
Version 141 (modified by chris, 2 years ago) (diff)

mysql config changes section updated

Puffin

puffin.webarch.net is an 8GB RAM, 14 CPU core Debian Wheezy virtual server which replaced NewLiveServer and DevelopmentServer for running the Transition Network Drupal sites. It went live in early 2013.

This server was migrated to run off a ZFS server in October 2013, see ticket:593 and it was upgraded from Squeeze to Wheezy on 17th November 2013, see ticket:535.

It was agreed to call this server puffin at the ttech meeting on 22nd November 2012, see ticket:463. The install and initial configuration of this server was tracked on ticket:466, see also the other PuffinServer#migrationtickets. Other services from the old server were migrated to PenguinServer.

System updates were recorded on ticket:218 and are currently recorded on ticket:692. BOA update tickets are listed at PuffinServer#Upgradetickets.

Munin Stats

There are munin stats for the server available here

See ticket:555#comment:13 for the notes regarding the installation of the MySQL munin stats package. See ticket:677#comment:3 for the Redis plugin install notes.

Sometimes the IO State graph stops, this can be fixed by deleting the lock files, see ticket:555#IOstategraph.

Some BOA upgrades change the Redis password; when that happens it needs to be copied from /etc/redis/redis.conf to /etc/munin/plugin-conf.d/munin-node and munin-node needs restarting, see ticket:730.

We did have a trial with New Relic in 2013, see ticket:586, but this isn't ongoing.

HTTP Stats

The wiki:PiwikServer generates stats from the humans visiting the server and some of these stats have been made public on wiki:WebStats.

There are some notes on analysing the raw Nginx stats on wiki:WebServerLogs and Webalizer stats for Puffin are available using the same username/password as this Trac site.

There is a wiki:ErrorCodeCheck script which emails the total number of HTTP errors each day, see ticket:483#comment:63 for a list of the total for August, September and October 2013.

Load Spikes

The documentation of the load spike suicides that the server suffered from in 2013 has been archived to wiki:PuffinServerBoaLoadSpikes as that documentation is now outdated.

When the server was updated to BOA-2.2.3 on ticket:721 the scripts in /var/xdrago/ were changed; however, the load spike issue hasn't been fully resolved, see ticket:670#comment:22.

Tickets

Most of the "live server" tickets relate to puffin, but the older ones, prior to ticket number #466, are for previous servers.

Current live server tickets

Ticket Summary Owner Reporter
#924 Sheffield Server Shutdown Timetable? chris chris
#918 redirects? chris sam
#905 TN site down due to redis not running chris chris
#904 Issues to consider in the migration from Drupal to WordPress chris chris
#903 Large load spike on PuffinServer chris chris
#901 Enable SSH access to PuffinServer for Ade chris chris
#898 Fwd: Access to Drupal chris ade
#897 Hosting information/requirements for 2016 chris chris
#893 BOA Cron Jobs chris chris
#884 RE: http://news.transitionnetwork.org ade paul
#875 Free HTTPS certificates from Let's Encrypt chris chris
#859 Subscription emails broken paul sam
#847 Upgrade Servers to Debian Jessie chris chris
#836 "Date is invalid" on film content type paul sam
#834 Slovenian State info missing again paul sam
#824 Analysis of the 2014 maintenance ticket time chris chris
#814 Higher that usual loads on PuffinServer since early September chris chris
#812 space.transitionnetwork.org hacked? chris chris
#790 Annesley locked out of puffin chris chris
#763 Server Backups chris chris
#742 Stg site to play with paul sam
#716 Heartbleed chris chris
#692 Debian Updates chris chris
#689 Duplicate comments paul sam
#644 AWstats Nginx config breaks aegir chris jim
#626 Add redirect from an old CMS to a new URL chris ed
#587 Puffin MySQL Tuning chris chris

Closed live server tickets

Ticket Summary Owner Reporter
#920 SSL weirdness? chris sam
#913 Drupal Site off-line chris chris
#900 Unusal High Load on Puffin chris chris
#896 Chive access to TN Drupal DB chris chris
#895 HTTPS wildcard *.transitionnnetwork.org expires on 22nd January 2016 chris chris
#889 BOA-2.4.7 ade chris
#872 BOA 2.4.6 chris chris
#864 BOA 2.4.5 chris chris
#863 BOA-2.4.4 chris chris
#862 Puffin locked ade chris
#854 BOA 2.4.3 chris chris
#846 Load Spikes on BOA PuffinServer chris chris
#845 Unneeded FTP server on PuffinServer chris chris
#844 Stable BOA 2.4.2 Release chris chris
#843 8.8.8.8 (US/United States/google-public-dns-a.google.com) blocked for port scanning chris chris
#839 Stable BOA-2.4.1 Release chris chris
#837 Iframe in a panel page ben sam
#831 Rob is having Image upload issues paul ade
#828 Site down due to massive load spike 2015-01-29 chris chris
#827 Stable BOA-2.4.0 Release chris chris
#820 *.transitionnetwork.org 2015 security certificate chris chris
#797 POODLE: SSLv3.0 vulnerability (CVE-2014-3566) chris chris
#795 SHA1 Deprecation: Regenerate all certs using SHA256 chris chris
#788 New BOA-2.3.3 Stable Edition available chris chris
#784 New BOA-2.3.0 chris chris
#779 Annesley locked out of puffin? chris chris
#775 New BOA-2.2.9 Stable Edition available chris chris
#769 Locked myself out of puffin again paul annesley
#765 New BOA-2.2.8 Stable Edition chris chris
#762 cannot log in to Puffin chris annesley
#760 New BOA-2.2.7 Stable Edition chris chris
#754 Can we upgrade from PHP 5.3? chris chris
#745 Upgrade to BOA-2.2.6 Stable Edition chris chris
#730 Redis Munin stats for puffin chris chris
#725 Upgrade to BOA-2.2.5 chris chris
#721 Upgrade to BOA-2.2.3 Stable Edition chris chris
#717 Heartbleed / Open SSL vunerability chris sam
#707 Upgrade to BOA-2.2.2 chris chris
#698 intransitionmovie.com returns 405 on submit sam sam
#685 SSL certificate about to expire? chris sam
#683 Create Aegir account for Paul jim sam
#678 transitionnetwork.org unavailable chris sam
#677 Spike in MyISAM (search) database activity, Redis unable to cache such requests chris chris
#674 Puffin locked up chris chris
#673 Install mosh - the mobile shell chris chris
#670 Roll back performance customisations and use stock BOA settings where possible jim jim
#629 Upgrade to BOA-2.1.3 Stable Edition chris chris
#612 Upgrade to BOA-2.1.1 Stable Edition chris chris
#610 Aegir database intensive (migrate, clone, restore) tasks hang for larger sites jim jim
#604 Times for admin tasks chris ed
#599 Server time drift chris chris
#593 Migrating Puffin to a ZFS file server chris chris
#591 Move MySQL temporary directory to tmpfs chris jim
#589 Blocking spammers at a firewall level chris chris
#588 RSS feed caching chris chris
#586 New Relic Monitoring for BOA chris chris
#585 TTech Meeting 5th September 2013 ed chris
#580 php5-fpm starting when puffin boots chris chris
#576 Site down chris ed
#574 EFF: How HTTPS Everywhere affects transitionnetwork.org chris chris
#573 MariaDB 5.5.32 is available for Puffin chris chris
#569 403s served to editors, admin very slow chris ed
#567 Update BOA for new Redis 2.6.14 chris chris
#563 503 Errors chris chris
#555 Load spikes causing the TN site to be stopped for 15 min at a time chris chris
#554 Site slow down and MySQL load increase chris chris
#552 Puffin Downtime 23rd May 2013 chris chris
#549 Support with publishing process mark ed
#547 New Barracuda BOA-2.0.9 Edition available chris chris
#545 Registration page: 502 chris ed
#544 CSF / LDF false positive blocks on Puffin chris chris
#543 Puffin Load Spike chris chris
#535 Upgrade Puffin, Penguin and Parrot from Debian Squeeze to Wheezy chris chris
#531 Disk usage on puffin chris chris
#530 New Barracuda BOA-2.0.8 Edition available chris chris
#529 New Barracuda BOA-2.0.7 Edition available chris chris
#522 Uninstall 'collectd' as redundant in face of Munin setup chris chris
#503 Widget owners cannot see project moderation tab jim ed
#500 Quince shutdown chris chris
#499 MySQL backup dump error on puffin chris chris
#489 Problems with SSL? chris ed
#487 robots.txt files for development sites jim chris
#483 Nginx 502 Bad Gateway Errors with BOA chris chris
#481 Puffin tweaks chris jim
#478 Import TN.org site from Quince to Puffin jim jim
#475 Generate a new SSL certificate chris chris
#472 Quince to Puffin rsync script chris chris
#471 Ttech Skype Meeting 17th December 2012 chris chris
#470 Penguin install and configuration chris chris
#468 Load problems on kiwi and quince chris chris
#466 Puffin install and configuration chris chris
#463 Ttech Skype Meeting 22nd November 2012 chris chris
#421 Subdomains: list from user: normal? chris ed
#420 Varnish Downtime chris chris
#417 Images issue on site chris laura
#409 HTTPS Security Issues chris chris
#408 MySQL InnoDB Changes chris chris
#405 Live server APC settings chris chris
#404 Wild card domain names - *.transitionnetwork.org chris chris
#403 Wild card domain names - *.transitionnetwork.org chris chris
#401 Intransitionmovie.com errors with Google and Paypal laura laura
#398 Host Upgrade to Debian Squeeze chris chris
#397 Live server RAM and disk upgrade chris chris
#396 Migrate MySQL Databases from MyISAM to InnoDB chris chris
#392 PSE Server Upgrade chris chris
#391 PSE tracking, moderation and security chris chris
#390 Apache pcre segfaults chris chris
#386 Domain redirect for the InTransitionmovie domain chris laura
#385 Install new SSL certificate on TN.org chris laura
#370 Problem with nightly MySQL backup load chris chris
#369 Drupal-level performance enhancements jim jim
#301 Upgrade LIVE server to Debian Squeeze chris jim
#287 Live Server Load chris chris
#227 Set up mirroring capability for core data types chris ed
#221 Adding Big Blue Button to TN.org: QUOTE PLEASE chris ed
#218 Debian upgrades and updates chris chris
#165 Security certificate warning on new server chris ed
#147 Migration of live server chris chris
#132 Documentation jim ed
#131 nodequeue: front page add broken jim ed
#130 Remove 'promote' function on items jim ed
#128 Design: links in some blocks wrong colour laura ed
#125 'Facilitator' and 'Speaker' to the user profile editing options jim ed
#124 Live database backups chris chris
#122 email alerts for moderation actions john ed
#121 email alerts for new projects and project updates john ed
#120 Patterns Directory: start a new directory jim ed
#119 Initiatives by number table needs UK *not* broken laura ed
#118 Newsletter - integrate MailChimp with Drupal name fields Content Profile fields jim ed
#117 Forum PathAuto settings not working jim jim
#116 Update all Drupal modules jim jim
#115 Update Drupal core to 6.19, plus the theme and modules to latest jim jim
#114 Change web host, use better Drupal stack, save CO2 with modern VPS + server setup Ed jim
#113 A forum list of all the latest topics jim ed
#112 Swap mollom for reCatpcha on registration jim ed
#111 Adding a map block for directory pages ed ed
#110 Remove RHS blocks from events calendar page jim ed
#109 Commenting process needs tidying up jim ed
#106 extra text for initiative addition form jim ed
#105 Initiative profile editors locked out of their profiles jim ed
#104 Media page: add map to listings jim ed
#103 Managing news install chris ed
#101 27th June 2010 Site Downtime chris chris
#97 Hardware upgrade to GH tier2 servers chris ed

Barracuda Octopus Aegir

The server uses Octopus to manage Aegir and also the updates to the Transition Network Drupal site. This system is installed and upgraded using Barracuda; the Barracuda Octopus Aegir combination is documented on the BOA wiki.

The initial BOA install script output has been saved on ticket:466#comment:22 and the updates are now documented on tickets listed at PuffinServer#Upgradetickets.

MariaDB

The MySQL root password is available in /root/.my.cnf.

Tuning of the MySQL server is being tracked on ticket:587.

We have set MySQL to use a RAM disk for temp tables, see ticket:591.

BOA installs MariaDB as the MySQL server using the debs from the MariaDB site, see /etc/apt/sources.list.d/mariadb.list. These are the current (2013-01-13) packages which are installed (note that only the config files remain for php5-mysql, as PHP is now installed from source code by BOA):

dpkg -l | grep -i mysql
ii  libdbd-mysql-perl                       4.021-1+b1                    amd64        Perl5 database interface to the MySQL database
ii  libmysqlclient16                        5.1.72-2                      amd64        MySQL database client library
ii  libmysqlclient18                        5.5.34+maria-1~wheezy         amd64        Virtual package to satisfy external depends
ii  mariadb-common                          5.5.34+maria-1~wheezy         all          MariaDB database common files (e.g. /etc/mysql/conf.d/mariadb.cnf)
ii  mysql-common                            5.5.34+maria-1~wheezy         all          MariaDB database common files (e.g. /etc/mysql/my.cnf)
ii  mytop                                   1.6-6                         all          top like query monitor for MySQL
rc  php5-mysql                              5.3.27-1~dotdeb.0             amd64        MySQL module for php5
ii  python-mysqldb                          1.2.3-2                       amd64        Python interface to MySQL

Nginx

BOA did use Nginx from dotdeb but now it compiles it from source, the dotdeb config files remain:

dpkg -l | grep -i nginx
rc  nginx-common                            1.4.1-1~dotdeb.0              all          small, powerful, scalable web/proxy server - common files

The only changes made to the default nginx configuration during the initial install were to move the key and cert it was using out of the way and symlink to the *.transitionnetwork.org ones, see ticket:466#comment:25 and also ticket:707#comment:21.

The other change made from the default BOA config is to enable Munin graphs, see wiki:PuffinServer#nginxconfigchanges

php-fpm

Please note that the version of php-fpm that the http://transitionnetwork.org/ site needs to be running to work properly is:

/etc/init.d/php53-fpm 

The config file for it is /opt/local/etc/php53-fpm.conf and when it is running it is listed in top and ps as php-fpm:

ps -lA | grep php
1 S     0 29482     1  0  80   0 - 188067 -     ?        00:00:00 php-fpm
5 S    33 29483 29482  2  80   0 - 205351 -     ?        00:01:32 php-fpm
5 S    33 29484 29482  2  80   0 - 199726 -     ?        00:01:28 php-fpm
...

Please note the settings that we changed from the default BOA ones in /opt/local/etc/php53-fpm.conf below.

When the server boots, another version of php-fpm is also started, which is listed in top and ps as php5-fpm, this one:

/etc/init.d/php5-fpm

It is configured via files in /etc/php5/fpm/. This version should be stopped if it is found to be running:

/etc/init.d/php5-fpm stop

It was stopped from running at runlevel 2 by deleting this symlink (see ticket:560#comment:17):

/etc/rc2.d/S01php5-fpm -> ../init.d/php5-fpm

But that didn't solve the problem, see ticket:580.

Redis

Tickets related to Redis issues:

  • ticket:730 Redis Munin stats stop working after BOA upgrade
  • ticket:554 Site slow down and MySQL load increase
  • ticket:677 Spike in MyISAM (search) database activity, Redis unable to cache such requests

Redis Munin graphs:

Upgrading BOA

The steps are documented in UPGRADE.txt. To upgrade everything run these commands; the process can take around 30 minutes:

sudo -i
screen
cd
wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
bash BOA.sh.txt
barracuda up-stable
octopus up-stable all

Useful links:

Note also the new hotfix tool (around line 102 of CHANGELOG.txt at time of writing) that allows post release fixes and system tweaks to be applied between full stable releases - i.e. without doing a full update to HEAD.

Upgrade tickets

The time each upgrade takes has been collected here due to concerns about how long the upgrades were taking, see ticket:629#comment:11

Munin config changes

BOA resets the Redis password on some upgrades, so it needs copying from /etc/redis/redis.conf to /etc/munin/plugin-conf.d/munin-node, and munin-node then needs restarting, see ticket:730.
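The copying step above is easy to get wrong by hand (the password is a single token in redis.conf, and the munin-node plugin file must keep its root-only permissions). The script below is an added example, not a BOA script or anything from this wiki: it reads the requirepass value from a redis.conf and rewrites the env.password line in the munin plugin config in place. It assumes the munin Redis plugin reads its password from an env.password setting (as the munin contrib redis_ plugin does); both file paths are parameters so it can be exercised on constructed copies, as the demo at the bottom does.

```shell
#!/bin/sh
# Added example: sync the Redis requirepass into the munin-node plugin config.
# Not from the wiki or BOA. Assumes the plugin block uses "env.password".

# Print the requirepass value from a redis.conf (empty if none is set).
redis_password() {
  sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Copy the Redis password into the munin plugin conf.
# Returns 0 if the file was changed, 1 if it already matched, 2 if redis.conf has no password.
sync_redis_munin_password() {
  redis_conf="$1"; munin_conf="$2"
  pass=$(redis_password "$redis_conf")
  [ -n "$pass" ] || return 2
  current=$(sed -n 's/^env\.password[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$munin_conf" | head -n 1)
  [ "$current" = "$pass" ] && return 1
  tmp=$(mktemp)
  if grep -q '^env\.password' "$munin_conf"; then
    # Rewrite the existing line (awk -v would expand backslashes in the password).
    awk -v p="$pass" '/^env\.password/ { print "env.password " p; next } { print }' "$munin_conf" > "$tmp"
  else
    # No plugin block yet: append one.
    { cat "$munin_conf"; printf '[redis_*]\nenv.password %s\n' "$pass"; } > "$tmp"
  fi
  # Write through the existing file so its owner and mode (root-only) survive.
  cat "$tmp" > "$munin_conf" && rm -f "$tmp"
  return 0
}

# Demo on constructed copies of the two files (not the live /etc ones).
demo() {
  d=$(mktemp -d)
  printf 'port 6379\nrequirepass s3cr3t\n' > "$d/redis.conf"
  printf '[redis_*]\nenv.password oldpass\n' > "$d/munin-node"
  sync_redis_munin_password "$d/redis.conf" "$d/munin-node"; echo "first run: $?"
  sync_redis_munin_password "$d/redis.conf" "$d/munin-node"; echo "second run: $?"
  cat "$d/munin-node"
  rm -rf "$d"
}
demo
```

Against the real files run it as root with /etc/redis/redis.conf and /etc/munin/plugin-conf.d/munin-node, and restart munin-node only when it returns 0, so a cron or post-upgrade hook does not bounce the daemon needlessly.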

nginx config changes

To get the php-fpm munin stats working the following code starting with the comment needs adding to /var/aegir/config/server_master/nginx.conf in the nginx default server section:

#######################################################
###  nginx default server
#######################################################

server {
  limit_conn   limreq 32; # like mod_evasive - this allows max 32 simultaneous connections from one IP address
  listen       *:80;
  server_name  _;
  location / {
     expires 60s;
     add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     add_header Access-Control-Allow-Origin *;
     root   /var/www/nginx-default;
     index  index.html index.htm;
  }
}

server {
  listen       *:80;
  server_name 127.0.0.1;
  location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
  }
  # chris 2014-04-14
  location ~ ^/fpm-(status|ping)$ {
    fastcgi_pass 127.0.0.1:9090;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
    include fastcgi_params;
    access_log off;
    allow 127.0.0.1;
    allow 81.95.52.103;
    deny all;
  }
}

Logs for analysis on penguin, see wiki:WebServerLogs are generated via the following being added to the http section of the /etc/nginx/nginx.conf file:

  # log for awstats
  log_format apache '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent"';
  access_log         /var/log/nginx/awstats.log apache;
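The wiki:ErrorCodeCheck script mentioned earlier counts HTTP errors from logs in this format. As an added example (not that script, and not part of BOA), the functions below summarise 4xx/5xx responses from an access log written with the apache log_format above. The status code is read from the three digits immediately after the closing quote of the request, so a request line containing spaces does not shift the field. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise HTTP error responses from an nginx log in the
# combined/"apache" format above. Not the wiki's ErrorCodeCheck script.

# Print one line per error status code: "<code> <count>", most frequent first.
http_error_counts() {
  awk '
    match($0, /" [1-5][0-9][0-9] /) {
      code = substr($0, RSTART + 2, 3)
      if (code + 0 >= 400) n[code]++
    }
    END { for (c in n) print c, n[c] }' "$1" | sort -k2,2nr -k1,1
}

# Total number of error responses (the figure the daily e-mail would carry).
http_error_total() {
  http_error_counts "$1" | awk '{ t += $2 } END { print t + 0 }'
}

# Constructed sample lines in the apache log_format (not real traffic).
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [14/Apr/2014:09:32:01 +0100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Apr/2014:09:32:05 +0100] "GET /node/42 HTTP/1.1" 502 172 "-" "Mozilla/5.0"
192.0.2.12 - - [14/Apr/2014:09:32:09 +0100] "GET /missing page HTTP/1.1" 404 169 "-" "curl/7.26.0"
192.0.2.11 - - [14/Apr/2014:09:32:12 +0100] "POST /user/login HTTP/1.1" 502 172 "-" "Mozilla/5.0"
192.0.2.13 - - [14/Apr/2014:09:33:00 +0100] "GET /admin HTTP/1.1" 403 162 "-" "Mozilla/5.0"
EOF
}

demo() {
  f=$(mktemp)
  write_sample_log "$f"
  echo "errors: $(http_error_total "$f")"
  http_error_counts "$f"
  rm -f "$f"
}
demo
```

Run it against /var/log/nginx/awstats.log; a jump in the 502 line relative to the previous day is the kind of signal that ticket:483 was tracking, and is more useful than the bare total on its own.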

mysql config changes

Settings in /etc/mysql/my.cnf are no longer changed from the default, see ticket:670 and ticket:587.

System Updates

We don't use the BOA tool for updating packages:

barracuda up-stable system

It is very slow, and after running the above command to update the system you also need to follow the steps documented above at PuffinServer#UpgradingBOA for php-fpm to get the Munin stats working again.

Nginx and PHP are compiled from source code, so the above command should be run when these need updating; for other updates use the wiki:AptitudeUpdateScript script and document the updates on ticket:692.

See also ticket:548#comment:33 for the steps that need to be followed after this to get BOA to work with the Session443 plugin.

CSF / LDF

To restart the firewall script:

csf -r

We have set the following variable in /root/.barracuda.cnf to ensure that the CSF / LDF changes are not clobbered by BOA:

_CUSTOM_CONFIG_CSF=YES

We could do with a link here to the ticket on which the CSF / LDF configuration had a lot of work done. Some changes to the load level alerting were made on ticket:707#comment:37

False positives

BOA installs CSF / LDF and automatically blocks IP addresses after too many failed SSH login attempts, if someone is blocked who shouldn't be then they can be unblocked like this:

csf -dr 81.95.52.66

To check if an IP address is blocked:

csf -g 81.95.52.66

See this ticket for problems caused by CSF / LDF blocking the monitoring server: ticket:544

Blocklists

Blocklists are configured in /etc/csf/csf.blocklists and some were enabled on ticket:589

Console and SSH Access

There is a Xen shell available for console access, see wiki:XenShell.

For developers and sysadmins there is SSH access, contact chris@… if you need an account creating.

The server is also running Mosh, the mobile shell, which is very handy when your internet connection is poor, for example on a train. Mosh was installed on ticket:673.

Cron

BOA controls the root crontab and any changes made there will be overwritten, so things that would normally be in the root crontab need to go into users' crontabs and use sudo. These are the ones in chris' crontab:

# delete metche backups which are more than a day old
# see https://tech.transitionnetwork.org/trac/ticket/531
28      11      *       *       *       sudo /usr/local/bin/metche-clean -d     
# set the clock after a reboot
# see /trac/ticket/599
@reboot sudo rdate -s ntp.demon.co.uk
# create a tmp dir on the ram disk for mysql
# see /trac/ticket/591
@reboot sudo mkdir /run/shm/mysql ; sudo chown mysql:mysql /run/shm/mysql
# ssl cert check
32 09 * * * sudo ssl-cert-check -qac "/etc/ssl/transitionnetwork.org/transitionnetwork.org.crt" -e "chris@webarchitects.co.uk"

To edit chris' crontab after logging in as another user:

sudo -i
export EDITOR=vim
crontab -e -u chris

Backupninja

backupninja has been installed and two backup tasks have been configured in /etc/backup.d/, 10.sys which does backups of system settings and 20.mysql which dumps all the mysql databases into /var/backups/mysql and uses /etc/mysql/debian.cnf for authentication.

In October 2013 we switched the server's filesystem to a ZFS server on the network, see ticket:593#comment:5, and now filesystem backups are done via ZFS snapshots, so the rsync backup was disabled, see ticket:535#comment:22

Postfix

Two changes were made to the default postfix install: it was set to send root emails out, see ticket:466#comment:23, and it was configured to use TLS with the transition network cert, see ticket:466#comment:25.

Handy commands

There are some Bash aliases to quickly get around the system added by JK...

For root:

alias cdtn='cd /data/disk/tn/' # cd to tn directory
alias totn='su -s /bin/bash tn' # log into the tn user

# show file usages
alias duf='du -sk * | sort -n | perl -ne '\''($s,$f)=split(m{\t});for (qw(K M G)) {if($s<1024) {printf("%.1f",$s);print "$_\t$f"; last};$s=$s/1024}'\'

For tn

alias la='ls -Al --color=auto'
alias lc='ls -ltcr --color=auto'
alias lk='ls -lSr --color=auto'
alias ll='ls -la --group-directories-first --color=auto'
alias lr='ls -lR --color=auto'
alias ls='ls -hF --color=auto'
alias lt='ls -ltr --color=auto'
alias lu='ls -ltur --color=auto'
alias lx='ls -lXB --color=auto'

Vim config

To make vim the default editor for root the following was added to /root/.bashrc:

export EDITOR="vim"

To make config files nicer to read in vim the following was added to /root/.vimrc:

syntax on

And a /root/.vim/filetype.vim file was created with the following in it:

au BufRead,BufNewFile /etc/mysql/my.cnf set ft=mycnf
autocmd BufRead,BufNewFile /etc/php5/fpm/* set syntax=dosini
autocmd BufRead,BufNewFile /opt/local/etc/php53-fpm.conf set syntax=dosini
au BufRead,BufNewFile /etc/nginx/*,/etc/nginx/conf.d/*,/var/aegir/config/server_master/nginx/*/* set ft=nginx
au BufRead,BufNewFile /data/disk/tn/config/server_master/nginx/vhost.d/* set ft=nginx

And a /root/.vim/syntax/ directory was created and mycnf.vim was created in it by downloading it from http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/vim-syntax-mycnf/ and nginx.vim was downloaded from http://www.vim.org/scripts/script.php?script_id=1886

Migration Tickets

Tickets created during the migration of the http://www.transitionnetwork.org/ site from NewLiveServer to this server: