b782970690a312b4a36600283eb934bca833d3a6
configuration/on-site-scripts/paris2024/paris-ssh/autossh-port-forwards.service
| ... | ... | @@ -0,0 +1,12 @@ |
| 1 | +[Unit] |
|
| 2 | +Description=Establish RabbitMQ SSH tunnel with port forwards on 5673 and 15673 |
|
| 3 | +Wants=network-online.target |
|
| 4 | +After=network-online.target |
|
| 5 | + |
|
| 6 | +[Install] |
|
| 7 | +WantedBy=multi-user.target |
|
| 8 | + |
|
| 9 | +[Service] |
|
| 10 | +Type=oneshot |
|
| 11 | +RemainAfterExit=true |
|
| 12 | +ExecStart=/usr/local/bin/tunnels |
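Review bot: with `Type=oneshot` and `RemainAfterExit=true` this unit runs `/usr/local/bin/tunnels` exactly once at boot, and because that script backgrounds autossh with `-f`, systemd never tracks the tunnel process: the unit stays `active (exited)` even after autossh has died and nothing restarts it. Consider starting autossh in the foreground (no `-f`) with `Type=simple` and `Restart=on-failure` so systemd supervises the tunnel, and add a comment stating which SSH key and `known_hosts` entry the service (running as root) relies on, since `ec2-user@rabbit-eu-west-3.sapsailing.com` must be reachable non-interactively at boot.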
configuration/on-site-scripts/paris2024/paris-ssh/tunnels
| ... | ... | @@ -0,0 +1,5 @@ |
| 1 | +#!/bin/bash |
|
| 2 | +killall autossh |
|
| 3 | +sleep 2 |
|
| 4 | +# Tunnel to rabbit-eu-west-3.sapsailing.com |
|
| 5 | +autossh -M 20510 -f -A -N -L 15673:localhost:15672 -L 5673:localhost:5672 ec2-user@rabbit-eu-west-3.sapsailing.com |
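Review bot: `-A` enables SSH agent forwarding, which a `-N` port-forward-only session does not need and which lets anyone with root on the remote host use the local agent's keys; drop it. `killall autossh` on line 2 also kills every autossh instance on the machine, not only this tunnel, and without `-o ExitOnForwardFailure=yes` a session whose forwards failed to bind (e.g. 5673 still held by the previous process, which is presumably why the `sleep 2` is there) is kept alive with no forwards. Suggest `autossh -M 20510 -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 15673:localhost:15672 -L 5673:localhost:5672 ec2-user@rabbit-eu-west-3.sapsailing.com`.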
wiki/info/landscape/paris2024/olympic-plan-for-paris-marseille-2024.md
| ... | ... | @@ -179,3 +179,8 @@ Combine the above scenarios: a failing production master (hardware or VM-only) w |
| 179 | 179 | * Create LetsEncrypt certificates for the NGINX installations for paris2024.sapsailing.com and security-service.sapsailing.com and install to the two on-site laptops' NGINX environments |
| 180 | 180 | * Ensure the MongoDB installations on both laptops use the ``paris2024`` replica set |
| 181 | 181 | * Adjust Athena queries to include all ALB logging buckets from all regions |
| 182 | + |
|
| 183 | +## Open Questions |
|
| 184 | + |
|
| 185 | +* Shall we obtain the tunnel scripts via symbolic links from the respective git repo at /home/sailing/code, there then under configuration/on-site-scripts/paris2024/sap-p1-[12]? Currently, they are copies that evolve independently from the git repo. |
|
| 186 | +* make sure the autossh tunnel from paris-ssh.sapsailing.com to rabbit-eu-west-3.sapsailing.com is established upon re-boot by providing the ``/etc/systemd/system/autossh-port-forwards.service`` in ``paris-ssh.sapsailing.com`` that launches a ``tunnels`` script |
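Review bot: the second bullet under "Open Questions" is an action item, not a question, and this same commit adds the `autossh-port-forwards.service` and `tunnels` files it asks for, so it reads as already done; either state the question that actually remains (for instance whether that unit and script should also be symlinked from the git repo, as the first bullet proposes for the laptops) or move it into the task list above and mark it done. Also capitalize "Make sure" to match the first bullet.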
wiki/info/landscape/paris2024/olympic-setup.md
| ... | ... | @@ -330,22 +330,20 @@ Both ``/backup`` folders have been mirrored to a S3 bucket called ``backup-sap-p |
| 330 | 330 | |
| 331 | 331 | ### Monitoring and e-Mail Alerting |
| 332 | 332 | |
| 333 | -To be able to use ``sendmail`` to send notifications via email it needs to be installed and configured to use the AWS SES as smtp relay: |
|
| 333 | +To be able to use ``mail`` to send notifications via email we use ``postfix`` which needs to be installed and configured to use the AWS SES as smtp relay: |
|
| 334 | 334 | ``` |
| 335 | -sudo apt install sendmail |
|
| 335 | +sudo apt install postfix |
|
| 336 | 336 | ``` |
| 337 | +During the installation process, select "Internet with smarthost", use ``sap-p1-[12].sapsailing.com`` as your system mail name, and for the SMTP relay host enter ``[email-smtp.eu-west-1.amazonaws.com]:588``. |
|
| 338 | + |
|
| 339 | +The problem with AWS SES is that it seems to work reliably only when used from EC2 instances. Even a telnet connection from a non-EC2 instance will not work properly. Therefore, SES mail sending needs to work through another SSH port forward which points to ``email-smtp.eu-west-1.amazonaws.com:587``. Furthermore, the ``postfix`` mail transfer agent must be able to reach that port using the correct hostname because otherwise the certificate used for STARTTLS won't match. Therefore, we add a port forward from localhost 588 to email-smtp.eu-west-1.amazonaws.com:587 in our tunnel scripts. |
|
| 340 | + |
|
| 341 | +Follow the instructions on [https://docs.aws.amazon.com/ses/latest/dg/postfix.html](https://docs.aws.amazon.com/ses/latest/dg/postfix.html) with the exception of the port number where instead of ``587`` you have to use ``588``, and use ``email-smtp.eu-west-1.amazonaws.com`` as the SMTP host. Furthermore, an entry in ``/etc/hosts`` is required, like this: |
|
| 337 | 342 | |
| 338 | -Follow the instructions on [https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-sendmail.html](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-sendmail.html) with one exception, the content that needs to be added to ``sendmail.mc`` looks like: |
|
| 339 | 343 | ``` |
| 340 | -define(`SMART_HOST', `email-smtp.eu-west-1.amazonaws.com')dnl |
|
| 341 | -define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl |
|
| 342 | -define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl |
|
| 343 | -FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl |
|
| 344 | -MASQUERADE_AS(`sapsailing.com')dnl |
|
| 345 | -FEATURE(masquerade_envelope)dnl |
|
| 346 | -FEATURE(masquerade_entire_domain)dnl |
|
| 344 | +127.0.0.1 localhost email-smtp.eu-west-1.amazonaws.com |
|
| 347 | 345 | ``` |
| 348 | -The authentication details can be fetched from the content of ``/root/mail.properties`` of any running sailing EC2 instance. |
|
| 346 | +The authentication details that are required during the configuration of postfix according to the AWS documentation can be fetched from the content of ``/root/mail.properties`` of any running sailing EC2 instance. |
|
| 349 | 347 | |
| 350 | 348 | Both laptops, ``sap-p1-1`` and ``sap-p1-2`` have monitoring scripts from the git folder ``configuration/on-site-scripts`` linked to ``/usr/local/bin``. These in particular include ``monitor-autossh-tunnels`` and ``monitor-mongo-replica-set-delay`` as well as a ``notify-operators`` script which contains the list of e-mail addresses to notify in case an alert occurs. |
| 351 | 349 |
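Review bot: the `/etc/hosts` line mapping `email-smtp.eu-west-1.amazonaws.com` to `127.0.0.1` is a machine-wide DNS override, not a Postfix setting, so every other tool on the laptop that resolves that name is redirected too; the stated reason (the STARTTLS certificate would not match) only applies if Postfix verifies the peer name, and if the linked AWS guide's `smtp_tls_security_level = encrypt` is used, Postfix enforces TLS but does not verify the certificate, so `relayhost = [127.0.0.1]:588` would work without the override. If certificate verification is wanted, say so explicitly (`smtp_tls_security_level = secure` plus a CA file) rather than relying on the hosts entry, and note that mail delivery now silently depends on the SSH tunnel being up, which is worth covering in `monitor-autossh-tunnels`. Finally, line 339 says the 588 forward is added "in our tunnel scripts", but the laptops' tunnel scripts are not part of this commit (the `tunnels` script added here is the paris-ssh one), so that change should be included or referenced.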