IRC Logs for #crimsonfu Thursday, 2018-12-06

*** jri has joined #crimsonfu [00:08]
*** jri has quit IRC [00:13]
*** prologic has quit IRC [01:04]
*** prologic has joined #crimsonfu [01:06]
*** jri has joined #crimsonfu [02:09]
*** jri has quit IRC [02:13]
*** jri has joined #crimsonfu [04:24]
*** jri has quit IRC [04:29]
*** pdurbin has quit IRC [04:38]
*** pdurbin has joined #crimsonfu [04:39]
*** pdurbin has quit IRC [05:09]
*** pdurbin has joined #crimsonfu [05:22]
*** jri has joined #crimsonfu [06:40]
*** jri has quit IRC [06:45]
*** jri has joined #crimsonfu [08:16]
*** jri has quit IRC [16:28]
pdurbin: I'm using this script to spin up EC2 instances but they don't have a valid SSL cert and I'm wondering what my options are: http://guides.dataverse.org/en/4.9.4/developers/deployment.html#download-and-run-the-create-instance-script [17:12]
pdurbin: What I'm used to is having a server with a static IP. Then I go get a free cert through Harvard. [17:14]
pdurbin: I guess I have two use cases. My https://dev1.dataverse.org server is an example of a server with a static IP and a valid cert through Harvard. It's always (ok, usually) up and I deploy different code to it whenever I need to. That's one use case. A server that's always up with a valid SSL cert. [17:16]
bene: use a letsencrypt/acme client and grab a cert from them [17:16]
bene: or use an ELB and have amazon create a valid cert for you [17:17]
bene: reading that ec2-create-instance script i can't actually tell what this project is for [17:17]
pdurbin: The other use case is a server with a valid SSL cert where the whole thing can be burned down after a day or a week or whatever. Burn down the server, burn down the cert. [17:18]
pdurbin: bene: what project? What Dataverse is for? [17:18]
bene: i.e. it's a dev/test instance or the first step to a production install? [17:18]
bene: no, that spin up script [17:18]
pdurbin: we have big dreams for that script [17:19]
pdurbin: right now it's just dev/test [17:20]
pdurbin: It spins up an EC2 instance that doesn't have a valid cert. I'd like to fix this some day. [17:34]
bene: based on the all-in-one-host approach you have, the letsencrypt method is probably the way you should go [17:40]
dotplus: I like letsencrypt, but also consider an alternative approach if provisioning/deprovisioning instances is a common thing: Use Terraform for the whole process? Generate your cert locally for the dev instances, provide your Harvard-signed cert for prod. https://www.terraform.io/docs/providers/aws/r/iam_server_certificate.html [17:43]
bene: do the ec2 instances in the harvard-linked accounts get dns names in the harvard.edu domain? [18:59]
bene: how do you create dns names/certs for your harvard static IPs? [19:00]
pdurbin: No, they don't get DNS names in harvard.edu or dataverse.org. They get DNS names like ec2-18-232-90-63.compute-1.amazonaws.com. [19:20]
pdurbin: For static IPs we go into a weird Harvard tool to add a DNS entry. Another weird tool to apply for a cert. DNS updates right away. Usually we can get a cert the same day. [19:21]
bene: so you can get an amazon cert for them if you use an ELB [19:21]
pdurbin: Ok. I don't see anything about ELB at https://github.com/IQSS/dataverse/blob/v4.9.4/scripts/installer/ec2-create-instance.sh [19:22]
pdurbin: But it sounds like you're saying we could sprinkle some ELB in there. [19:22]
bene: it is one method [19:24]
pdurbin: cool [19:24]
bene: the letsencrypt method is still probably easier [19:24]
bene: and definitely cheaper [19:24]
bene: since ELBs are not free [19:24]
bene: i'm off for a school pickup [19:25]
pdurbin: I looked at https://hackernoon.com/easy-lets-encrypt-certificates-on-aws-79387767830b but it seemed a bit complicated. [19:25]
bene: we should chat more about what you are trying to accomplish and i can probably make more helpful suggestions if i understood the overall goal better [19:25]
pdurbin: sure, let's do lunch :) [19:26]
pdurbin: all are welcome :) [19:26]
pdurbin: dotplus: the only thing I know about Terraform is that this guy is or was looking into it: https://github.com/IQSS/dataverse-aws/issues/11#issuecomment-368989741 [19:28]
