Maintenance Documentation for FSS
This document is deprecated in favor of https://cs.uwaterloo.ca/twiki/view/CFPrivate/NextCloud-vault and related pages
This document will attempt to contain, or link to, all information a sysadmin might need to maintain the FSS system.
Salt
The Salt states should be adequately commented in case they need to be edited. More commonly, only the Pillar variables need to change.
Documentation for the Pillar variables is in the git repos, in the README.md file and in the pillar_example directory.
Nextcloud
All configuration here is managed through the nextcloud-formula at
https://git.uwaterloo.ca/salt_cs/nextcloud-formula unless otherwise mentioned.
Nextcloud is a PHP app which we run in Apache. Salt downloads a tarball from nextcloud.com and extracts it to /var/www/nextcloud.
We use SSL/TLS with GlobalSign internal certs, so HAProxy needs the GlobalSign intermediate cert in order to trust them. That is set in HAProxy's Pillar.
The Nextcloud containers are essentially stateless in the long term; their only state is short-term: TLS connections and login cookies.
Long-term state is kept in two places: the DFS mount where the files are stored, and a database on mysql.cs.
The location where Nextcloud expects its storage is configured in Salt, but the mount itself currently is not: since Ceph cannot be mounted by containers, the mount is done on the host.
TODO: If we switch to Gluster, we can do the mount in Salt if we want. Is the host mount potentially more secure, since it prevents the container from accessing other DFS filesystems?
Nextcloud coordinates file locking and other state/clustering through the MySQL database. There is an option to use a Redis server for Transactional File Locking, which takes load off the DB and improves performance. Partial Redis config options are left in the nextcloud-formula, turned off. They are off because Nextcloud does not currently support connecting to an HA cluster of Redis nodes, so there would be a single point of failure. Also, we do not expect performance problems in the near future.
--
NathanFish - 2017-01-05