Opened 3 years ago

Closed 3 years ago

#31 closed enhancement (fixed)

Preparation for deployment to new prod

Reported by: mori
Owned by: chris
Priority: major
Milestone: Maintenance
Component: crin2
Version:
Keywords:
Cc:
Estimated Number of Hours: 0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.65

Description

Hi Chris,

In order to run the CRIN production site under the new codebase, we need to go through a number of steps to set up and test the site. We need your help to accomplish this.

Overview: (please execute each step once we request you to do so through the comment)

  • Chris to create a new entry for the new prod site on CRIN2
  • Chris to create a new database for the new prod site on CRIN1
  • Code+ and CRIN to test the new prod site and sign off
  • Chris to update the nginx config so the new prod serves as the working prod

Rationale of the go-live process
Because of the reasons listed below, deploying the new code to the existing prod results in an extended period of downtime:

  • repository too large: cloning takes 10+ minutes
  • changes to the directory structure require the registry to be rebuilt
  • the new deployment process needs testing

Change History (5)

comment:1 Changed 3 years ago by mori

Hi Chris,

Can you please start with the first two items in the list?

  • 'Chris to create a new entry for the new prod site on CRIN2'

I've checked out the new codebase under /var/www/newprod/docroot. Please use it as the docroot of the new prod. The site should be accessible via newprod.crin.org

  • Chris to create a new database for the new prod site on CRIN1

Please create a new database newprod, along with a new user and its password. Can you create a file in CRIN4:/home/mori/ and store the username and password in there?

Thanks,

Mori

comment:2 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.65
  • Total Hours set to 0.65

Sounds like a very sensible set of steps.

Creating the database on Crin1:

mysql> CREATE DATABASE newprod;
mysql> GRANT ALL ON newprod.* to 'newprod'@'crin2' identified by 'XXX' REQUIRE SSL;
mysql> FLUSH PRIVILEGES;

Test the MySQL database and user from Crin2:

mysql -unewprod -p -hcrin1 newprod

That works fine. DB details saved to /home/mori/newprod.txt on Crin4.

Creating the directory on Crin2:

mkdir -p /var/www/newprod/docroot/

Copy live Nginx config:

cd /etc/nginx/sites-available
cp crin.org newprod.crin.org

Change these lines for the port 80 config:

        listen 80;
        #listen 80 default_server;
        #server_name www.crin.org;
        server_name newprod.crin.org;
        root /var/www/newprod/docroot;

        access_log /var/log/nginx/newprod.crin.org.access.log;
        error_log  /var/log/nginx/newprod.crin.org.error.log info;

        # login redirect
        location ~ /user {
                #rewrite ^/(.*)$ https://www.crin.org/$1? permanent;
                rewrite ^/(.*)$ https://newprod.crin.org/$1? permanent;
                #rewrite ^/(.*)$ https://$server_name/$1? permanent;
                #rewrite ^/(.*)$ https://crin.web1.crin.webarch.net/$1? permanent;
        }

#server {
#       listen 80;
#        server_name crin.org;
#
#        access_log /var/log/nginx/crin.org.access.log;
#        error_log  /var/log/nginx/crin.org.error.log info;
#
#        location / {
#               return      301 http://www.crin.org$request_uri;
#       }
#
#}

And these for port 443:

        #listen 443 ssl spdy default_server;
        listen 443 ssl spdy;
        server_name newprod.crin.org;
        #server_name www.crin.org;
        root /var/www/newprod/docroot;

        access_log /var/log/nginx/newprod.crin.org.ssl_access.log;
        error_log  /var/log/nginx/newprod.crin.org.ssl_error.log info;

#server {
#       listen 443 ssl spdy;
#        server_name crin.org;
#       return      301 https://www.crin.org$request_uri;
#        ssl  on;
#        ssl_certificate     /etc/ssl/gandi/crin.org.chained.pem;
#        ssl_certificate_key /etc/ssl/gandi/crin.org.key.pem;
#        #ssl_certificate  /etc/ssl/cacert/web1.crin.webarch.net.chained.pem;
#        #ssl_certificate_key  /etc/ssl/cacert/web1.crin.webarch.net.key.pem;
#       ssl_dhparam /etc/ssl/gandi/dhparam.pem;
#        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; 
#        ssl_prefer_server_ciphers on;
#       #add_header Strict-Transport-Security max-age=15768000;
#       # 24 hours
#       #add_header Strict-Transport-Security max-age=86400;
#       ## Use a SSL/TLS cache for SSL session resume.
#       ssl_session_cache shared:SSL:60m;
#       ssl_session_timeout 30m;
#       # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
#
#        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
#        add_header X-Frame-Options SAMEORIGIN;
#
#       # OCSP Stapling -- this needs a newer version of Nginx
#       # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#       # https://packages.debian.org/wheezy-backports/nginx-extras
#       # fetch OCSP records from URL in ssl_certificate and cache them
#       #ssl_stapling on;
#       #ssl_stapling_verify on;
#       ## verify chain of trust of OCSP response using Root CA and Intermediate certs
#       #ssl_trusted_certificate /etc/ssl/gandi/gandi.pem;
#}

Enable new config:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/newprod.crin.org 01-newprod.crin.org

Test:

service nginx configtest
Testing nginx configuration:.

Add the new DNS entry.

newprod 900 IN A 93.95.228.180

This will take some time to propagate.

Restart services on Crin2:

service nginx restart
service php5-fpm restart

I think that is everything I need to do for the first two steps?
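
The cloning step in comment:2 (copy crin.org to newprod.crin.org, then edit by hand) fails quietly if one line is missed. The following is an added example, not part of the ticket or of Chris's commands: a shell check that reads only the active (uncommented) directives of the cloned file and reports any that still claim default_server, name the live host, point at a different docroot, or write to the live site's log files. The function names, the temporary files and the /var/www/constructed-live path are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the ticket: audit a vhost file cloned from the live
# site. Function names and both sample configs below are constructed.
# Active directives only (assumes '#' never appears inside a quoted value).
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# audit_vhost FILE NEW_HOST LIVE_HOST NEW_ROOT: one finding per line, or nothing
audit_vhost() {
    act=$(active_lines "$1")
    if printf '%s\n' "$act" | grep -Eq '^[[:space:]]*listen[[:space:]].*default_server'; then
        echo "default_server is still active"
    fi
    # server_name, rewrite or return targets that still name the live host
    printf '%s\n' "$act" | grep -F -- "$3" | sed -e 's/^[[:space:]]*/live host referenced: /'
    printf '%s\n' "$act" | awk -v want="$4;" -v host="$2" '
        $1 == "root" && $2 != want { print "unexpected root: " $2 }
        $1 ~ /^(access|error)_log$/ && index($2, host) == 0 { print "shared log file: " $2 }'
    return 0
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/missed-edits.conf" <<'EOF'
server {
        listen 80 default_server;
        #server_name newprod.crin.org;
        server_name www.crin.org;
        root /var/www/constructed-live/docroot;
        access_log /var/log/nginx/crin.org.access.log;
        location ~ /user {
                rewrite ^/(.*)$ https://www.crin.org/$1? permanent;
        }
}
EOF
cat > "$tmp/edited.conf" <<'EOF'
server {
        listen 80;
        #listen 80 default_server;
        #server_name www.crin.org;
        server_name newprod.crin.org;
        root /var/www/newprod/docroot;
        access_log /var/log/nginx/newprod.crin.org.access.log;
        location ~ /user {
                rewrite ^/(.*)$ https://newprod.crin.org/$1? permanent;
        }
}
EOF
for f in "$tmp"/*.conf; do
    echo "== $f"; audit_vhost "$f" newprod.crin.org www.crin.org /var/www/newprod/docroot
done
```

Pointed at /etc/nginx/sites-available/newprod.crin.org, this complements `service nginx configtest`, which checks that the configuration parses, not which site it serves.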

comment:3 Changed 3 years ago by mori

Thanks Chris.

Can you please add a new env var 'newprod' as well, if you haven't already?

comment:4 Changed 3 years ago by chris

On Tue 11-Aug-2015 at 03:24:26PM -0000, CRIN Trac wrote:
> 
>  Can you please add a new env var 'newprod' as well, if you haven't
>  already?

Have done now, sorry to have missed that earlier.


comment:5 Changed 3 years ago by chris

  • Resolution set to fixed
  • Status changed from new to closed