e69664c42f95ad86a88e079a7e69c67d1012afe0
wiki/info/landscape/amazon-ec2.md
| ... | ... | @@ -60,6 +60,16 @@ The webserver is registered as target in various locations: |
| 60 | 60 | * as regular instance target in all load balancers' default rule's target group, such as ``DefDynsapsailing-com``, ``DNSMapped-0``, ``DNSMapped-1``, and so on; the names of the target groups are ``CentralWebServerHTTP-Dyn``, ``DDNSMapped-0-HTTP``, ``DDNSMapped-1-HTTP``, and so on, respectively. |
| 61 | 61 | * as target of the elastic IP address ``54.229.94.254`` |
| 62 | 62 | |
| 63 | +Changing the DNS entry especially for ``logfiles.internal.sapsailing.com`` requires re-mounting those NFS shares wherever they were used. Go to at least all instances tagged with ``sailing-analytics-server`` and, as user ``root``, execute the following commands: |
|
| 64 | + |
|
| 65 | +``` |
|
| 66 | + umount -l -f /var/log/old |
|
| 67 | + umount -l -f /home/scores |
|
| 68 | + mount -a |
|
| 69 | +``` |
|
| 70 | + |
|
| 71 | +This will re-mount those two essential NFS mounts and avoid, e.g., the set-up of new application processes to hang when trying to create symbolic links into ``/home/scores`` for the various file-based result importers. |
|
| 72 | + |
|
| 63 | 73 | Note that the elastic IP address ``54.229.94.254`` is in turn the target of the DNS record ``mail.sapsailing.com`` as well as the ``TXT`` DNS record for ``sapsailing.com`` for SPF e-mail validation. |
| 64 | 74 | |
| 65 | 75 | Furthermore, it is helpful to ensure that the ``/internal-server-status`` path will resolve correctly to the Apache httpd server status page. For this, the ``/etc/httpd/conf.d/001-events.conf`` file contains three rules at the very beginning: |
wiki/info/landscape/olympic-plan-for-paris-marseille-2024.md
| ... | ... | @@ -2,6 +2,18 @@ |
| 2 | 2 | |
| 3 | 3 | As a baseline we'll use the [Olympic Setup](/wiki/info/landscape/olympic-setup). The major change, though, would be that instead of running a local on-site master and a local on-site replica we would run two master instances locally on site where one is the "shadow" and the other one is the "production" master. |
| 4 | 4 | |
| 5 | +We captured a set of scripts and configuration files in out Git repository at ``configuration/on-site-scripts``, in particular also separately for the two laptops, in ``configuration/on-site-scripts/sap-p1-1`` and ``configuration/on-site-scripts/sap-p1-2``. |
|
| 6 | + |
|
| 7 | +Many of these scripts and configuration files contain an explicit reference to the replica set name (and therefore sub-domain name, DB name, tag values, etc.) ``tokyo2020``. With the test event up in July 2023 and the Paris Olympic Summer Games 2024 we should consider making this a parameter of these scripts so it is easy to adjust. We will need different sub-domains for the test event and the Games where the latter most likely will have ``paris2024.sapsailing.com`` as its domain name and hence ``paris2024`` as the replica set name. |
|
| 8 | + |
|
| 9 | +## VPCs and VPC Peering |
|
| 10 | + |
|
| 11 | +From Tokyo2020 we still have the VPCs around in five regions (``eu-west-3``, ``us-west-1``, ``us-east-1``, ``ap-northeast-1``, and ``ap-southeast-2``). But they are named ``Tokyo2020`` and our scripts currently depend on this. But VPCs can easily be renamed, and with that we may save a lot of work regarding re-peering those VPCs. We will, though need routes to the new "primary" VPC ``eu-west-3`` from everywhere because the ``paris2024-ssh.sapsailing.com`` jump host will be based there. Note the inconsistency in capitalization: for the VPC name and as part of instance names such as ``SL Tokyo2020 (Upgrade Replica)`` we use ``Tokyo2020``, for basically everything else it's ``tokyo2020`` (lowercase). When switching to a parameterized approach we should probably harmonize this and use the lowercase name consistently throughout. |
|
| 12 | + |
|
