88 | | An internal backup program, nbackup, backs up a lot of directories (daily, rotated weekly), esp. under `/srv/`. For more details, see scheduled job named 'cronjob 6: nbackup' in the relevant section. The nightly backups are stored in `/srv/backup/a/` and automatically retrieved by a cronjob running as the `corpman` user from the host `lux08` at MPI-PL. The cronjob status is e-mailed to [[mailto:"Sander Maijers" <Sander.Maijers@mpi.nl>]] (because MPI-PL forbids communication with Google e-mail addresses, and sander@clarin.eu and by extension sysops@clarin.eu exposes them to Google). |
89 | | Such a status e-mail looks like this: |
90 | | {{{ |
91 | | Monday, February 22, 2016 7:32 AM |
92 | | retrieve_backups.retrieve_backups(backup_user_private_key_file_path = '/lat/tools/scripts/nbackup/ssh_keys/bekkup@ems04.mpi.nl__2012-12-11.rsa.priv', |
93 | | host_keys_file_path = '/lat/tools/scripts/nbackup/ssh_keys/known_hosts', |
94 | | host_to_back_up = 'ems04.mpi.nl', |
95 | | backup_Unix_user = 'bekkup', |
96 | | local_backups_directory_path = '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/', |
97 | | backups_subdirectory_path = 'a/', |
98 | | remote_delete_after_retrieval = True, |
99 | | local_backup_file_permissions = 0640) |
100 | | |
101 | | Retrieving backup file 'ems04.mpi.nl___2016-02-22T03:30Z.pax.lz.enc' ... |
102 | | |
103 | | rotate_backups.rotate_backups(backups_directory_path = '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/', |
104 | | host_to_back_up = 'ems04.mpi.nl', |
105 | | number_of_backups_to_keep = 7) |
106 | | |
107 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-22T03:30Z.pax.lz.enc' ... |
108 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-21T03:30Z.pax.lz.enc' ... |
109 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-20T03:30Z.pax.lz.enc' ... |
110 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-19T03:30Z.pax.lz.enc' ... |
111 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-18T03:30Z.pax.lz.enc' ... |
112 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-17T03:30Z.pax.lz.enc' ... |
113 | | Keeping backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-16T03:30Z.pax.lz.enc' ... |
114 | | Removing backup at '/data/corpora/MPI_workspace/tla/backups/ems04.mpi.nl/ems04.mpi.nl___2016-02-15T03:30Z.pax.lz.enc' ... |
115 | | }}} |
| 88 | An internal backup program, nbackup, backs up a lot of directories (daily, rotated weekly), esp. under `/srv/`. |
| 89 | For more details, see scheduled job named 'cronjob 6: nbackup' in the relevant section. |
| 90 | The nightly backups are stored in `/srv/backup/a/`. |
| 91 | '''They must be manually moved from this directory to [[clarinvm.ics.muni.cz]].''' |
124 | | {{{ |
125 | | ACCEPT net fw tcp 80 |
126 | | ACCEPT net fw tcp 443 |
127 | | ACCEPT net fw tcp 22 |
128 | | |
129 | | ## LDAP access |
130 | | ACCEPT net:131.211.143.186 fw tcp 10389 # (OLD) UU ICT & Media: www.clarin.eu, tst.clarin.eu |
131 | | ACCEPT net:131.211.143.212 fw tcp 10389 # UU ICT & Media: www.clarin.eu |
132 | | # ACCEPT net:131.211.143. fw tcp 10389 # UU ICT & Media: www-staging.clarin.eu |
133 | | ACCEPT net:131.211.143.211 fw tcp 10389 # UU ICT & Media: www-dev.clarin.eu |
134 | | ACCEPT net:147.228.242.146 fw tcp 10389 # stoor146, nexus.clarin.eu |
135 | | ACCEPT net:147.251.9.199 fw tcp 10389 # clarinvm for Sonatype Nexus |
136 | | # ACCEPT net:195.169.216.170 fw tcp 10389 # Workstation home sanmai, temporary |
137 | | |
138 | | ACCEPT net:172.16.16.67 fw tcp 10389 # lux17.mpi.nl |
139 | | ACCEPT net:134.94.32.21 fw tcp 10389 # Owncloud, Benedikt Von St. Vith |
