Closed
Bug 832461
Opened 12 years ago
Closed 11 years ago
create production instance for balrog/aus4
Categories
(Infrastructure & Operations Graveyard :: WebOps: Product Delivery, task)
Infrastructure & Operations Graveyard
WebOps: Product Delivery
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: bhearsum, Assigned: cturra)
References
Details
(Whiteboard: [balrog])
No description provided.
Reporter | ||
Comment 1•12 years ago
|
||
(This is a placeholder to create a production instance for this project.)
Please create a production instance for {Website Name}.
== Date Needed By ==
* No hard deadline, sometime in the next month would be nice though.
== Language ==
* Language: Python
* Framework: Flask
== URL ==
* Production URL: https://aus4.mozilla.org, https://aus4-admin.mozilla.org
== HTTP Auth ==
* HTTP Auth is required to access the admin site.
* Please allow the same set of users access to this site as can access the dev site (aus4-admin-dev.allizom.org), with two exceptions:
** stage-ffxbld should NOT have access
** ffxbld should have access
== HTTP / HTTPS ==
* HTTPS only
== VPN ==
* aus4-admin.mozilla.org should only be accessible via mpt-vpn
== Code Repository ==
* Github Repo: https://github.com/mozilla/balrog/
== Database ==
* This site requires a MySQL database. Both applications share a single database.
== Settings ==
* Settings are read from /etc/aus/admin.ini (aus4-admin.mozilla.org) and /etc/aus/balrog.ini (aus4.mozilla.org)
* admin.ini:
** Requires rw dburi
** sentry_dsn needs to be set to an URL with a secret in it. How should I send that to you?
* balrog.ini
** Requires _ro_ dburi
** sentry_dsn needs to be set similar to the admin one
** specialforcehosts should be set to http://download.mozilla.org
== Cron ==
* No automatic updates of the app, please. Ideally, we should be able to do our own pushes with Chief or similar, but manual pushes are also fine for now.
We also require some binary python modules to be installed, specifically:
* MySQL-python 1.2.3
* Jinja2 2.5.5
* SQLAlchemy 0.7.1
* simplejson 2.0.9
For reference, here's the bugs that were involved in setting up the dev environment:
https://bugzilla.mozilla.org/show_bug.cgi?id=719581
https://bugzilla.mozilla.org/show_bug.cgi?id=685169
Assignee: nobody → server-ops-webops
Component: Release Engineering: Automation (General) → Server Operations: Web Operations
QA Contact: catlee → nmaul
Summary: set-up production environments for balrog apps → create production instance for balrog/aus4
Assignee | ||
Comment 2•11 years ago
|
||
moving this into the product delivery component so it's on the correct radar. i will run with this now. stay tuned for more details :)
Status: NEW → ASSIGNED
Component: Server Operations: Web Operations → WebOps: Product Delivery
Product: mozilla.org → Infrastructure & Operations
Comment 3•11 years ago
|
||
Additional requirement -- in the production environment, the "balrog admin app" needs to be deployed on a physically separate node per :psiinon. Per discussion with :jakem we believe we can use the adm node for that.
This will impact which hosts have access to the db r/w vip, and which can only access the r/o vip.
Comment 4•11 years ago
|
||
Similar to aus3.m.o, please purchase two SSL certificates for aus4.mozilla.org, issued by completely separate providers, so that we can continue to provide updates in the event of a compromise. Firefox does a kind of cert pinning, where the commonName and issuerName of the cert must be pref-configured values (see app.update.certs.* in about:config). Bug 913971 tracks adding the aus4 certs to the app.
Reporter | ||
Comment 5•11 years ago
|
||
Chris, here's the query we need to run to set-up an initial admin user that I mentioned:
INSERT INTO permissions VALUES ('admin', 'bhearsum@mozilla.com', NULL, 1)
Assignee | ||
Comment 6•11 years ago
|
||
done.
mysql> INSERT INTO permissions VALUES ('admin', 'bhearsum@mozilla.com', NULL, 1);
Query OK, 1 row affected (0.00 sec)
mysql> select * from permissions\G
*************************** 1. row ***************************
permission: admin
username: bhearsum@mozilla.com
options: NULL
data_version: 1
1 row in set (0.00 sec)
Reporter | ||
Comment 7•11 years ago
|
||
Chris, I know we talked earlier today and yo usaid that the only thing left to do was the ACLs, but I just realized that Nick's comment about SSL certificates hasn't been specifically addressed yet. Where do we stand here?
(In reply to Nick Thomas [:nthomas] from comment #4)
> Similar to aus3.m.o, please purchase two SSL certificates for
> aus4.mozilla.org, issued by completely separate providers, so that we can
> continue to provide updates in the event of a compromise. Firefox does a
> kind of cert pinning, where the commonName and issuerName of the cert must
> be pref-configured values (see app.update.certs.* in about:config). Bug
> 913971 tracks adding the aus4 certs to the app.
Flags: needinfo?(cturra)
Assignee | ||
Comment 8•11 years ago
|
||
:bhearsum - i will be purchasing a ssl certificate for aus4.mozilla.org today through digi cert. any additional ones we want can and will be done, but are probably not necessary for the initial launch. we can go ahead and have another issued through Thawte, just like we did a couple weeks back with aus3, for this secondary signed certificate.
Flags: needinfo?(cturra)
Reporter | ||
Comment 9•11 years ago
|
||
(In reply to Chris Turra [:cturra] from comment #8)
> :bhearsum - i will be purchasing a ssl certificate for aus4.mozilla.org
> today through digi cert. any additional ones we want can and will be done,
> but are probably not necessary for the initial launch. we can go ahead and
> have another issued through Thawte, just like we did a couple weeks back
> with aus3, for this secondary signed certificate.
Sounds good. I filed bug 919746 so we don't lose track.
Assignee | ||
Comment 10•11 years ago
|
||
ssl certificate from digicert now in place for aus4.mozilla.org..
$ openssl s_client -connect aus4.mozilla.org:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
...
---
Certificate chain
0 s:/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=aus4.mozilla.org
i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
...
additionally, as mentioned on irc, i have used the (internal) mozilla certificate authority to sign the ssl certificate on aus4-admin.mozilla.org since it will be an internal only service (and saves up a couple hundred bucks).
Assignee: server-ops-webops → cturra
Reporter | ||
Comment 11•11 years ago
|
||
Chris, with bug 920115 resolved I'm able to route to this fine now. It looks like the issuer chain is partly missing though:
aus4-admin.mozilla.org uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
The app appears functional if I click through that error, though. So close!
Flags: needinfo?(cturra)
Reporter | ||
Comment 12•11 years ago
|
||
(In reply to Ben Hearsum [:bhearsum] from comment #11)
> Chris, with bug 920115 resolved I'm able to route to this fine now. It looks
> like the issuer chain is partly missing though:
> aus4-admin.mozilla.org uses an invalid security certificate.
> The certificate is not trusted because no issuer chain was provided.
> (Error code: sec_error_unknown_issuer)
>
> The app appears functional if I click through that error, though. So close!
Nevermind - I just realized that this is because we're using the Mozilla Root here.
Flags: needinfo?(cturra)
Assignee | ||
Comment 13•11 years ago
|
||
closing this off now that we're in production with aus4 for nightly and all the monitoring is in place for this new service \o/
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 14•11 years ago
|
||
(In reply to Chris Turra [:cturra] from comment #13)
> closing this off now that we're in production with aus4 for nightly and all
> the monitoring is in place for this new service \o/
\o/!
Status: RESOLVED → VERIFIED
Updated•8 years ago
|
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•