
libravatar-fans team mailing list archive

Re: The migration plan

 

Hello Francois!

On Thu, 7 Feb 2019 at 04:37, Francois Marier <francois@xxxxxxxxxxxxxx>
wrote:

> Overall, that sounds good to me. Here are a few comments.
>
> On 2019-02-06 at 19:45:27, clime wrote:
> > There is a section "Preparing the new server" in the beginning, which I would
> > imagine happens on 17th Feb Sunday. What I need there is:
> >
> > 1) ssl httpd certificates copied to /mnt/data/libravatar-certs at the new
> > server (libravatar.fedorainfracloud.org) so that I can prepare httpd
> > configs** with them that will be switched for the current ones a while
> > before the actual DNS switch happens on 18th Feb
> >
> > 2) data exported by
> > https://git.linux-kernel.at/oliver/ivatar/blob/libravatar_export/exportaccounts.py
> > present in /mnt/data/libravatar-export - I will try to import them on 17th
> > to test things out and the similar procedure should then happen for real
> > during the migration (section "Migrating the servers") on 18th Feb
>
> Do you have root access on the existing server? I know that ofalk does, if
> you don't, you should get it now so that you can extract the data you need
> ahead of time. I would suggest you test this out in the next week or so in
> order to find and resolve any problems.
>

We have already done some testing on the data. I would probably go for
one more round on the 17th and then get the "final" data for import on the 18th.

I don't have access to the existing/old server. I would appreciate it if
somebody else could dump the data and store them at /mnt/data/... on the new
server, where I would just fetch them and continue from there. The same for the
certs.


>
> Just to be extra clear: clime or ofalk will be responsible for this part.
>
> > **also postfix configs for email encryption
>
> What exactly do you mean? Emails are not encrypted or DKIM-signed
> currently.
>
>
I mean TLS encryption between the new libravatar server and another SMTP
server (https://blog.kruyt.org/postfix-and-tls-encryption/). At least gmail now
shows a warning when a message is sent in an unencrypted manner so I figured we
might want this.


> > When the migration starts on 18th, the old server will be switched to
> > read-only mode, I should get a fresh dump of libravatar's data that I will
> > import and I will switch (or have it switched already) all the configs to
> > use the current libravatar ssl certs and the libravatar.org URL.
>
> My plan here is to switch the old server to maintenance mode before I go to
> sleep on the 17th. Which means that by the time you wake up to start the
> migration, you'll be able to do a final dump of the data and prepare/test
> everything.
>
>
Sounds good.


> > I imagine fmarier will be then responsible for the actual DNS switch of A
> > record to the new instance at the right time.
>
> I'm happy to do that after I wake up on the 18th and confirm with you that
> the new server is go. I'll get the old server proxying to the new one as
> well to help with DNS servers that insist on ignoring TTLs.
>
> > There is no public AAAA IP for the new server so I guess we will drop IPv6
> > record. The public IPv4 for the new server is: 209.132.184.237.
>
> Ok, I will purge the AAAA IP address ahead of time to help clear DNS
> caches.
>
> > When the migration is done, we will continue with the domain transfer to
> > the shared Gandi account.
>
> Sounds good to me.
>
> Thanks for getting our planning started early!
>
> Francois
>
> --
> https://fmarier.org/
>