140 | | ACCEPT net:134.94.199.71 fw tcp 10389 # Owncloud 2 (new server), Benedikt Von St. Vith |
141 | | ACCEPT net:172.16.17.200 fw tcp 10389 # tlatest08.mpi.nl |
142 | | |
143 | | ## LDAP <-> catalog CLARIN IdP |
144 | | ACCEPT net:192.87.79.171 fw tcp 10389 |
145 | | |
146 | | |
147 | | ACCEPT net:130.183.206.196 fw tcp 10389 |
148 | | ## idp2-clarin.esc.rzg.mpg.de |
149 | | ACCEPT net:130.183.206.33 fw tcp 10389 |
150 | | |
151 | | ## LDAP <-> dev-idp.clarin.eu |
152 | | ACCEPT net:130.183.206.39 fw tcp 10389 |
153 | | |
154 | | ACCEPT net fw icmp |
155 | | }}} |
| 103 | See `/etc/shorewall/rules`. |
159 | | ## As superuser ## |
160 | | {{{ |
161 | | #!sh |
162 | | |
163 | | SHELL=/bin/sh |
164 | | PATH=/usr/local/sbin/:/usr/local/bin/:/sbin:/bin/:/usr/sbin/:/usr/bin/:/root/bin/:/srv/apps/installations/xmlsectool-1.2.0/ |
165 | | MAILTO='sysops@clarin.eu' |
166 | | |
167 | | from_email='cronjobber_ems04@ems04' |
168 | | #sanmai_email='sander@clarin.eu' |
169 | | sysops_email='sysops@clarin.eu' |
170 | | cronjobber='/srv/apps/installations/cronjobber' |
171 | | checker='/srv/scripts/exec/cronjobber_checker.sh' |
172 | | cronjobs_state_directory_path='/srv/cronjobs_state/' |
173 | | nbackup_file_path='nbackup_wrapper.sh' |
174 | | spf_directory_path='/srv/Python/venvs/2014-11-20_SPF/' |
175 | | |
176 | | */15 * * * * "${cronjobber}" -n 'cronjob 1: cron.php refresh for Drupal 6' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/1/" -c 'curl --verbose -f --compressed "https://user.clarin.eu/cron.php"' -F "${from_email}" -T "$MAILT |
177 | | O" |
178 | | |
179 | | # */25 * * * * "${cronjobber}" -n 'cronjob 2: Publish CMD files to infra.clarin.eu' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/2/" -c '/srv/scripts/exec/update-cmd.sh' -T "${dietuyt_email}" -F "${from_email}" -T "$MAILTO" |
180 | | |
181 | | 0 */56 * * * "${cronjobber}" -n 'cronjob 3: /srv/www/drupal6/ and /srv/www/infra.clarin.eu/content/ (Apache httpd) file permissions' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/3/" -c '/srv/scripts/exec/Apache_pub_file_per |
182 | | missions.sh' -F "${from_email}" -T "$MAILTO" |
183 | | |
184 | | */15 * * * * "${cronjobber}" -n 'cronjob 4: user.clarin.eu Drupal 6 <-> LDAP sync.' -x "${checker}" -a 4d -s "${cronjobs_state_directory_path}/4/" -c '/srv/scripts/exec/Drupal_6_to_LDIF.r' -F "${from_email}" -T sysops@clarin.eu |
185 | | |
186 | | ## 27-2-2016: Disabled backup for emergency disk space issues on /srv/. The /srv/ backup backed up the MySQL db as well now, resulting in too large backup files (2.2 GiB). |
187 | | ## 29-2-2016: Re-enabled after adding new virtual disk with uuid ec75d326-28d9-492c-af34-e5bab3a929bd and adding /srv/backup -> /mnt/backup. |
188 | | 30 4 * * * "${cronjobber}" -n 'cronjob 6: nbackup' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/6/" -c "${nbackup_file_path} back_up -host_dumps_directory /srv/dumps_for_backup/ -SVN_repositories_base_directory /srv/subversion/ -Trac_installations_base_directory /srv/trac/ /srv/backup/a/ /etc/ /srv/LDAP/ /root/ /srv/scripts/ /srv/www/ /var/log/apache2/ /srv/cronjobs_state/ /home/ /var/lib/postgresql/ /srv/Python/ /srv/apps/" -F "${from_email}" -T sysops@clarin.eu |
189 | | |
190 | | 26 7-19/1 * * * "${cronjobber}" -n 'cronjob 11: SPF - pyFF' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/11/" -c '(cd "/srv/Python/venvs/2014-11-20_SPF/etc/pyff_config/" && . ./control.sh && pyff_fetch_md ; pyff_activate && |
191 | | pyff_run job_a && pyff_run job_b && pyff_run job_c && pyff_run job_d && pyff_sign && pyff_verify_signatures && pyff_publish)' -T "$MAILTO" |
192 | | |
