4837
Comment: explain moving basic web sites
|
6420
a bit more on postgres
|
Line 71: | Line 71: |
If you use `vhost` or `vhostDefault` to configure your websites, you will need to set the Web``Places environment variable to host them on navajos: {{{ dom "yourdomain" with vhostDefault where WebPlaces = [web_place_default "navajos"]; with ... end; end; }}} |
|
Line 79: | Line 92: |
If you are using php4, you must upgrade to php5. | If you are using php4, you must upgrade to php5. === Moin Moin === Don't panic if your `moinMoin` or `addMoinMoin` directives are now suffixed with `Old`; ClintonEbadi updated your config for you. The `Old` variants of both install your wiki onto mire, using its local machine copy. To support saner upgrades in the future, we haved moved our moin install into afs, upgrading from 1.7 to 1.9.5 in the process. Follow the instructions at [[MemberManual/WebApplications/MoinMoin#Moin1.7.x]] and remove the `Old` to upgrade. === SSL === If you have requested access to the default HCoop SSL certificate your SSL vhosts will move with no special effort. If you have an IP Address allocated for SSL, you will need to coordinate with the admins to have the address moved from `mire` to `navajos`. [[https://bugzilla.hcoop.net/enter_bug.cgi|File a bug]] under the "_Misc" category and we'll help you. We do not yet support SNI, but since OpenSSL on `navajos` is new enough, we should be able to once mire is decommissioned to avoid complication. |
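Review bot: Typo in the added Moin Moin paragraph: "we haved moved our moin install into afs" should read "we have moved". In the added SSL section, the closing sentence "we should be able to once mire is decommissioned to avoid complication" leaves it unclear what the complication is and whether SNI is blocked on mire or only postponed. Suggest splitting it into two sentences, one stating that OpenSSL on `navajos` can do SNI and one stating that it will be enabled after mire is gone.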
Line 85: | Line 110: |
Postgres users will need to dump their databases and upgrade to 9.1. New dbtool "database" `postgres-9.1`. If any trouble is encountered, file a bug under SQL DBs. | We are now offering PostgreSQL 9.1 instead of 8.1. Administration is performed using a new dbtool "database" named `postgres-9.1`. Seethe [[http://wiki.hcoop.net/MemberManual/Databases#PostgreSQL|postgresql member manual section]] for full details. You can still connect to your 8.1 databases from navajos, but 8.1 is officially deprecated so you should dump and re-create your databases. If any trouble is encountered, file a bug under SQL DBs. |
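Review bot: "Seethe" in the added text is missing a space ("See the"). The member manual link uses `http://wiki.hcoop.net/...` while the bug tracker link added in the same revision uses `https://`; a wiki-internal link in the style of `[[MemberManual/WebApplications/MoinMoin#Moin1.7.x]]` would avoid hard-coding the scheme. The paragraph also tells members to "dump and re-create" without saying where the procedure is documented; if the linked manual section covers it, say so explicitly.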
A guide to migrating your services to navajos and bog.
This document refers to the new shell server, bog, but bog has not yet been created. This note will disappear once it has.
1. Explanation of New Machines
Our current machines are hopelessly obsolete, mire in particular. Members may have noticed their sites running slowly for the last few months; software such as php is so out of date that modern applications no longer work, and there are so many warts in the setup that upgrading to a newer Debian is impossible.
And so, using fritz's virtualization capabilities, we've created new KernelVirtualMachines running Debian squeeze on 64-bit x86, with access to roughly four times the processing power of mire.
We've also closed one of our biggest security flaws: the new servers restore the FirewallRules system we had before migrating to Peer1. This means all incoming and outgoing traffic is blocked by default, with access only granted as requested (don't worry, firewall exceptions are granted liberally; the main goal is to prevent malicious outsiders from gaining access via an exploited web service).
Because of openafs and kerberos, this isn't really a "migration": all accounts and data are available automatically on the new nodes. This time around all you have to do is flip a few domtool flags to serve your sites with the new server, and ssh into a different host for shell access. Except for the 32-bit to 64-bit architecture change and newer software, it's the same environment you're used to.
2. Firewall
With the restrictive firewall in place, you will have to request rules if you need to access Internet resources from your cgi programs, or want to use irc or similar from bog.
3. Moving Web Sites
Static web sites will work on navajos without any special effort.
Don't be surprised if any CGI programs do not run as expected initially; the new systems have not had many packages installed, and so you will probably have to request packages on node navajos.
Examining your log files using domtool-tail should reveal the missing software (see the member manual for more information). If you still can't figure it out, please file a bug under "Misc UNIX" requesting assistance.
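As an added example (not part of the original guide or of DomTool), the following script triages an error log for the usual signs of a missing package after the move. It assumes the log lines are in the standard Apache error-log format; the function name, patterns and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Signatures of "dependency missing" failures as they appear in an Apache
# error log. Group 1 captures the item to mention in a package request.
PATTERNS = [
    ("python module", re.compile(r"ImportError: No module named ['\"]?([\w.]+)")),
    ("perl module", re.compile(r"Can't locate (\S+\.pm) in @INC")),
    ("php function",
     re.compile(r"PHP Fatal error:\s+Call to undefined function (\w+)\(\)")),
    # Usually a shebang pointing at an interpreter that is not installed.
    ("cgi exec failed",
     re.compile(r"No such file or directory: exec of '([^']+)' failed")),
]


def missing_dependencies(lines):
    """Return {kind: sorted list of missing items} found in error-log lines."""
    found = defaultdict(set)
    for line in lines:
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                found[kind].add(match.group(1))
    return {kind: sorted(items) for kind, items in found.items()}


# Constructed sample input; paths and client addresses are placeholders.
SAMPLE_LOG = """\
[Mon Dec 03 10:15:02 2012] [error] [client 203.0.113.7] ImportError: No module named psycopg2
[Mon Dec 03 10:15:09 2012] [error] [client 203.0.113.7] Can't locate DBD/Pg.pm in @INC (@INC contains: /etc/perl)
[Mon Dec 03 10:16:40 2012] [error] [client 203.0.113.9] PHP Fatal error:  Call to undefined function pg_connect() in /path/to/site/db.php on line 12
[Mon Dec 03 10:17:11 2012] [error] [client 203.0.113.9] (2)No such file or directory: exec of '/path/to/site/cgi-bin/report.cgi' failed
[Mon Dec 03 10:17:30 2012] [error] [client 203.0.113.9] File does not exist: /path/to/site/favicon.ico
[Mon Dec 03 10:18:02 2012] [error] [client 203.0.113.7] ImportError: No module named psycopg2
"""

if __name__ == "__main__":
    for kind, items in sorted(missing_dependencies(SAMPLE_LOG.splitlines()).items()):
        print(f"{kind}: {', '.join(items)}")
```

The resulting list of modules, functions and scripts is what to include when requesting packages on navajos.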
3.1. Easy Domain Users
If you are using the dom (Easy Domain) type, trying out the new web server is easy.
To test that your site will work, you can add an empty webAt action, which will use the same configuration as your default domain. If you are setting the WWW environment variable you must also add a couple of lines to include that configuration. Likewise, you can simply copy and paste any web directives as webAt "navajos" "TESTSUBDOMAIN" to test if they work.
    dom "yourdomain" where
      ...
    with
      ...
      webAt "navajos" "TESTSUBDOMAIN" with
        (* The following lines are only needed if you set the WWW environment variable to customize the default vhost *)
        www : [Vhost] <- WWW;
        www
      end;
    end
After you've ensured that things are working (or if you like to jump off of cliffs for fun), set DefaultWebNode = "navajos" in your dom config to migrate everything. Note that it may take up to 36 hours for the DNS changes to propagate. You may also change calls to web into webAt "mire" if you need to run part of your website on mire temporarily (if you are using e.g. php4 scripts, 32-bit proxied server binaries, postgresql 8.1).
    dom "yourdomain" where
      ...
      DefaultWebNode = "navajos";
    with
      ...
      (* To keep a particular subdomain on mire *)
      webAt "mire" "SUBDOMAIN" where
        ...
      with
        ...
      end;
    end;
3.2. Low-level domain users
You're on your own
If you use vhost or vhostDefault to configure your websites, you will need to set the WebPlaces environment variable to host them on navajos:
    dom "yourdomain" with
      vhostDefault where
        WebPlaces = [web_place_default "navajos"];
      with
        ...
      end;
    end;
3.3. Proxied Servers
Proxied servers must be run on bog. Request ProxiedServer firewall rule. Cron permissions for starting at reboot.
If you are running your own instance of Apache on mire, please file a bug report explaining why you are doing so. If it's just to run a newer version than available on mire, you can probably just switch to the system-wide version. If you need modules or directives not supported by DomTool, any that can be supported securely will be added during migration.
3.4. PHP
If you are using php4, you must upgrade to php5.
3.5. Moin Moin
Don't panic if your moinMoin or addMoinMoin directives are now suffixed with Old; ClintonEbadi updated your config for you. The Old variants of both install your wiki onto mire, using its local machine copy. To support saner upgrades in the future, we have moved our moin install into afs, upgrading from 1.7 to 1.9.5 in the process. Follow the instructions at MemberManual/WebApplications/MoinMoin#Moin1.7.x and remove the Old to upgrade.
3.6. SSL
If you have requested access to the default HCoop SSL certificate your SSL vhosts will move with no special effort.
If you have an IP Address allocated for SSL, you will need to coordinate with the admins to have the address moved from mire to navajos. File a bug under the "_Misc" category and we'll help you.
We do not yet support SNI. OpenSSL on navajos is new enough, so we should be able to support it once mire is decommissioned; we are waiting until then to avoid complication.
4. Databases
MySQL users should not need to do anything.
We are now offering PostgreSQL 9.1 instead of 8.1. Administration is performed using a new dbtool "database" named postgres-9.1. See the postgresql member manual section for full details.
You can still connect to your 8.1 databases from navajos, but 8.1 is officially deprecated so you should dump and re-create your databases.
If any trouble is encountered, file a bug under SQL DBs.
5. Using the New Shell Server
Just ssh $user@bog.hcoop.net
6. HCoop Services
Document temporary squirrelmail/roundcube addresses