Changes between Version 38 and Version 39 of apachesolr


Ignore:
Timestamp:
Jun 6, 2011, 11:42:36 AM (10 years ago)
Author:
Bart
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • apachesolr

    v38 v39  
    99== Security ==
    1010
    11 Solr does not come with a generic authentification mechanism. The Solr installation on mirabal uses a two-level security system. The connection between the web and the Solr server is secured by ssh against attacks from the web. The instances (denoted by <sitename>) on the Solr server are protected by random admin paths (denoted by <sitepath>) from one another. Random admin paths are generated by 'core_' followed by
    12 {{{
    13 pwgen --secure 30
    14 }}}
     11Solr does not come with a generic authentification mechanism. The Solr installation on mirabal uses a two-level security system. The connection between the web and the Solr server is secured by ssh against attacks from the web. The instances (denoted by $SITENAME) on the Solr server are protected by random admin paths (denoted by $SITEPATH) from one another. The random admin paths are generated by 'core_' followed by {{{pwgen -1 --secure 30}}}
    1512
    1613== Reliability ==
    1714
    18 Sometimes Solr crashes Tomcat if there are too many requests at once. So we use [http://mmonit.com/monit/ monit] to monitor Solr and restart Tomcat [http://yoodey.com/how-auto-restart-tomcat-6-overload-using-monit-ubuntu-1010-maverick automatically] if it crashed.
    19 
    20 We are currently using [http://www.harding.motd.ca/autossh/ autossh] to connect the web servers and the Solr server. We'll eventually either combine autossh with [http://www.gnu.org/software/screen/ Gnu screen] or replace it with ssh monitored by [http://smarden.org/runit/ runit] in the future.
     15The ssh connections between the web and the Solr server is supervised by [http://smarden.org/runit/ runit]. If there is a problem ssh will end the connection and runit will restart ssh. Sometimes Solr crashes Tomcat if there are too many requests at once. So we use [http://mmonit.com/monit/ monit] to monitor Solr and restart Tomcat [http://yoodey.com/how-auto-restart-tomcat-6-overload-using-monit-ubuntu-1010-maverick automatically] if it crashed.
    2116
    2217== Web site Administrators ==
     
    2722 * lumumba.mayfirst.org
    2823 * june.mayfirst.org
    29  * bethemedia.org.uk (209.44.112.176)
     24 * sojourner.mayfirst.org
    3025 * at.indymedia.org
     26 * bethemedia.org.uk
    3127
    3228If your primary server is not listed, please open a [/newticket ticket] or [wiki:chat contact the support team] to request having your primary host added.
     
    4844Solr host name: localhost
    4945Solr port: 9080
    50 Solr path: /solr/<sitepath>
     46Solr path: /solr/$SITEPATH
    5147}}}
    5248
     
    6763=== On the primary server ===
    6864
    69 Create a new user on the server (called $SERVER from now on) with the user name solr-ssh and add:
     65Create a new user on the server (called $SERVERNAME with host $SERVERHOST from now on) with the user name solr-ssh and add:
    7066
    7167{{{
     
    7369}}}
    7470
    75 to the new user's ~/.ssh/authorized_keys file. mirabal will connect to $SERVER with these credentials and provide an ssh tunnel to the Apache Solr server.
     71to the new user's ''~/.ssh/authorized_keys'' file. mirabal will connect to $SERVERHOST with these credentials and provide an ssh tunnel to the Apache Solr server.
    7672
    7773=== On Mirabal  ===
    7874
    79 There are two things to do on mirabal.mayfirst.org: add a ssh tunnel to $SERVER and create a new Apache Solr site in Apache Tomcat.
     75There are two things to do on mirabal.mayfirst.org: add a ssh tunnel to $SERVER and create a new Apache Solr instance in Apache Tomcat.
     76
     77Below is an explanation of the high-level script. If you are interested in the details please have a look at the [wiki:apachesolrdetails]
    8078
    8179==== Create SSH tunnel ====
     
