From bf4935fb608718334afb146ac08ce2a8cf61bff3 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Tue, 24 Sep 2024 18:37:34 +0200 Subject: [PATCH 1/8] =?UTF-8?q?docs:=20wip=20on=20ks1=C2=A0install?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...024-09-24-kimsufi-stor-ks1-installation.md | 141 +++++++++++++++++- docs/sanoid.md | 2 +- docs/zfs-overview.md | 16 ++ 3 files changed, 154 insertions(+), 5 deletions(-) diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index 1fffc28c..d0912a01 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md @@ -1,6 +1,6 @@ # Kimsufi STOR - ks1 installation -## Rationale for new server +## Rationale for new server We have performance issues on off1 and off2 that are becoming unbearable, in particular disk usage on off2 is so high that 60% of processes are in iowait state. @@ -8,11 +8,11 @@ We just moved today (24/09/2024) images serving from off2 to off1, but that just We are thus installing a new cheap Kimsufi server to see if we can move the serving of images to it. -## Server specs +## Server specs KS-STOR - Intel Xeon-D 1521 - 4 c / 8 t - 16 Gb RAM - 4x 6 Tb HDD + 500 Gb SSD -## Install +## Install We create a A record ks1.openfoodfacts.org to point it to the IP of the server: 217.182.132.133 In OVH's console, we rename the server to ks1.openfoodfacts.org 
@@ -22,7 +22,140 @@ On OVH console, we install Debian 12 Bookworm on the SSD. Once the install is complete, OVH sends the credentials by email. We add users for the admin(s) and give sudo access: - +```bash sudo usermod -aG sudo [username] +``` + +Set hostname `hostnamectl hostname ks1` + +I also manually runned the usual commands found in ct_postinstall. + +I also followed [How to have server config in git](../how-to-have-server-config-in-git.md) + + +## Install and setup ZFS + +### Install ZFS +```bash +sudo apt install zfsutils-linux +sudo /sbin/modprobe zfs +``` + +Added the `zfs.conf` file to `/etc/modprobe.d` + +### Create ZFS pool + +`lsblk` shows me existing disks. The 4 disks are available, system is installed on the NVME SSD. + +So I created the pool with them (see [How to create a zpool](../zfs-overview.md#how-to-create-a-zpool)) + +```bash +zpool create zfs-hdd /dev/sd{a,b,c,d} +``` + +## Install sanoid / syncoid + +I installed the sanoid.deb that I got from the off1 server. + +```bash +apt install libcapture-tiny-perl libconfig-inifiles-perl +apt install lzop mbuffer pv +dpkg -i /home/alex/sanoid_2.2.0_all.deb +``` + + +## Sync data + +After installing sanoid, I am ready to sync data. + +I sync them from OVH3 since it's the same data-center. + +I createed a ks1operator user on ovh3, following [creating operator on PROD_SERVER](../sanoid.md#creating-operator-on-prod_server) + +I also had to make a `ln -s /usr/sbin/zfs /usr/bin/zfs` on ovh3 + +Then I used: + +```bash + time syncoid --no-sync-snap --no-privilege-elevation ks1operator@ovh3.openfoodfacts.org:rpoo/off/images zfs-hdd/off-images +``` + +## Configure sanoid + +**FIXME** todo + +## Firewall + +As the setting will be simple (no masquerading / forwarding), we will use ufw. 
+ +```bash +apt install ufw + +ufw allow OpenSSH +ufw allow http +ufw allow https +ufw default deny incoming +ufw default allow outgoing + +# verify +ufw show added +# go +ufw enable +``` + +fail2ban is already installed, but failing with: +``` +Failed during configuration: Have not found any log file for sshd jail +``` +This is because the sshd daemon logs into systemd-journald, not in a log file. +To fix that, I modified `/etc/fail2ban/jail.d/defaults-debian.conf` to be: +```ini +[sshd] +enabled = true +backend = systemd +``` + + +## NGINX + +### Install + +I installed nginx and certbot: +```bash +apt install nginx +apt install python3-certbot python3-certbot-nginx +``` + +### Configure + +Created `confs/ks1/nginx/sites-available/images-off` akin to off1 configuration. + +`ln -s /opt/openfoodfacts-infrastructure/confs/ks1/nginx/sites-available/images-off /etc/nginx/sites-enabled/images-off` + +### Certificates + +As I can't use certbot until having the DNS pointing to this server, +I copied the one from off1. 
+ +```bash +ssh -A off1 +sudo -E bash +# see active certificates +ls -l /etc/letsencrypt/live/images.openfoodfacts.org/ +# here it's 19, copy them +scp /etc/letsencrypt/archive/images.openfoodfacts.org/*19* alex@ks1.openfoodfacts.org: +exit +exit +``` +On ks1: +```bash +mkdir -p /etc/letsencrypt/{live,archive}/images.openfoodfacts.org +mv /home/alex/*19* /etc/letsencrypt/archive/images.openfoodfacts.org/ +ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/cert19.pem /etc/letsencrypt/live/images.openfoodfacts.org/cert.pem +ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/chain19.pem /etc/letsencrypt/live/images.openfoodfacts.org/chain.pem +ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/fullchain19.pem /etc/letsencrypt/live/images.openfoodfacts.org/fullchain.pem +ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/privkey19.pem /etc/letsencrypt/live/images.openfoodfacts.org/privkey.pem +chown -R root:root /etc/letsencrypt/ +chmod go-rwx /etc/letsencrypt/{live,archive} \ No newline at end of file diff --git a/docs/sanoid.md b/docs/sanoid.md index 2d6e7ade..8b3d28f0 100644 --- a/docs/sanoid.md +++ b/docs/sanoid.md @@ -152,7 +152,7 @@ mkdir /home/$OPERATOR/.ssh vim /home/$OPERATOR/.ssh/authorized_keys # copy BACKUP_SERVER root public key -chown -R /home/$OPERATOR +chown $OPERATOR:$OPERATOR -R /home/$OPERATOR chmod go-rwx -R /home/$OPERATOR/.ssh ``` diff --git a/docs/zfs-overview.md b/docs/zfs-overview.md index 9f548f10..0951a349 100644 --- a/docs/zfs-overview.md +++ b/docs/zfs-overview.md 
@@ -51,6 +51,22 @@ We use sanoid / syncoid to sync ZFS datasets between servers (also to back them See [sanoid](./sanoid.md) +## How to create a zpool + +Ensure disks are not mounted and available (eg using `lsblk`). +You can eventually split them into different partitions if needed. + +Just create the pool with the resources: + +`zpool create ...` + +For pool name use something like zfs-something (zfs-hdd, zfs-nvme, etc.) + +For pool-type, use the one that's needed: none (no mention), mirror, raidz. + +You may add a [cache](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html#Cache_Devices) and / or a [log device](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html#log). + + ## How to NFS mount a zfs dataset ZFS directly integrate to NFS server. From c8747ef5d40e99726058f3bdd92539e9bdc73965 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Wed, 25 Sep 2024 15:57:04 +0200 Subject: [PATCH 2/8] =?UTF-8?q?docs:=C2=A0more=20zfs=20doc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...024-09-24-kimsufi-stor-ks1-installation.md | 23 ++++++++++++++--- docs/zfs-overview.md | 25 ++++++++++++------- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index d0912a01..bc4e8f5e 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md @@ -42,6 +42,7 @@ sudo /sbin/modprobe zfs ``` Added the `zfs.conf` file to `/etc/modprobe.d` +Then run `update-initramfs -u -k all` ### Create ZFS pool 
@@ -53,6 +54,14 @@ So I created the pool with them (see [How to create a zpool](../zfs-overview.md# zpool create zfs-hdd /dev/sd{a,b,c,d} ``` +### Setup compression + +We want to enable compression on the pool. + +```bash +zfs set compression=on zfs-hdd +``` + ## Install sanoid / syncoid I installed the sanoid.deb that I got from the off1 server. @@ -68,16 +77,21 @@ dpkg -i /home/alex/sanoid_2.2.0_all.deb After installing sanoid, I am ready to sync data. -I sync them from OVH3 since it's the same data-center. +I first create a off dataset to have same structure as on other servers: +```bash +zfs create zfs-hdd/off +``` + +I 'll sync the data from OVH3 since it's the same data-center. -I createed a ks1operator user on ovh3, following [creating operator on PROD_SERVER](../sanoid.md#creating-operator-on-prod_server) +I created a ks1operator user on ovh3, following [creating operator on PROD_SERVER](../sanoid.md#creating-operator-on-prod_server) I also had to make a `ln -s /usr/sbin/zfs /usr/bin/zfs` on ovh3 Then I used: ```bash - time syncoid --no-sync-snap --no-privilege-elevation ks1operator@ovh3.openfoodfacts.org:rpoo/off/images zfs-hdd/off-images + time syncoid --no-sync-snap --no-privilege-elevation ks1operator@ovh3.openfoodfacts.org:rpool/off/images zfs-hdd/off/images ``` ## Configure sanoid @@ -158,4 +172,5 @@ ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/chain19.pem /etc/letsenc ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/fullchain19.pem /etc/letsencrypt/live/images.openfoodfacts.org/fullchain.pem ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/privkey19.pem /etc/letsencrypt/live/images.openfoodfacts.org/privkey.pem chown -R root:root /etc/letsencrypt/ -chmod go-rwx /etc/letsencrypt/{live,archive} \ No newline at end of file +chmod go-rwx /etc/letsencrypt/{live,archive} +``` \ No newline at end of file diff --git a/docs/zfs-overview.md b/docs/zfs-overview.md index 0951a349..a333ae07 100644 --- a/docs/zfs-overview.md 
+++ b/docs/zfs-overview.md @@ -6,10 +6,17 @@ We use a lot ZFS for our data for it's reliability and incredible capabilities. ## Learning resources + To learn about ZFS, see [the onboarding made by Christian](reports/2023-02-24-zfs-introduction.md) -See also [OpenZFS official documentation](https://openzfs.github.io/openzfs-docs/) -and [Proxmox ZFS documentation](https://pve.proxmox.com/wiki/ZFS_on_Linux#sysadmin_zfs_special_device) +Also See [OpenZFS official documentation](https://openzfs.github.io/openzfs-docs/) +it's very complete, but it's a bit hard to navigate. +* [misc man page section](https://openzfs.github.io/openzfs-docs/man/master/7/index.html) contains a lot of useful information on properties and features +* [Basic Concepts](https://openzfs.github.io/openzfs-docs/Basic%20Concepts/index.html) is a good place to return to from time to time to grab concepts better +* [Man pages on system administration commands](https://openzfs.github.io/openzfs-docs/man/master/8/index.html) are really useful +* [Performance and Tuning](https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/index.html) is also valuable to dig in some options + +[Proxmox ZFS documentation](https://pve.proxmox.com/wiki/ZFS_on_Linux#sysadmin_zfs_special_device) is another valuable resource. Tutorial about ZFS snapshots and clone: https://ubuntu.com/tutorials/using-zfs-snapshots-clones#1-overview 
@@ -18,18 +25,18 @@ A good cheat-sheet: https://blog.mikesulsenti.com/zfs-cheat-sheet-and-guide/ ## Some useful commands -* `zpool status` to see eventual errors -* `zpool list -v` to see all device +* [`zpool status`](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-status.8.html) to see eventual errors +* [`zpool list -v`](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-list.8.html) to see all device **Note**: there is a quirk with ALLOC which is different for mirror pools and raidz pools. On the first it's allocated space to datasets, on the second it's used space. -* `zfs list -r` to get all datasets and their mountpoints - 3. zpool list -v list all devices +* [`zfs list -r`](https://openzfs.github.io/openzfs-docs/man/master/8/zfs-list.8.html) to get all datasets and their mountpoints -* `zpool iostat` to see stats about read / write. `zpool iostat -vl 5` is particularly useful. +* [`zpool iostat`](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-iostat.8.html) to see stats about read / write. `zpool iostat -vl 5` is particularly useful, + `zpool iostat -w` helps you understand the time taken by data to be read / written. -* `zpool history` list all operations done on a pool +* [`zpool history`](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-history.8.html) list all operations done on a pool * `zpool list -o name,size,usedbysnapshots,allocated` see space allocated (equivalent to `df`) @@ -39,7 +46,7 @@ A good cheat-sheet: https://blog.mikesulsenti.com/zfs-cheat-sheet-and-guide/ zfs list -o zfs list -o name,used,usedbydataset,usedbysnapshots,available -r ``` -* `zdb` is also worth knowing (`zfd -s` for example) +* [`zdb`](https://openzfs.github.io/openzfs-docs/man/master/8/zdb.8.html) is also worth knowing (`zdb -s ` for example) ## Proxmox From 1c8334a0b14467fc485c6db2a9136a84c5acdde5 Mon Sep 17 00:00:00 2001 
From: Alex Garel Date: Fri, 27 Sep 2024 15:30:31 +0200 Subject: [PATCH 3/8] =?UTF-8?q?docs:=C2=A0ks1=20install=20follow=20up?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/mail.md | 5 +- ...024-09-24-kimsufi-stor-ks1-installation.md | 67 ++++++++++++++++++- docs/sanoid.md | 2 +- 3 files changed, 69 insertions(+), 5 deletions(-) diff --git a/docs/mail.md b/docs/mail.md index f76fa12d..511a97b9 100644 --- a/docs/mail.md +++ b/docs/mail.md @@ -137,7 +137,8 @@ We normally keeps a standard `/etc/aliases`. We have specific groups to receive emails: `root@openfoodfacts.org` and `off@openfoodfacts.org` You may add some redirections for non standard users to one of those groups. -Do not forget to run `newaliases`, and [`etckeeper`](./linux-server.md#etckeeper). +Do not forget to run `newaliases`, and [`etckeeper`](./linux-server.md#etckeeper) +and restart the postfix service (`postfix.service` and/or `postfix@-.service`). ### Postfix configuration @@ -159,7 +160,7 @@ Run: `dpkg-reconfigure postfix`: **IMPORTANT:** On some system, the real daemon is not `postfix.service` but `postfix@-.service` -(so eg., if you touch `/etc/alias` (with after `sudo newaliases`) you need to `systemctl reload postfix@-.service` +So, for example, if you touch `/etc/alias` (with after `sudo newaliases`) you need to `systemctl reload postfix@-.service` ### Exim4 configuration diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index bc4e8f5e..6481f520 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md 
@@ -32,6 +32,45 @@ I also manually runned the usual commands found in ct_postinstall. I also followed [How to have server config in git](../how-to-have-server-config-in-git.md) +I also added the email on failure systemd unit. + +I edited `/etc/netplan/50-cloud-init.yaml` to add default search +```yaml +network: + version: 2 + ethernets: + eno3: + (...) + nameservers: + search: [openfoodfacts.org] +``` +and run `netplan try`. + +## Email + +Email is important to send alert on service failure. + +I also configured email by removing exim4 and installing postfix. +```bash +sudo apt purge exim4-base exim4-config && \ +sudo apt install postfix bsd-mailx +``` +and following [Server, postfix configuration](../.mail.md#postfix-configuration). + +I also had to had ks1 ip address to [forwarding rules on ovh1 to the mail gateway](../mail.md#redirects). +```bash +iptables -t nat -A PREROUTING -s 217.182.132.133 -d pmg.openfoodfacts.org -p tcp --dport 25 -j DNAT --to 10.1.0.102:25 +iptables-save > /etc/iptables/rules.v4.new +# control +diff /etc/iptables/rules.v4{,.new} +mv /etc/iptables/rules.v4{.new,} +etckeeper commit "added rule for ks1 email" +``` + +Test from ks1: +```bash +echo "test message from ks1" |mailx -s "test root ks1" -r alex@openfoodfacts.org root +``` ## Install and setup ZFS @@ -62,6 +101,9 @@ We want to enable compression on the pool. zfs set compression=on zfs-hdd ``` +Note: in reality it was not enabled from start, I enabled it after first snapshot sync, +as I saw is was taking much more space than on the original server. + ## Install sanoid / syncoid I installed the sanoid.deb that I got from the off1 server. @@ -72,7 +114,6 @@ apt install lzop mbuffer pv dpkg -i /home/alex/sanoid_2.2.0_all.deb ``` - ## Sync data After installing sanoid, I am ready to sync data. 
@@ -94,9 +135,29 @@ Then I used: time syncoid --no-sync-snap --no-privilege-elevation ks1operator@ovh3.openfoodfacts.org:rpool/off/images zfs-hdd/off/images ``` +It took 3594 minutes, that is 60 hours or 2.5 days. + +I removed old snapshots (old style) from ks1, as they are not needed here): +```bash +for f in $(zfs list -t snap -o name zfs-hdd/off/images|grep "images@202");do zfs destroy $f;done +``` +the other snapshot will normally be pruned by sanoid. + ## Configure sanoid -**FIXME** todo +I created the sanoid and syncoid configuration. + +I added ks1operator on off2. + +Finally I also installed the standard sanoid / syncoid systemd units and the sanoid_check unit. + +and enable them: + +```bash +systemctl enable --now sanoid.timer +systemctl enable syncoid.service +systemctl enable --now sanoid_check.timer + ## Firewall @@ -140,6 +201,8 @@ apt install nginx apt install python3-certbot python3-certbot-nginx ``` +I also added the nginx.service.d override to email on failure. + ### Configure Created `confs/ks1/nginx/sites-available/images-off` akin to off1 configuration. diff --git a/docs/sanoid.md b/docs/sanoid.md index 8b3d28f0..12dbdce3 100644 --- a/docs/sanoid.md +++ b/docs/sanoid.md @@ -169,7 +169,7 @@ On BACKUP_SERVER, test ssh connection: ```bash OPERATOR=${BACKUP_SERVER}operator -ssh $OPERATOR@ +ssh $OPERATOR@ ``` #### config syncoid From 1b61998d4a3e4dc8e4867a35c312e6d47e202a02 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Fri, 27 Sep 2024 19:03:52 +0200 Subject: [PATCH 4/8] docs: testing ks1 --- .../2024-09-24-kimsufi-stor-ks1-installation.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index 6481f520..50af960b 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md 
@@ -236,4 +236,18 @@ ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/fullchain19.pem /etc/let ln -s /etc/letsencrypt/archive/images.openfoodfacts.org/privkey19.pem /etc/letsencrypt/live/images.openfoodfacts.org/privkey.pem chown -R root:root /etc/letsencrypt/ chmod go-rwx /etc/letsencrypt/{live,archive} +``` + +## Testing + +On my host I modified /etc/hosts to have: +```hosts +217.182.132.133 images.openfoodfacts.org +``` +and visited the website with my browser, with developer tools open. + +I can also use curl: +```bash +curl --resolve images.openfoodfacts.org:443:217.182.132.133 https://images.openfoodfacts.org/images/products/087/366/800/2989/front_fr.3.400.jpg --output /tmp/front_fr.jpg -v +xdg-open /tmp/front_fr.jpg ``` \ No newline at end of file From 49164d80f3cbb020affafe5d8d5ba1062dfa6b39 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Fri, 27 Sep 2024 19:08:52 +0200 Subject: [PATCH 5/8] chore: fix links --- docs/reports/2024-06-05-off1-reverse-proxy-install.md | 2 +- docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reports/2024-06-05-off1-reverse-proxy-install.md b/docs/reports/2024-06-05-off1-reverse-proxy-install.md index cdec28a9..4f9325c6 100644 --- a/docs/reports/2024-06-05-off1-reverse-proxy-install.md +++ b/docs/reports/2024-06-05-off1-reverse-proxy-install.md @@ -26,7 +26,7 @@ Network: name=eth0,bridge=vmbr1,ip=10.1.0.100/24,gw=10.0.0.1 I then simply install `nginx` using apt. -I also [configure postfix](../mail#postfix-configuration) and tested it. +I also [configure postfix](../mail.md#postfix-configuration) and tested it. ### Adding the IP diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index 50af960b..5b595d59 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md 
@@ -55,7 +55,7 @@ I also configured email by removing exim4 and installing postfix. sudo apt purge exim4-base exim4-config && \ sudo apt install postfix bsd-mailx ``` -and following [Server, postfix configuration](../.mail.md#postfix-configuration). +and following [Server, postfix configuration](../mail.md#postfix-configuration). I also had to had ks1 ip address to [forwarding rules on ovh1 to the mail gateway](../mail.md#redirects). ```bash From 51fe3e78a4b1dcf75b7c43c8823eecde3a70cbc9 Mon Sep 17 00:00:00 2001 From: Pierre Slamich Date: Fri, 27 Sep 2024 19:11:22 +0200 Subject: [PATCH 6/8] ci: Update labeler.yml --- .github/labeler.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index b087d5df..0779df02 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -25,6 +25,10 @@ off1: - changed-files: - any-glob-to-any-file: '**/*off1*' +ks1: +- changed-files: + - any-glob-to-any-file: '**/*ks1*' + ovh1: - changed-files: - any-glob-to-any-file: '**/*ovh1*' From 892b87e88c8df6057c45be46524602aac2ea31d0 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Mon, 30 Sep 2024 22:46:39 +0200 Subject: [PATCH 7/8] Update 2024-09-24-kimsufi-stor-ks1-installation.md --- docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md index 5b595d59..95480022 100644 --- a/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md +++ b/docs/reports/2024-09-24-kimsufi-stor-ks1-installation.md 
@@ -19,6 +19,8 @@ In OVH's console, we rename the server to ks1.openfoodfacts.org On OVH console, we install Debian 12 Bookworm on the SSD. +**IMPORTANT:** this was not an optimal choice, we should have reserved part of the SSD to use it as a cache drive for the ZFS pool. + Once the install is complete, OVH sends the credentials by email. We add users for the admin(s) and give sudo access: @@ -104,6 +106,10 @@ zfs set compression=on zfs-hdd Note: in reality it was not enabled from start, I enabled it after first snapshot sync, as I saw is was taking much more space than on the original server. +### Fine tune zfs + +Set `atime=off` et `relatime=no` on the ZFS dataset `zfs-hdd/off/images` to avoid writting. + ## Install sanoid / syncoid I installed the sanoid.deb that I got from the off1 server. @@ -190,6 +196,7 @@ enabled = true backend = systemd ``` +Addendum: after Christian installed Munin node, I added port 4949 ## NGINX @@ -250,4 +257,4 @@ I can also use curl: ```bash curl --resolve images.openfoodfacts.org:443:217.182.132.133 https://images.openfoodfacts.org/images/products/087/366/800/2989/front_fr.3.400.jpg --output /tmp/front_fr.jpg -v xdg-open /tmp/front_fr.jpg -``` \ No newline at end of file +``` From b15c956600f3632fc34bdf39f333e64ee2dd4ecd Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Wed, 16 Oct 2024 17:56:07 +0200 Subject: [PATCH 8/8] docs: enhance sanoid.md --- docs/sanoid.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/sanoid.md b/docs/sanoid.md index 12dbdce3..a1e64211 100644 --- a/docs/sanoid.md +++ b/docs/sanoid.md @@ -158,6 +158,7 @@ chmod go-rwx -R /home/$OPERATOR/.ssh Adding needed permissions to pull zfs syncs ```bash +# choose the right dataset according to your needs zfs allow $OPERATOR hold,send zfs-hdd zfs allow $OPERATOR hold,send zfs-nvme zfs allow $OPERATOR hold,send rpool 
@@ -187,4 +188,7 @@ Use `--recursive` to also backup subdatasets. Don't forget to create a sane retention policy (with `autosnap=no`) in sanoid on $BACKUP_SERVER to remove old data. -**Note:** because of the 6h timeout, if you have big datasets, you may want to do the first synchronization before enabling the service. \ No newline at end of file +**Note:** because of the 6h timeout, if you have big datasets, you may want to do the first synchronization before enabling the service. + +**Important:** try to have a good hierarchy of datasets, and separate what's from the server and what's from other servers. +Normally we put other servers backups in a off-backups dataset. It's important not to mix it with backups dataset which is for the server itself. \ No newline at end of file
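
Review bot: In PATCH 1/8 (ks1 report, "Create ZFS pool"), `zpool create zfs-hdd /dev/sd{a,b,c,d}` names no pool type, which per the "How to create a zpool" section added in the same patch means "none": a plain stripe, so losing one of the four HDDs loses the whole pool. Say in the report that this is intended because the data is a copy pulled from ovh3, or use raidz, and prefer `/dev/disk/by-id/...` paths over `sdX` names, which can change between boots. In the same hunk, the "Certificates" steps build the `live/` symlinks by hand with no renewal configuration, so add a follow-up step to request a certificate with certbot on ks1 once DNS points to it.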
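
Review bot: In PATCH 3/8 (ks1 report, "Setup compression"), the added note says compression was enabled only after the first snapshot sync but leaves out the consequence: `compression=on` applies to blocks written afterwards, so the data already received stays uncompressed. State that, and whether the dataset was synced again after the change. Also fix "I saw is was" to "I saw it was".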
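
Review bot: In PATCH 3/8 (ks1 report, "Configure sanoid"), the `bash` code fence opened before the three `systemctl enable` lines is never closed, so the "## Firewall" heading and everything after it will render inside the code block. Add the closing fence after `systemctl enable --now sanoid_check.timer`. In the same hunk, the loop that runs `zfs destroy $f` on every match of `grep "images@202"` would be safer documented with a dry run first (`zfs destroy -nv $f`), so the list of snapshots can be checked before anything is removed.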
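
Review bot: In PATCH 3/8 (docs/mail.md, "IMPORTANT" paragraph), the reworded line still refers to `/etc/alias`, while the hunk just above it names the file `/etc/aliases`, and "(with after `sudo newaliases`)" keeps an unbalanced parenthesis and is hard to parse. Suggested wording: "if you edit `/etc/aliases` and run `sudo newaliases`, you then need to `systemctl reload postfix@-.service`". The first hunk says "restart" where this one says "reload"; pick one.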
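
Review bot: In PATCH 7/8 (ks1 report, "Fine tune zfs"), the line "Set `atime=off` et `relatime=no`" mixes French ("et") into the sentence, uses `no` where the property is documented as `on` or `off`, and misspells "writing". Show the command that was actually run, for example `zfs set atime=off zfs-hdd/off/images`; `relatime` only has an effect while `atime` is on, so it does not need to be set here.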
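
Review bot: In PATCH 7/8 (ks1 report, end of the firewall section), the addendum "after Christian installed Munin node, I added port 4949" does not record the rule that was added, unlike the `ufw allow` lines earlier in the same section. Give the exact command, and limit it to the Munin server's address (for example `ufw allow from <munin-server-ip> to any port 4949 proto tcp`, with the placeholder filled in) instead of opening the port to every source.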
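
Review bot: In PATCH 8/8 (docs/sanoid.md, first hunk), the new comment "choose the right dataset according to your needs" sits above three `zfs allow $OPERATOR hold,send` lines that all name whole pools (`zfs-hdd`, `zfs-nvme`, `rpool`), so a reader copying them still delegates send rights on everything in the pool. Make at least one example a specific dataset, such as the `rpool/off/images` that ks1operator pulls in the ks1 report, so the operator account can only send what it is meant to back up.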