| Size: 1574 Comment: stub for migration guide | Size: 9120 Comment:  | 
| Deletions are marked like this. | Additions are marked like this. | 
| Line 1: | Line 1: | 
| A guide to moving your services to our new virtual infrastructure at digital ocean. | A guide to moving your services to our new virtual infrastructure at DigitalOcean. | 
| Line 4: | Line 4: | 
| == Changes Requiring Action == If you... * have a crontab * run any daemons on `bog` * use postgresql * use the low level `domain` domtool type instead of `dom`, the `vhost`/`vhostDefault`/`webAt` actions instead of `web`, or (reverse) proxies ...you will need to take some manual actions during the migration or '''your services may break'''. Migration should be otherwise transparent. | |
| Line 9: | Line 22: | 
| * email migration * database migration * volumes migration | * All domains converted from suphp/cgi php to fastcgi based php: 2018-10-10 ('''done!''') * email migration: 2018-11-04 ('''done!''') * mailman list migration: 2018-11-04. ''Delayed'' by a day or two * database migration (incurring downtime): 2018-11-10 * TODO: estimated max downtime window for migrating databases after doing test run * home directory volumes and domain migration: 2018-11-11 == Service Impacts During Migration == The migration should have minimal impact for most members. However, there will be some impact during a few phases. === Email === While we are moving mail volumes, IMAP PUSH may not function correctly and result in delays in your client notifying you of new mail. This is due to multiple mail delivery servers writing to your email volume; when the mail delivery agent and imap server are on separate machines, [[https://en.wikipedia.org/wiki/File_Alteration_Monitor|FAM]] notifications are not delivered to the imap server so it can't see that a new message was delivered without explicitly polling the directory. Mail access will still work generally, and IMAP PUSH notifications should only behave oddly for a few hours. Spam detection may also be affected during a brief window -- the new mail server does not share the SpamAssassin bayes database with the current mail server, so for the window when both mail servers are active spam detection may be impaired slightly. === Databases === There will be up to ~2h of downtime for databases to ensure that no data is lost when moving data to the new servers. We will be disabling Mysql and Postgres separately, so each will be down for a shorter period during the window. | 
| Line 15: | Line 46: | 
| The new machines that members will directly interact with are: | |
| Line 16: | Line 48: | 
| === Networking Change: IPv6 is Supported === | * marsh, the new shell server. replaces [[ServerBog|bog]]. This is the server you will login to. * shelob, the new web server. replaces [[ServerNavajos|navajos]] * minsky, the new mail server. replaces [[ServerMcCarthy|mccarthy]] For a full list of servers at the new host and their purposes, see [[Hardware#Digital_Ocean]] All servers are now running Debian Stretch (the latest stable release). Packages that were requested through the members portal on both bog and navajos have been installed on marsh and shelob so if your software works now, it ought to work on the new servers. If you are using compiled binaries that link against system libraries you might need to recompile. === New Features === ==== Networking Change: IPv6 is Supported ==== | 
| Line 20: | Line 62: | 
| By default, domtool will not generate `AAAA` (IPv6) DNS records for your domains, but this will be enabled for the `dom` type after all sites are migrated. | By default, domtool will not generate `AAAA` (IPv6) DNS records for your domains, but this will be enabled for the `dom` type after all sites are migrated. {{{#!wiki comment note: not quite, since domtool set the vhost to listen on the ipv4 address only If you're feeling like living on the cutting edge, you can set an `AAAA` record to the web server manually using `dnsIPv6` and `dnsDefaultv6`, for example: {{{ dom "yourdomain" where DefaultWebNode = "shelob"; ... with dnsDefaultv6 shelob_ipv6; (* sets AAAA for "yourdomain" *) dnsIPv6 "www.yourdomain" shelob_ipv6; ... end }}} ==== Web Server ==== All sites are now using mod_fcgid based php 5.6, which should provide a significant improvement in performance. The new webserver has the latest Apache 2.4.x release, so the `sslCertificateChainFile` directive will no longer be required for https -- the certificates can contain the full chain now. | 
| Line 24: | Line 88: | 
| The new shell server may be accessed using `ssh marsh.hcoop.net`. Thanks to [[AndrewFileSystem|openafs]], both the old and new infrastructure share the same volumes and you can access your data from either. === Using Cron: Permissions No Longer Needed === All members have cron enabled by default on the new login server and no longer need to specially request permissions. Members with crontabs on bog will need to re-create the crontab on marsh. This should just be a matter of copying the crontab contents to marsh, and removing it from bog afterward. | |
| Line 25: | Line 97: | 
| We are upgrading from apache 2.2 to 2.4, but have a configuration that should behave identically the one currently used on ServerNavajos. We are currently using `mod_access_compat` (Allow/Deny/Satisfy directives) instead of the newer `Require` access framework so that existing configurations do not need to be updated. At some point in the future we will update domtool and convert member configurations to the new access control directives. If you are using the `dom` type, the move should be transparent; we will update `DefaultWebNode` to the new web server and reconfigure all domains on the date scheduled for transitioning to the new servers. If you would like to migrate your domains early, you may set the environment variable `DefaultWebNode = "shelob";` in your configuration to force the domain to be configured on the new webserver. | |
| Line 28: | Line 104: | 
| The new webserver is running php 5.6, with a configuration matching the existing production configuration. We have supported a simple fastcgi based php for a while now, but have not widely deployed it. Our current method of supporting php-cgi based php (suphp) has been removed from debian stretch, and `shelob` only supports fastcgi based php. All domains have been automatically upgraded to fastcgi based php, and plain cgi php support has been removed from domtool. After we migrate all domains, we will be able to enable php 7.2 with minimal effort (due to domtool limitations, it's not feasible to support it while ServerNavajos is in production). | |
| Line 29: | Line 113: | 
| === Low-level domain users === You're on your own, possibly ;-) If you use `vhost` or `vhostDefault` to configure your websites, you will need to set the Web``Places environment variable to host them on `shelob`: {{{ domain "yourdomain" with vhostDefault where WebPlaces = [web_place_default "shelob"]; with ... end; end; }}} Any `dnsIP` or `dnsDefault` records pointing toward `navajos_ip` or "69.90.123.70" need to be changed to point to `shelob`: {{{ domain "yourdomain" with ... dnsDefault shelob_ip; end; }}} You may have `webAt` directives that need fixing up: {{{ webAt "shelob" "www" with ... end; }}} Proxies and reverse proxies are similar: switch from `bog` to `marsh`. {{{ web "www" with proxyPass "/" "http://marsh:50000/"; proxyPassReverse "/" "http://marsh:50000/"; ... end; }}} | |
| Line 34: | Line 163: | 
| todo: example of proxied server config and update. | |
| Line 36: | Line 167: | 
| Postgresql is upgraded to 9.6. 9.1 no longer supported, data automatically migrated. | === Postgresql === Postgres users '''must''' take action! Due to our usage of gssapi and ident for authentication, we cannot set up a simple stunnel for secure connections between the datacenters. To ensure the security of your data, connections from one datacenter to the other will require ssl be enabled in postgres. Applications based on `libpq` ought to negotiate ssl automatically, but php applications using the PDO library will not automatically negotiate, and require `sslmode=require` be added to the connection string. Postgresql is also being upgraded to 9.6 as 9.1 is not longer supported. There should be no major compatibility issues, and all databases will be automatically migrated. Postgres will still listen on port `5433`; some time after migration is complete we will enable postgresql 11 on port `5432`. | 
| Line 40: | Line 175: | 
| MySQL is still using Percona 5.6. | === MySQL === The MySQL migration should be transparent. We are staying on Percona MySQL 5.6, and are using an stunnel to transparently/securely proxy connections between the datacenters during migration. | 
| Line 52: | Line 189: | 
| * Postgresql 10.x support | * Postgresql 11.x support | 
A guide to moving your services to our new virtual infrastructure at DigitalOcean.
Contents
1. Changes Requiring Action
If you...
- have a crontab
- run any daemons on bog 
- use postgresql
- use the low level domain domtool type instead of dom, the vhost/vhostDefault/webAt actions instead of web, or (reverse) proxies 
...you will need to take some manual actions during the migration or your services may break.
Migration should be otherwise transparent.
2. Important Dates
TBD
- All domains converted from suphp/cgi php to fastcgi based php: 2018-10-10 (done!) 
- email migration: 2018-11-04 (done!) 
- mailman list migration: 2018-11-04. Delayed by a day or two 
- database migration (incurring downtime): 2018-11-10 - TODO: estimated max downtime window for migrating databases after doing test run
 
- home directory volumes and domain migration: 2018-11-11
3. Service Impacts During Migration
The migration should have minimal impact for most members. However, there will be some impact during a few phases.
3.1. Email
While we are moving mail volumes, IMAP PUSH may not function correctly and result in delays in your client notifying you of new mail. This is due to multiple mail delivery servers writing to your email volume; when the mail delivery agent and imap server are on separate machines, FAM notifications are not delivered to the imap server so it can't see that a new message was delivered without explicitly polling the directory. Mail access will still work generally, and IMAP PUSH notifications should only behave oddly for a few hours.
Spam detection may also be affected during a brief window -- the new mail server does not share the SpamAssassin bayes database with the current mail server, so for the window when both mail servers are active spam detection may be impaired slightly.
3.2. Databases
There will be up to ~2h of downtime for databases to ensure that no data is lost when moving data to the new servers. We will be disabling Mysql and Postgres separately, so each will be down for a shorter period during the window.
4. Overview of New Machines
The new machines that members will directly interact with are:
- marsh, the new shell server. replaces bog. This is the server you will login to. 
