[CKAN-support] Urgent request - Queensland Government CKAN config

Gavin Chait gavin.chait at okfn.org
Wed Feb 27 16:46:45 UTC 2013


Hi,

 

The nature of the problem of creating new IPv4 addresses is that Rackspace
offers two, seemingly similar, cloud hosting choices: First Generation and
New Generation.  They cost the same and have slightly different VM
configurations, but appear largely interchangeable.  By default, Rackspace
pushes you onto New Generation when you register a new account and that is
where we ended up during the compressed time-frame for deployment in
December.

 

New Generation cloud servers do not offer additional IPv4 addresses.  First
Generation cloud servers offer a maximum of 5 IP addresses at $2/month for
each additional address. There may be other differences, but this is the
first real variance we're coming across.
(http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses)

 

We have three options for serving an additional IP address:

 

(1) Server Name Indication:

- Pros: This is the simplest option with not much configuration to do;
  no extra services needed; no extra costs; no extra services to monitor;
  no downtime required;
- Cons: These are extremely limiting as old browsers and operating
  systems (e.g. Windows XP and IE6) do not support it
  (http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B5.5D);
- Setup time: 15-20 mins
- Self-service:
  http://nginx.org/en/docs/http/configuring_https_servers.html#sni
- Our charge: none

 

(2) Migrate the existing Rackspace New Generation VM to a First Generation
VM:

- Pros: No extra load balancer needed; we can terminate multiple SSL
  sites in future as well; once complete, there are no extra costs (save for
  the $2/month/IP address) or configuration differences to maintain;
- Cons: The existing IP address will change, necessitating long
  downtime for switchover as the DNS transfer takes place; we would have to
  run both VMs simultaneously until such time as the transfer has completed;
- Setup time: 1-2 days estimate;
- Self-service: Clone the existing Cleopatra site onto the new VM,
  test and ensure that all is as before; request additional IP from Rackspace
  as per above link; begin DNS migration;
- Our charge: We can perform the entire migration (1-2 days, at
  $1,120/day), or we can support the transfer as SSQ performs the cloning;
  there will be a small additional hosting cost while the two servers run
  side-by-side until we complete the migration;

 

(3) Utilise Rackspace Cloud Load Balancer as additional SSL endpoint:

- Pros: Less cost than setting up a second cloud instance, and less
  effort than performing a migration as the original IP address will be
  maintained;
- Cons: Costs are higher as we pay per SSL termination - currently
  two; seems non-trivial to get running for SSL and manage; extra services to
  monitor;
- Setup time: 1-2 days;
- Self-service: Non-trivial and we'd suggest testing on the staging
  server;
- Estimated costs: Our costs (at $1,120/day, if required) +
  additional $40-$50/month for the Cloud Load Balancers (based on estimated
  number of connections)

 

Option 2 would appear to be best, even though it does result in the DNS
transfer requirements.  It would mean that we are protected in future should
you require additional IP addresses (bearing in mind the hard limit of
5/VM).

 

This has been a very unexpected problem and I imagine we haven't come across
it before because our other sites are on the First Generation cloud servers.

 

Please could you advise as to how we should proceed.

 

Thanks and regards

 

Gavin

 

Gavin Chait | Head of Services | Open Knowledge Foundation
gavin.chait at okfn.org | M: +44 (0) 78 9495 7090 | http://okfn.org/
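
Option (1) above, sketched as an added illustration that is not part of the original e-mail or of the deployed configuration: two HTTPS sites sharing one address, with the certificate chosen by SNI. The address 203.0.113.10, the certificate paths and the backend ports are placeholders.

```nginx
# Added example. Both server blocks listen on the SAME IP and port; nginx
# selects the certificate from the hostname the client sends in the TLS
# ClientHello (the SNI extension).

server {
    # default_server decides what a client WITHOUT SNI support receives
    # (the old browser / OS combinations named in the Cons above): such a
    # client always gets this block's certificate, whichever hostname it
    # wanted, so a request for the other site shows a name-mismatch warning.
    listen 203.0.113.10:443 ssl default_server;    # placeholder address
    server_name data.qld.gov.au;

    ssl_certificate     /etc/nginx/ssl/data.qld.gov.au.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/data.qld.gov.au.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;          # assumed backend port
        proxy_set_header Host $host;
    }
}

server {
    # Same address and port, different certificate: only reachable under
    # its own certificate by clients that send SNI.
    listen 203.0.113.10:443 ssl;                   # placeholder address
    server_name publications.qld.gov.au;

    ssl_certificate     /etc/nginx/ssl/publications.qld.gov.au.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/publications.qld.gov.au.key;  # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8081;          # assumed backend port
        proxy_set_header Host $host;
    }
}
```

`nginx -V` prints "TLS SNI support enabled" when the binary supports this, and `openssl s_client -connect 203.0.113.10:443 -servername publications.qld.gov.au` shows which certificate is selected for that name.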

 

From: Cat [mailto:cat at abintra.com.au] 
Sent: 27 February 2013 13:59
To: gavin.chait at okfn.org; 'Lawrence Howson'; joel.rebello at okfn.org
Cc: david.beal at smartservice.qld.gov.au;
callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN
config

 

Thanks Gavin

 

From: Gavin Chait [mailto:gavin.chait at okfn.org] 
Sent: Wednesday, 27 February 2013 11:57 PM
To: 'Cat'; 'Lawrence Howson'; joel.rebello at okfn.org
Cc: david.beal at smartservice.qld.gov.au;
callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN
config

 

Hi Cat,

 

Joel has confirmed he can use the SSL certificate already installed,
however, we're apparently hosting on Rackspace's "Next Generation" cloud
servers and this means that they cannot readily provide an additional IPv4
address without additional load balancing.  They provide this as an
extra-cost service and we're busy confirming the price for this.

 

We'll get back to you as soon as we have further details.

 

Regards

 

Gavin

 

Gavin Chait | Head of Services | Open Knowledge Foundation
gavin.chait at okfn.org | M: +44 (0) 78 9495 7090 | http://okfn.org/

 

From: Cat [mailto:cat at abintra.com.au] 
Sent: 27 February 2013 13:41
To: 'Lawrence Howson'; joel.rebello at okfn.org
Cc: gavin.chait at okfn.org; david.beal at smartservice.qld.gov.au;
callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN
config

 

Hi Guys

 

I am not a tech person, so please bear with me as I get a better
understanding.

 

The SSL certificate is already installed on Cleopatra for
Publications.qld.gov.au. I am wondering if you can get the information that
you need from there. Otherwise I will not be able to send these to you until
I can talk to one of our developers in our morning. 

 

If you can work with the SSL certificate already installed for publications
on Cleopatra, what are the implications of rebooting the server? We have
data.qld.gov.au instance of CKAN also installed on the same server. Would
both products go down for that period of time? What is the expected (and
worst case) downtime and is there any chance that this can be avoided? Also,
are there any other risks involved? Would settings in Publications or data
instances of CKAN be affected by the down time?

 

Kind regards

 

Cat

 

From: Lawrence Howson [mailto:lawrence at xvt.com.au] 
Sent: Wednesday, 27 February 2013 10:35 PM
To: cat
Subject: Fwd: [CKAN-support] Urgent request - Queensland Government CKAN
config

 

Hi Catherine,

 

Would you be able to supply the SSL cert as per below? Have a read of the
Rackspace document, they are quite exacting in what they require.

 

Thanks,

 

Lawrence

 

Begin forwarded message:

 

From: Joel Rebello <joel.rebello at okfn.org>

Subject: Re: [CKAN-support] Urgent request - Queensland Government CKAN
config

Date: 27 February 2013 11:30:57 PM AEDT

To: Lawrence Howson <lawrence at xvt.com.au>

Cc: "support at ckan.org" <support at ckan.org>, Support <support at xvt.com.au>,
Gavin Chait <gavin.chait at okfn.org>, Darwin Peltan <darwin.peltan at okfn.org>

 

Hey Lawrence,

As per Rackspace support, they will only add IP addresses to the
server based on the points mentioned in this document -
http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses

This is mainly because of IPv4 address shortages, as per the doc they
need us to provide the SSL certs for the site we intend to host on
this new IP address. The addition of an IP will require a downtime for
the server, although I'm checking with them if this downtime can be
prevented.

Please forward the SSL certs for the domain to be hosted on the new IP
and details on when a downtime for the server would be OK, if
Rackspace cannot avoid it.


Regards,
Joel Rebello


On Wed, Feb 27, 2013 at 4:50 PM, Lawrence Howson <lawrence at xvt.com.au>
wrote:

Hi,

We received an urgent request from SmartServices Queensland as per below:

Can we please as a matter of urgency request the following:
- A new IP address that would point to the server Cleopatra that we
  can use for publications on port 80 and 443.
- A new port open on the existing IP...preferably 444 if available.

This request is due to a certificate error in IE that we need to resolve
urgently.



Could you advise on a timeframe to implement this?

Thanks,

Lawrence