193 | | 0 0 * * * "${cronjobber}" -n 'cronjob 13: Piwik - process Apache httpd logs of yesterday (infra.clarin.eu:443)' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/13/" -c '/srv/www/piwik/misc/log-analytics/import_logs.py --log-format-name=ncsa_extended --log-hostname=infra.clarin.eu --url=https://stats.clarin.eu/ --idsite=4 $(date --date=yesterday +/var/log/apache2/infra.clarin.eu:443-access@\%Y-\%m-\%d.log)' -T sander@clarin.eu |
194 | | |
195 | | 0 0 * * * "${cronjobber}" -n 'cronjob 14: Piwik - process Apache httpd logs of yesterday (infra.clarin.eu:80)' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/14/" -c '/srv/www/piwik/misc/log-analytics/import_logs.py --log-format-name=ncsa_extended --log-hostname=infra.clarin.eu --url=https://stats.clarin.eu/ --idsite=4 $(date --date=yesterday +/var/log/apache2/infra.clarin.eu:80-access@\%Y-\%m-\%d.log)' -T sander@clarin.eu |
196 | | |
197 | | 44 0 * * * "${cronjobber}" -n 'cronjob 15: Compress old daily timestamped logs in /var/log/apache2/' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/15/" -c 'find /var/log/apache2/ -type f -name "*.log" -mtime +2 -exec gzip -9 "{}" \;' -T "$MAILTO" |
198 | | |
199 | | 0 */1 * * * "${cronjobber}" -n 'cronjob 16: Remove old /tmp/tmp.* and /tmp/opendj-checkinstance-*.log files and /tmp/tmp*/ directories' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/16/" -c 'find "/tmp/" -mindepth 1 -maxdepth 1 -mtime 1 \( -type f -name "tmp.*" -o -type f -name "opendj-checkinstance-*.log" -o -type d -name "tmp*" \) -exec rm -rf "{}" \+' -T "$MAILTO" |
200 | | }}} |
201 | | |
202 | | ## As `www-data` ## |
203 | | {{{ |
204 | | #!sh |
205 | | |
206 | | SHELL=/bin/sh |
207 | | PATH='/usr/local/sbin/:/usr/local/bin/:/sbin/:/bin/:/usr/sbin/:/usr/bin/' |
208 | | MAILTO='sysops@clarin.eu' |
209 | | |
210 | | from_email='cronjobber_ems04@ems04' |
211 | | sanmai_email='sander@clarin.eu' |
212 | | sysops_email='sysops@clarin.eu' |
213 | | cronjobber='/srv/apps/installations/cronjobber' |
214 | | checker='/srv/scripts/exec/cronjobber_checker.sh' |
215 | | cronjobs_state_directory_path='/srv/cronjobs_state/' |
216 | | nbackup_file_path='/root/bin/nbackup_wrapper.sh' |
217 | | spf_directory_path='/srv/Python/venvs/2014-11-20_SPF/' |
218 | | |
219 | | 5 * * * * "${cronjobber}" -n 'cronjob 12: Piwik archiving' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/12/" -c '/usr/bin/php5 /srv/www/piwik/console core:archive --url=https://stats.clarin.eu/' -T sander@clarin.eu |
220 | | |
221 | | 30 7-19/1 * * * "${cronjobber}" -n 'cronjob 17: SPF - Retrieve, normalize and split out SAML metadata about SPs as registered with identity federations according to the Centre Registry, and compare metadata about each SPF SP with the per |
222 | | tinent control version. ' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/17/" -c '(cd /srv/scripts/exec/SPF_SAML_metadata_processor/ && python3 -Wall SPF_SAML_metadata_processor.py download_all_saml_metadata_from_identity_fede |
223 | | rations,split_identity_federation_saml_metadata_batches_and_diff_entities /srv/www/infra.clarin.eu/aai/sps_at_identity_federations/)' -T sander@clarin.eu |
224 | | |
225 | | */25 * * * * "${cronjobber}" -n 'cronjob 2: Publish CMD files to infra.clarin.eu' -x "${checker}" -a 7d -s "${cronjobs_state_directory_path}/2/" -c '/srv/scripts/exec/update-cmd.sh' -T 'sysops@clarin.eu' |
226 | | }}} |
227 | | |
| 107 | There are numerous important crontobs running under uids for `root` and `www-data`. |
| 108 | A utility called `cronjobber` manages this and stores cron job output/state under `/srv/cronjobs_state/`. |
| 109 | Issue e.g. `sudo -u www-data crontab -u` to view the current status. |