Comment: update backuppc instructions

...

  • if converting an MFI from the old infrastructure
    • Stop mifos instance
    • Dump database
    • Copy uploads/config in MIFOS_CONF
  • Create security group in EC2 (AWS UI)
  • SSH "gateways" setup/info
    • allows us to limit points of entry for our hosted machines
    • the gateway hosts are the source addresses used in the ec2-authorize commands below; the gateways are currently birch.mifos.org (the whole Seattle GTC, actually) and cloudboss.mifos.org.
    • add to your .ssh/config (substituting MFINAME for something meaningful):
      No Format
      Host *MFINAME.mifos.org
         ProxyCommand ssh birch.mifos.org exec /bin/nc %h %p
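
      Going through the gateways limits where SSH connections can come from, but it does not tell you whether the host you reach is the instance you launched; since images are rebuilt often, the host-key warning becomes routine and the fingerprint is worth checking against what the instance itself printed at boot. The shell functions below are an added example, not part of this runbook: they pull the host key fingerprints out of the text that ec2-get-console-output returns for Ubuntu-based AMIs (cloud-init prints them between BEGIN/END SSH HOST KEY FINGERPRINTS markers) and check a fingerprint against them. The console text used is constructed for the example and its fingerprint values are made up; it assumes the MD5 colon-hex fingerprint format cloud-init printed at the time (a newer ssh-keygen needs -E md5 to print that form).

```shell
#!/bin/sh
# Added example (not from the Mifos runbook): check an instance's SSH host key
# fingerprint against the one printed in its console output before trusting it.

# CONSTRUCTED sample of what `ec2-get-console-output INSTANCE_ID` returns for an
# Ubuntu AMI; the fingerprint values here are made up for the example.
SAMPLE_CONSOLE='ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: 1024 00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11 /etc/ssh/ssh_host_dsa_key.pub (DSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################'

# console_fingerprints: read console output on stdin and print one
# "<fingerprint> <keytype>" line per host key found inside the marker block.
console_fingerprints() {
    sed -n '/BEGIN SSH HOST KEY FINGERPRINTS/,/END SSH HOST KEY FINGERPRINTS/p' |
        awk '$1 == "ec2:" && $3 ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ {
                 gsub(/[()]/, "", $5)
                 print $3, $5
             }'
}

# fingerprint_in_console FINGERPRINT: exit 0 if FINGERPRINT is one of the host
# key fingerprints in the console output read on stdin, else exit 1.
fingerprint_in_console() {
    console_fingerprints |
        awk -v fp="$1" '$1 == fp { found = 1 } END { exit (found ? 0 : 1) }'
}

# Real-world use (not run here): compare the key the network presents with the
# key the instance printed. ssh-keyscan/ssh-keygen are standard OpenSSH tools.
#   fp=$(ssh-keyscan -t rsa HOST 2>/dev/null | ssh-keygen -lf - | awk '{ print $2 }')
#   ec2-get-console-output INSTANCE_ID | fingerprint_in_console "$fp" && echo "host key verified"

# Demonstration on the constructed sample: lists the two fingerprints.
printf '%s\n' "$SAMPLE_CONSOLE" | console_fingerprints
```

      Only once the fingerprint matches should the new key be accepted into known_hosts; if it does not match, treat the instance as untrusted and look at the console output and the security group before going further.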
      
  • one-time setup for EC2 physical firewall
    • manually change EC2_ACCOUNT_NUMBER with the 12-or-so digit number fetched from the AWS console
    • SSH via gateways only. Also, images change constantly, so you WILL see the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" message often; you can verify the key if you want to with ec2-get-console-output or via the EC2 web UI.
    • 18980-18981 is for monitoring JMX over RMI via OpenNMS
    • Create security group first via web ui or cli
       
      No Format
      #!/bin/bash
      # Log in through the web console first and create the new security group
      # (e.g. green-grameen) before adding its name to SEC_GROUPS below.
      set -ex
      SEC_GROUPS="digamber light-microfinance rise keef"
      # Replace with the 12-or-so digit account number from the AWS console.
      EC2_ACCOUNT_NUMBER=000000000000
      
      for SEC_GROUP in ${SEC_GROUPS}
      do
          # SSH only from the gateway addresses (see "SSH gateways" above)
          ec2-authorize -P tcp -p 22-22 -s 75.149.167.24/32 ${SEC_GROUP}
          ec2-authorize -P tcp -p 22-22 -s 10.252.50.116/32 ${SEC_GROUP}
          ec2-authorize -P tcp -p 22-22 -s 184.72.240.48/32 ${SEC_GROUP}
          # HTTP/HTTPS open to the world (the Mifos web front end)
          ec2-authorize -P tcp -p 443-443 -s 0.0.0.0/0 ${SEC_GROUP}
          ec2-authorize -P tcp -p 80-80 -s 0.0.0.0/0 ${SEC_GROUP}
          # JMX over RMI for OpenNMS, from the monitoring addresses only
          ec2-authorize -P tcp -p 18980-18981 -s 10.252.50.116/32 ${SEC_GROUP}
          ec2-authorize -P tcp -p 18980-18981 -s 184.72.240.48/32 ${SEC_GROUP}
          # SNMP (UDP and TCP) and ICMP, from the monitoring addresses only
          ec2-authorize -P udp -p 161-161 -s 10.252.50.116/32 ${SEC_GROUP}
          ec2-authorize -P udp -p 161-161 -s 184.72.240.48/32 ${SEC_GROUP}
          ec2-authorize -P tcp -p 161-161 -s 10.252.50.116/32 ${SEC_GROUP}
          ec2-authorize -P tcp -p 161-161 -s 184.72.240.48/32 ${SEC_GROUP}
          ec2-authorize -P icmp -t -1:-1 -s 10.252.50.116/32 ${SEC_GROUP}
          ec2-authorize -P icmp -t -1:-1 -s 184.72.240.48/32 ${SEC_GROUP}
          # let instances in this group reach the shared "ldap" security group
          ec2-authorize -o ${SEC_GROUP} -u ${EC2_ACCOUNT_NUMBER} ldap
      done
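
      The script above hard-codes every rule, so a mistyped source or port (22 instead of 80 against 0.0.0.0/0, say) is applied silently. As an added example that is not part of this runbook, the functions below keep the rules as data, lint them against the intent stated on this page (only 80 and 443 world-reachable, SSH only from single /32 addresses) and only then print the ec2-authorize commands. The rule list is constructed for the example, mirroring the script's shape, with a deliberately bad last line; the cross-group "ldap" rule is left out of the generator and would still be added by hand.

```shell
#!/bin/sh
# Added example, not part of the Mifos runbook: keep the security-group rules
# as data and lint them before feeding them to ec2-authorize, so a typo cannot
# quietly expose SSH or the JMX/SNMP ports to 0.0.0.0/0.

# One rule per line: "<proto> <port-range or icmp type:code> <source CIDR>".
# CONSTRUCTED for the example: follows the shape of the runbook's script, and
# the final line is a deliberate mistake for the linter to catch.
RULES='tcp 22-22 75.149.167.24/32
tcp 443-443 0.0.0.0/0
tcp 80-80 0.0.0.0/0
tcp 18980-18981 10.252.50.116/32
udp 161-161 10.252.50.116/32
icmp -1:-1 10.252.50.116/32
tcp 22-22 0.0.0.0/0'

# lint_rules: read rules on stdin. Report any rule open to the world on a port
# other than 80/443, and any SSH rule not pinned to a single /32 source.
# Exit 1 if anything was reported, else 0.
lint_rules() {
    awk '
        $3 == "0.0.0.0/0" && $1 != "icmp" && $2 != "80-80" && $2 != "443-443" {
            print "WORLD-OPEN:     " $0; bad = 1; next
        }
        $1 == "tcp" && $2 == "22-22" && $3 !~ /\/32$/ {
            print "SSH-NOT-PINNED: " $0; bad = 1; next
        }
        END { exit (bad ? 1 : 0) }'
}

# authorize_cmds GROUP: read rules on stdin and print the ec2-authorize command
# for each one (printed, not executed, so this runs offline).
authorize_cmds() {
    awk -v g="$1" '
        $1 == "icmp" { print "ec2-authorize -P icmp -t " $2 " -s " $3 " " g; next }
        { print "ec2-authorize -P " $1 " -p " $2 " -s " $3 " " g }'
}

# apply_rules GROUP: lint first; print the commands only if lint passed.
# Real use (not run here):  printf '%s\n' "$RULES" | apply_rules rise | sh
apply_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | lint_rules >&2 || return 1
    printf '%s\n' "$rules" | authorize_cmds "$1"
}

# Demonstration on the constructed list: the bad last line makes lint fail.
printf '%s\n' "$RULES" | lint_rules || echo "lint failed, not applying" >&2
```

      Running the lint before every change is cheap; re-running it against the rules you believe are in place after the fact (ec2-describe-group output reshaped into the same three columns) catches rules added by hand through the web UI as well.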
      
  • Create RDS security group
    • Authorize EC2 security group for MFI
    • Authorize default EC2 security group temporarily to make importing existing database more straightforward, remove after importing
  • Create RDS instances as m1.small initially
    • v5.1.50
    • enable auto minor version upgrade
    • allocate 10GB
    • use the MFI long name for the MySQL instance (e.g. "rise", "secdep")
    • initial user/pass can be anything simple, this will be changed later
    • leave Database Name blank
    • Db Parameter Group: "mifoscloud"
    • backup retention period: 8 days (best for PITR/binlogs)
    • backup window: 1600-1700 UTC (good for India/Philippines/Africa)
    • maintenance windows Saturday 1700-1800 UTC
    • example:
      No Format
      Engine: mysql
      Engine Version: 5.1.50
      Auto Minor Ver. Upgrade: Yes
      DB Instance Class: db.m1.small
      Multi-AZ Deployment: Yes
      Allocated Storage: 10
      DB Instance Identifier: rise
      Master User Name: mifos
      Master User Password: mifos
      Database Name:
      Database Port: 3306
      Availability Zone: Using a Multi-AZ Deployment disables this preference.
      DB Parameter Group: mifoscloud
      DB Security Group(s):rise
      Backup Retention Period: 8
      Backup Window: 16:00-17:00
      Maintenance Window: Saturday 17:00-Saturday 18:00
      
  • Create chef roles, base + test + prod + optional MFI specific recipe
    • look at an existing role
      • knife role show mifos_digamber
    • create a new role
      • knife role create mifos_rise
      • knife role create mifos_rise_test
        (look at mifos_digamber_prod, mifos_digamber_test for examples)
  • Create 2 EBS volumes, one each for test and prod (for storing uploads)
    for testing:
    No Format
    ec2-create-volume --snapshot snap-5abd2f36 -s 1 -z us-east-1d
    ec2-create-tags -t Name=testing-digamber <vol-id>
    
    for prod:
    No Format
    ec2-create-volume --snapshot snap-5abd2f36 -s 1 -z us-east-1a
    ec2-create-tags -t Name=digamber <vol-id>
    
  • Update DNS if required; this is typically needed when this is a new MFI.
    • Allocate elastic ip
    • run nslookup on the IP to get its EC2 hostname
    • create CNAME in network solutions management console (use CNAME instead of A record so inter/intra-AZ data transfer will be charged at lower rate)
  • Create EC2 instances
    • get ami-id from hudson job: https://ci.mifos.org/hudson/view/cloud/job/cloud-mifos-image
    • latest ami-id for 2.0.2: ami-8a8d7fe3 (see at end: https://ci.mifos.org/hudson/view/cloud/job/cloud-mifos-image/44/console)
      No Format
      ec2-run-instances ami-8a8d7fe3 --instance-type m1.small -z us-east-1d -d '{ "run_list":  ["role[ldapclient]", "role[base]" ] }' --disable-api-termination -g rise
      ec2-create-tags -t Name=testing-rise.mifos.org -t Service=Mifos INSTANCE_ID
      
    • on boot, the node will add itself to the chef server (see rc.local, imaging/create_image.py, cloud source code)
    • make sure you can login via SSH. If not, fetch console output (this is something you may have to do from time to time):
      No Format
      ec2-get-console-output INSTANCE_ID
      
    • attach ec2 volume
      No Format
      ec2-attach-volume -i INSTANCE_ID -d /dev/sdc1 vol-ee7e2386
      
    • knife node edit INSTANCE_ID.mifos.org, add "role[mifos_rise_test]" to run list section or do through http://manage.opscode.com
    • log into box and run sudo chef-client to see change immediately or wait 30 minutes or so
  • set up Mifos and Pentaho databases
    No Format
    sudo /etc/pentaho/system/mifos_pentaho_init.sql -u mifos -pmifos
    
    • change mifos password via AWS Web UI (Modify RDS instance, put a password generated with, for example, apg, in the "Master User Password" field)
  • add backup jobs to BackupPC
    • when adding new backup host, use the NEWHOST=COPYHOST syntax mentioned on the "edit hosts" page
    • edit ~backuppc/.ssh/config, disabling strict host checking
  • add monitoring of box to OpenNMS
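
  BackupPC's SSH key is normally trusted as root on every host it backs up, so disabling host key checking for all hosts (a bare "Host *" stanza) means anything that can answer for a backup host's address can impersonate it and receive that access; scoping the stanza to the MFI hosts, or keeping checking on and clearing the stale key with ssh-keygen -R when an image is rebuilt, limits that. As an added example that is not part of this runbook, the function below reads an ssh_config and reports any StrictHostKeyChecking no that is not tied to a specific Host pattern. The two config fragments are constructed for the example; their layout is an assumption, not the actual ~backuppc/.ssh/config.

```shell
#!/bin/sh
# Added example, not from the Mifos runbook: flag ssh_config stanzas that turn
# off host key checking for every host instead of for named backup hosts.

# CONSTRUCTED ssh_config fragments: the global form the check should reject,
# and a form scoped to hosts named on this page (layout is an assumption).
GLOBAL_CFG='Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null'

SCOPED_CFG='Host testing-rise.mifos.org rise.mifos.org
    StrictHostKeyChecking no
    ProxyCommand ssh birch.mifos.org exec /bin/nc %h %p

Host *
    ServerAliveInterval 60'

# audit_ssh_config: read ssh_config on stdin; print each "StrictHostKeyChecking
# no" that is not under a specific Host pattern (no Host line yet, or "Host *");
# exit 1 if any were found. Keywords are matched case-insensitively, as ssh does.
audit_ssh_config() {
    awk '
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "stricthostkeychecking" && tolower($2) == "no" {
            if (host == "" || host == "*") {
                print "unscoped StrictHostKeyChecking no (Host " (host == "" ? "<none>" : host) ")"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Real use (not run here):  audit_ssh_config < ~backuppc/.ssh/config
# Demonstration on the constructed fragments:
printf '%s\n' "$GLOBAL_CFG" | audit_ssh_config || echo "global config: rejected" >&2
printf '%s\n' "$SCOPED_CFG" | audit_ssh_config && echo "scoped config: ok" >&2
```

  A scoped "no" is still weaker than a checked key; it is the minimum that keeps the backup account from trusting every address it is ever pointed at.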

...

  • Identify which situation, by checking if other nodes in the same AZ are available or not.
  • If hardware failure, simply launch a new instance with the appropriate AMI, add it to chef config, remap elastic ip, mount volumes, etc.
  • If an entire AZ is down then
    • create new volumes in alternate AZ, and retrieve from backuppc the uploads, custom reports etc.
      • only use the "tar download" restore method, and only for the /etc/mifos/uploads dir: download to your local machine, then copy to the remote host and untar as user "tomcat6"
    • relaunch each frontend into an alternate AZ, add to chef config, remap elastic ips, mount new volumes etc.

...