FinanceServersMigrationPlan: Difference between revisions

From Newroco Tech Docs
Jump to navigationJump to search
No edit summary
 
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Overview ==
== Overview ==
This page explains the necessary steps to follow to fully update timesheets, finance, hr and tenders VMs. These communicate with each other and other VMs through direct postgresql connections and also by Rabbit AMQP messages. They are high profile and require down time for users when this procedure is done, so it needs proper preparation before starting to limit the down time and to make sure they will work correctly after migration with minimal impact on users.


== Steps before down time==
== Steps before down time==
* Create the VMs according to their needs
* Create the VMs according to their needs
* Install all packages required
* Install all packages required
* Install and configure AMQP on Finance
* finance uses mysql driver to connect to website and intranet, so php-mysql needs to be installed
* Update session.gc_maxlifetime = 48480 in /etc/php/7.0/apache2/php.ini
* Copy all scripts on finance and install the same cron jobs
* Copy all scripts on finance and install the same cron jobs
* Update IPs and passwords in scripts
* Add sudoers command aliases on finance:
* Add sudoers command aliases on finance:
<pre>
<pre>
Line 21: Line 24:


* Take full DB dumps from the old VMs
* Take full DB dumps from the old VMs
* update all DB functions to use domain names when accessing remote DBs instead of IPs. Former IPs and what they should become:
* Restore dumps to new VMs
** create user admin with password '<admin password>';
** create database admin owner admin;
** create user financedbadministratorwith password '<financedbadministrator password>';
** create database finance owner financedbadministrator;
** create user timesheetadministrator password '<timesheetadministrator password>';
** create database timesheetsystem owner timesheetadministrator;
** create user humanresourcedbadministrator'<humanresourcedbadministrator password>';
** create database humanresource owner humanresourcedbadministrator;
** create user tenderdbadmin with password '<tenderdbadmin password>';
** create database tenders owner tenderdbadmin;
** pg_restore -Fc -d <database name> <database name>-backup.sql
* Take schema only dump from old VMs and update them:
** update passwords where necessary
** update amqp_XXX functions to use different routing_keys so messages from this one are not transmitted to LIVE archives DB. Use instead of ['database.administration.staff','database.administration.projects'] these ['database.administration.staff.test','database.administration.projects.test']
** in amqp.broker update host to rabbitmq.thehumanjourney.net instead of 10.0.10.107
** update all functions to use domain names when accessing remote DBs instead of IPs. Former IPs and what they should become:
** update hr_update_script user and use instead hrupdatescript
<pre>
<pre>
10.0.10.48 finance.thehumanjourney.net
10.0.10.48 finance.goo.thehumanjourney.net
10.0.10.23 timesheets.thehumanjourney.net
10.0.10.23 timesheets.goo.thehumanjourney.net
10.0.10.42 hrdb.thehumanjourney.net
10.0.10.42 humanresources.goo.thehumanjourney.net
10.0.10.63 tenders.thehumanjourney.net
10.0.10.63 tenders.goo.thehumanjourney.net
10.0.10.130 archives-db.thehumanjourney.net
10.0.10.130 archives-db.goo.thehumanjourney.net
192.168.98.24 mapdata.thehumanjourney.net
192.168.98.24 mapdata.goo.thehumanjourney.net
</pre>
</pre>
* Update passwords where necessary
 
