Hi all,
From what I've heard, the forum ansible role is mostly done, can we keep this migration moving? What's currently holding it back?
Also to which server do we move the forums?
Greetings,
Jelle
On Sun, Feb 10, 2019 at 12:14:52PM +0100, Jelle van der Waa <jelle@vdwaa.nl> wrote:
From what I've heard, the forum ansible role is mostly done, can we keep this migration moving? What's currently holding it back?
Also to which server do we move the forums?
I believe that's the question that's mostly blocking this (and other stuff on luna). I think I'd be in favour of hetzner's cloud VMs, but then again I have no idea how large of a VM we'd need for the bbs. I'm also fine with getting a second server like apollo to replace luna with, but then we should get the migration done in a reasonable time frame so that we don't keep luna around forever and pay two boxes. Is anyone interested in working on either of those two solutions?
Florian
On Sun, 10 Feb 2019 at 12:35, Florian Pritz via arch-devops <arch-devops@lists.archlinux.org> wrote:
On Sun, Feb 10, 2019 at 12:14:52PM +0100, Jelle van der Waa <jelle@vdwaa.nl> wrote:
From what I've heard, the forum ansible role is mostly done, can we keep this migration moving? What's currently holding it back?
Also to which server do we move the forums?
I believe that's the question that's mostly blocking this (and other stuff on luna). I think I'd be in favour of hetzner's cloud VMs, but then again I have no idea how large of a VM we'd need for the bbs. I'm also fine with getting a second server like apollo to replace luna with, but then we should get the migration done in a reasonable time frame so that we don't keep luna around forever and pay two boxes. Is anyone interested in working on either of those two solutions?
Florian
I have some good experience with the Hetzner Cloud stuff and I generally think we should use those more going forward as it eases provisioning and general maintenance (as we don't have to write support to switch disks and other faulty hardware). I'd like to work on that with Jelle. We'll figure out how much space is required (and we can always upgrade). I suggest we use Terraform for the actual server acquisition.
On Sun, Feb 10, 2019 at 07:11:59PM +0100, Sven-Hendrik Haase <sh@lutzhaase.com> wrote:
I suggest we use Terraform for the actual server acquisition.
VMs and terraform sounds great!
One more thing I just remembered: If we go with VMs, I'd also like to keep their backups on a storagebox. I'm using a storagebox with borg for my personal backups and apart from some manual setup to get the SSH key of the server into the hetzner config interface and create the subaccount on the storagebox, it works perfectly fine. If we could use storageboxes for our backups, we'd gain automatic, read-only snapshots, managed by hetzner, for free and we would no longer need to maintain vostok. I think it might even be cheaper.
Using a storagebox is not really tied to the VMs, but if we set up new machines, it's a good time to improve our backups. Once the changes are stable, I'd like to move existing hosts over there too.
Florian
On 02/24/19 at 05:11pm, Michael Singh via arch-devops wrote:
This sounds great, where can I find the repository where the terraform work will be done?
Everything is on our Infrastructure git repo. [1]
[1] https://git.archlinux.org/infrastructure.git/
--
Jelle van der Waa
On February 10, 2019 9:14, Jelle van der Waa wrote:
Hi all,
From what I've heard, the forum ansible role is mostly done, can we keep this migration moving? What's currently holding it back?
Also to which server do we move the forums?
Greetings,
Jelle
Hi Jelle,
The forum role is 95% complete. Last time I was working on it, I had issues with firewalld, plus a few other roles. We really need to run the full playbook more often on the machines.
We had agreed a long time ago to migrate everything web to apollo. I don't oppose moving them to VMs. That would also mean that our roles are more easily tested. Heck, I already test all our roles on VMs, since I have no means to reproduce bare.
Regards,
Giancarlo Razzolini
On 11/02/2019 17.10, Giancarlo Razzolini via arch-devops wrote:
We had agreed a long time ago to migrate everything web to apollo. I don't oppose moving them to VM's.
As long as you exclude me from "us", because I raise that it's a bad idea to host everything from one server every time it's mentioned.
We also need to migrate Synapse, Kanboard and Quassel away from soyuz.
Bartłomiej
On Mon, Feb 11, 2019 at 05:30:47PM +0100, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
We also need to migrate Synapse, Kanboard and Quassel away from soyuz.
Kanboard is on apollo, not soyuz. Apart from that, yeah we should migrate those away so that soyuz is really only a build server.
Florian
On 02/11/19 at 05:38pm, Florian Pritz via arch-devops wrote:
On Mon, Feb 11, 2019 at 05:30:47PM +0100, Bartłomiej Piotrowski via arch-devops <arch-devops@lists.archlinux.org> wrote:
We also need to migrate Synapse, Kanboard and Quassel away from soyuz.
Kanboard is on apollo, not soyuz. Apart from that, yeah we should migrate those away so that soyuz is really only a build server.
So today, we discussed it again on IRC and I'm not sure what we want to do. Move all small services to a VPS? If we do that, do we want to move to a separate DB hosted on a dedicated server (and what about HA).
Some things which can easily be moved to a small server (since it requires no postgres/mysql)
- phrik (requires an sqlite db)
- security.archlinux.org (only requires an sqlite.db)
- grafana (not sure about its load, I run it on a shitty intel atom 125 euro quad core)
Others require a real Database :-)
PostgreSQL users:
- archweb (5 GB)
- patchwork (30M)
- kanboard (13M)
- zabbix (5GB)
- quassel (dedicated ip for multiple irc connections iirc (ask heftig)) (5GB)
- matrix/synapse (37GB, big user)
MySQL:
- aur (300 MB)
- forum (~8GB)
- bugtracker (400 MB)
- wiki (~7 GB)
I would suggest we keep the AUR on a dedicated server for its Git repos, we could think of using a dedicated server for its MySQL.
