[OSGeo] #3322: Request for VM to certify GeoServer

#3322: Request for VM to certify GeoServer
--------------------------+---------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Keywords:
--------------------------+---------------------------
Hi there

As per OGC Certification Services - OSGeo, and on
behalf of the GeoServer PSC, can I please request a VM to host a couple of
GeoServer containers for the purposes of reviving CITE testing &
certification?

Thank you

Peter
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3322>
OSGeo
OSGeo committee and general foundation issue tracker.

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------
Comment (by robe):

Peter,

1) Can this wait till January? I haven't built new images yet for the
latest Debian and Ubuntu and don't plan to before January

and I don't want to create a new OS Container or VM using an image that
would need immediate upgrading next year.

If you can't wait perhaps we can find an existing VM to put it on that
another project won't mind sharing.

2) What are the specs you need for this:

OS: We generally standardize on Debian or Ubuntu, installing another OS
would take a bit longer

3) Anything else you need you can install yourself once we give you admin
rights to the VM.

4) Our web apps all go thru an nginx proxy, so will need to know what
domain addresses you need exposed for this along with ports
the nginx proxy should listen for.

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------
Comment (by peterafrigis):

Hi Rob/robe

1. Yes, of course, I can continue with my personal VPS for now. Do you
have a target date in Jan?
2. Ubuntu is perfect, something small: 2-4 cores, 2-4 GB RAM, 50 GB HDD
3. Cool. Docker, PostGIS
4. I think you would need to tell me what the domain name would be, but
the host can be something like geoserver-cite, and you can expose any
range of 5 consecutive ports, e.g. 8081 - 8085 that will be mapped to the
containers.

My email address is gs at smythe/co/za for any credentials.

Thank you

Peter

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Changes (by robe):

* milestone: Unplanned => Sysadmin Contract 2025-I (robe)

Comment:

I'm shooting for probably mid January. Might be able to get to it before
then but can't promise.

For domain how about cite.geoserver.org?

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

Perfect, thank you Rob. Our next PSC meeting is 14 Jan, it would be
lovely to show the progress then.

Peter

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

Hi Regina (sorry!), just checking in. I assume there's nothing further to
report to the PSC this evening?

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by robe):

Replying to [comment:5 peterafrigis]:
> Hi Regina (sorry!), just checking in. I assume there's nothing further
> to report to the PSC this evening?

I'm working on #3340 which is to build the new base image for OSGeo future
OS containers. After that building the VM for you should be quick. I'm
shooting for sometime this week or early next.

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution: fixed
Keywords: |
--------------------------+----------------------------------------------
Changes (by robe):

* resolution: => fixed
* status: new => closed

Comment:

I have this up now.

I gave @peterafrigis and @jive both sudo and docker rights.

I have http://geoserver-cite:8081 mapped to https://cite.geoserver.org

Our external nginx is taking care of the https, so port 8081 should just
be running with http: protocol.

To access the server follow the directions here:
SAC Service Status - OSGeo

You both should have access to the server.

The server is called geoserver-cite.

So for example to connect, I do this:

{{{
ssh robe@osgeo3-geoserver-cite
}}}

It is currently set to allow anyone in the shell group (which both of you
are members of) to connect with password. If you want to close it off,
you can add your ssh pub keys directly to the server, and change the
/etc/ssh/sshd_config.d/60-cloudimg-settings.conf (set
PasswordAuthentication no)

Specs of it are as follows:

{{{

Ubuntu 24.04.1 with Docker
4 vCPU
4GB ram
100GB disk

}}}

I didn't bother installing PostgreSQL/PostGIS since I figured you might
want to run that using a PostGIS docker container of your choosing here -
https://hub.docker.com/r/postgis/postgis

I'm going to close this out, but feel free to reopen if you run into
issues.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3322#comment:7>

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution: fixed
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

Many thanks Regina, I am able to log into the geoserver-cite server

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution: fixed
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

If possible, could you make `peterafrigis` a home directory on `hop` to
facilitate jumping to `geoserver-cite`?

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Changes (by peterafrigis):

* resolution: fixed =>
* status: closed => reopened

Comment:

> I have http://geoserver-cite:8081 mapped to https://cite.geoserver.org

Also, we need to host and expose a number of different GeoServer
containers, so could you please map, say http://geoserver-cite:8081 to
https://cite.geoserver.org:8081 all the way up to say 8089, for now? And
https://cite.geoserver.org:443 can be closed off, if desired.

Thank you

Peter

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by robe):

Can we do subdomains instead, would be preferred over having to open up
extra firewall ports.

So I'm thinking g1.cite.geoserver.org, g2.cite.geoserver.org,
gn.cite.geoserver.org or even 8089.cite.geoserver.org

Could alternatively do subpaths like https://cite.geoserver.org/g1 etc,
though I guess that might mess with your setup if it's expected to be
sitting on root.

Also I had a misconfiguration so that might have caused the site not
showing before. Now I see a 404 page which I assume is expected.
--
Ticket URL: <#3322 (Request for VM to certify GeoServer) – OSGeo;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution: fixed
Keywords: |
--------------------------+----------------------------------------------
Changes (by robe):

* resolution: => fixed
* status: reopened => closed

Comment:

@peterafrigis,

Not hearing back from you I went ahead with the following mappings. I
haven't bothered doing an ssl for these additional ones since I wasn't
sure if you wanted to stick with these names, let me know if you need
that.

So mappings are as follows:

* geoserver-cite:8081 -> cite.geoserver.org (both http and https)
* geoserver-cite:8082 -> g2.cite.geoserver.org (only http)
* geoserver-cite:8083 -> g3.cite.geoserver.org (only http)
* geoserver-cite:8084 -> g4.cite.geoserver.org (only http)
* geoserver-cite:8085 -> g5.cite.geoserver.org (only http)

I'm going to close this out. Feel free to reopen if you need further
assistance.

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution: fixed
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

@robe, sorry for not getting back to you earlier. Your approach is
perfect, thank you. Better than subpaths.

However, I am struggling to access anything on
http://gN.cite.geoserver.org (both https:// and http://cite.geoserver.org
do still work) - I just get a Tomcat 404 error for anything else.

I am trying to debug it further, but ChatGPT says it is probably an nginx
config error, seeing as I can reach the mapped port from geoserver-cite:

{{{
root@geoserver-cite:/home/cite# curl -I http://localhost:8084/geoserver/web
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self';
Set-Cookie: JSESSIONID=926EEBE9C3B410DB66E7A36C9224D3DC; Path=/geoserver; HttpOnly
Location: /geoserver/web/
Date: Mon, 10 Feb 2025 16:35:10 GMT
}}}

Are you able to check if there is anything suspicious on nginx?

Or, since cite.geoserver.org works correctly, maybe let's adopt the naming
scheme
cite1.geoserver.org
cite2.geoserver.org
...
cite7

(BTW, I only need up to 7 containers, please)

Thank you

Peter

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Changes (by peterafrigis):

* resolution: fixed =>
* status: closed => reopened


#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by peterafrigis):

Replying to [comment:9 peterafrigis]:
> If possible, could you make `peterafrigis` a home directory on `hop` to
> facilitate jumping to `geoserver-cite`?

Also @robe, would this be possible, please?

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by robe):

I think I might have forgotten to trigger an nginx reload for the new sites
to be picked up.

Try these again:

{{{

http://g2.cite.geoserver.org -- 503
http://g3.cite.geoserver.org -- 503
http://g4.cite.geoserver.org -- 404 but looks like it's coming from your container
}}}

I'll set up an https for these and add g1, g5, g6, g7. The main reason I
went with g1 .. gn instead of cite1, cite2 etc. was so I could do a
wildcard *.cite.geoserver.org. I'm not sure I could do a cite*.geoserver.org

You shouldn't need a home directory on hop, because that uses the ssh key
from your LDAP account and has password access blocked already. But at
any rate I would expect it to be autocreated.

I think the confusing thing for you here is because you are being prompted
for a password. That password prompt is not coming from hop but from
geoserver-cite. For that create a .ssh folder for yourself in your home
and install your pub keys there.
Once you do that you won't be prompted for password again and you can also
unremark out the line /etc/ssh/sshd_config.d/50-cloudimg-settings.conf to
prevent other shell accounts from accessing the geoserver-cite server.

Make sure after that config change you do below for it to take effect

{{{
sudo systemctl restart ssh
}}}
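
Added example, not part of the ticket or of OSGeo's configuration: sshd uses the first value it obtains for a keyword and reads `sshd_config.d` drop-ins in lexical order, so the script below reports which drop-in actually decides `PasswordAuthentication`, which matters for the change described in this comment and in comment 7. The drop-in contents are constructed; the two file names are the ones mentioned in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the drop-in that decides PasswordAuthentication.
# Assumption: the main sshd_config includes DIR/*.conf before setting the
# keyword itself, as the stock Ubuntu configuration does.

# effective_password_auth DIR
# Prints "<value> <file>" for the first global PasswordAuthentication line
# in DIR/*.conf (lexical order), or "default none" if no drop-in sets it.
effective_password_auth() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Keywords are case-insensitive and may use "keyword=value".
        # Stop at the first Match block: lines after it are conditional.
        val=$(awk -F'[ \t=]+' '
            { sub(/^[ \t]+/, "") }
            tolower($1) == "match" { exit }
            tolower($1) == "passwordauthentication" { print tolower($2); exit }
        ' "$f")
        if [ -n "$val" ]; then
            echo "$val $(basename "$f")"
            return 0
        fi
    done
    echo "default none"
}

# build_sample: constructed drop-ins for the demonstration. An earlier file
# still allows passwords, so editing only the 60- file changes nothing.
build_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
        > "$d/50-cloudimg-settings.conf"
    printf '%s\n' 'PasswordAuthentication no' \
        > "$d/60-cloudimg-settings.conf"
    echo "$d"
}

sample=$(build_sample)
effective_password_auth "$sample"
rm -rf "$sample"
```

On the server itself, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd will actually use after all files are merged.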

#3322: Request for VM to certify GeoServer
--------------------------+----------------------------------------------
Reporter: peterafrigis | Owner: sac-tickets@…
     Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin | Resolution:
Keywords: |
--------------------------+----------------------------------------------
Comment (by robe):

Okay all should be set up now

{{{
https://g1.cite.geoserver.org
:
https://g7.cite.geoserver.org
}}}

g1.cite.geoserver.org and cite.geoserver.org both point at
geoserver-cite:8081

Not sure you want to keep it that way or maybe just have an index page on
cite.geoserver.org that shows links to the others.