kosmos/chef
kosmos/chef
8
3
Fork 0
程式碼 問題 29 合併請求 2 專案 2 動態

Move PostgreSQL to VMs and access via Zerotier #282

已合併
raucao 將 40 次提交從 feature/postgres_vms 合併至 master 2021-01-25 10:56:42 +00:00
對話內容 5 程式碼提交 40 檔案變動 64 +2406 -1146
raucao 已留言 2021-01-07 14:14:24 +00:00
擁有者
複製連結

Update Jan 24:

@greg and I have finished the migration of our PostgreSQL cluster from the host systems of Andromeda, Centaurus, and Draco, to new VMs on Centaurus and Draco.

Instead of the previous encfs setup, we now use standard full-disk encryption (LUKS/LVM) for the VMs to encrypt data at rest. So the decryption password has to be provided during the booting of the VM now.

The new setup also uses our Zerotier private network exclusively for database connections, and thus no public connections or TLS anymore.

In order to make both this migration seamless, as well make the switching of the primary node to a hot standby node much easier and quicker in the future as well, we have changed all database clients to use a custom /etc/hosts entry (pg.kosmos.local).

Then we created a script to run all the steps for switching the primary at once, both triggering the promotion of a standby node to primary, as well as stopping the old one, and updating the hosts entries without full Chef runs. This way, all clients will immediately re-connect to the new primary after promotion, which worked exactly as intended when we did it for this migration.

refs #280

***Update Jan 24:*** @greg and I have finished the migration of our PostgreSQL cluster from the host systems of Andromeda, Centaurus, and Draco, to new VMs on Centaurus and Draco. Instead of the previous encfs setup, we now use standard full-disk encryption (LUKS/LVM) for the VMs to encrypt data at rest. So the decryption password has to be provided during the booting of the VM now. The new setup also uses our Zerotier private network exclusively for database connections, and thus no public connections or TLS anymore. In order to make both this migration seamless, as well make the switching of the primary node to a hot standby node much easier and quicker in the future as well, we have changed all database clients to use a custom `/etc/hosts` entry (`pg.kosmos.local`). Then we created [a script to run all the steps for switching the primary at once](https://gitea.kosmos.org/kosmos/chef/src/commit/b1fea4b09ffe87c48b5b1d8b524cb0968c13fabf/scripts/postgresql/switch_primary.sh), both triggering the promotion of a standby node to primary, as well as stopping the old one, and updating the hosts entries without full Chef runs. This way, all clients will immediately re-connect to the new primary after promotion, which worked exactly as intended when we did it for this migration. refs #280
raucao 指派給自己 2021-01-08 08:14:10 +00:00
gregraucao 指派 2021-01-08 08:14:13 +00:00
raucao 已留言 2021-01-09 09:51:39 +00:00
作者
擁有者
複製連結

@greg I was thinking about the most simple, low-tech, and stable solution for updating the postgres master address, and my last idea was:

  • Configure clients to use a hostname instead of IP address for the master connection (the obvious first step)
  • Write a script (maybe just postgres client Chef recipe), which simply updates an /etc/hosts entry on all postgres client VMs

This way, we don't need our own DNS server at all, and there's no extra connection or caching to think about. WDYT?

@greg I was thinking about the most simple, low-tech, and stable solution for updating the postgres master address, and my last idea was: * Configure clients to use a hostname instead of IP address for the master connection (the obvious first step) * Write a script (maybe just postgres client Chef recipe), which simply updates an `/etc/hosts` entry on all postgres client VMs This way, we don't need our own DNS server at all, and there's no extra connection or caching to think about. WDYT?
greg 已留言 2021-01-09 12:54:50 +00:00
擁有者
複製連結

Yeah that seems like a good solution for now!

