[CKAN-support] Urgent request - Queensland Government CKAN config

Darwin Peltan darwin.peltan at okfn.org
Wed Feb 27 17:00:01 UTC 2013


Hi,

If you're going with option 2 one additional suggestion on this would be to
reduce the TTL on the domain. This would allow the switchover to happen
more quickly (as it would reduce the time that nameservers would cache the
existing IP for).

Best,

Darwin

Darwin Peltan
Project Manager

The Open Knowledge Foundation
http://www.okfn.org

Skype: darwinp
Twitter: @darwin


On 27 February 2013 16:46, Gavin Chait <gavin.chait at okfn.org> wrote:

> Hi,****
>
> ** **
>
> The nature of the problem of creating new IPv4 addresses is that Rackspace
> offers two, seemingly similar, cloud hosting choices: First Generation and
> New Generation.  They cost the same and have slightly different VM
> configurations, but appear largely interchangeable.  By default, Rackspace
> pushes you onto New Generation when you register a new account and that is
> where we ended up during the compressed time-frame for deployment in
> December.****
>
> ** **
>
> New Generation cloud servers do not offer additional IPv4 addresses.
> First Generation cloud servers offer a maximum of 5 IP addresses at
> $2/month for each additional address. There may be other differences, but
> this is the first real variance we’re coming across.  (
> http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses
> )****
>
> ** **
>
> We have three options for serving an additional IP address:****
>
> ** **
>
> *(1) Server Name Indication:*
>
> ** **
>
> **·         ***Pros:* This is the simplest option with not much
> configuration to do; no extra services needed; no extra costs; no extra
> services to monitor; no downtime required;****
>
> **·         ***Cons:* These are extremely limiting as old browsers and
> operating systems (e.g. Windows XP and IE6) do not support it (
> http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B5.5D
> );****
>
> **·         ***Setup time:* 15-20 mins****
>
> **·         ***Self-service:*
> http://nginx.org/en/docs/http/configuring_https_servers.html#sni****
>
> **·         ***Our charge:* none****
>
> ** **
>
> *(2) Migrate the existing Rackspace New Generation VM to a First
> Generation VM:*
>
> ** **
>
> **·         ***Pros:* No extra load balancer needed; we can terminate
> multiple SSL sites in future as well; once complete, there are no extra
> costs (save for the $2/month/IP address) or configuration differences to
> maintain;****
>
> **·         ***Cons:* The existing IP address will change necessitating
> long downtime for switchover as the DNS transfer takes place; we would have
> to run both VM’s simultaneously until such time as the transfer has
> completed;****
>
> **·         ***Setup time*: 1-2 days estimate;****
>
> **·         ***Self-service*: Clone the existing Cleopatra site onto the
> new VM, test and ensure that all is as before; request additional IP from
> Rackspace as per above link; begin DNS migration;****
>
> **·         ***Our-charge: *We can perform the entire migration (1-2
> days, at $1,120/day), or we can support the transfer as SSQ performs the
> cloning; there will be a small additional hosting cost while the two
> servers run side-by-side until we complete the migration;**
>
> ** **
>
> *(3) Utilise Rackspace Cloud Load Balancer as additional SSL endpoint:*
>
> ** **
>
> **·         ***Pros:* Less cost than setting up a second cloud instance,
> and less effort than performing a migration as the original IP address will
> be maintained;****
>
> **·         ***Cons:* Costs are higher as we pay per SSL termination -
> currently two; seems non-trivial to get running for SSL and manage; extra
> services to monitor; ****
>
> **·         ***Setup time:* 1-2 days;****
>
> **·         ***Self-service:* Non-trivial and we’d suggest testing on the
> staging server;****
>
> **·         ***Estimated costs:* Our costs (at $1,120/day, if required) +
> additional $40-$50/month for the Cloud Load Balancers (based on estimated
> number of connections)****
>
> ** **
>
> *Option 2* would appear to be best, even though it does result in the DNS
> transfer requirements.  It would mean that we are protected in future
> should you require additional IP addresses (bearing in mind the hard limit
> of 5/VM).****
>
> ** **
>
> This has been a very unexpected problem and I imagine we haven’t come
> across it before because our other sites are on the First Generation cloud
> servers.****
>
> ** **
>
> Please could you advise as to how we should proceed.****
>
> ** **
>
> Thanks and regards****
>
> ** **
>
> Gavin****
>
> ** **
> ------------------------------
>
> *Gavin Chait** | **Head of Services* *| Open Knowledge Foundation
> *gavin.chait at okfn.org | M:  +44 (0) 78 9495 7090  | http://okfn.org/****
>
> ** **
>
> *From:* Cat [mailto:cat at abintra.com.au]
> *Sent:* 27 February 2013 13:59
> *To:* gavin.chait at okfn.org; 'Lawrence Howson'; joel.rebello at okfn.org
> *Cc:* david.beal at smartservice.qld.gov.au;
> callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> *Subject:* RE: [CKAN-support] Urgent request - Queensland Government CKAN
> config****
>
> ** **
>
> Thanks Gavin****
>
> ** **
>
> *From:* Gavin Chait [mailto:gavin.chait at okfn.org <gavin.chait at okfn.org>]
> *Sent:* Wednesday, 27 February 2013 11:57 PM
> *To:* 'Cat'; 'Lawrence Howson'; joel.rebello at okfn.org
> *Cc:* david.beal at smartservice.qld.gov.au;
> callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> *Subject:* RE: [CKAN-support] Urgent request - Queensland Government CKAN
> config****
>
> ** **
>
> Hi Cat,****
>
> ** **
>
