2014 Server Migration: Difference between revisions

From WPLUG
(Created page with "This page is to collect information about our current configuration and options for switching to a new server going forward. Please feel free to edit to add missing informati...")
 
(Added Comodo SSL link)
 
(61 intermediate revisions by 4 users not shown)
Line 3: Line 3:
== Server selection ==
== Server selection ==


We are currently hosting with [https://www.linode.com/pricing?r=30335eb136f2c5f7fa3429dce9f15bea836f81d3 Linode] on the $20/month plan. The new $10/month plan will halve our costs and still provide sufficient resources. We currently are located in the Atlanta datacenter. This is good because it is still in the Eastern time zone and is not too far away but should be remote from any disaster that might occur in Pittsburgh. The only downside is they block some ports, which means Monkeybot needs to be configured to use an alternative port to connect to Freenode IRC. The Newark datacenter would be closer and doesn't block ports. However, a large-scale power outage could affect both Pittsburgh and New Jersey.
On 2014-06-24, the WPLUG board decided to go with the $10/month [https://www.linode.com/pricing?r=30335eb136f2c5f7fa3429dce9f15bea836f81d3 Linode] plan, locating in their Atlanta datacenter. This plan will approximately halve our current costs and still provide sufficient resources.

Other options are possible; for example [https://www.digitalocean.com/pricing Digital Ocean] has a $5/month plan that has less horsepower but should still be sufficient for our needs. The main benefit is that costs would be halved again.

You can add your suggestions in this section. Note that web hosting is not sufficient; we need a virtual private server (VPS) or dedicated server to accommodate our mailing lists and IRC bot. Since we've been very happy with the service we've gotten from Linode and are comfortable with how it works, please support alternative suggestions with a compelling case for how they'd be an improvement.


== OS selection ==
== OS selection ==
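Review bot: the rewritten Server selection paragraph drops the operational caveat from the previous revision that the Atlanta datacenter blocks some ports, so Monkeybot has to connect to Freenode IRC on an alternative port; that is a configuration requirement for the new host rather than only a factor in the decision, so keep the sentence here or move it to the Monkeybot step of the migration checklist.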
Line 21: Line 17:
* Wiki (MediaWiki)
* Wiki (MediaWiki)
* Blog (Wordpress)
* Blog (Wordpress)
* Monkeybot IRC bot (infobot)
* Monkeybot IRC bot (infobot) - maybe consider different bot software that can import monkeybot's database?
* RSS aggregator (Tiny Tiny RSS, tt-rss)


Infrastructure software which supports the services above.
Infrastructure software which supports the services above.
Line 30: Line 27:
* Perl for Monkeybot
* Perl for Monkeybot
* MySQL for MediaWiki, Wordpress, and TT-RSS - likely possible to use MariaDB instead, other DBMS [http://www.mediawiki.org/wiki/Compatibility#Database not recommended] for use with MediaWiki
* MySQL for MediaWiki, Wordpress, and TT-RSS - likely possible to use MariaDB instead, other DBMS [http://www.mediawiki.org/wiki/Compatibility#Database not recommended] for use with MediaWiki
* Greylisting daemon (Postgrey)
* Fail2ban - could maybe use denyhosts instead
* Aide - could be used for intrusion detection


=== Support lifetime ===
=== Support lifetime ===


* CentOS 6 - [http://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d 2020-11-30]
* CentOS 6 - [http://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d 2020-11-30]
* CentOS 7 - not released yet, will probably match RHEL 7 support deadline of [https://access.redhat.com/site/support/policy/updates/errata/#Life_Cycle_Dates 2024-06-30]
* CentOS 7 - will probably match RHEL 7 support deadline of [https://access.redhat.com/site/support/policy/updates/errata/#Life_Cycle_Dates 2024-06-30]
* Debian 7 "wheezy" - [http://en.wikipedia.org/wiki/Debian#Security_updates one year after release of v. 8 "jessie"] ([http://ostatic.com/blog/early-plans-for-debian-8-0-jessie-emerge anticipated mid-2015]), possible [http://www.debian.org/News/2014/20140424.en.html unofficial long-term support] available after that
* Debian
* Ubuntu 14.04 LTS -
* Ubuntu 14.04 LTS - [http://en.wikipedia.org/wiki/Ubuntu_(operating_system)#Releases 2019-04-17]


=== Software availability ===
=== Software availability ===
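Review bot: in the Support lifetime list the Debian entry is cut down to "* Debian" and loses the end-of-support date (one year after the "jessie" release) and its two links that the previous revision carried, while the CentOS and Ubuntu entries keep theirs; restore the date, or state that it is unknown, so the four candidates stay comparable.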
Line 46: Line 46:
* A: in an additional repository provided by the distro
* A: in an additional repository provided by the distro
* T: in a third-party repository
* T: in a third-party repository
* -: not available in any known repository
* ~: not available in any known repository
* ?: availability unknown
* ?: availability unknown

{| border="1"
!
!CentOS 6
!CentOS 7
!Debian 7
!Ubuntu 14.04
|-
|postfix
|B 2.6
|B 2.10
|B 2.9
|B 2.11
|-
|mailman
|B 2.1
|B 2.1
|B 2.1
|B 2.1
|-
|postgrey
|T 1.34<sup>rf, EPEL</sup>
|T 1.34<sup>EPEL</sup>
|B 1.34
|A 1.34
|-
|mediawiki
|T 1.19<sup>EPEL</sup>
|~
|B 1.19
|A 1.19
|-
|wordpress
|T 3.9<sup>EPEL</sup>
|T 3.9<sup>EPEL</sup>
|B 3.6
|A 3.8
|-
|infobot
|~
|~
|? (not B or A)
|~
|-
|tt-rss
|~
|~
|? (not B or A)
|A 1.11
|-
|apache
|B 2.2 / A 2.4
|B 2.4
|B 2.2
|B 2.4
|-
|nginx
|A 1.4
|?
|B 1.2
|B/A 1.4
|-
|php5
|B 5.3 / A 5.4, 5.5
|B 5.4, T 5.5.14<sup>Remi</sup>
|B 5.4
|B 5.5
|-
|python2
|B 2.6 / A 2.7
|B 2.7.5
|B 2.7
|B 2.7
|-
|python3
|A 3.3
|?
|B 3.2
|B 3.4
|-
|perl5
|B 5.10
|B 5.16
|B 5.14
|B 5.18
|-
|mysql
|B 5.1 / A 5.5
|?
|B 5.5
|B 5.5 / A 5.6
|-
|mariadb
|A 5.5
|B 5.5
|? (not B or A)
|A 5.5
|-
|fail2ban
|T 0.8.7<sup>rf</sup>, 0.8.11<sup>EPEL</sup>
|T 0.9<sup>EPEL</sup>, 0.8.7<sup>rf</sup>
|B 0.8.6
|A 0.8.11
|-
|denyhosts
|T 2.6<sup>rf, EPEL</sup>
|T 2.6<sup>rf</sup>
|B 2.6
|[https://launchpad.net/ubuntu/trusty/amd64/denyhosts ~]
|-
|aide
|B 0.14
|B 0.15.1
|?
|0.16a2
|}

Third-party repositories:
* EPEL - [http://fedoraproject.org/wiki/EPEL Extra Packages for Enterprise Linux]
* rf - [http://repoforge.org/ RepoForge] (formerly RPMForge/Dag Wieers)
* Remi - [http://dev.antoinesolutions.com/remi-repository Remi Repository]

== Migration steps ==

* <strike>Obtain [https://library.linode.com/networking/ipv6#sph_ipv6-address-pools IPv6 address pool] from Linode (support ticket needed)</strike>
** <strike>/etc/sysconfig/network-scripts/ifcfg-eth0 edited, reboot needed to apply - 2600:3c02:e000:0047::2/64 assigned</strike>
* <strike>Explore what software to use to help harden up the installation (fail2ban, etc.)</strike> ''Decided to use fail2ban-firewalld''
* <strike>Deploy new CentOS 7 instance</strike>
* (optional) Set up [https://library.linode.com/remote-access#sph_adding-private-ip-addresses private IPv4 addresses] for transfer between old and new VPS (avoids bandwidth charges)
* <strike>Set up SSH (edit sshd_config to tighten up security)</strike>
* <strike>Migrate current users to new server</strike>
* <strike>Ensure NTP is running, and set timezone to EDT</strike>
* <strike>Set up the firewall (either using firewalld, or else [https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/#Using_static_firewall_rules_with_the_iptables_and_ip6tables_services installing iptables and using the old rules])</strike>
* <strike>Install Apache, and edit httpd.conf appropriately</strike>
* <strike>Install PHP, edit php.ini appropriately, and make sure all needed modules are installed</strike>
* <strike>Install MariaDB, add appropriate user(s)/permissions, and edit my.cnf appropriately</strike>
* <strike>Install/configure Postgrey</strike>
* <strike>Install/configure Postfix</strike>
* <strike>Install/configure Mailman</strike>
** <strike>archives copied over</strike>
* <strike>Install/configure monkeybot</strike>
* <strike>Install/configure Tiny Tiny RSS</strike>
* <strike>Migrate any other files that must be moved</strike>
* <strike>Export current MySQL and import into new MariaDB (be sure to dump/restore final DB before switchover...)</strike>
* <strike>Install/configure MediaWiki</strike>
* <strike>Set up repeating jobs (log rotation, etc.) via systemd/cron</strike>
** <strike>Copy over 'at' job to remind about domain registration expiration</strike>
** <strike>Migrate over monkeybot cron jobs</strike> ''Waiting to see if logrotate runs overnight, as we are not sure that run-parts is being run by anything on the new system.''
** <strike>Configure log rotation</strike>
* <strike>Cut over DNS (or [https://library.linode.com/remote-access#sph_swapping-ip-addresses swap IPv4 addresses])</strike>
* Other steps not mentioned above

=== Nice-to-haves ===

We have an archive of static web pages from the pre-2007 server "penguin" - it would be nice to make this history available somehow.
$9/year Comodo SSL certificate through Namecheap: [https://www.namecheap.com/security/ssl-certificates/comodo.aspx]

=== Installation Notes ===
[https://www.centos.org/forums/viewtopic.php?f=48&t=47284 Installing fail2ban on CentOS 7]

[[Category:Migration]]
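Review bot: the checklist step "set timezone to EDT" names a daylight-time abbreviation rather than a time zone; on CentOS 7 the host should be set to America/New_York (for example with timedatectl set-timezone) so the EST/EDT switch is handled automatically. Related: the steps "Set up SSH (edit sshd_config to tighten up security)", the firewall choice and "Decided to use fail2ban-firewalld" record that hardening was done but not what was set; listing the chosen sshd_config values, the opened ports and the fail2ban jails here would let the next migration reproduce them and let others verify them. Minor: in the availability table the aide row's Ubuntu 14.04 cell "0.16a2" has no B/A/T code, unlike every other cell.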

Latest revision as of 00:02, 24 August 2014

This page is to collect information about our current configuration and options for switching to a new server going forward. Please feel free to edit to add missing information or correct errors.

== Server selection ==

On 2014-06-24, the WPLUG board decided to go with the $10/month Linode plan, locating in their Atlanta datacenter. This plan will approximately halve our current costs and still provide sufficient resources.

== OS selection ==

The WPLUG server currently runs on CentOS 5. This is still supported, but it would make sense to choose a newer distro while we're doing the server switch.

== Service enumeration ==

Services that are currently running on the WPLUG Linode server. These should include things that are user-facing only, not infrastructure.

  • E-mail (Postfix)
  • Mailing lists (Mailman)
  • Wiki (MediaWiki)
  • Blog (Wordpress)
  • Monkeybot IRC bot (infobot) - maybe consider different bot software that can import monkeybot's database?
  • RSS aggregator (Tiny Tiny RSS, tt-rss)

Infrastructure software which supports the services above.

  • Web server (Apache) - it would be possible to use Nginx instead, but I (Vance) am not familiar with setting it up
  • PHP (Apache mod_php) for MediaWiki, Wordpress, and TT-RSS
  • Python for Mailman
  • Perl for Monkeybot
  • MySQL for MediaWiki, Wordpress, and TT-RSS - likely possible to use MariaDB instead, other DBMS not recommended for use with MediaWiki
  • Greylisting daemon (Postgrey)
  • Fail2ban - could maybe use denyhosts instead
  • Aide - could be used for intrusion detection

=== Support lifetime ===

=== Software availability ===

This table is to track, for the different distros under consideration, whether the software we need is available within its repositories. We want to minimize the number of applications which have to be maintained manually.

Key:

  • B: in distro's base repository
  • A: in an additional repository provided by the distro
  • T: in a third-party repository
  • ~: not available in any known repository
  • ?: availability unknown
{| border="1"
!
!CentOS 6
!CentOS 7
!Debian 7
!Ubuntu 14.04
|-
|postfix
|B 2.6
|B 2.10
|B 2.9
|B 2.11
|-
|mailman
|B 2.1
|B 2.1
|B 2.1
|B 2.1
|-
|postgrey
|T 1.34<sup>rf, EPEL</sup>
|T 1.34<sup>EPEL</sup>
|B 1.34
|A 1.34
|-
|mediawiki
|T 1.19<sup>EPEL</sup>
|~
|B 1.19
|A 1.19
|-
|wordpress
|T 3.9<sup>EPEL</sup>
|T 3.9<sup>EPEL</sup>
|B 3.6
|A 3.8
|-
|infobot
|~
|~
|? (not B or A)
|~
|-
|tt-rss
|~
|~
|? (not B or A)
|A 1.11
|-
|apache
|B 2.2 / A 2.4
|B 2.4
|B 2.2
|B 2.4
|-
|nginx
|A 1.4
|?
|B 1.2
|B/A 1.4
|-
|php5
|B 5.3 / A 5.4, 5.5
|B 5.4, T 5.5.14<sup>Remi</sup>
|B 5.4
|B 5.5
|-
|python2
|B 2.6 / A 2.7
|B 2.7.5
|B 2.7
|B 2.7
|-
|python3
|A 3.3
|?
|B 3.2
|B 3.4
|-
|perl5
|B 5.10
|B 5.16
|B 5.14
|B 5.18
|-
|mysql
|B 5.1 / A 5.5
|?
|B 5.5
|B 5.5 / A 5.6
|-
|mariadb
|A 5.5
|B 5.5
|? (not B or A)
|A 5.5
|-
|fail2ban
|T 0.8.7<sup>rf</sup>, 0.8.11<sup>EPEL</sup>
|T 0.9<sup>EPEL</sup>, 0.8.7<sup>rf</sup>
|B 0.8.6
|A 0.8.11
|-
|denyhosts
|T 2.6<sup>rf, EPEL</sup>
|T 2.6<sup>rf</sup>
|B 2.6
|[https://launchpad.net/ubuntu/trusty/amd64/denyhosts ~]
|-
|aide
|B 0.14
|B 0.15.1
|?
|0.16a2
|}

Third-party repositories:
* EPEL - [http://fedoraproject.org/wiki/EPEL Extra Packages for Enterprise Linux]
* rf - [http://repoforge.org/ RepoForge] (formerly RPMForge/Dag Wieers)
* Remi - [http://dev.antoinesolutions.com/remi-repository Remi Repository]

== Migration steps ==

  • Obtain IPv6 address pool from Linode (support ticket needed)
    • /etc/sysconfig/network-scripts/ifcfg-eth0 edited, reboot needed to apply - 2600:3c02:e000:0047::2/64 assigned
  • Explore what software to use to help harden up the installation (fail2ban, etc.) Decided to use fail2ban-firewalld
  • Deploy new CentOS 7 instance
  • (optional) Set up private IPv4 addresses for transfer between old and new VPS (avoids bandwidth charges)
  • Set up SSH (edit sshd_config to tighten up security)
  • Migrate current users to new server
  • Ensure NTP is running, and set timezone to EDT
  • Set up the firewall (either using firewalld, or else installing iptables and using the old rules)
  • Install Apache, and edit httpd.conf appropriately
  • Install PHP, edit php.ini appropriately, and make sure all needed modules are installed
  • Install MariaDB, add appropriate user(s)/permissions, and edit my.cnf appropriately
  • Install/configure Postgrey
  • Install/configure Postfix
  • Install/configure Mailman
    • archives copied over
  • Install/configure monkeybot
  • Install/configure Tiny Tiny RSS
  • Migrate any other files that must be moved
  • Export current MySQL and import into new MariaDB (be sure to dump/restore final DB before switchover...)
  • Install/configure MediaWiki
  • Set up repeating jobs (log rotation, etc.) via systemd/cron
    • Copy over 'at' job to remind about domain registration expiration
    • Migrate over monkeybot cron jobs Waiting to see if logrotate runs overnight, as we are not sure that run-parts is being run by anything on the new system.
    • Configure log rotation
  • Cut over DNS (or swap IPv4 addresses)
  • Other steps not mentioned above
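An added example, not from the WPLUG page and not the server's actual configuration: a POSIX shell audit of an sshd_config for the "edit sshd_config to tighten up security" step of the checklist above. It follows OpenSSH's own parsing rules (the first value of a keyword wins, keywords are case-insensitive, "Key=value" is accepted, and settings after a Match line are conditional and so excluded from the global check). The function names and the two sample configs it writes are constructed; the defaults it assumes are those of OpenSSH 6.x as shipped in CentOS 7.

```shell
#!/bin/sh
# Added example (not from the WPLUG page): audit an sshd_config for the
# settings a migration checklist typically tightens, using OpenSSH's own
# semantics: the FIRST value of a keyword wins, keywords are case-insensitive,
# "Key=value" is allowed, and everything after the first "Match" line is
# conditional, so only the global section is audited here.

# sshd_effective FILE KEYWORD DEFAULT
# Print the global effective value of KEYWORD in FILE (lower-cased), or
# DEFAULT when FILE never sets it (defaults below are OpenSSH 6.x / CentOS 7).
sshd_effective() {
    val=$(awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " "); $0 = $0 }    # drop comments, normalise "=", re-split
        NF == 0 { next }                               # blank after stripping
        tolower($1) == "match" { exit }                # end of the global section
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}" | tr '[:upper:]' '[:lower:]'
}

# audit_sshd_config FILE
# Print one WEAK line per setting that differs from the hardened value;
# return 1 if any finding was printed, 0 if the global section is clean.
# Each spec is keyword:openssh-default:wanted-value.
audit_sshd_config() {
    file=$1
    bad=0
    for spec in PermitRootLogin:yes:no \
                PasswordAuthentication:yes:no \
                ChallengeResponseAuthentication:yes:no \
                Protocol:2:2 \
                X11Forwarding:no:no; do
        key=${spec%%:*}
        rest=${spec#*:}
        dflt=${rest%%:*}
        want=${rest#*:}
        have=$(sshd_effective "$file" "$key" "$dflt")
        if [ "$have" != "$want" ]; then
            echo "WEAK: $key is '$have' in $file (want '$want')"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample 1: looks hardened at the bottom but is not. The "no"
# lines were appended below the copied "yes" lines and sshd keeps the first
# value; ChallengeResponseAuthentication is never set, so with UsePAM the
# keyboard-interactive password prompt would still work.
write_weak_sample() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# "hardening" appended later: no effect, the first value above wins
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Constructed sample 2: the global section is clean; the Match block only
# re-enables passwords for one account and must not count against it.
write_hardened_sample() {
    cat > "$1" <<'EOF'
Protocol 2
permitrootlogin = no
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone run: write both samples to a scratch directory and audit them.
scratch=$(mktemp -d)
write_weak_sample "$scratch/sshd_config.weak"
write_hardened_sample "$scratch/sshd_config.hardened"
for f in "$scratch/sshd_config.weak" "$scratch/sshd_config.hardened"; do
    if audit_sshd_config "$f"; then
        echo "OK: $f has the expected hardened settings"
    fi
done
rm -rf "$scratch"
```

Run it against the new host's /etc/ssh/sshd_config before the DNS cut-over. The weak sample shows why appending hardened lines to a config copied from the old server is not enough, and why ChallengeResponseAuthentication has to be turned off alongside PasswordAuthentication. The hardened value for PermitRootLogin is taken as "no"; a site that wants key-only root login would widen that spec to accept "without-password" as well.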

=== Nice-to-haves ===

We have an archive of static web pages from the pre-2007 server "penguin" - it would be nice to make this history available somehow.

$9/year Comodo SSL certificate through Namecheap: [https://www.namecheap.com/security/ssl-certificates/comodo.aspx]

=== Installation Notes ===

[https://www.centos.org/forums/viewtopic.php?f=48&t=47284 Installing fail2ban on CentOS 7]