Yeah that seems like a good solution for now!
raucao 加入了 1 個提交 2021-01-23 16:06:29 +00:00
greg 加入了 9 個提交 2021-01-23 16:12:01 +00:00 
It was created with an encfs volume inside a VM, we want full disk encryption
instead. I have deleted the VM from centaurus as well as its disk and
have also unauthorized its id from the zerotier controller
We want the host file to be written before database connections happen
I have also deleted the data directory (in /mnt/data)
greg 加入了 1 個提交 2021-01-23 16:35:27 +00:00
greg 加入了 1 個提交 2021-01-23 18:09:13 +00:00 
We connect through a Zerotier private IP
greg 加入了 1 個提交 2021-01-23 18:10:05 +00:00
greg 加入了 2 個提交 2021-01-23 18:15:14 +00:00 
Usage: scripts/postgresql/switch_primary.sh <old_primary_hostname> <new_primary_hostname>
greg 加入了 1 個提交 2021-01-23 18:26:02 +00:00
raucao 將標題從 WIP: Move PostgreSQL to VMs and access via Zerotier 改為 Move PostgreSQL to VMs and access via Zerotier 2021-01-23 18:30:06 +00:00
raucao 加入了
kredits-3
 標籤 2021-01-23 18:34:06 +00:00
raucao 請求了 Owners 來審核 2021-01-24 07:22:19 +00:00
greg 加入了 1 個提交 2021-01-24 09:11:53 +00:00
slvrbckt 已留言 2021-01-24 15:52:21 +00:00
擁有者
複製連結

I had a look, and it looks good to me, but I know absolutely zero about the ruby code, let alone the infrastructure. So take my approval for a grain of salt :)

EDIT: Also, I couldn't add my name to the reviewrs list

I had a look, and it looks good to me, but I know absolutely zero about the ruby code, let alone the infrastructure. So take my approval for a grain of salt :) EDIT: Also, I couldn't add my name to the reviewrs list
raucao 已留言 2021-01-24 16:32:17 +00:00
作者
擁有者
複製連結

EDIT: Also, I couldn't add my name to the reviewrs list

If you leave a comment using the review function on the changed-files tab (green button on the right), then you'll be added to the list, and also kredited by @galfert's new script.

> EDIT: Also, I couldn't add my name to the reviewrs list If you leave a comment using the review function on the changed-files tab (green button on the right), then you'll be added to the list, and also kredited by @galfert's new script.
slvrbckt 核可了這些變更 2021-01-24 16:47:39 +00:00
slvrbckt 留下了回應
擁有者
複製連結

LGTM!

LGTM!
raucao merged commit ad271e55d4 into master 2021-01-25 10:56:42 +00:00
raucao 刪除分支 feature/postgres_vms 2021-01-25 10:56:48 +00:00
登入 才能加入這對話。
審核者
No Reviewers
slvrbckt
標籤
清除已選取標籤
service
accounts
Kosmos Accounts
service
discourse
Kosmos Community Forums
service
drone-ci
Kosmos Drone CI
service
email
mail.kosmos.org
service
garage
S3-compatible object storage
service
gitea
Kosmos Gitea
service
ipfs
Kosmos IPFS
service
mastodon
kosmos.social
service
postgres
Database cluster
service
remotestorage
Portable data storage for the Web
service
wiki
Kosmos Wiki
service
xmpp
Kosmos Chat
bug
Something is not working
design
Graphic/visual design
dev environment
Config, builds, CI, deployment, etc.
docs
Documentation
duplicate
This issue or pull request already exists
enhancement
Improving existing functionality
feature
New functionality
good first issue
Dive in, and start contributing
idea
Something to consider
invalid
Not a bug
kredits-1
Small contribution
kredits-2
Medium contribution
kredits-3
Large contribution
on hold
Currently not actionable
ops
Manual IT ops activities
question
Looking for an answer
release
major
release
minor
release
patch
security
All your base are belong to us
ui/ux
User interface, process design, etc.
wontfix
This won't be fixed
未選擇標籤
kredits-3
里程碑
沒有項目
未選擇里程碑
專案
清除已選取專案
未選擇專案
負責人
清除負責人
bkero bumi fsmanuel galfert greg hueso raucao slvrbckt
沒有負責人 greg raucao
3 參與者
通知
截止日期
未設定截止日期。
先決條件

未設定先決條件。

參考: kosmos/chef#282
No description provided.
刪除分支「feature/postgres_vms」

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?