    8381Log as solr-ssh into $SERVER from solr-ssh on mirabal.mayfirst.org
    8482{{{
    85 sudo -u solr-ssh ssh -p $SERVER_SSH_PORT solr-ssh@$SERVER
     83sudo -u solr-ssh ssh -p $SERVER_SSH_PORT solr-ssh@$SERVERHOST
    8684}}}
    8785End the connection with ''exit''
    8886
    89 On mirabal, add a SSH tunnel by adding the login credentials (-p $SERVER_SSH_PORT solr-ssh@$SERVER) to
     87On mirabal, add a SSH tunnel by using ''solr_addssh'' (see ''solr_addssh --man'' for help and more options)
    9088{{{
    91 /etc/default/solr-autossh
    92 }}}
    93 
    94 Restart the script with
    95 {{{
    96 service solr-autossh restart
     89solr_addssh -p $SERVER_SSH_PORT $SERVERNAME $SERVERHOST
    9790}}}
    9891
     
    10194Check with
    10295{{{
    103 service solr-autossh status
     96sv status solr-ssh-$SERVERNAME
    10497}}}
    105 that the tunnel exists.
     98that the tunnel exists (i.e. the status is ''up'').
    10699
    107 Log as solr-ssh into $SERVER and download with
     100Log as solr-ssh into $SERVERHOST and try
    108101{{{
    109 wget localhost:9080
     102curl http://localhost:9080
    110103}}}
    111 the Apache Tomcat welcome page from mirabal.mayfirst.org.
     104to see the Apache Tomcat welcome page from mirabal.mayfirst.org.
    112105
    113106==== Create new Solr configuration ====
    114107
    115 Use {{{solr_addsite}}} to create a new Solr instance:
     108Use {{{solr_addsite}}} to create a new Solr instance names $SITENAME:
    116109
    117 {{{solr_addsite <sitename>}}}
     110{{{solr_addsite $SITENAME}}}
    118111
    119 The script will output the Solr admin path for the new site.
    120 
    121 ===== Explanation of solr_addsite =====
    122 
    123 You can access the man page via
    124 
    125 {{{solr_addsite --man}}}
    126 
    127 The script creates a directory for the new Solr core
    128 {{{
    129 mkdir /usr/share/solr/<sitename>
    130 }}}
    131 
    132 Then it copies an existing Solr core
    133 {{{
    134 cp -a /etc/solr/testsite /etc/solr/<sitename>
    135 }}}
    136 
    137 If you need a different configuration than the [http://drupal.org/project/apachesolr Apache Solr Drupal module] provides you probably have to change at least ''schema.xml'' and ''solrconfig.xml'' in {{{/etc/solr/<sitename>/conf}}}.
    138 
    139 And it changes the symbolic link to the new configuration directory
    140 {{{
    141 ln -sf /etc/solr/<sitename>/conf /usr/share/solr/<sitename>
    142 }}}
    143 
    144 Afterwards, the script creates a new data directory
    145 {{{
    146 mkdir /var/lib/solr/data/<sitename>
    147 }}}
    148 
    149 It changes ownership to tomcat6
    150 {{{
    151 chown -R tomcat6:tomcat6 /var/lib/solr/data
    152 }}}
    153 
    154 And it changes the symbolic link to the new data directory
    155 {{{
    156 ln -sf /var/lib/solr/data/<sitename> /usr/share/solr/<sitename>/data
    157 }}}
    158 
    159 Finally, the script registers a new core
    160 {{{
    161 <core name="<sitepath>" instanceDir="<sitename>" />
    162 }}}
    163 in
    164 {{{
    165 /etc/solr/solr-multicore.xml
    166 }}}
     112The script will output the Solr admin path (the $SITEPATH) for the new Solr instance.
    167113
    168114==== Restart Apache Tomcat ====
     
    177123Check that the new core is accessible with:
    178124{{{
    179 curl http://localhost:8080/solr/<sitepath>/admin/.
     125curl http://localhost:8080/solr/$SITEPATH/admin/.
    180126}}}