[SAC] OSGeo4 status

This is just an overall status of where we are with OSGeo4 and ask for
suggestions etc.
In particular I'd like some suggestions on what to call the container (item
#4) people will hop thru to get to the other containers

What's been done:

1) I created a new gitea repo to house osgeo4 setup info (similar to the
osgeo7) locked down to just SAC-

https://git.osgeo.org/gitea/sac/osgeo4

2) I setup a ZFS pool called osgeo4_lxd - which consists of 4 of the 6
drives mirrored (sdc, sdd) mirror with (sde, sdf) - this is similar setup of
osgeo7 and patterned after that
There are 2 more drives - OSUOSL had used parts of those two for the RAID1
(non zfs) ext partition they setup so there is still a good chunk there to
use
I installed LXD (from snap) so it will always be same version as is on
osgeo7

3) I added osgeo7 as a remote host on osgeo4.

You'll see it listed if you do

lxc remote list

#with the remote host you can do pretty much all the commands you can do on
local.
For example, to see a list of images on osgeo7 from osgeo4 host, you'd do

lxc image list osgeo7:

To see list of containers on osgeo7:
lxc list osgeo7:

4) I created a new container using osgeo7 ldap image -- I called it dmz for
now (not sure that's the best name)
Using below command:
lxc launch osgeo7:debian9-base-ldap-ssh dmz

This is the container I will expose the port 22 on and will be the only one
with that port exposed - similar to how download.osgeo.org is used on osgeo7

Let me know what name you would prefer and also what we should make the DNS.

5) I setup nginx container which I called osgeo4-nginx (so not to be
confused with the osgeo7 one, as that one I'd probably have a nightly
snapshot of it in a stopped state)

6) I shut off the wordpress-dev on osgeo7 and copied it over to osgeo4.
I'm going to restore latest prod data on it and setup a script to copy
latest prod data so we can do some stress tests.
Eventually I'd like to move wordpress from web18a to osgeo7
I still need to proxy thru nginx and change the dns

#near future plans
1) I'll setup a nightly script that does a copy of latest snapshot of key
containers from osgeo7 to osgeo4 and keeps them in a stopped state.
So in case if anything happens to osgeo7, should not take much time to reset
up.
2) Start focusing on issues with wordpress
3) Migrate some of the stuff on osgeo3 to either osgeo4 or osgeo7. I'm
thinking things like old-adhoc, old-projects I'd move from osgeo7 to osgeo4

4) Setup a dronie agent on osgeo4

Thanks,
Regina

On Sat, Aug 31, 2019 at 03:39:33AM -0400, Regina Obe wrote:

> 3) I added osgeo7 as a remote host on osgeo4.
>
> You'll see it listed if you do
>
> lxc remote list

I don't see osgeo7 remote from osgeo4, nor osgeo4 from osgeo7

> 4) I created a new container using osgeo7 ldap image -- I called it dmz for
> now (not sure that's the best name)
> Using below command:
> lxc launch osgeo7:debian9-base-ldap-ssh dmz
>
> This is the container I will expose the port 22 on and will be the only one
> with that port exposed - similar to how download.osgeo.org is used on osgeo7
>
> Let me know what name you would prefer and also what we should make the DNS.

Can we access _all_ containers from that host ?

How about "hop", "jump" or "bastion" ? (I prefer short names, so I
vote for "hop").

> 5) I setup nginx container which I called osgeo4-nginx (so not to be
> confused with the osgeo7 one, as that one I'd probably have a nightly
> snapshot of it in a stopped state)

Can we have aliases, so like "prod-nginx" for the live one and
"backup-nginx" or some better name for the hot-swap ?

> 6) I shut off the wordpress-dev on osgeo7 and copied it over to osgeo4.
> I'm going to restore latest prod data on it and setup a script to copy
> latest prod data so we can do some stress tests.
> Eventually I'd like to move wordpress from web18a to osgeo7
> I still need to proxy thru nginx and change the dns

Would it make sense to try an upgrade before the stress-test ?

> #near future plans
> 1) I'll setup a nightly script that does a copy of latest snapshot of key
> containers from osgeo7 to osgeo4 and keeps them in a stopped state.
> So in case if anything happens to osgeo7, should not take much time to reset
> up.
> 2) Start focusing on issues with wordpress
> 3) Migrate some of the stuff on osgeo3 to either osgeo4 or osgeo7. I'm
> thinking things like old-adhoc, old-projects I'd move from osgeo7 to osgeo4
>
> 4) Setup a dronie agent on osgeo4

Thanks for the report, much appreciated !

--strk;

> On Sat, Aug 31, 2019 at 03:39:33AM -0400, Regina Obe wrote:
>
> > 3) I added osgeo7 as a remote host on osgeo4.
> >
> > You'll see it listed if you do
> >
> > lxc remote list
>
> I don't see osgeo7 remote from osgeo4, nor osgeo4 from osgeo7

Well osgeo4 you wouldn't see from osgeo7 since I didn't add it as a remote, but that's probably good to do.

Hmm it seems it's a privilege problem as I had added the remote under root. Not sure how I setup osgeo7 - I wonder if I had installed lxd under tech_dev account on osgeo7

Try:

sudo lxc remote list

and you should see it then

> > 4) I created a new container using osgeo7 ldap image -- I called it
> > dmz for now (not sure that's the best name) Using below command:
> > lxc launch osgeo7:debian9-base-ldap-ssh dmz
> >
> > This is the container I will expose the port 22 on and will be the
> > only one with that port exposed - similar to how download.osgeo.org is
> > used on osgeo7
> >
> > Let me know what name you would prefer and also what we should make the DNS.
>
> Can we access _all_ containers from that host ?

You mean like if we call it osgeo4.osgeo.org port 22 (that would go to the hop container I am thinking)
And you would be able to ssh to all containers you have permissions to using the same hop setup we have on download.osgeo.org

> How about "hop", "jump" or "bastion" ? (I prefer short names, so I vote for "hop").

dmz is as short as hop but I'm okay with that :)
More importantly what should the domain name be or is osgeo4.osgeo.org just fine but kinda confusing as it doesn't put you in the host itself but a container

> > 5) I setup nginx container which I called osgeo4-nginx (so not to be
> > confused with the osgeo7 one, as that one I'd probably have a nightly
> > snapshot of it in a stopped state)
>
> Can we have aliases, so like "prod-nginx" for the live one and "backup-nginx" or some better name for the hot-swap ?

Something about having prod in front of containers seems annoying to me. Especially when you ask "what is prod"

The script I put together -- I restore a backup of osgeo7 container as <container-name>-backup
So osgeo7 nginx comes over as nginx-backup.

With the idea being that if any disaster happens we rename nginx-backup -> nginx (with its own ip)
All the -backup get the -backup removed so that all the configs we have in nginx container just work

The nginx-osgeo4 is business as usual keeps proxying the containers it's already set to proxy and no conflict with the nginx from osgeo7

Eventually we might want to consider VLANING the 2 networks but I didn't really want to mix the 2 that much - have osgeo4 beholden to osgeo7 or osgeo7 beholden to osgeo4 aside from basic disaster recovery.

From reading it sounded like we'd need to set one to be the DNS/DHCP assigner so we have a single local dns to access all the containers from either.

> > 6) I shut off the wordpress-dev on osgeo7 and copied it over to osgeo4.
> > I'm going to restore latest prod data on it and setup a script to copy
> > latest prod data so we can do some stress tests.
> > Eventually I'd like to move wordpress from web18a to osgeo7 I still
> > need to proxy thru nginx and change the dns
>
> Would it make sense to try an upgrade before the stress-test ?

Upgrade of what part OS/wordpress/or you mean member/cpu etc? Wordpress-dev is a snapshot of web18a (current production server for www)
And I capped it to the same number of cores/disk space etc.
So aside from security updates and data should be the same.

On Sat, Aug 31, 2019 at 04:48:53AM -0400, Regina Obe wrote:

> > On Sat, Aug 31, 2019 at 03:39:33AM -0400, Regina Obe wrote:
> > > 3) I added osgeo7 as a remote host on osgeo4.
> > >
> > > You'll see it listed if you do
> > >
> > > lxc remote list
> >
> > I don't see osgeo7 remote from osgeo4, nor osgeo4 from osgeo7
>
> Try:
> sudo lxc remote list

Yes, that does it.

> > Can we access _all_ containers from that host ?
>
> You mean like if we call is osgeo4.osgeo.org port 22 (that would go to the hop container I am thinking)
> And you would be able to ssh to all containers you have permissions to using the same hop setup we have on download.osgeo.org

Yes, so I can replace "download" with "hop" for the jump host
in ssh config.

> > How about "hop", "jump" or "bastion" ? (I prefer short names, so I vote for "hop").
>
> dmz is as short as hop but I'm okay with that :)

I'm fine with dmz as well, but OSGeo is not "militarized" so there's
nothing to de-militarize ;)

> More importantly what should the domain name be or is osgeo4.osgeo.org
> just fine but kinda confusing as it doesn't put you in the host itself
> but a container

I think hop.osgeo.org or dmz.osgeo.org would be nice

> > > 5) I setup nginx container which I called osgeo4-nginx (so not to be
> > > confused with the osgeo7 one, as that one I'd probably have a nightly
> > > snapshot of it in a stopped state)
> >
> > Can we have aliases, so like "prod-nginx" for the live one and "backup-nginx" or some better name for the hot-swap ?
>
> Something about having prod in front of containers seems annoying to me. Especially when you ask "what is prod"
>
> The script I put together -- I restore a backup of osgeo7 container as <container-name>-backup
> So osgeo7 nginx comes over as nginx-backup.

I'm ok with "<service>" as the production (online) service and
"<service>-backup" as the hotswap/backup.

> > Would it make sense to try an upgrade before the stress-test ?
>
> Upgrade of what part OS/wordpress/or you mean member/cpu etc? Wordpress-dev is a snapshot of web18a (current production server for www)
> And I capped it to the same number of cores/disk space etc.
> So aside from security updates and data should be the same.

I meant wordpress version upgrade, with whatever it takes
(is OS upgrade required?)

--strk;

> > > Can we access _all_ containers from that host ?
>
> Yes, so I can replace "download" with "hop" for the jump host in ssh config.

Okay I think I misunderstood your question. You can't access the osgeo7 containers via ssh from osgeo4
You can only access them thru the lxc api. So that's why I wanted osgeo4 in the name

> > > How about "hop", "jump" or "bastion" ? (I prefer short names, so I vote for "hop").
> >
> > dmz is as short as hop but I'm okay with that :)
>
> I'm fine with dmz as well, but OSGeo is not "militarized" so there's nothing to de-militarize ;)

Gosh you take all the fun out of open source. Can't we pretend to be militarized :)

> > More importantly what should the domain name be or is osgeo4.osgeo.org
> > just fine but kinda confusing as it doesn't put you in the host itself
> > but a container
>
> I think hop.osgeo.org or dmz.osgeo.org would be nice

As mentioned above right now unless we VLAN them you can only go thru osgeo4 to get to osgeo4 containers
And osgeo7 to get to osgeo7 containers.

How about hop.osgeo4.osgeo.org?

> > > Would it make sense to try an upgrade before the stress-test ?
> >
> > Upgrade of what part OS/wordpress/or you mean member/cpu etc?
> > Wordpress-dev is a snapshot of web18a (current production server for www) And I capped it to the same number of cores/disk space etc.
> > So aside from security updates and data should be the same.
>
> I meant wordpress version upgrade, with whatever it takes (is OS upgrade required?)
>
> --strk;

OS Upgrade is not required. Yes we can do that first after I setup the script to copy data and database from prod nightly.
Before the upgrade though I'd like to see what speed is like - osgeo4 staging site feels faster (and osgeo7 felt so as well), but might be because of older data
Or less traffic or something changed since I ported the system a while back that makes it faster

https://staging.www.osgeo.org

At any rate I think we are about ready to host it on our own servers again. So perhaps just moving it to osgeo7 might do the trick.

Thanks,
Regina
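
Added example, not part of the thread and not the script Regina mentions: the nightly osgeo7-to-osgeo4 copy and the disaster-recovery rename of <name>-backup to <name> described above, written so that it prints the lxc commands unless told to run them. The snapshot name "nightly", the container names in the sample and the RUN variable are assumptions.

```shell
#!/bin/sh
# Added illustration, not the script from the thread. Dry-run by default:
# commands are printed; set RUN to the empty string to execute them.
RUN="${RUN-echo}"
REMOTE="osgeo7"   # remote name as registered on osgeo4 in the thread

# Nightly: copy snapshot $1 of each named osgeo7 container to <name>-backup.
# The copy lands under a temporary name first, so the previous backup is
# only replaced once the new one has arrived. Copies are never started.
plan_nightly() {
    snap="$1"; shift
    for c in "$@"; do
        $RUN lxc copy "$REMOTE:$c/$snap" "$c-backup-new" || return 1
        $RUN lxc delete --force "$c-backup" || true   # absent on first run
        $RUN lxc move "$c-backup-new" "$c-backup"
    done
}

# Failover: read local container names on stdin (one per line, e.g. from
# `lxc list --format csv -c n`) and rename every <name>-backup to <name>.
plan_failover() {
    names="$(cat)"
    for n in $names; do            # pass 1: refuse before changing anything
        case "$n" in *-backup) ;; *) continue ;; esac
        if printf '%s\n' "$names" | grep -qxF -- "${n%-backup}"; then
            echo "refusing: ${n%-backup} already exists locally" >&2
            return 1
        fi
    done
    for n in $names; do            # pass 2: rename, then start
        case "$n" in *-backup) ;; *) continue ;; esac
        $RUN lxc move "$n" "${n%-backup}"
        $RUN lxc start "${n%-backup}"
    done
}

# Constructed sample: "nightly" and the container names are placeholders.
plan_nightly nightly nginx
printf 'osgeo4-nginx\nnginx-backup\n' | plan_failover
```

In the sample the rename goes through because the local proxy is named osgeo4-nginx, as in the thread; a local container already named nginx makes plan_failover refuse before any rename is issued.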