🎹 Piano | Tell — Hosting Updates

navindra · 2024-06-03T03:06:27+00:00

Update 1: 2 June 2024 If you’re following the feature requests thread, you might know that Hosting is at the top of my priority list. As background, PianoT...

BartK

navindra While I grew up on Linux and open source, I’m completely alien to these modern container concepts. Fortunately, it’s been a blast to learn and refresh. It's simply stunning to witness just how pervasive Linux has become today.

Nowadays it's even easier to scale up using Kubernetes, although a full k8s cluster might be overkill for your purposes. I work with cloud technology and can offer help when I have some free time.

navindra

BartK Awesome! Thank you, will keep this in mind. I'm not at the k8s stage yet... agree it might be overkill.

Gombessa Yes, indeed.

I'm definitely not going for overkill. I believe that PianoWorld is/was on a single physical server, PianoClack is on shared hosting (no root access), and the entirety of FreeFlarum is on a VPS, I think we'll also do fine with a single VPS + robust backups.

If PT goes down, it shouldn't take too much to get it back up on another server/host... for me that's one of the attractions of containerizing it, other than the fun and learning. 😃

keff

Thank you to all who keep PT running.

Gombessa

Thanks for sharing this update with everyone, Navindra. It's very interesting to see what goes into running and maintaining a modern forum today.

I was also completely floored by the "silent takeover" of virtual deployment. I've only had to make very basic home server decisions between bare metal, Docker, and Proxmox, and would just be lost at sea trying to figure out how to keep a public forum available and resilient. Good luck!

navindra

I'm going into the weekend with some significant tasks already accomplished. I guess I couldn't wait until I actually had time to work on this.

The main things I've addressed are:

I've found a mail solution which doesn't require the painful task of setting up a mail transfer agent (MTA) like Postfix and won't cause me to end up with a $100K bill from AWS.
- Configuring an MTA properly can be tricky and especially the encryption/authentication part can be laborious to get right. FreeFlarum has such a setup and still gets rejected by some mail providers.
- I found that I could just use an existing cloud provider like Gmail or Outlook.
- I already made the switch on Wednesday!
- That's time and money saved. Eventually I can look at an MTA if it's really needed but for now it's not a blocker.
We're on CloudFlare! Hooray!
- I definitely messed things up when I first set it up on Thursday night. forum.pianotell.com was looping infinitely. Not good, but all fixed now.
- When I switched DNS from Namecheap to CloudFlare, Namecheap decided it would no longer handle email for pianotell.com either. I fixed that by moving the MX records over to CloudFlare as well.
- We should be decently protected from bots now.
I also got an SSL certificate for *.pianotell.com from Let's Encrypt.

I figured out some interesting things:

Because we're on CloudFlare, I could have saved on the €0.50 Hetzner charge for IPV4... so monthly cost would have been €3.29 instead of €3.79. However I've got no native IPV6 at home and setting up Tunnelbroker is annoying enough that I may be painting myself in a corner.
I found rclone for cloud backups. It looks pretty awesome but unfortunately the official Docker container is silly beyond belief. I might just install rclone locally on the server but I'm motivated to find or create a saner container implementation.

As you might tell, I've been forging ahead pretty recklessly. On the other hand, there isn't a whole lot left to do!

I may switch to new hosting this weekend. If so, there will be some downtime, but I'll try to minimize it. Apologies in advance!

rogerch

Thanks for doing all this great work @navindra !

Animisha

Thank you so much Navindra! 💐

Taushi

Thank you for your work!!!

navindra

I only have incremental progress to report this weekend.

I rewrote the pianotell-web Docker container.

I ditched the shinsenter/PHP + nginx container and rebased on the official PHP containers + Caddy.

The shinsenter container is great to start with as it already solves a lot of problems you’re likely to encounter when starting from scratch. I discovered that the hard way and had to read up a bit on PHP production settings and also figure out how to properly install PHP extensions on Docker.

On the other hand, shinsenter was too complex and had too many layers of scripts that got in my way. Every time I tried to change something straightforward, I had to chase down several layers of scripts to figure out why that caused something else to break.

However, the primary reason I made this change was to adopt Caddy for the web server instead of nginx. I was struggling a bit with nginx, but Caddy is such a breath of fresh air! Not only is it extremely easy to configure, it magically takes care of retrieving and updating TLS certificates on-demand.

So I solved a big problem by adopting Caddy — no need for me to implement Certbot afterall to manage the certificate. It would have have yet another thing to monitor, but Certbot is also a problem to properly test locally. I can easily test Caddy because it even issues self-signed certificates for localhost.

The other nice thing I achieved with the rewrite was to make my container and config definitions work both for my local laptop instance and for the production deployment. So on my laptop, the containers assume PianoTell is running on https://localhost/ but now the very same containers can handle https://forum.pianotell.com/ on the server. Including taking care of the certificate.

