Notes from conversations with Alicia

Wrap-up questions / future work

...

TODO

  • override usernames in roles/housekeeping/defaults/main.yml
  • determine / document how to write and execute a one-off ansible script
  • determine / document which variables to change for creating staging, as opposed to production, and how to do this.
  • add additional keys for the ubuntu user
  • delete all instances (but keep backups)
  • create a virtual host stanza for port 443
  • generate a self-signed cert; store it in ansible-vault and manage it via ansible
  • set up log rotation - done via ansible
  • check log rotation for tomcat and solr; needs to be checked after the boxes have run for a bit. Log rotation still needs to be set up for application logs.
  • with nginx I ran into a max body upload size issue – is that a thing with apache, or have you never seen a problem like that? - yes, but she thinks the limit is something like 3G.
  • monitoring:
    • website availability
    • services
    • for security
      • user account creation
      • CPU / memory monitoring can help identify security breaches as well
      • keep an eye on AWS; if we start seeing boxes we didn't create spin up, there's a problem
  • testing ansible – put in some asserts? http://docs.ansible.com/test_strategies.html

Changes I'd like to make

...

  • set up log rotation for application logs.
  • create google doc from alicia's report, integrate these notes into that!

Executing the scripts

# ansible config contains private data encrypted using ansible-vault; ask anna for the password

...

  • Alicia tends to name this after the keypair.
  • if on CentOS (which we are not) you must remember to make iptables match these rules
  • do we still need to close port 8080 or has that been done in ec2 scripts? - done via console

User - if these credentials are leaked, the access keys on this IAM user can be rotated (deactivate the old keys, issue new ones).

...

  • the launch-ec2 one does the heavy lifting: it creates the instance, then creates a volume and attaches it
  • the ec2 role then installs the AWS-specific tools used for backups on the box; for obvious reasons that has to come later in the process, once the instance exists
  • the backup script reads the same variable that names the backups when they are created, so the value can vary by machine (e.g. the production machine uses "CHF-prod" and the staging machine "CHF-stage") and each machine only deletes its own backups as they age out

vault

The credentials in the vaulted files are all new. For backups, I generated a new IAM user, new credentials, and a policy that only has access to snapshots. For creating instances, I generated new credentials on the existing IAM user and turned off the old credentials (because they will be on GitHub now if you know how to find them).
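The two points above (the backup script keyed by a per-machine name variable, and the backup IAM user that can only touch snapshots) fit together; here is an added example of both, not the project's own backup script or policy. It assumes the Ansible role hands the script a single name such as "CHF-prod" or "CHF-stage", that backups are EBS snapshots tagged Name=<that value>, and that the boto3 EC2 client is used for a real run; the policy is a proposed minimal action set, not the one actually deployed, and the snapshot records and fake client are constructed for illustration.

```python
"""Per-machine EBS backup with retention keyed by one name variable.

Added example (assumptions: Name tag carries the machine's backup name,
boto3-style EC2 client). The constructed data below stands in for a real
describe_snapshots response.
"""
from datetime import datetime, timedelta, timezone

# Proposed minimal action set for the backup-only IAM user: no ec2:*, and
# nothing that can launch or terminate instances. Assumption, not the
# project's deployed policy.
SNAPSHOT_ACTIONS = [
    "ec2:DescribeVolumes",
    "ec2:DescribeSnapshots",
    "ec2:CreateSnapshot",
    "ec2:CreateTags",
    "ec2:DeleteSnapshot",
]


def backup_user_policy():
    """IAM policy document granting only the snapshot actions above."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(SNAPSHOT_ACTIONS), "Resource": "*"}
        ],
    }


def snapshot_name(snapshot):
    """Return the Name tag of a describe_snapshots entry, or None if untagged."""
    for tag in snapshot.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return None


def expired_snapshots(snapshots, name, keep_days, now=None):
    """IDs of *this machine's* snapshots that are older than keep_days.

    Snapshots tagged with another machine's name, or with no Name tag at all,
    are never returned, so a staging box cannot prune production's backups.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=keep_days)
    return sorted(
        s["SnapshotId"]
        for s in snapshots
        if snapshot_name(s) == name and s["StartTime"] < cutoff
    )


def backup_and_prune(ec2, volume_id, name, keep_days, now=None):
    """Create a snapshot tagged Name=<name>, then delete this name's expired ones.

    Returns (new_snapshot_id, list_of_deleted_ids).
    """
    new = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f"{name} backup",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )
    existing = ec2.describe_snapshots(
        OwnerIds=["self"],
        Filters=[{"Name": "tag:Name", "Values": [name]}],
    )["Snapshots"]
    doomed = [s for s in expired_snapshots(existing, name, keep_days, now)
              if s != new["SnapshotId"]]
    for sid in doomed:
        ec2.delete_snapshot(SnapshotId=sid)
    return new["SnapshotId"], doomed


# ---- constructed sample data (not a real AWS account) -----------------------
NOW = datetime(2016, 1, 10, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-prod-old", "StartTime": datetime(2015, 11, 1, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "CHF-prod"}]},
    {"SnapshotId": "snap-prod-new", "StartTime": datetime(2016, 1, 5, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "CHF-prod"}]},
    {"SnapshotId": "snap-stage-old", "StartTime": datetime(2015, 10, 1, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "CHF-stage"}]},
    {"SnapshotId": "snap-untagged", "StartTime": datetime(2015, 1, 1, tzinfo=timezone.utc)},
]


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (example only)."""

    def __init__(self, snapshots, now):
        self.snapshots = list(snapshots)
        self.now = now
        self.deleted = []

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        sid = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append({"SnapshotId": sid, "StartTime": self.now,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": sid}

    def describe_snapshots(self, OwnerIds, Filters):
        wanted = Filters[0]["Values"]
        return {"Snapshots": [s for s in self.snapshots if snapshot_name(s) in wanted]}

    def delete_snapshot(self, SnapshotId):
        self.deleted.append(SnapshotId)
        self.snapshots = [s for s in self.snapshots if s["SnapshotId"] != SnapshotId]


if __name__ == "__main__":
    # Stand-alone demo against the constructed data; a real run would pass
    # boto3.client("ec2") and the Name value from the Ansible variable instead.
    ec2 = FakeEC2(SAMPLE_SNAPSHOTS, NOW)
    print(backup_and_prune(ec2, "vol-example", "CHF-prod", keep_days=30, now=NOW))
```

With keep_days=30 the production run deletes only snap-prod-old: the older staging snapshot and the untagged one are left alone because the filter is on the Name tag, not just on age. The same script run on the staging box with "CHF-stage" would delete snap-stage-old and nothing of production's.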

...