DIG-1555 & DIG-1595: Update deployment documentation #707
Conversation
mshadbolt
commented
Aug 23, 2024
•
mshadbolt
commented
- Delete docs that are no longer relevant
- Added a new doc on how to back up data in CanDIG
- Added new doc about interacting with stack with Makefile
- Added new doc about production deployments
- Edits to install-candig doc
|
We should mention that production instances may want to keep any existing logs from tmp/logging in a safe place before wiping the system... |
mshadbolt
changed the title
mshadbolt
requested review from
OrdiNeu,
SonQBChau,
CourtneyGosselin and
DavidBrownlee
| Use the following steps to clean up running CanDIGv2 services in a docker-compose configuration. | ||
|
|
||
| > [!CAUTION] | ||
| > Note that these steps are destructive and will remove **ALL** logs, containers, secrets, volumes, networks, certs, and images. If you are using docker in a shared environment (i.e. with other non-CanDIGv2 containers running) please consider running the cleanup steps manually instead. |
There was a problem hiding this comment.
Er -- the only one of these that can affect things outside of CanDIG is the clean-images step; all of the rest of the steps are either cleaning up something in the temp directory (logs, secrets), or specifically target label=candigv2 (containers), dangling=true (volumes), or refer to the .env (compose)
There was a problem hiding this comment.
This is something that was already in the docs, are you able to suggest a change to it if it isn't correct?
| 3. When complete, build all containers again with `make build-all` | ||
|
|
||
|
|
||
| ## Troubleshooting |
There was a problem hiding this comment.
Is it possible to link to our debugging page (and make it public) here? https://candig.atlassian.net/wiki/spaces/CA/pages/684130305/Debugging
There was a problem hiding this comment.
Is this document up-to-date with the current stack?
There was a problem hiding this comment.
I have some concerns regarding potential issues with the production build, which are currently only documented in the production Confluence doc. It might be a good idea to move these details to the debugging doc, especially since Francis mentioned adding that section. Key points to include would be:
- The issue of having two proxies causing URL looping
- The need for an updated proxy to work with Python 3.10, as older versions may lead to cipher-related issues
Additionally, in the production Confluence doc, we discussed the province codes, which are currently found in the install-candig documentation. It could be more helpful to move this information to the production document, alongside the details on how to set up a site logo.
| waiting for x service to start ... | ||
| ``` | ||
|
|
||
| Use CTRL + c to exit the process then try running `make docker-volumes` and then try composing again with `make compose-<name of service>` |
There was a problem hiding this comment.
I keep meaning to add a bit to make compose that adds back any known external volumes...
|
|
||
| It is essential to setup a reverse proxy and firewall so that only specific ports are open to the internet. The software used for this is up to the deployer and is considered outside of the CanDIG stack. | ||
|
|
||
| Basically, the only ports that should be available are to tyk (443) and keycloak (80). |
There was a problem hiding this comment.
This might be me being very dumb, but isn't keycloak 8080? or do we redirect to that?
There was a problem hiding this comment.
I have seen different things in different docs and I don't understand the difference. @OrdiNeu ?
There was a problem hiding this comment.
Would be good to have confirmation whether or not this is correct
docs/production-candig.md
Outdated
|
|
||
| ### OpenStack security group & nginx - C3G | ||
|
|
||
| OpenStack security group that allows access to ports 80 and 443 acts as a Firewall. |
There was a problem hiding this comment.
Minor, but I'd rephrase to:
An OpenStack security group is applied as a firewall that allows ingress traffic to ports 80 and 443 only.
There was a problem hiding this comment.
Thanks for the feedback, I have reworded as suggested.
|
There may be some updates when I install the new stable release. The re-organization looks great! |
daisieh
force-pushed
the
mshadbolt/update-github-docs
branch
from
f51dc54
to
bc44ae3
Compare
Co-authored-by: OrdiNeu <OrdinaryNeumann@gmail.com>
| ``` | ||
|
|
||
|
|
||
| ## Connecting Keycloak to institutional LDAP |
There was a problem hiding this comment.
Is there any generic information we could add here for how people can connect their LDAP to keycloak? @OrdiNeu @SonQBChau ?