*** melodie has joined #crimsonfu [19:51]
bene: everything i have read about the operations side of dataverse suggests that there is no concrete end goal for all these mini-efforts to automate/containerize/operationalize it [20:20]
bene: so you end up with a bunch of ad hoc, half complete "solutions" that don't really do anything well and have to be heavily customized for every user [20:21]
*** irclogger_do has joined #crimsonfu [21:04]
pdurbin: bene: harsh, man. :) Have you read https://github.com/IQSS/dataverse/issues/5373 which was created yesterday? You should call in! :) [21:28]
pdurbin: larsks: you too. Please consider calling in. :) [21:29]
pdurbin: dotplus: sounds good. And I still use Vagrant. I like Mitchell. :) [21:30]
bene: heh [21:37]
bene: that wasn't my intent exactly [21:37]
bene: you're just in a place where you have limited resources, a niche customer base and they are getting the product for free [21:37]
bene: so trying to tick too many boxes for all the edge cases is going to be a losing proposition [21:38]
bene: the dataverse map says there are 35 known installations in the world? [21:39]
bene: which if true suggests that almost any resources you spend on the installer bits outside of decent documentation for the components and how to configure them is mostly a waste of resources [21:48]
bene: i read multiple references to "scaling" and how there was a need to containerize the components to "scale" dataverse [21:49]
bene: but there's not much info on how much traffic you are actually serving or what you consider to be unacceptable performance [21:50]
bene: you've got a basic jvm-based web application server + a postgres db and some supporting bits hanging off the side (solr/R) [21:51]
bene: it seems like you should be able to easily do 100-1000s hits per second without that much gear [21:53]
bene: it all just *smells* like an academic software project to me :-) [21:56]
bear: ec2 + let's encrypt is very possible -- I often use them to get free certs for quick test or dev spinups [22:03]
bear: paired with nginx to handle the validation, you get a fairly pain free and free TLS setup [22:03]
bear: if you are using terraform, then the configuration is all doable, you just need either a post-install event or a cronjob [22:04]
pdurbin: bear: we're using apache rather than nginx but hopefully it doesn't matter. Thanks. [22:40]
bear: yea, you just have to provide a route to the discovery files that let's encrypt's bot will generate [22:41]
pdurbin: bene: for 35 installations improving the installer would be a waste of resources? When does it stop being a waste of resources? At 350? At 3500? [22:42]
pdurbin: bear: cool, doesn't sound too bad, I guess. [22:43]
bear: it's not - there are some writeups in the indieweb space about doing it [22:43]
pdurbin: I like that let's encrypt is the cheaper option. I guess I'm a little confused about if I need a static IP or not to use it. [22:45]
bear: you don't [22:45]
bear: with the discovery link - it will use your domain /.well-known/... path to validate ownership [22:45]
pdurbin: perfect, for one of my use cases anyway, the ephemeral testing one [22:45]
pdurbin: ok, so maybe some initial investment in validating that I own a domain but then it "just works" after that [22:46]
bear: that's what the /.well-known/ validation method proves [22:47]
bear: it visits http://example.com/.well-known/SOMESHA [22:47]
bear: and when it sees the value that it expects it knows you own it - so you are then issued a cert [22:48]
pdurbin: nice [22:50]
pdurbin: Wait, would let's encrypt work if I'm using http://ec2-18-232-90-63.compute-1.amazonaws.com for example? I thought you meant you have to control the DNS but it sounds like you're saying you only have to control the host. [22:52]
bear: no, you have to control the DNS [22:59]
pdurbin: ok [22:59]
bear: i'm saying that something like DynDNS or a CNAME would work [22:59]
pdurbin: You have to control the DNS but a static IP address is not required. [23:00]
bear: not that I know of [23:02]
pdurbin: cool [23:14]
pdurbin: And if I don't care what the domain is (since for one of my use cases, I may terminate the EC2 instance the same day or same hour after testing) it sounds like I might be able to get a valid cert at https://ec2-18-232-90-63.compute-1.amazonaws.com for example with ELB. [23:16]
