| |
36 |
36 |
run as another user, which you must specify on the command line. It's |
| |
37 |
37 |
important that this user has as few privileges as possible. Why? |
| |
38 |
38 |
Because if an intruder somehow breaks in through AOLserver, you don't |
| |
39 |
39 |
want her to have any ability to do damage to the rest of your |
| |
40 |
40 |
server.</para> |
| |
41 |
41 |
<para>At the same time, AOLserver needs to have write access to |
| |
42 |
42 |
some files on your system in order for OpenACS to function |
| |
43 |
43 |
properly. So, we'll run AOLserver with a different user account |
| |
44 |
44 |
for each different service. A service name should be a single |
| |
45 |
45 |
word, <emphasis>letters and numbers only</emphasis>. If the name |
| |
46 |
46 |
of your site is one word, that would be a good choice. For |
| |
47 |
47 |
example "<replaceable>$OPENACS_SERVICE_NAME</replaceable>" might be the service name for the |
| |
48 |
48 |
<ulink url="http://$OPENACS_SERVICE_NAME.net/"><replaceable>$OPENACS_SERVICE_NAME</replaceable>.net</ulink> |
| |
49 |
49 |
community.</para> |
| |
50 |
50 |
<para>We'll leave the password blank, which prevents login by |
| |
51 |
51 |
password, for increased security. The only way to log in will |
| |
52 |
52 |
be with ssh certificates. The only people who should log in are |
| |
53 |
53 |
developers for that specific instance. Add this user, and put |
| |
54 |
54 |
it in the <computeroutput><replaceable>$OPENACS_SERVICE_NAME</replaceable></computeroutput> group so that it |
| |
55 |
55 |
can use database and server commands associated with that group. |
| |
|
56 |
(If you don't know how to do this, type |
| |
|
57 |
<userinput>man usermod</userinput>. You can type |
| |
|
58 |
<userinput>groups</userintput> to find out which groups a user |
| |
|
59 |
is a part of) |
| |
56 |
60 |
</para> |
| |
57 |
61 |
<screen> |
| |
58 |
62 |
[root root]# <userinput>useradd <replaceable>$OPENACS_SERVICE_NAME</replaceable></userinput> |
| |
59 |
|
[root root]#</screen> |
| |
|
63 |
</screen> |
| |
60 |
64 |
</sect2> |
| |
61 |
65 |
|
| |
62 |
66 |
<sect2 id="install-with-script"> |
| |
63 |
67 |
<title>Installation Option 1: Use automated script</title> |
| |
64 |
68 |
<para>A bash script is available to automate all of the steps for the rest of this section. It requires <link linkend="install-tclwebtest">tclwebtest</link>. The automated script can greatly accelerate the install process, but is very sensitive to the install environment. We recommend that you run the automated install and, if it does not work the first time, consider switching to a <link linkend="install-from-tarball">manual installation</link>.</para> |
| |
65 |
69 |
<para>Get the install script from CVS. It is located within |
| |
66 |
70 |
the main cvs tree, at /etc/install. Use anonymous CVS |
| |
67 |
71 |
checkout to get that directory in the home directory of the |
| |
68 |
72 |
service's dedicated user. We put it there so that it is not |
| |
69 |
73 |
overwritten when we do the main CVS checkout to the target |
| |
70 |
74 |
location.</para> |
| |
71 |
75 |
<screen>[root root]# <userinput>su - <replaceable>$OPENACS_SERVICE_NAME</replaceable></userinput> |
| |
72 |
76 |
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ <userinput>cvs -d :pserver:anonymous@openacs.org:/cvsroot co -d install openacs-4/etc/install</userinput> |
| |
73 |
77 |
cvs server: Updating install |
| |
74 |
78 |
U install/README |
| |
75 |
79 |
U install/TODO |
| |
76 |
80 |
... many lines omitted ... |
| |
77 |
81 |
U install/tcl/twt-procs.tcl |
| |
78 |
82 |
U install/tcl/user-procs.tcl |
| |
79 |
83 |
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ <userinput>cd install</userinput> |
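Review bot: The end tag on added line 58 is misspelled: `<userinput>groups</userintput>` opens `userinput` but closes `userintput`, so the DocBook source is no longer well-formed XML and will not parse. Change it to `</userinput>`. In the same added parenthetical (new lines 56-59), `groups` with no argument lists the groups of the current user, while the text says it shows "which groups a user is a part of"; `groups $OPENACS_SERVICE_NAME` would match the wording. The paragraph asks the reader to put the account in the service group, but the screen below still shows only `useradd $OPENACS_SERVICE_NAME`, so showing the group step there would be clearer than pointing to `man usermod`. Finally, moving `</screen>` onto its own line (new line 63) drops the trailing `[root root]#` prompt and leaves a blank line at the end of the rendered screen; keeping the close tag on the last content line avoids that.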