* Update IPs to DNS names and also passwords in all config.php files on any of the VMs
* Restore dumps to new VMs
* Edit /etc/hosts and add names and IPs to all VMs involved so they can be addressed by DNS rather than IPs:
* Edit /etc/hosts and add names and IPs to all VMs involved so they can be addressed by DNS rather than IPs:
<pre>
<pre>
10.0.10.49 finance.thehumanjourney.net
10.0.10.49 finance.goo.thehumanjourney.net
192.168.98.51 timesheets.thehumanjourney.net
192.168.98.51 timesheets.goo.thehumanjourney.net
10.0.10.43 hrdb.thehumanjourney.net
10.0.10.43 humanresources.goo.thehumanjourney.net
10.0.10.180 tenders.thehumanjourney.net
10.0.10.64 tenders.goo.thehumanjourney.net
10.0.10.130 archives-db.thehumanjourney.net
10.0.10.130 archives-db.goo.thehumanjourney.net
192.168.98.24 mapdata.thehumanjourney.net
192.168.98.24 mapdata.goo.thehumanjourney.net
10.0.10.107 rabbitmq.goo.thehumanjourney.net
</pre>
</pre>
* Open port 5432 on the firewall (IP restricted) for timesheets to access finance
* Copy and update pg_hba.conf and postgresql.conf files on each VM
* Open port 5432 on the firewall (IP restricted) for HRDB to access timesheets
* Update IPs in pg_hba.conf. For specific machine IPs, replace with goo domain name
* Open port 5432 on the firewall (IP restricted) for tenders to access mapdata
* Update the firewall to allow finance, timesheets and finance to send e-mails from their allocated .thehumajourney.net domains
* Test "pull time sheets" script on PMDB interface - this will test both ways finance - timesheets connection
* Copy vhost declaration(s)
* Test making changes to staff on PMDB interface - this will test HRDB connection to timesheets, admin, finance and also RabbitMQ sending messages from Finance to archives
* Copy code from OLD to NEW
* Test making changes to projects on PMDB interface - this will test finance RabbitMQ sending messages to archives
* Update paths in config.php
* Test making changes to an episode on Tenders interface and see if the changes were transmitted to mapdata into tenders table on oasites DB
* Update IPs to DNS names and also passwords in all config.php files on any of the VMs
* Test sending e-mails from timesheets and from finance
* On finance, update sychToWebsite.php with new IPs
* Test database backup procedures worked correctly
* Update website and intranet mysql with new privileges for the new IP
* Comment out phpCAS::setDebug(); so we don't keep huge login logs anymore
* Set proper permissions for all code
* Open port 5432 on the firewall (IP restricted)
** for timesheets to access finance
** for HRDB to access timesheets
** for tenders to access mapdata
* Install and configure RabbitMQ client on Finance
** Read the client part from [https://itwiki.oxfordarchaeology.com/RabbitMQ_Server_and_Client_Setup#Postgresql_AMQP_connection_setup this guide on OA wiki]
** but follow the steps from this [https://github.com/omniti-labs/pg_amqp official guide]
* Test everyhing works well:
** Test database backup procedures worked correctly
** Test "pull time sheets" script on PMDB interface - this will test both ways finance - timesheets connection
** Test making changes to staff on PMDB interface - this will test HRDB connection to timesheets, admin, finance and also RabbitMQ sending messages from Finance to archives
** Test making changes to projects on PMDB interface - this will test finance RabbitMQ sending messages to archives
** Test making changes to an episode or tender on Tenders interface and see if the changes were transmitted to mapdata into tenders table on oasites DB
** Test making changes to a tender on Tenders interface and see if the changes were transmitted to timesheets
** Test sending e-mails from timesheets and from finance
 
* When everything tests OKAY
** Change domain names for new VMs by removing "replacement" from the temporary name
** Update e-mail domains as well by removing "replacement" from the temporary name
** Move VMs to production hosts


== Steps during down time==
== Steps during down time==
* Stop apache on old VMs
* Take DB dumps for all old VMs
* Take DB dumps for all old VMs
* Restore only data to new VMs
* Restore only data to new VMs - this does not work, try instead a full restore and then again function update
* Stop DB engine and apache on all old VMs to prevent any external connections still trying the old VMs
* Change domain names for old VMs by adding "old"
* Stop old VMs, park them
* Update DNS records to point to new VMs
* Update DNS records to point to new VMs
** Proxy
** DNS
** OAN proxy and DNS
** external proxy
* update amqp_XXX functions to use the LIVE routing_keys so messages from finance can now be transmitted to LIVE archives DB. Use instead of ['database.administration.staff.test','database.administration.projects.test'] these ['database.administration.staff','database.administration.projects']


== Steps after down time==
== Steps after down time==
Line 65: Line 113:
** Make project changes on Finance and see if the change was propagated to Archives - this checks if RabbitMQ worked well
** Make project changes on Finance and see if the change was propagated to Archives - this checks if RabbitMQ worked well
* Monitor any support tickets related to any of these services and first find a cause in the migration done.
* Monitor any support tickets related to any of these services and first find a cause in the migration done.
* Check alerts are flowing normally from finance and TRS
* Inform Simon of the domain names to use with his ODBC connections

Latest revision as of 12:05, 22 June 2017

Overview

This page explains the necessary steps to follow to fully update timesheets, finance, hr and tenders VMs. These communicate with each other and other VMs through direct postgresql connections and also by Rabbit AMQP messages. They are high profile and require down time for users when this procedure is done, so it needs proper preparation before starting to limit the down time and to make sure they will work correctly after migration with minimal impact on users.

Steps before down time

  • Create the VMs according to their needs
  • Install all packages required
  • finance uses mysql driver to connect to website and intranet, so php-mysql needs to be installed
  • Update session.gc_maxlifetime = 48480 in /etc/php/7.0/apache2/php.ini
  • Copy all scripts on finance and install the same cron jobs
  • Update IPs and passwords in scripts
  • Add sudoers command aliases on finance:
# Cmnd alias specification
Cmnd_Alias FINANCESCRIPT= /home/finance/synchCommand.sh . /home/finance/midnightScripts.sh /home/finance/.financeLock
Cmnd_Alias PULLTSSCRIPT= /home/finance/synchCommand.sh . /home/finance/pullTimeSheets.sh * /home/finance/.financeLock
Cmnd_Alias SLIPEXPSCRIPT= /home/finance/synchCommand.sh . /home/finance/slipExpAndDatedProjects.sh /home/finance/.financeLock

# User www-data needs to run the above command as finance
www-data ALL=(finance) NOPASSWD:FINANCESCRIPT
www-data ALL=(finance) NOPASSWD:PULLTSSCRIPT
www-data ALL=(finance) NOPASSWD:SLIPEXPSCRIPT

