ntg.uni-muenster.de

This page describes the VM ntg.uni-muenster.de where the main project is hosted.

ntg.uni-muenster.de is a Debian stable VM in the WWU OpenStack cloud.

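[Figure: Apache serves the JS client files from /var/www/ntg at https://ntg.uni-muenster.de/ and exposes https://ntg.uni-muenster.de/api/; the API server listens at http://localhost:5000/api/ and reads its config files from ~ntg/prj/ntg/ntg/instance/*.conf; Postgres holds the User database and the project databases Acts Ph 4, Acts Ph 5, Mark Ph 1.2, Mark Ph 2, Mark Ph 2.2, John Ph 1, John Fam Ph 1, 2Sam Ph 1, 2Sam Ph 2, CL Ph 2.]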

Overview of VM

Apache

The Apache server has 2 functions:

  • to serve the JavaScript client files and

  • to proxy the public API endpoint to the local App server.

The JavaScript client files are served from /var/www/ntg/. The JavaScript client also needs to know where to find the world-visible API endpoint. That is configured in the file /var/www/ntg/api.conf.js:

var api_base_url = 'https://ntg.uni-muenster.de/api/';

Apache also proxies all API requests from the client to the API server. The world-visible API endpoint “https://ntg.uni-muenster.de/api/” is proxied to the internal “http://localhost:5000/api/” using mod_rewrite. Apache handles all SSL/TLS.
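Because the API server speaks plain HTTP on port 5000 and relies on Apache for encryption, it is worth confirming that the port is bound to loopback only. The check below is an added example, not part of the original page or the project's scripts; the function name `check_loopback_only` and the sample lines are constructed, and it assumes the API server is meant to be reachable only through Apache.

```shell
#!/bin/sh
# Added example: reads `ss -Htln` output on stdin and inspects every TCP
# listener on PORT.
# check_loopback_only PORT
#   returns 0 if all listeners on PORT are bound to loopback,
#           1 if at least one is bound to another address (printed),
#           2 if nothing listens on PORT at all.
check_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # local address:port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)              # drop an interface scope such as %lo
            found = 1
            if (host !~ /^127\./ && host != "[::1]") {
                print "exposed: " addr
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed samples of `ss -Htln` output (not captured from the VM).
SAMPLE_OK='LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 [::1]:5000 [::]:*
LISTEN 0 511 *:443 *:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 511 *:443 *:*'
```

On the VM the input would come from `ss -Htln | check_loopback_only 5000`.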

Note

This is not hardwired: as an alternative, the API server could be made world-visible on a URL of its own, e.g. “https://api.ntg.uni-muenster.de/”, but that would require an extra DNS entry and certificate.

API Server

The API server loads its configuration from the ~ntg/prj/ntg/ntg/instance/ directory, one config file for each project. See API Server Configuration Files.

The API server runs as a systemd service, owned by the user “ntg” and controlled by the file /etc/systemd/system/ntg.service.

The user “ntg” has sudo rights to control the API server:

sudo /bin/systemctl start ntg
sudo /bin/systemctl stop ntg
sudo /bin/systemctl restart ntg
sudo /bin/systemctl status ntg
sudo /bin/journalctl -u ntg

Postgres

A standard PostgreSQL installation.

The Postgres server has one database for each project, plus the ntg_user database for user credentials.

Postgres data resides in its own filesystem mounted at /var/lib/postgresql.

Users

The user “ntg” owns:

  • the API server and has sudo rights to restart it,

  • all Postgres databases shown above,

  • the /var/www/ntg directory where the JS client files reside.

The user “postgres” is the database superuser.

Note

You have to be a database superuser to create new project databases because the mysql_fdw extension says so.

Developers

Developers have sudo rights on this VM, so they can become user “ntg” or “postgres”.

Ideally you should always log in using SSH public key authentication, and no user password should be set on your account at all. To be able to sudo without a password you must forward your authentication agent when you ssh into this machine:

ssh -A username@ntg.uni-muenster.de

Then, if everything works, sudo should not ask you for a password.

Add a new developer to the VM

You need the new developer to send you their public SSH key; store it in the file /tmp/id_rsa.pub on your local machine. Then ssh into the VM and add the new user $NEWUSER, setting a temporary password:

sudo adduser $NEWUSER

Open another shell on your local machine and run:

ssh-copy-id -f -i /tmp/id_rsa.pub $NEWUSER@ntg.uni-muenster.de

Close this shell. Back on the VM, disable the temporary password and add the developer to the sudoers. To give a user sudo rights without a password, add their public key to the file /etc/security/authorized_keys.

sudo passwd -d -l $NEWUSER
sudo usermod -aG sudo $NEWUSER
sudo bash -c "cat ~$NEWUSER/.ssh/authorized_keys >> /etc/security/authorized_keys"
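A re-runnable variant of the final append step, as an added example that is not part of the original page or the project's scripts: the `cat ... >>` line above adds the same key again every time it is run, while the hypothetical `merge_keys` function below appends only keys that are not yet present. The set of key types it accepts is this example's own choice; try it on scratch files first.

```shell
#!/bin/sh
# Added example, not the project's script.
# merge_keys SRC DST
#   Appends to DST each public-key line of SRC whose "type blob" pair is not
#   already in DST (the trailing comment is ignored when comparing).
#   Prints the number of lines appended. Returns 2 if SRC is unreadable and
#   3 (leaving DST untouched) if SRC has a line that is not a public key.
merge_keys() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "merge_keys: cannot read $src" >&2; return 2; }
    [ -e "$dst" ] || : > "$dst" || return 2
    new=$(awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            id = ""
            # The key type may follow an options field (from=..., command=...).
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    id = $i " " $(i + 1); break
                }
            if (id == "") { if (pass == 2) bad = 1; next }
            if (pass == 1) { seen[id] = 1; next }     # first file: DST
            if (!(id in seen)) { seen[id] = 1; print } # second file: SRC
        }
        END { if (bad) exit 3 }
    ' pass=1 "$dst" pass=2 "$src") || {
        echo "merge_keys: malformed line in $src" >&2; return 3; }
    [ -n "$new" ] || { echo 0; return 0; }
    printf '%s\n' "$new" >> "$dst"
    printf '%s\n' "$new" | wc -l | tr -d ' '
}
```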

Backups

The editorial decisions for all active databases are backed up every night and the active databases are backed up weekly. See:

sudo -u ntg crontab -l

Active databases are those that are not set read-only. The active databases are configured in the file scripts/cceh/active_databases.

Full server backups are also scheduled with backup2l. See: /etc/backup2l.conf.

Backups reside in their own filesystem mounted at /backup.

Manual Backups

Do a manual backup of all editorial decisions:

sudo -u ntg ~ntg/prj/ntg/ntg/scripts/cceh/backup_active_edits.sh

Destination directory /backup/saved_edits/.

Do a manual backup of all active databases:

sudo -u ntg ~ntg/prj/ntg/ntg/scripts/cceh/backup_active_databases.sh

Destination directory /backup/saved_databases/.

Do a manual backup of all databases, including the user database:

sudo -u postgres ~ntg/prj/ntg/ntg/scripts/cceh/backup_all_databases.sh

Destination directory /backup/postgres/.

Icinga

Icinga is monitoring software. The VM is configured as an Icinga satellite.

See under: /etc/icinga2/

OpenStack Cloud

To administer the VM in the cloud: add disks, memory, CPUs, snapshots, disaster recovery etc.

Point your browser to:

Select: DFN AAI Single Sign-On and go through the login process.

Then go to:

Project | Compute | Instances

You can now manage the VM.

For disaster recovery, select Console from the Actions dropdown and log in using the ‘debian’ user.

Note

There are issues with keyboard layout. It works best if you select the English (US) layout for your browser window. Some keys (<>|) still don’t work though.

Help chat: