An open source implementation of SSH protocol versions 1 and 2
  Name: openssh
- Version: 5.1p1
--Release: 3%{?dist}%{?rescue_rel}
-+Release: 3%{?dist}%{?rescue_rel}.scripts.%{scriptsversion}
+ Version: 5.2p1
+-Release: 2%{?dist}%{?rescue_rel}
++Release: 2%{?dist}%{?rescue_rel}.scripts.%{scriptsversion}
  URL: http://www.openssh.com/portable.html
  #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
  #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
-@@ -74,6 +74,7 @@
+@@ -74,6 +74,8 @@
  Source1: openssh-nukeacss.sh
  Source2: sshd.pam
  Source3: sshd.init
 +Patch1000: openssh-5.0p1-multihomed.patch
- Patch0: openssh-5.1p1-redhat.patch
++Patch1001: openssh-4.7p1-gssapi-name-in-env.patch
+ Patch0: openssh-5.2p1-redhat.patch
  Patch2: openssh-5.1p1-skip-initial.patch
  Patch3: openssh-3.8.1p1-krb5-config.patch
-@@ -159,6 +160,7 @@
+@@ -160,6 +162,7 @@
  Requires(post): chkconfig >= 0.9, /sbin/service
  Requires(pre): /usr/sbin/useradd
@@ -26,9 +27,10 @@
  %package askpass
  Summary: A passphrase dialog for OpenSSH and X
-@@ -232,6 +234,8 @@
- %patch63 -p1 -b .bannerlen
- %patch64 -p1 -b .compat-sessions
+@@ -229,6 +232,9 @@
+ %patch62 -p1 -b .manpage
+ %patch65 -p1 -b .fips
  
 +%patch1000 -p1 -b .multihomed
++%patch1001 -p1 -b .gssapi-env
 +
  autoreconf
Index: trunk/server/fedora/specs/php.spec.patch
===================================================================
--- trunk/server/fedora/specs/php.spec.patch	(revision 1256)
+++ trunk/server/fedora/specs/php.spec.patch	(revision 1259)
@@ -1,4 +1,4 @@
---- php.spec.orig	2009-04-23 11:58:08.000000000 -0400
-+++ php.spec	2009-04-23 12:00:32.000000000 -0400
+--- php.spec.orig	2009-04-15 09:24:35.000000000 -0400
++++ php.spec	2009-06-03 05:40:37.000000000 -0400
 @@ -7,7 +7,7 @@
  Summary: PHP scripting language for creating dynamic web sites
@@ -10,5 +10,5 @@
  Group: Development/Languages
  URL: http://www.php.net/
-@@ -38,6 +38,10 @@
+@@ -39,6 +39,10 @@
  Patch60: php-5.2.7-tests-dashn.patch
  Patch61: php-5.0.4-tests-wddx.patch
@@ -21,5 +21,5 @@
  
  BuildRequires: bzip2-devel, curl-devel >= 7.9, db4-devel, gmp-devel
-@@ -374,6 +378,8 @@
+@@ -404,6 +408,8 @@
  %patch60 -p1 -b .tests-dashn
  %patch61 -p1 -b .tests-wddx
Index: trunk/server/fedora/specs/pysvn.spec.patch
===================================================================
--- trunk/server/fedora/specs/pysvn.spec.patch	(revision 1256)
+++ 	(revision )
@@ -1,19 +1,0 @@
---- pysvn.spec	2009-03-23 10:49:59.000000000 -0400
-+++ pysvn.spec.new	2009-03-23 10:53:10.000000000 -0400
-@@ -2,7 +2,7 @@
- 
- Name:           pysvn
- Version:        1.6.2
--Release:        1%{dist}
-+Release:        1%{dist}.scripts.%{scriptsversion}
- Summary:        Pythonic style bindings for Subversion
- Group:          Development/Languages
- License:        ASL 1.1
-@@ -17,6 +17,7 @@
- BuildRequires:  neon-devel
- BuildRequires:  apr-devel
- BuildRequires:  openssl-devel
-+Provides:       scripts-pysvn
- 
- %description
- Pythonic style bindings for Subversion
Index: trunk/server/fedora/specs/scripts-base.spec
===================================================================
--- trunk/server/fedora/specs/scripts-base.spec	(revision 1256)
+++ trunk/server/fedora/specs/scripts-base.spec	(revision 1259)
@@ -9,5 +9,5 @@
 Source: %{name}.tar.gz 
 BuildRoot: %{_tmppath}/%(%{__id_u} -n)-%{name}-%{version}-root
-Requires: accountadm, execsys, scripts-kmod-openafs, scripts-krb5-libs, scripts-httpd, scripts-mod_ssl, openafs, scripts-openafs-client, scripts-openafs-authlibs, scripts-openafs-devel, scripts-openafs-krb5, openafs-docs, scripts-openssh-server, sql-signup, tokensys, whoisd, logview, nss-ldapd, scripts-pysvn, scripts-php, php_scripts
+Requires: accountadm, execsys, scripts-kmod-openafs, scripts-krb5-libs, scripts-httpd, scripts-mod_ssl, openafs, scripts-openafs-client, scripts-openafs-authlibs, scripts-openafs-devel, scripts-openafs-krb5, openafs-docs, scripts-openssh-server, sql-signup, tokensys, whoisd, logview, nss-ldapd, scripts-php, php_scripts
 %define debug_package %{nil}
 