  • Take full DB dumps from the old VMs
  • Restore dumps to new VMs
    • create user admin with password '<admin password>';
    • create database admin owner admin;
    • create user financedbadministratorwith password '<financedbadministrator password>';
    • create database finance owner financedbadministrator;
    • create user timesheetadministrator password '<timesheetadministrator password>';
    • create database timesheetsystem owner timesheetadministrator;
    • create user humanresourcedbadministrator'<humanresourcedbadministrator password>';
    • create database humanresource owner humanresourcedbadministrator;
    • create user tenderdbadmin with password '<tenderdbadmin password>';
    • create database tenders owner tenderdbadmin;
    • pg_restore -Fc -d <database name> <database name>-backup.sql
  • Take schema only dump from old VMs and update them:
    • update passwords where necessary
    • update amqp_XXX functions to use different routing_keys so messages from this one are not transmitted to LIVE archives DB. Use instead of ['database.administration.staff','database.administration.projects'] these ['database.administration.staff.test','database.administration.projects.test']
    • in amqp.broker update host to rabbitmq.thehumanjourney.net instead of 10.0.10.107
    • update all functions to use domain names when accessing remote DBs instead of IPs. Former IPs and what they should become:
    • update hr_update_script user and use instead hrupdatescript
10.0.10.48 finance.goo.thehumanjourney.net
10.0.10.23 timesheets.goo.thehumanjourney.net
10.0.10.42 humanresources.goo.thehumanjourney.net
10.0.10.63 tenders.goo.thehumanjourney.net
10.0.10.130 archives-db.goo.thehumanjourney.net
192.168.98.24 mapdata.goo.thehumanjourney.net
  • Edit /etc/hosts and add names and IPs to all VMs involved so they can be addressed by DNS rather than IPs:
10.0.10.49 finance.goo.thehumanjourney.net
192.168.98.51 timesheets.goo.thehumanjourney.net
10.0.10.43 humanresources.goo.thehumanjourney.net
10.0.10.64 tenders.goo.thehumanjourney.net
10.0.10.130 archives-db.goo.thehumanjourney.net
192.168.98.24 mapdata.goo.thehumanjourney.net
10.0.10.107 rabbitmq.goo.thehumanjourney.net
  • Copy and update pg_hba.conf and postgresql.conf files on each VM
  • Update IPs in pg_hba.conf. For specific machine IPs, replace with goo domain name
  • Update the firewall to allow finance, timesheets and finance to send e-mails from their allocated .thehumajourney.net domains
  • Copy vhost declaration(s)
  • Copy code from OLD to NEW
  • Update paths in config.php
  • Update IPs to DNS names and also passwords in all config.php files on any of the VMs
  • On finance, update sychToWebsite.php with new IPs
  • Update website and intranet mysql with new privileges for the new IP
  • Comment out phpCAS::setDebug(); so we don't keep huge login logs anymore
  • Set proper permissions for all code
  • Open port 5432 on the firewall (IP restricted)
    • for timesheets to access finance
    • for HRDB to access timesheets
    • for tenders to access mapdata
  • Install and configure RabbitMQ client on Finance
  • Test everyhing works well:
    • Test database backup procedures worked correctly
    • Test "pull time sheets" script on PMDB interface - this will test both ways finance - timesheets connection
    • Test making changes to staff on PMDB interface - this will test HRDB connection to timesheets, admin, finance and also RabbitMQ sending messages from Finance to archives
    • Test making changes to projects on PMDB interface - this will test finance RabbitMQ sending messages to archives
    • Test making changes to an episode or tender on Tenders interface and see if the changes were transmitted to mapdata into tenders table on oasites DB
    • Test making changes to a tender on Tenders interface and see if the changes were transmitted to timesheets
    • Test sending e-mails from timesheets and from finance
  • When everything tests OKAY
    • Change domain names for new VMs by removing "replacement" from the temporary name
    • Update e-mail domains as well by removing "replacement" from the temporary name
    • Move VMs to production hosts

Steps during down time

  • Stop apache on old VMs
  • Take DB dumps for all old VMs
  • Restore only data to new VMs - this does not work, try instead a full restore and then again function update
  • Change domain names for old VMs by adding "old"
  • Stop old VMs, park them
  • Update DNS records to point to new VMs
    • Proxy
    • DNS
    • OAN proxy and DNS
    • external proxy
  • update amqp_XXX functions to use the LIVE routing_keys so messages from finance can now be transmitted to LIVE archives DB. Use instead of ['database.administration.staff.test','database.administration.projects.test'] these ['database.administration.staff','database.administration.projects']

Steps after down time

  • Test all interfaces work well
  • Test special functions that might no longer work
    • Make staff changes in HRDB and check if the change was propagated to TRS, Finance, Admin DB on Finance VM, Tenders, Archives
    • Make project changes on Finance and see if the change was propagated to Archives - this checks if RabbitMQ worked well
  • Monitor any support tickets related to any of these services and first find a cause in the migration done.
  • Check alerts are flowing normally from finance and TRS
  • Inform Simon of the domain names to use with his ODBC connections