Difference between revisions of "Osgeo6"
(→SSL certificates: add the friday night fun) |
(→SSL certificates: add the fun) |
||
Line 135: | Line 135: | ||
* LetsEncrypt was configured by [[Jeff McKenna]] on 2018-07-27 for mapserver.org, gdal.org, grass.osgeo.org, and lists.osgeo.org using certbot-auto | * LetsEncrypt was configured by [[Jeff McKenna]] on 2018-07-27 for mapserver.org, gdal.org, grass.osgeo.org, and lists.osgeo.org using certbot-auto | ||
− | ** careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that the VirtualHost settings do not include something like | + | ** careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that the VirtualHost settings do not include something like ''<VirtualHost _default_:443>'' and instead should point to the IP such as ''<VirtualHost 140.211.15.3:443>'' or else the certificate loaded will always default to mapserver.org |
− | |||
− | |||
− | |||
− | |||
** certbot-auto lives in /usr/local/sbin. | ** certbot-auto lives in /usr/local/sbin. | ||
** to add more sites, run the command:<blockquote>certbot-auto --apache -d mapserver.org -d www.mapserver.org</blockquote> | ** to add more sites, run the command:<blockquote>certbot-auto --apache -d mapserver.org -d www.mapserver.org</blockquote> |
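Review bot: the caution added on the + side of Line 135 tells the reader to check the conf files but gives no way to do it, and "something like" leaves the pattern to look for vague. Suggest naming the check, for example `grep -n '<VirtualHost' /etc/apache2/sites-enabled/*`, and splitting the sentence so that the consequence (the certificate loaded always defaults to mapserver.org) stands on its own.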
Revision as of 18:20, 27 July 2018
Osgeo6 is a Debian 8 machine administered by SAC, hosted on OSU OSL servers since August 2015 (see also Hardware plan 2014).
It hosts several critical resources: project web sites, mail transport and mailing lists. It is the successor of the ProjectsVM and the MailVM (this machine runs NO VMs instead).
The host is reachable by ssh at osgeo6.osgeo.osuosl.org.
Shell access
Anyone in the group at https://www.osgeo.org/cgi-bin/auth/ldap_shell.py has ssh access, and anyone in this group can add new people via the link. Sudo access can be provided by existing sudoers by adding people to the sudoers group in /etc/group, though it is normal practice to extend sudo access to only one user per project.
It is a shared environment, and it is important that anyone making changes on the system be aware of the impact they might have on other hosted services. Apache changes should be made carefully and only when needed. Think about security!
See SAC#Communication in case of troubles or quick questions
Services hosted on osgeo6
Websites
All websites are served by Apache
site | path | contact | backup | comments |
---|---|---|---|---|
grass.osgeo.org | /var/www/grass/grass-cms | admined by User:Neteler, martinL | BackupOg6 bacula job | based on CMSMS; GRASS GIS infrastructure explained here, also enabled LetsEncrypt |
grasswiki.osgeo.org | /var/www/grass/grass-wiki | admined by User:Neteler, martinL | BackupOg6 bacula job | own MediaWiki |
www.geotools.org | /var/www/geotools/web | SAC !? | BackupOg6 bacula job | /home/geotools/ available, but corresponding OSGeo LDAP user account missing |
docs.geotools.org | /var/www/geotools/docs | SAC !? | BackupOg6 bacula job | /home/geotools/ available, but corresponding OSGeo LDAP user account missing |
old.geotools.org | /var/www/geotools/wiki | SAC !? | BackupOg6 bacula job | /home/geotools/ available, but corresponding OSGeo LDAP user account missing |
www.featureserver.org | /var/www/featureserver/website | admined by User:Warmerda | BackupOg6 bacula job | Not yet active, pending Python/GEOS issues |
geos.osgeo.org | /var/www/geos/geos-web | admined by User:Warmerda | BackupOg6 bacula job | Just a redirect to Trac |
www.tilecache.org | /var/www/tilecache/docs | SAC !? | BackupOg6 bacula job | |
www.gdal.org | /var/www/gdal/gdal-web/ | admined by User:Warmerda | BackupOg6 bacula job | CRON-job migrated as well, also enabled LetsEncrypt |
www.mapserver.org | /var/www/mapserver.org/ | admined by Jeff McKenna | BackupOg6 bacula job | also enabled LetsEncrypt |
drone.osgeo.org | /var/www/drone.osgeo.org | admined by User:Strk | Continuous Integration for Gitea | reverse-proxy to Drone server |
https://lists.osgeo.org | admin | Web interface for managing Mailman | also enabled LetsEncrypt |
MySQL server
- used for GRASS GIS Wiki (maintained by Martin Landa and Markus Neteler)
- used for GRASS CMS ? (to be confirmed)
- backed up via bacula in BackupOg6 job (see /osgeo/backup)
- admin user credentials found in ~root/.my.cnf
Postfix SMTP server
- Central OSGeo MX running Postfix (includes @osgeo.org aliases in /etc/aliases)
  1. edit /etc/aliases
  2. git diff
  3. and git commit (please set GIT_AUTHOR_NAME/GIT_AUTHOR_EMAIL envs)
  4. newaliases
  5. postfix reload
Mailman
- SAC:Mailing Lists - mailman configuration for lists.osgeo.org.
- monthly cronjob "OSGeo mailman server unique subscribers", run as root user with scripts in /home/neteler/osgeo_mailman_stats/*.sh
PostgreSQL server
As of April 2017 PostgreSQL 9.6 is installed from pgdg packages and a new cluster was added to host the database for the Drone service (in progress)
Drone service
See Drone
SSL certificates
- LetsEncrypt was configured by Jeff McKenna on 2018-07-27 for mapserver.org, gdal.org, grass.osgeo.org, and lists.osgeo.org using certbot-auto
- careful: check the conf files in /etc/apache2/sites-enabled/ to make sure that no VirtualHost setting uses something like <VirtualHost _default_:443>; each should instead point to the IP, such as <VirtualHost 140.211.15.3:443>, or else the certificate loaded will always default to mapserver.org
- certbot-auto lives in /usr/local/sbin.
- to add more sites, run the command:
certbot-auto --apache -d mapserver.org -d www.mapserver.org
- a cronjob (certbot-auto renew) to renew the certificates automatically has not yet been created
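One way to run the VirtualHost check described above, as an added example that is not part of the original wiki page: the function name `audit_vhosts`, its output format and the `--demo` sample files are assumptions made for illustration. It goes slightly beyond the page by also flagging `*:443`, since Apache 2.4 treats `_default_` as an alias for `*`.

```shell
#!/bin/sh
# Added example (not from the wiki page): list every <VirtualHost ...:443>
# opening tag under a config directory and flag wildcard addresses.
# Output: "<STATUS> <file>:<line> <address>"; returns 1 if any are flagged.
audit_vhosts() {
    dir="${1:-/etc/apache2/sites-enabled}"
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo "no .conf files in $dir" >&2; return 2; }
    awk '
        BEGIN { bad = 0 }
        # Opening tags only; lines starting with "#" never match.
        /^[ \t]*<[Vv]irtual[Hh]ost[ \t]/ {
            line = $0
            sub(/^[ \t]*<[Vv]irtual[Hh]ost[ \t]+/, "", line)
            sub(/>.*$/, "", line)
            n = split(line, addrs, /[ \t]+/)   # a tag may list several addresses
            for (i = 1; i <= n; i++) {
                if (addrs[i] !~ /:443$/) continue
                host = addrs[i]; sub(/:443$/, "", host)
                # Assumption: "*" is flagged too, since Apache 2.4 treats
                # _default_ as an alias for "*".
                tag = (host == "_default_" || host == "*") ? "WILDCARD" : "OK"
                if (tag == "WILDCARD") bad = 1
                printf "%s %s:%d %s\n", tag, FILENAME, FNR, addrs[i]
            }
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample: two site files, one still using _default_.
demo() {
    d=$(mktemp -d)
    printf '<VirtualHost _default_:443>\n  ServerName mapserver.org\n</VirtualHost>\n' > "$d/mapserver.conf"
    printf '<VirtualHost 140.211.15.3:443>\n  ServerName gdal.org\n</VirtualHost>\n' > "$d/gdal.conf"
    audit_vhosts "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Run the constructed sample only when asked: sh audit.sh --demo
[ "${1:-}" = "--demo" ] && demo
```

Called without arguments, `audit_vhosts` reads /etc/apache2/sites-enabled/*.conf; a non-zero return after a certbot-auto run means a wildcard block is present.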
Backup strategy
As of Feb 2017 backup is performed by bacula, with the BackupOg6 job, which includes the whole /var/www, /etc, /osgeo, /var/lib/mysql and more files (see SAC:Backups for info about figuring out more).
A dump of each mysql database is also stored as a separate file under /osgeo (created during the backup phase).
Hardware
Details:
CPU: 2 x Intel Xeon E5-2620v3, 2.4 GHz (6-Core, HT, 15MB Cache, 85W) 22nm
RAM: 128GB (8 x 16GB DDR4-2133 ECC Registered 2R 1.2V DIMMs) Operating at 2133 MT/s Max
NIC: Dual Intel i210 Gigabit Ethernet Controllers - Integrated
Management: Integrated IPMI 2.0 & KVM over LAN
Controller: 10 Ports 6Gb/s SATA (Intel C612 Chipset)
PCIe 3.0 x8: No Item Selected
NOTE: Hot-swap and fixed drives will be connected to SATA3 controller (C612) unless otherwise specified
Hot-Swap Drive - 1: 80GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Hot-Swap Drive - 2: 80GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Hot-Swap Drive - 3: 480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Hot-Swap Drive - 4: 480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Hot-Swap Drive - 5: 480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Hot-Swap Drive - 6: 480GB Intel DC S3500 Series MLC (6Gb/s, 0.3 DWPD) 2.5" SATA SSD
Optical Drive: No Item Selected
3-year warranty starting on May 4, 2015 and ending on May 4, 2018