That would sum up: (2 or 4x EX42?)
- One MySQL DB server plus another for HA (dedicated)
- One PostgreSQL server plus another for HA (dedicated)
VPS plan: CX11 (~3-4?):
- phrik
- security.archlinux.org
- grafana
- quassel
- zabbix
- kanboard
- archweb
separate CX21:
- forum
- bugtracker
- wiki
- matrix?
Dedicated server: (AX60?)
- aur
I'm probably over complicating things, please stop me :P
--
Jelle van der Waa
On Tue, Feb 12, 2019 at 11:33:42AM +0100, Jelle van der Waa <jelle@vdwaa.nl> wrote:
So today, we discussed it again on IRC and I'm not sure what we want to do. Move all small services to a VPS? If we do that, do we want to move to a separate DB hosted on a dedicated server (and what about HA).
I'd say that we should keep the databases on the same systems as the services for now. That way, if a machine has problems or goes down, it only affects the services of that machine. It also limits potential load issues to fewer services. Note that I'm not opposed to having multiple services on a single machine in cases where it makes sense.
That would sum up: (2 or 4x EX42?)
Please only look at machines with ECC memory. I don't want another machine with bad memory like alderaan (I think?). We had a few weird database issues with that box before we figured out what it was. Not a pleasant experience.
VPS plan: CX11 (~3-4?): - phrik - security.archlinux.org - grafana - quassel - zabbix - kanboard - archweb
+ patchwork
separate CX21: - forum - bugtracker - wiki - matrix?
Not sure if we can fit matrix on 40gb disk space, but apart from that, the list looks fine.
Missing from the list are git and mailman. Git can survive with a CX11. The mailman directory is around 18GB. Of that 12GB are the arch-commits archive. Do we need that or can we drop it? Nearly everything from that list is in the svn log anyways. Without the arch-commits archive, a CX11 would be enough. Otherwise we need another CX21.
So the total tally would be (with some margin for error and rounded costs):
5 CX11 (your list + git), 2.50€ each, total 12.5€
4 CX21 (your list + mailman), 5€ each, total 20€
2 CX31 (matrix and AUR), 9€ each, total 18€
1 CX41 (see below), 16€
grand total = 66.5€ (rounded)
Did we forget anything? If not, that's a lot cheaper than what we have right now while still distributing services across multiple machines. Sounds good to me.
Dedicated server: (AX60?) - aur
Looking at resource usage on luna, that's a total overkill. I'd say a CX41 should be sufficient. That said, I do wonder why mysql uses so much CPU. Pretty much everything of luna's mysql cpu usage comes from the AUR. bbs is the next big thing with about 0.7-2%. The AUR has between 60 and 140. It might be possible to optimize that a bit more.
Once we have a roughly complete list, I'd suggest that we talk to Aaron about the funds and then we start by migrating the services that are currently on luna/soyuz to their respective new homes. Afterwards we deal with apollo based services.
PS: I just noticed that hetzner also offers dedicated block storage that can be attached to VMs. This may or may not be useful for mailman and matrix. Regarding matrix I'm not sure if the performance is sufficient, but it's likely perfectly fine for mailman.
Florian
On February 11, 2019 14:30, Bartłomiej Piotrowski via arch-devops wrote:
As long as you exclude me from "us", because I raise that it's a bad idea to host everything from one server every time it's mentioned.
Well, at the time it was decided mostly by me and Florian, so yes, you're not part of "us" in this context. And the effort was always focused on automating everything. The move part is relatively easy, if we need to move things out of apollo, or split things between machines, like archweb is split between apollo and orion.
We also need to migrate Synapse, Kanboard and Quassel away from soyuz.
Synapse and Quassel, sure. Kanboard is, and always was, as far as I know, on apollo.
Regards,
Giancarlo Razzolini
Hi list!
On 11/02/2019 20:35, Jelle van der Waa wrote:
For security@archlinux.org the Security Team wants to set up a way for reporters to securely mail encrypted issues to our email address.
Not actually questioning the motives but, is there really a *need* for this? From now on, I'll assume "yes" here.
* Cheapest Hetzner server 34 euro / month and 40 euro setup fees.
* Hetzner auction server ~ 25 / month and no setup fees.
* Different dedicated server hoster which allows custom usb devices.
I would go with an auction server. They're reliable and cheap (had 2 personally already).
* Nitrokey is out of our control, but we trust Hetzner already (ie. they could easily hook up a malicious USB/BMC device already and gain root privileges).
We can't be *that* paranoid (we actually can, but given the circumstances, I really don't see the need to)
* Server dies, the Nitrokey has to be moved to the new server.
That's a bummer. Let's not forget downtime to this. How long does it take to Hetzner to move the key? *Who* is allowed to request it?
Questions:
* Do we backup the key? Let someone have a separate nitrokey?
I would vote for "yes" here. Let someone have a backup key that can be used in case the production one gets lost/broken/<insert_your_catastrophic_event_here>
participants (7)
- Bartłomiej Piotrowski
- Carlos Mogas da Silva
- Florian Pritz
- Giancarlo Razzolini
- Jelle van der Waa
- Michael Singh
- Sven-Hendrik Haase