From fe27af7a16d9bc56b0767f63d8f0490fcd2f13d1 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 22 Dec 2022 17:56:58 +0100 Subject: =?UTF-8?q?Migration=20des=20derniers=20documents=20depuis=20op=5F?= =?UTF-8?q?guide=20(d=C3=A9p=C3=B4t=20infrastructure)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- content/operations/deploiement/app.md | 32 -------- content/operations/deploiement/app/_index.md | 33 ++++++++ .../operations/deploiement/app/create_database.md | 34 ++++++++ content/operations/deploiement/grappe.md | 17 ---- content/operations/deploiement/grappe/_index.md | 19 +++++ content/operations/deploiement/grappe/stolon.md | 95 ++++++++++++++++++++++ 6 files changed, 181 insertions(+), 49 deletions(-) delete mode 100644 content/operations/deploiement/app.md create mode 100644 content/operations/deploiement/app/_index.md create mode 100644 content/operations/deploiement/app/create_database.md delete mode 100644 content/operations/deploiement/grappe.md create mode 100644 content/operations/deploiement/grappe/_index.md create mode 100644 content/operations/deploiement/grappe/stolon.md (limited to 'content/operations/deploiement') diff --git a/content/operations/deploiement/app.md b/content/operations/deploiement/app.md deleted file mode 100644 index 664b0b0..0000000 --- a/content/operations/deploiement/app.md +++ /dev/null @@ -1,32 +0,0 @@ -+++ -title = "Applications" -description = "Déploiement d'une application" -sort_by = "weight" -weight = 30 -+++ - - -# Empaqueter - -Packager avec nix un conteneur Docker, le publier - -# Secrets - -Créer les secrets avec `secretmgr` - -# Service - -Créer un service Nomad - -Voir les différentes déclarations : - - diplonat - - tricot - -# Sauvegardes - -Voir la section appropriée - -# Surveillance - -Voir la section appropriée - diff --git a/content/operations/deploiement/app/_index.md b/content/operations/deploiement/app/_index.md new file mode 100644 index 0000000..710e2e5 --- /dev/null +++ b/content/operations/deploiement/app/_index.md @@ -0,0 +1,33 @@ ++++ +title = "Applications" +description = "Déploiement d'une application" +sort_by = "weight" +date = 2022-12-22 +weight = 30 ++++ + + +# Empaqueter + +Packager avec nix un conteneur Docker, le publier + +# Secrets + +Créer les secrets avec `secretmgr` + +# Service + +Créer un service Nomad + +Voir les différentes déclarations : + - diplonat + - tricot + +# Sauvegardes + +Voir la section appropriée + +# Surveillance + +Voir la section appropriée + diff --git a/content/operations/deploiement/app/create_database.md b/content/operations/deploiement/app/create_database.md new file mode 100644 index 0000000..e5f8a72 --- /dev/null +++ b/content/operations/deploiement/app/create_database.md @@ -0,0 +1,34 @@ ++++ +title = "Créer une BDD" +description = "Création d'une base de données pour une nouvelle application" +date = 2022-12-22 +dateCreated = 2022-12-22 +weight = 11 ++++ + +## 1. Create a LDAP user and assign a password for your service + +Go to guichet.deuxfleurs.fr + + 1. Everything takes place in `ou=services,ou=users,dc=deuxfleurs,dc=fr` + 2. Create a new user, like `johny` + 3. Generate a random password with `openssl rand -base64 32` + 4. Hash it with `slappasswd` + 5. Add a `userpassword` entry with the hash + +This step can also be done using the automated tool `secretmgr.py` in the app folder. + +## 2. Connect to postgres with the admin users + +```bash +# 1. Launch ssh tunnel given in the README +# 2. Make sure you have postregsql client installed locally +psql -h localhost -U postgres -W postgres +``` + +## 3. Create the binded users with LDAP in postgres + the database + +```sql +CREATE USER sogo; +Create database sogodb with owner sogo encoding 'utf8' LC_COLLATE = 'C' LC_CTYPE = 'C' TEMPLATE template0; +``` diff --git a/content/operations/deploiement/grappe.md b/content/operations/deploiement/grappe.md deleted file mode 100644 index b917005..0000000 --- a/content/operations/deploiement/grappe.md +++ /dev/null @@ -1,17 +0,0 @@ -+++ -title = "Grappe" -description = "Grappe" -weight = 20 -+++ - -# Installation - -Pointer vers le dépot nixcfg (précédemment le ansible de Deuxfleurs/infrastructure). - -Passer sur Wireguard, Nomad, Consul, Diplonat, (Tricot, Garage), etc. - -# Les secrets - -# Découverte des noeuds - - diff --git a/content/operations/deploiement/grappe/_index.md b/content/operations/deploiement/grappe/_index.md new file mode 100644 index 0000000..80de97d --- /dev/null +++ b/content/operations/deploiement/grappe/_index.md @@ -0,0 +1,19 @@ ++++ +title = "Grappe" +description = "Grappe" +weight = 20 +date = 2022-12-22 +sort_by = "weight" ++++ + +# Installation + +Pointer vers le dépot nixcfg (précédemment le ansible de Deuxfleurs/infrastructure). + +Passer sur Wireguard, Nomad, Consul, Diplonat, (Tricot, Garage), etc. + +# Les secrets + +# Découverte des noeuds + + diff --git a/content/operations/deploiement/grappe/stolon.md b/content/operations/deploiement/grappe/stolon.md new file mode 100644 index 0000000..4a683f4 --- /dev/null +++ b/content/operations/deploiement/grappe/stolon.md @@ -0,0 +1,95 @@ ++++ +title = "Stolon" +description = "Comment déployer Stolon" +date = 2022-12-22 +dateCreated = 2022-12-22 +weight = 11 ++++ + +Spawn container: + +```bash +docker run \ + -ti --rm \ + --name stolon-config \ + --user root \ + -v /var/lib/consul/pki/:/certs \ + superboum/amd64_postgres:v11 +``` + + +Init with: + +``` +stolonctl \ + --cluster-name chelidoine \ + --store-backend=consul \ + --store-endpoints https://consul.service.prod.consul:8501 \ + --store-ca-file /certs/consul-ca.crt \ + --store-cert-file /certs/consul2022-client.crt \ + --store-key /certs/consul2022-client.key \ + init \ + '{ "initMode": "new", + "usePgrewind" : true, + "proxyTimeout" : "120s", + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.prod.consul ldapbasedn=\"ou=users,dc=deuxfleurs, dc=fr\" ldapbinddn=\"\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" + ] + }' + +``` + +Then set appropriate permission on host: + +``` +mkdir -p /mnt/{ssd,storage}/postgres/ +chown -R 999:999 /mnt/{ssd,storage}/postgres/ +``` + +(102 is the id of the postgres user used in Docker) +It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. +Moreover it would enable the usage of the user namespace that shift the UIDs. + + + +## Upgrading the cluster + +To retrieve the current stolon config: + +``` +stolonctl spec --cluster-name chelidoine --store-backend consul --store-ca-file ... --store-cert-file ... --store-endpoints https://consul.service.prod.consul:8501 +``` + +The important part for the LDAP: + +``` +{ + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" + ] +} +``` + +Once a patch is writen: + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json +``` + +## Log + +- 2020-12-18 Activate pg\_rewind in stolon + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch '{ "usePgrewind" : true }' +``` + +- 2021-03-14 Increase proxy timeout to cope with consul latency spikes + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch '{ "proxyTimeout" : "120s" }' +``` -- cgit v1.2.3