Notes from conversations with Alicia
Wrap up questions / future work
...
TODO
- override usernames in roles/housekeeping/defaults/main.yml
- determine / document how to write and execute a one-off ansible script
- determine / document which variables to change for creating staging, as opposed to production, and how to do this.
- add additional SSH keys for the ubuntu user
- delete all instances (but keep backups)
- create virtual hosts stanza for 443
- generate self-signed cert - store it in ansible-vault, manage it via ansible
- set up log rotation - done via ansible
- check log rotation for tomcat and solr; needs to be re-checked after running for a while. Still needs to be done for application logs.
- with nginx I ran into a max body upload size issue – is that a thing with apache, or have you never seen a problem like that? - yes, but she thinks it's around 3G.
- monitoring:
  - website availability
  - services
  - for security:
    - user account creation
    - CPU / memory monitoring can help identify security breaches as well
    - keep an eye on AWS; if we start seeing boxes we didn't create spin up, there's a problem
- testing ansible – put in some asserts? http://docs.ansible.com/test_strategies.html
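As an added example (not code from Alicia's repo), the two TODO items above can be covered by one playbook: a one-off check that is run by hand against the same inventory and vault the roles use, with `assert` tasks in the style of the linked test-strategies page. The host group `webservers`, the logrotate file paths and the variable name `backup_name` are assumptions; a true one-liner that needs no playbook would be `ansible webservers -i hosts -m command -a 'ss -ltn' --ask-vault-pass`.

```yaml
# check-hosts.yml - added example, not part of the original roles.
# Run by hand: ansible-playbook -i hosts check-hosts.yml --ask-vault-pass
# (the vault password is needed because group_vars are vaulted).
- hosts: webservers          # assumed group name
  remote_user: ubuntu
  become: yes
  gather_facts: no
  tasks:
    # Reachability checks run from the control machine, so they see what the
    # security group exposes, i.e. whether closing 8080 in the console worked.
    - name: port 8080 must not be reachable from outside
      wait_for:
        host: "{{ inventory_hostname }}"
        port: 8080
        state: stopped
        timeout: 5
      delegate_to: localhost
      become: no

    - name: the 443 virtual host must be listening
      wait_for:
        host: "{{ inventory_hostname }}"
        port: 443
        state: started
        timeout: 5
      delegate_to: localhost
      become: no

    # Log rotation: fail loudly instead of noticing a full disk weeks later.
    - name: look for logrotate configs for tomcat and solr (assumed paths)
      stat:
        path: "{{ item }}"
      loop:
        - /etc/logrotate.d/tomcat
        - /etc/logrotate.d/solr
      register: rotate_cfgs

    - name: every expected logrotate config must exist
      assert:
        that:
          - rotate_cfgs.results | rejectattr('stat.exists') | list | length == 0
        msg: "a logrotate config is missing; application logs will grow unbounded"

    # Each box must carry its own backup name (CHF-prod vs CHF-stage) or the
    # backup script will create and prune the wrong set of snapshots.
    - name: per-machine backup name must be set (assumed variable name)
      assert:
        that:
          - backup_name is defined
          - backup_name | length > 0
        msg: "set backup_name in the host's group_vars before enabling backups"
```

Because nothing in the playbook changes state, it can be run against production at any time; a failing assert is the signal that a role regressed or that a console-side change (like the 8080 security-group rule) was undone.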
Changes I'd like to make
...
- set up log rotation for application logs.
- create google doc from alicia's report, integrate these notes into that!
Executing the scripts
# ansible config contains private data encrypted using ansible-vault; ask anna for the password
...
- Alicia tends to name this after the keypair.
- if on CentOS (which we are not) you must remember to make iptables match these rules
- do we still need to close port 8080 or has that been done in ec2 scripts? - done via console
User - access keys can be rotated if these credentials are leaked
...
- the launch-ec2 one does the heavy lifting - creates the instance and then creates and attaches a volume
- the ec2 role then installs the AWS-specific tools used for backups on the box; that has to come after the instance exists
- Backup script pulls the same variable that was used to create the backups, so it can vary by machine (e.g. the production machine could use "CHF-prod" and the staging machine "CHF-stage") and each machine will delete only its own backups over time.
vault
The credentials in the vaulted files are all new. For backups, I generated a new IAM user, new credentials, and a policy that only has access to snapshots. For creating instances, I generated new credentials on the existing IAM user and turned off the old credentials (because they will be on GitHub now if you know how to find them).
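The following is an added illustration of what a "snapshots only" policy for the backup user can look like, expressed as an Ansible task so it can be managed alongside the rest of the config; it is not the policy Alicia actually created. The IAM user name `backup`, the policy name, and the module name `amazon.aws.iam_policy` (plain `iam_policy` in older Ansible) are assumptions to check against the installed version.

```yaml
# iam-backup-policy.yml - added example, not from the original repo.
# Run from a machine whose environment holds the admin credentials:
#   ansible-playbook iam-backup-policy.yml
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    # Least privilege for the backup script: it needs to find the volume,
    # take a snapshot, tag it, list existing snapshots and prune old ones.
    # Nothing here lets a leaked key launch instances or touch IAM.
    snapshot_only_policy:
      Version: "2012-10-17"
      Statement:
        # Describe* calls do not support resource-level restrictions in IAM,
        # so they have to be granted on "*".
        - Sid: ReadVolumesAndSnapshots
          Effect: Allow
          Action:
            - ec2:DescribeVolumes
            - ec2:DescribeSnapshots
          Resource: "*"
        - Sid: ManageSnapshots
          Effect: Allow
          Action:
            - ec2:CreateSnapshot
            - ec2:DeleteSnapshot
            - ec2:CreateTags
          Resource: "*"
  tasks:
    - name: attach the snapshot-only inline policy to the backup user
      amazon.aws.iam_policy:          # assumed module name; see lead-in
        iam_type: user
        iam_name: backup              # assumed user name
        policy_name: snapshot-only
        policy_json: "{{ snapshot_only_policy | to_json }}"
        state: present
```

The caveat a practitioner would raise: `ec2:DeleteSnapshot` is still in the policy because the script prunes its own backups, so a leak of these keys can destroy backups even though it cannot create instances. If that matters, split pruning into a separate credential, or add a tag condition so deletion is limited to snapshots carrying the machine's own backup name.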
...