- shelob, the new web server. replaces navajos 
- minsky, the new mail server. replaces mccarthy 
For a full list of servers at the new host and their purposes, see Hardware#Digital_Ocean
All servers are now running Debian Stretch (the latest stable release). Packages that were requested through the members portal on both bog and navajos have been installed on marsh and shelob so if your software works now, it ought to work on the new servers. If you are using compiled binaries that link against system libraries you might need to recompile.
4.1. New Features
4.1.1. Networking Change: IPv6 is Supported
Core HCoop services (ssh, email, dns, ...) are now IPv6 enabled. Members with native IPv6 are encouraged to test the new services and report any problems.
By default, domtool will not generate AAAA (IPv6) DNS records for your domains, but this will be enabled for the dom type after all sites are migrated.
4.1.2. Web Server
All sites are now using mod_fcgid based php 5.6, which should provide a significant improvement in performance.
The new webserver has the latest Apache 2.4.x release, so the sslCertificateChainFile directive will no longer be required for https -- the certificates can contain the full chain now.
5. Using the New Shell Server
The new shell server may be accessed using ssh marsh.hcoop.net. Thanks to openafs, both the old and new infrastructure share the same volumes and you can access your data from either.
5.1. Using Cron: Permissions No Longer Needed
All members have cron enabled by default on the new login server and no longer need to specially request permissions.
Members with crontabs on bog will need to re-create the crontab on marsh. This should just be a matter of copying the crontab contents to marsh, and removing it from bog afterward.
6. Moving Web Sites
We are upgrading from apache 2.2 to 2.4, but have a configuration that should behave identically the one currently used on ServerNavajos. We are currently using mod_access_compat (Allow/Deny/Satisfy directives) instead of the newer Require access framework so that existing configurations do not need to be updated. At some point in the future we will update domtool and convert member configurations to the new access control directives.
If you are using the dom type, the move should be transparent; we will update DefaultWebNode to the new web server and reconfigure all domains on the date scheduled for transitioning to the new servers. If you would like to migrate your domains early, you may set the environment variable DefaultWebNode = "shelob"; in your configuration to force the domain to be configured on the new webserver.
6.1. PHP
The new webserver is running php 5.6, with a configuration matching the existing production configuration.
We have supported a simple fastcgi based php for a while now, but have not widely deployed it. Our current method of supporting php-cgi based php (suphp) has been removed from debian stretch, and shelob only supports fastcgi based php.
All domains have been automatically upgraded to fastcgi based php, and plain cgi php support has been removed from domtool.
After we migrate all domains, we will be able to enable php 7.2 with minimal effort (due to domtool limitations, it's not feasible to support it while ServerNavajos is in production).
(fastcgi php is mandatory now)
6.2. Low-level domain users
You're on your own, possibly  
 
If you use vhost or vhostDefault to configure your websites, you will need to set the WebPlaces environment variable to host them on shelob:
domain "yourdomain"
with
  vhostDefault where
    WebPlaces = [web_place_default "shelob"];
  with
    ...
  end;
end;Any dnsIP or dnsDefault records pointing toward navajos_ip or "69.90.123.70" need to be changed to point to shelob:
domain "yourdomain" with ... dnsDefault shelob_ip; end;
You may have webAt directives that need fixing up:
webAt "shelob" "www" with ... end;
Proxies and reverse proxies are similar: switch from bog to marsh.
web "www" with proxyPass "/" "http://marsh:50000/"; proxyPassReverse "/" "http://marsh:50000/"; ... end;
6.3. Proxied Servers
Will need to be moved to marsh, but will still work when connecting from the new webserver to bog. Connections will be going unencrypted over the Internet however!
todo: example of proxied server config and update.
7. Changes to Databases
7.1. Postgresql
Postgres users must take action! Due to our usage of gssapi and ident for authentication, we cannot set up a simple stunnel for secure connections between the datacenters. To ensure the security of your data, connections from one datacenter to the other will require ssl be enabled in postgres. Applications based on libpq ought to negotiate ssl automatically, but php applications using the PDO library will not automatically negotiate, and require sslmode=require be added to the connection string.
Postgresql is also being upgraded to 9.6 as 9.1 is not longer supported. There should be no major compatibility issues, and all databases will be automatically migrated. Postgres will still listen on port 5433; some time after migration is complete we will enable postgresql 11 on port 5432.
dbtool commands for postgres will now use version postgres-9 instead of postgres-9.1.
7.2. MySQL
The MySQL migration should be transparent. We are staying on Percona MySQL 5.6, and are using an stunnel to transparently/securely proxy connections between the datacenters during migration.
8. Changes to XMPP
We are now using ejabberd 18.06, which brings ...
9. Features Coming After Migration
Once migration is completed, a few features will be implemented as soon as feasible:
- PHP 7.2 support
- Postgresql 11.x support
- Automated integration with letsencrypt in DomTool. 