| 13 | +I've started with re-naming the VPCs and their routing tables from ``Tokyo2020`` to ``Paris2024``. I've also added VPC peering between Paris (``eu-west-3``) and California (``us-west-1``), Virginia (``us-east-1``), and Sydney (``ap-southeast-2``). The peering between Paris and Tokyo (``ap-northeast-1``) already existed because for Tokyo 2020, Paris hosted replicas that needed to access the jump host in the Tokyo region. |
|
| 14 | + |
|
| 15 | +I've also copied the "SAP Sailing Analytics 1.150" image to all five regions. |
|
| 16 | + |
|
| 5 | 17 | ## Master and Shadow Master |
| 6 | 18 | |
| 7 | 19 | We will use one laptop as production master, the other as "shadow master." The reason for not using a master and a local replica is that if the local master fails, re-starting later in the event can cause significant delays until all races have loaded and replicated again. |
wiki/info/landscape/olympic-setup.md
| ... | ... | @@ -404,7 +404,7 @@ The above configuration needs also to be set on the rabbitmq installations of th |
| 404 | 404 | |
| 405 | 405 | The primary AWS region for the tokyo2020 replica set is ap-northeast-1 (Tokyo). In order to provide low latencies for the RHBs we'd like to add replicas also in other regions. Since we want to not expose the RabbitMQ running ap-northeast-1 to the outside world, we plan to peer the VPCs of other regions with the one in ap-northeast-1. |
| 406 | 406 | |
| 407 | -The pre-requisite for VPCs to get peered is that their CIDRs (such as 172.31.0.0/16) don't overlap. The default VPC in each region always uses the same CIDR (172.31.0.0/16), and hence in order to peer VPCs all but one must be non-default VPC. To avoid confusion when lanuching instances or setting up security groups it can be adequate for those peering regions other than our default region eu-west-1 to set up non-default VPCs with peering-capable CIDRs and remove the default VPC. This way users cannot accidentally launch instances or define security groups for any VPC other than the peered one. |
|
| 407 | +The pre-requisite for VPCs to get peered is that their CIDRs (such as 172.31.0.0/16) don't overlap. The default VPC in each region always uses the same CIDR (172.31.0.0/16), and hence in order to peer VPCs all but one must be non-default VPC. To avoid confusion when launching instances or setting up security groups it can be adequate for those peering regions other than our default region ``eu-west-1`` to set up non-default VPCs with peering-capable CIDRs and remove the default VPC. This way users cannot accidentally launch instances or define security groups for any VPC other than the peered one. |
|
| 408 | 408 | |
| 409 | 409 | After having peered the VPCs, the VPCs default routing table must be extended by a route to the peered VPC's CIDR using the peering connection. |
| 410 | 410 | |
| ... | ... | @@ -418,7 +418,7 @@ The Route53 entry ``tokyo2020.sapsailing.com`` now is an alias A record pointing |
| 418 | 418 | |
| 419 | 419 | ### Geo-Blocking |
| 420 | 420 | |
| 421 | -While for Tokyo 2020 this was not requested, for Paris 2024 we heard rumors that it may. If it does, using the []AWS Web Application Firewall (WAF)](https://us-east-1.console.aws.amazon.com/wafv2/homev2/start) provides the solution. There, we can create so-called Web Access Control Lists (Web ACLs) which need to be created per region where an ALB is used. |
|
| 421 | +While for Tokyo 2020 this was not requested, for Paris 2024 we heard rumors that it may. If it does, using the [AWS Web Application Firewall (WAF)](https://us-east-1.console.aws.amazon.com/wafv2/homev2/start) provides the solution. There, we can create so-called Web Access Control Lists (Web ACLs) which need to be created per region where an ALB is used. |
|
| 422 | 422 | |
| 423 | 423 | A Web ACL consists of a number of rules and has a default action (typically "Allow" or "Block") for those requests not matched by any rule. An ACL can be associated with one or more resources, in particular with Application Load Balancers (ALBs) deployed in the region. |
| 424 | 424 |