[CKAN-support] Urgent request - Queensland Government CKAN config

Beal David David.Beal at smartservice.qld.gov.au
Wed Feb 27 17:25:40 UTC 2013


Hi all

Appreciate all the discussions. It seems we have a number of options. 

I am inclined to wait and make a call tomorrow on this. 

We have a workaround for our launch. 

Cheers

David

David Beal
Director - Self Service
smartservice Queensland
0439 076 791
 
Sent from iPhone

On 28/02/2013, at 3:00 AM, "Darwin Peltan" <darwin.peltan at okfn.org> wrote:

> Hi,
> 
> If you're going with option 2, one additional suggestion on this would be to reduce the TTL on the domain. This would allow the switchover to happen more quickly (as it would reduce the time that nameservers would cache the existing IP for).
> 
> Best,
> 
> Darwin
> 
> Darwin Peltan
> Project Manager
> 
> The Open Knowledge Foundation 
> http://www.okfn.org
> 
> Skype: darwinp
> Twitter: @darwin
> 
> 
> On 27 February 2013 16:46, Gavin Chait <gavin.chait at okfn.org> wrote:
> Hi,
> 
>  
> 
> The nature of the problem of creating new IPv4 addresses is that Rackspace offers two, seemingly similar, cloud hosting choices: First Generation and New Generation.  They cost the same and have slightly different VM configurations, but appear largely interchangeable.  By default, Rackspace pushes you onto New Generation when you register a new account and that is where we ended up during the compressed time-frame for deployment in December.
> 
>  
> 
> New Generation cloud servers do not offer additional IPv4 addresses.  First Generation cloud servers offer a maximum of 5 IP addresses at $2/month for each additional address. There may be other differences, but this is the first real variance we’re coming across.  (http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses)
> 
>  
> 
> We have three options for serving an additional IP address:
> 
> (1) Server Name Indication:
> 
> · Pros: This is the simplest option with not much configuration to do; no extra services needed; no extra costs; no extra services to monitor; no downtime required;
> · Cons: These are extremely limiting as old browsers and operating systems (e.g. Windows XP and IE6) do not support it (http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers_with_support_for_TLS_server_name_indication.5B5.5D);
> · Setup time: 15-20 mins
> · Self-service: http://nginx.org/en/docs/http/configuring_https_servers.html#sni
> · Our charge: none
> 
> (2) Migrate the existing Rackspace New Generation VM to a First Generation VM:
> 
> · Pros: No extra load balancer needed; we can terminate multiple SSL sites in future as well; once complete, there are no extra costs (save for the $2/month/IP address) or configuration differences to maintain;
> · Cons: The existing IP address will change necessitating long downtime for switchover as the DNS transfer takes place; we would have to run both VMs simultaneously until such time as the transfer has completed;
> · Setup time: 1-2 days estimate;
> · Self-service: Clone the existing Cleopatra site onto the new VM, test and ensure that all is as before; request additional IP from Rackspace as per above link; begin DNS migration;
> · Our charge: We can perform the entire migration (1-2 days, at $1,120/day), or we can support the transfer as SSQ performs the cloning; there will be a small additional hosting cost while the two servers run side-by-side until we complete the migration;
> 
> (3) Utilise Rackspace Cloud Load Balancer as additional SSL endpoint:
> 
> · Pros: Less cost than setting up a second cloud instance, and less effort than performing a migration as the original IP address will be maintained;
> · Cons: Costs are higher as we pay per SSL termination - currently two; seems non-trivial to get running for SSL and manage; extra services to monitor;
> · Setup time: 1-2 days;
> · Self-service: Non-trivial and we’d suggest testing on the staging server;
> · Estimated costs: Our costs (at $1,120/day, if required) + additional $40-$50/month for the Cloud Load Balancers (based on estimated number of connections)
>  
> 
> Option 2 would appear to be best, even though it does result in the DNS transfer requirements.  It would mean that we are protected in future should you require additional IP addresses (bearing in mind the hard limit of 5/VM).
> 
>  
> 
> This has been a very unexpected problem and I imagine we haven’t come across it before because our other sites are on the First Generation cloud servers.
> 
>  
> 
> Please could you advise as to how we should proceed.
> 
>  
> 
> Thanks and regards
> 
>  
> 
> Gavin
> 
>  
> 
> Gavin Chait | Head of Services | Open Knowledge Foundation
> gavin.chait at okfn.org | M:  +44 (0) 78 9495 7090  | http://okfn.org/
> 
>  
> 
> From: Cat [mailto:cat at abintra.com.au] 
> Sent: 27 February 2013 13:59
> To: gavin.chait at okfn.org; 'Lawrence Howson'; joel.rebello at okfn.org
> Cc: david.beal at smartservice.qld.gov.au; callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN config
> 
>  
> 
> Thanks Gavin
> 
>  
> 
> From: Gavin Chait [mailto:gavin.chait at okfn.org] 
> Sent: Wednesday, 27 February 2013 11:57 PM
> To: 'Cat'; 'Lawrence Howson'; joel.rebello at okfn.org
> Cc: david.beal at smartservice.qld.gov.au; callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN config
> 
>  
> 
> Hi Cat,
> 
>  
> 
> Joel has confirmed he can use the SSL certificate already installed, however, we’re apparently hosting on Rackspace’s “Next Generation” cloud servers and this means that they cannot readily provide an additional IPv4 address without additional load balancing.  They provide this as an extra-cost service and we’re busy confirming the price for this.
> 
>  
> 
> We’ll get back to you as soon as we have further details.
> 
>  
> 
> Regards
> 
>  
> 
> Gavin
> 
>  
> 
> Gavin Chait | Head of Services | Open Knowledge Foundation
> gavin.chait at okfn.org | M:  +44 (0) 78 9495 7090  | http://okfn.org/
> 
>  
> 
> From: Cat [mailto:cat at abintra.com.au] 
> Sent: 27 February 2013 13:41
> To: 'Lawrence Howson'; joel.rebello at okfn.org
> Cc: gavin.chait at okfn.org; david.beal at smartservice.qld.gov.au; callie.evans at smartservice.qld.gov.au; 'Cox Catherine'
> Subject: RE: [CKAN-support] Urgent request - Queensland Government CKAN config
> 
>  
> 
> Hi Guys
> 
>  
> 
> I am not a tech person, so please bear with me as I get a better understanding.
> 
>  
> 
> The SSL certificate is already installed on Cleopatra for Publications.qld.gov.au. I am wondering if you can get the information that you need from there. Otherwise I will not be able to send these to you until I can talk to one of our developers in our morning.
> 
>  
> 
> If you can work with the SSL certificate already installed for publications on Cleopatra, what are the implications of rebooting the server? We have a data.qld.gov.au instance of CKAN also installed on the same server. Would both products go down for that period of time? What is the expected (and worst case) downtime and is there any chance that this can be avoided? Also, are there any other risks involved? Would settings in Publications or data instances of CKAN be affected by the down time?
> 
>  
> 
> Kind regards
> 
>  
> 
> Cat
> 
>  
> 
> From: Lawrence Howson [mailto:lawrence at xvt.com.au] 
> Sent: Wednesday, 27 February 2013 10:35 PM
> To: cat
> Subject: Fwd: [CKAN-support] Urgent request - Queensland Government CKAN config
> 
>  
> 
> Hi Catherine,
> 
>  
> 
> Would you be able to supply the SSL cert as per below? Have a read of the Rackspace document, they are quite exacting in what they require.
> 
>  
> 
> Thanks,
> 
>  
> 
> Lawrence
> 
>  
> 
> Begin forwarded message:
> 
>  
> 
> From: Joel Rebello <joel.rebello at okfn.org>
> 
> Subject: Re: [CKAN-support] Urgent request - Queensland Government CKAN config
> 
> Date: 27 February 2013 11:30:57 PM AEDT
> 
> To: Lawrence Howson <lawrence at xvt.com.au>
> 
> Cc: "support at ckan.org" <support at ckan.org>, Support <support at xvt.com.au>, Gavin Chait <gavin.chait at okfn.org>, Darwin Peltan <darwin.peltan at okfn.org>
> 
>  
> 
> Hey Lawrence,
> 
> As per Rackspace support, they will only add IP addresses to the
> server based on the points mentioned in this document -
> http://www.rackspace.com/knowledge_center/article/requesting-additional-ipv4-addresses
> 
> This is mainly because of IPv4 address shortages, as per the doc they
> need us to provide the SSL certs for the site we intend to host on
> this new IP address. The addition of an IP will require a downtime for
> the server, although I'm checking with them if this downtime can be
> prevented.
> 
> Please forward the SSL certs for the domain to be hosted on the new IP
> and details on when would a downtime for the server be ok, if
> Rackspace cannot avoid it.
> 
> 
> Regards,
> Joel Rebello
> 
> 
> On Wed, Feb 27, 2013 at 4:50 PM, Lawrence Howson <lawrence at xvt.com.au> wrote:
> 
> Hi,
> 
> We received an urgent request from SmartServices Queensland as per below:
> 
> Can we please as a matter of urgency request the following:
> ·         A new IP address that would point to the server Cleopatra that we
> can use for publications on port 80 and 443.
> ·         A new port open on the existing IP...preferably 444 if available.
> This request is due to a certificate error in IE that we need to resolve
> urgently.
> 
> 
> 
> Could you advise on a timeframe to implement this?
> 
> Thanks,
> 
> Lawrence
> 
> 
> 
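Option 1 in the quoted message depends on nginx picking the certificate from the TLS Server Name Indication value, which is also why clients without SNI see a certificate error. The configuration below is an added example, not taken from the thread or from the actual Cleopatra deployment: the certificate paths, the backend address 127.0.0.1:8080 and the log file name are assumptions. It also logs whether each client sent SNI, so the share of affected legacy clients can be measured before committing to this option.

```nginx
# Added example: two HTTPS sites on one IPv4 address, selected by SNI.
# Certificate paths, backend address and log name are placeholders (assumptions).
# "nginx -V" should report "TLS SNI support enabled".

events {}

http {
    # $ssl_server_name is empty when the client sent no SNI extension
    # (variable available in nginx 1.7.0 and later).
    log_format sni '$remote_addr [$time_local] host="$host" '
                   'sni="$ssl_server_name" proto=$ssl_protocol '
                   'ua="$http_user_agent"';

    # Default server for this address: a client WITHOUT SNI always receives
    # this certificate, whatever hostname it later sends in the Host header.
    server {
        listen 443 ssl default_server;
        server_name data.qld.gov.au;

        ssl_certificate     /etc/nginx/ssl/data.qld.gov.au.crt;
        ssl_certificate_key /etc/nginx/ssl/data.qld.gov.au.key;

        access_log /var/log/nginx/tls_sni.log sni;

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed CKAN backend
            proxy_set_header Host $host;
        }
    }

    # Second site on the same IP and port: only SNI-capable clients are
    # served this certificate during the handshake.
    server {
        listen 443 ssl;
        server_name publications.qld.gov.au;

        ssl_certificate     /etc/nginx/ssl/publications.qld.gov.au.crt;
        ssl_certificate_key /etc/nginx/ssl/publications.qld.gov.au.key;

        access_log /var/log/nginx/tls_sni.log sni;

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed CKAN backend
            proxy_set_header Host $host;
        }
    }
}
```

With this layout a non-SNI client requesting publications.qld.gov.au is handed the data.qld.gov.au certificate and gets a name-mismatch warning; log lines with `sni=""` count those clients.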