> Joel has confirmed he can use the SSL certificate already installed,
> however, we’re apparently hosting on Rackspace’s “Next Generation” cloud
> servers and this means that they cannot readily provide an additional IPv4
> address without additional load balancing.  They provide this as an
> extra-cost service and we’re busy confirming the price for this.****
>
> ** **
>
> We’ll get back to you as soon as we have further details.****
>
> ** **
>
> Regards****
>
> ** **
>
> Gavin****
>
> ** **
> ------------------------------
>
> *Gavin Chait** | Head of Services* *| Open Knowledge Foundation
> *gavin.chait at okfn.org | M:  +44 (0) 78 9495 7090  | http://okfn.org/****
>
> ** **
>
> *From:* Cat [mailto:cat at abintra.com.au <cat at abintra.com.au>]
> *Sent:* 27 February 2013 13:41
> *To:* 'Lawrence Howson'; joel.rebello at okfn.org
> *Cc:* gavin.chait at okfn.org; david.beal at smartservice.qld.gov.au;
> callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> *Subject:* RE: [CKAN-support] Urgent request - Queensland Government CKAN
> config****
>
> ** **
>
> Hi Guys****
>
> ** **
>
> I am not a tech person, so please bare with me as I get a better
> understanding. ****
>
> ** **
>
> The SSL certificate is already installed on Cleopatra for
> Publications.qld.gov.au. I am wondering if you can get the information
> that you need from there. Otherwise I will not be able to send these to you
> until I can talk to one of our developers in our morning. ****
>
> ** **
>
> If you can work with the SSL certificate already installed for
> publications on Cleopatra, what are the implications of rebooting the
> server? We have data.qld.gov.au instance of CKAN also installed on the
> same server. Would both products go down for that period of time. What is
> the expected (and worst case) downtime and is there any chance that this
> can be avoided. Also, are there any other risks involved. Would settings in
> Publications or data instances of CKAN be affected by the down time?****
>
> ** **
>
> Kind regards****
>
> ** **
>
> Cat****
>
> ** **
>
> *From:* Lawrence Howson [mailto:lawrence at xvt.com.au <lawrence at xvt.com.au>]
>
> *Sent:* Wednesday, 27 February 2013 10:35 PM
> *To:* cat
> *Subject:* Fwd: [CKAN-support] Urgent request - Queensland Government
> CKAN config****
>
> ** **
>
> Hi Catherine,****
>
> ** **
>
> Would you be able to supply the SSL cert as per below? Have a read of the
> Rackspace document, they are quite exacting in what they require.****
>
> ** **
>
> Thanks,****
>
> ** **
>
> Lawrence****
>
> ** **
>
> Begin forwarded message:****
>
> ** **
>
> *From: *Joel Rebello <joel.rebello at okfn.org>****
>
> *Subject: Re: [CKAN-support] Urgent request - Queensland Government CKAN
> config*****
>
> *Date: *27 February 2013 11:30:57 PM AEDT****
>
> *To: *Lawrence Howson <lawrence at xvt.com.au>****
>
> *Cc: *"support at ckan.org" <support at ckan.org>, Support <support at xvt.com.au>,
> Gavin Chait <gavin.chait at okfn.org>, Darwin Peltan <darwin.peltan at okfn.org>
> ****
>
> ** **
>
> Hey Lawrence,
>
> As per rackspace support and they will only add IP addresses to the
> server based on the points mentioned in this document -
>
> http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses
>
> This is mainly because of IPv4 address shortages, as per the doc they
> need us to provide the SSL certs for the site we intend to host on
> this new IP address. The addition of an IP will require a downtime for
> the server, although I'm checking with them if this downtime can be
> prevented.
>
> Please forward the SSL certs for the domain to be hosted on the new IP
> and details on when would a downtime for the server be ok, if
> Rackspace cannot avoid it.
>
>
> Regards,
> Joel Rebello
>
>
> On Wed, Feb 27, 2013 at 4:50 PM, Lawrence Howson <lawrence at xvt.com.au>
> wrote:****
>
> Hi,
>
> We received an urgent request from SmartServices Queensland as per below:
>
> Can we please as a matter of urgency request the following:
> ·         A new IP address that would point to the server Cleopatra that we
> can use for publications on port 80 and 443.
> ·         A new port open on the existing IP...preferably 444 if available.
> This request is due to a certificate error in IE that we need to resolve
> urgently.
>
>
>
> Could you advise on a timeframe to implement this?
>
> Thanks,
>
> Lawrence
>
>
> ________________________________
> This email and any files transmitted with it is confidential and intended
> solely for the use of the addressee. The unauthorised use, dissemination,
> forwarding, printing or copying of this communication is strictly
> prohibited. If you have received this communication in error please notify
> us immediately by reply email and destroy this communication. Any views and
> opinions presented in this email are solely those of the author and do not
> necessarily represent the views of XVT Solutions. The recipient should
> check
> this email and any attachments for viruses. XVT Solutions accepts no
> liability for the content of this email, and any damage caused by any
> viruses that could potentially be transmitted through this email.
>
> _______________________________________________
> CKAN-support mailing list
> CKAN-support at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/ckan-support****
>
> ** **
>
> _______________________________________________
> CKAN-support mailing list
> CKAN-support at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/ckan-support
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/ckan-support/attachments/20130227/27ab1785/attachment-0003.html>


More information about the ckan-support mailing list