Overview
What needs to be migrated from quark to a new service,
Expect we can get better specs for a similar price (compared to echo) these days.
Concerns for the new service migration include
NB: Some services may go to echo while others go to a new host directly. Currently the plan is:
| Host | Intent | Profile | Notes |
|------|--------|---------|-------|
| echo | Production host for sairuk. Hosts: gaming@tomb; foreverchat IRC hub; XMPP service; echo mail; additional items. echo information is handled on a separate wiki. | CentOS 7, SELinux enforcing, Apache 2.4, php-fpm | echo needs to be rebuilt: the installation is not fit for purpose and as a result (SELinux) requires workarounds to accommodate it. |
| quark | Production host for dave; production host for sairuk. Hosts: web services; usenet services; quark mail (secondary); FTP. | Intel(R) Atom(TM) CPU N2800 @ 1.86GHz (quad core), 4GB memory, 2TB HDD, CentOS 6, Python 2.6, Apache 2.2, suPHP | Python 2.7 installed unofficially. Struggled with some workloads: system load was never much of a problem, but things did slow down during processing. We are migrating off this host. |
| HAL | 78.129.208.24; provides VMs | 1230 V2 CPU (8 core), 8GB RAM, 2 x 2TB HDD (mirrored), KVM | Virtualisation considerations: ESXi is mentioned in the overview section (my fault, I asked a simple question at some point); the free version 6.5 is behind mainline enterprise 6.7; a full host outage will be required to patch because there are no redundant nodes; don't know if it's getting updates in line with enterprise. Stay with KVM, it is built into the Linux mainline kernel. VMs to be deployed: VM1, clean production system for web and mail (dave only); VM2, docker (services); VM3, lab system. DISK: storage spec was said to be 2x 2TB drives, can only see one in fdisk -l output. RAM: a concern if we are running multiple VMs. |
| XAVIER | 78.129.208.25; clean production system for web and mail (dave only) | General Linux 64bit | Expected services: Apache + PHP (website hosting); MySQL for some websites; Postfix (mail) + procmail + SpamAssassin; fail2ban (defensive measures). It may be wise to consider what services you need and then containerise them so you can expand at will. Where will you be hosting MySQL, for example? |
| TUPPER | 78.129.208.77; docker for content services (Usenet) | Docker host, Linux 64bit, specific LVM partitioning | Mostly wants some RAM and CPU for decompression, need to review. Uses a specific LVM partition layout in which most space is dedicated to /var/lib/docker: /vg/root, /vg/swap, /vg/var, /vg/var/lib/docker, /vg/home. See Services below. |
| ALBERT | 78.129.208.174; lab system | General Linux 64bit | Start with 2 CPUs x 2GB RAM. Learning system; may be used for PoC. May be reinstalled without notice and is expected to be broken and rebooted at any point in time. If you run prod stuff here you are your own worst enemy. dave, darren, sai all have full access. |
| Service | Host | Software | Notes | Migrated |
|---------|------|----------|-------|----------|
| web - tombstones | echo | | | |
| web - lazarus | echo | | | |
| web - manthorpe | echo | | | |
| web - others | echo | | | |
| web - gaming@tomb | echo | WordPress | echo runs php-fpm | Yes |
| web - download@tomb | echo | Apache Index | echo runs php-fpm | |
| gaming@tomb servers | echo | Proprietary servers | Running inside a single 32bit docker container | Yes |
| quark-mail | xavier | | This could be integrated with the echo config if required, but echo needs an outage to move the existing config around to accommodate it. | |
| torrents | tupper | rtorrent + rutorrent | (COFFEE was briefly used as an exploratory test, using nginx to provide a web frontend to rutorrent.) Currently running as a named account off quark, but due to migrate. | Yes |
| usenet - sabnzbd | tupper | sabnzbd | | |
| usenet - sickgear | tupper | sickgear | | |
| usenet - couchpotato | tupper | couchpotato | | |
| usenet - lazylibrarian | - | lazylib | Will not be migrated | N/A |
| usenet - mylar | - | mylar | Will not be migrated | N/A |
| usenet - headphones | tupper | headphones | | |
| storage | tupper | | (not sure what this is for - just FTP?) | |
| ftp | tupper | pureftpd | Possibly migrate to tupper, as it's content access that's needed here. | |
| Type | Notes |
|------|-------|
| OS | There was some consideration of waiting for the CentOS 8 release before rolling over, but there are significant changes in the new 8 base that will directly impact OS-based installation of services currently running on quark; therefore we will roll out CentOS 7. Impacting (RHEL 8) changes: nftables replaces iptables as the default network filtering framework (impacts Fail2Ban, sys-scan and ipset configurations); Python 3.6 is the default Python version in RHEL 8 (software running on quark does not support Python 3); PHP 7.2 comes with RHEL 8 (the CentOS 7 host will run 7.3 from the remi repos, mentioned only for the record); Bash 4.4 invalidates/changes a number of bashisms that may require scripts to be ported. |
| Security | ipset and iptables: recommended to use ipsets over iptables. SELinux will be on for the CentOS 7 hosts (ORVILLE plus the possible QUARK successor). rkhunter will be installed. fail2ban? Recommend using ipsets in conjunction with F2B. |
| Monitoring | monitoring (nagios/cacti/etc) |
| Apache | suPHP is no longer supported; there are alternatives (PHP-FPM). Create a dedicated web volume under /srv for sites only. Create the site storage location on the dedicated storage volume. |
| Mysql | Create a dedicated storage volume for the DB. |
| User Accounts | No more shared credentials (need to review this in the light of the usenet and ut services). |
| Library | The git library serves as a historical record of all changes to monitored files. This will be transferred across to the new server. Access is restricted to the staff group. |
| SSL | Still using LetsEncrypt for customer-facing services. Management access is controlled by the sslcerts group. Services will be added to the sslcerts-services group with read-only access to /etc/letsencrypt/archive. |
| g@T | This has been migrated to echo entirely. |
| XOOPs | At its current level it will not run on PHP 7.x; the new server (CentOS 7/8) will be running 7.x (7.3). All sites can be transferred to run for historical purposes within a self-contained docker image, but will be migrated to a WordPress-based CMS. Will be reverse-proxied for access. |
| usenet | Simple user account with home dir; runs as the usenet user; dedicated storage area; sudoers to start/stop/restart services. |
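A rehearsal script for the SSL row above, added here as an example and not part of the original plan: it applies the sslcerts (management) / sslcerts-services (read-only) split to a Let's Encrypt tree and then checks that nothing under archive/ is world-accessible or group-writable. The scratch-tree builder, the example.test hostname and the assumed certbot layout (archive/, live/ symlinks, renewal/) are constructed for the rehearsal; the group names come from the plan and are passed in as parameters so it can be run against a scratch copy before being pointed at /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the migration page): apply the sslcerts /
# sslcerts-services split to a Let's Encrypt tree and verify the result.
# Group names and ROOT are parameters so it can be rehearsed on a scratch copy.

# grant_cert_read_access ROOT MGMT_GROUP SVC_GROUP
#   ROOT itself stays with MGMT_GROUP (read/write); archive/ and live/ are
#   handed to SVC_GROUP read-only; "other" gets nothing except traversal of
#   ROOT, which SVC_GROUP members need in order to reach ROOT/archive.
grant_cert_read_access() {
  root=$1; mgmt=$2; svc=$3
  chgrp -R "$mgmt" "$root" || return 1
  chmod -R u=rwX,g=rwX,o= "$root" || return 1
  for sub in archive live; do
    [ -d "$root/$sub" ] || continue
    chgrp -R "$svc" "$root/$sub" || return 1
    # X = search bit on directories only; files end up 0640, dirs 0750
    chmod -R u=rwX,g=rX,o= "$root/$sub" || return 1
  done
  chmod u=rwx,g=rwx,o=x "$root"
}

# check_cert_access ROOT
#   Exit 0 only if nothing under ROOT/archive is readable or writable by
#   "other" and no file there is group-writable (the read-only contract).
check_cert_access() {
  root=$1
  bad=$(find "$root/archive" \( -perm -004 -o -perm -002 \) -print | head -n 1)
  [ -z "$bad" ] || { echo "world-accessible: $bad" >&2; return 1; }
  bad=$(find "$root/archive" -type f -perm -020 -print | head -n 1)
  [ -z "$bad" ] || { echo "group-writable: $bad" >&2; return 1; }
  return 0
}

# make_scratch_tree DIR
#   Constructed stand-in for /etc/letsencrypt with one hostname, using the
#   assumed certbot layout (archive/<name>/*.pem, live/<name> symlinks, renewal/).
#   privkey1.pem is deliberately left 0644 so the check fails before the fix.
make_scratch_tree() {
  dir=$1; name=example.test
  mkdir -p "$dir/archive/$name" "$dir/live/$name" "$dir/renewal" || return 1
  for f in privkey1.pem fullchain1.pem cert1.pem chain1.pem; do
    printf 'constructed placeholder for %s\n' "$f" > "$dir/archive/$name/$f"
    ln -sf "../../archive/$name/$f" "$dir/live/$name/${f%1.pem}.pem"
  done
  echo "# constructed renewal config" > "$dir/renewal/$name.conf"
  chmod 644 "$dir/archive/$name/privkey1.pem"
}
```

Rehearse with `d=$(mktemp -d); make_scratch_tree "$d"; grant_cert_read_access "$d" sslcerts sslcerts-services; check_cert_access "$d"` once both groups exist on the host.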