I had an assumption that I would need to build my Docker images for multiple platforms. For some reason, I thought the images I was using on my laptop were AMD64 (i.e. targeting Intel/AMD CPUs) but my chosen server runs on ARM64 (i.e. the stuff that powers many smartphones). After going down the route of enabling multi-platform builds, I realized that Docker was already using an ARM64 build of Linux locally because my Mac is on Apple silicon. That makes perfect sense, but I was confused because Linux seems to identify ARM64 as aarch64 internally and I didn’t connect the dots. So this work ended up be being unnecessary.

Finally, I added a proper healthcheck dependency on mariadb.

The backup story is a work in progress.

A long time ago, @rogerch had warned me that managing the SQL server would be the most challenging part of all this, and only now, at the end, do I understand.

There is certainly a lot to read and understand.

To over-simplify a bit, the best way for resilience here would be to have a secondary replica of the primary server that’s getting a constant stream of updates from the primary. If the primary dies, then the secondary can be made primary with a new secondary replica. The next best thing would be to have a streaming backup of every update that can be restored manually.

Finally, the simplest is to take a point in time snapshot backup and hope you never have to restore and potentially lose data given that the backup would only be periodical. There are other hacky and unreliable ways of backing up like copying the database files on the filesystem.

 It’s not an either/or situation, and there are a lot of nuances, but you get the idea.

I plan to take a periodic cloud backup to start — perhaps once every hour.

I looked at a few solutions like this one, but I wasn’t too comfortable with them for various reasons. The one I linked is quite excellent, but the client bits for MariaDB are out of date and MariaDB recommends using the same versions across the board.

So instead, I’m working on rolling my own solution based on the MariaDB official images. That way I’m in full control. I’ve created a backup user on the SQL server and I’ve figured out the mariadb-dump command that I’m going to use.

I prefer mariadb-dump instead of mariadb-backup because the backup format is human readable and very portable. It's so simple to understand.

Now I just need to add cron, rclone, and get it all working together.

This is the kind of silly stuff I find myself doing on the weekend now!:

FROM mariadb:11.1.5 AS cloudbackup-base

# we only need the MariaDB client components +
# we need cron for the scheduler and rclone for the cloud backup
RUN apt-get -y purge mariadb-server && apt -y autoremove && \
    apt-get update && apt-get -y --no-install-recommends install mariadb-client cron rclone && \
    rm -rf /var/cache/apt/archives /var/lib/apt/lists

# logic to set up the scheduler will go here
#COPY ./crontab /etc/crontab
#RUN crontab /etc/crontab
#RUN touch /var/log/cron.log

# a possibly futile attempt to reduce the final image size
FROM ubuntu:jammy
COPY --from=cloudbackup-base / /
CMD cron -f

Overall, I feel like I’m a little behind from where I wanted to be at this point.

My goals for this weekend were to deploy to the cloud and validate for a few days, but I want to focus on completing the backup part of the story before I start working on that.

Thanks for listening to my gibberish! It helps me document my decisions, where I’m at, and clarify my own understanding on the next steps!

twocats

navindra I'm glad you're finding this fun and challenging! 🙂

Sophia

Nice update! As for CloudFlare, you might want to look into utilizing their tunnel solution. It eliminates any need for ssl certificates or open ports. It can be run in a Docker container as well.

I changed our NAS that runs Plex etc and it's eliminated all intruder attempts because CloudFlare seems to catch m all 😃

navindra

Sophia As for CloudFlare, you might want to look into utilizing their tunnel solution. It eliminates any need for ssl certificates or open ports. It can be run in a Docker container as well.

Wow! I did not know about that option and at first I was confused. 😃

It's very interesting indeed. I need to research a bit into the pros and cons of CloudFlare Tunnel vs CloudFlare Proxy, but this is very cool.

Thanks a lot!

Sophia

Yeah it's like magic... it is almost as if you are running TailScale or WireGuard but without the need for clients... best of all worlds! The Docker container is as simple as

#
# CloudFlare - Zero Trust Cloudflare tunnel
#
  tunnel:
    image: cloudflare/cloudflared:latest
    container_name: cloudflare-tunnel
    restart: unless-stopped
    command: tunnel run
    environment: 
      - TUNNEL_TOKEN=yourtokenhere
    networks:
      - yournetwork

Then all you need to do is point your CloudFlare domain (or subdomains, if you plan on adding more sites) to the corresponding port. Done!

Actually I only found out about this because I thought our ISP doesn't allow port 80/443 and I wanted to run a site. AFTER I set up the CF tunnel on our NAS, I learned that we are allowed any port now. Still... we haven't had a single intruder attempt since, so we're not complaining! 😃

rogerch

Sophia Very cool!

navindra

Sophia This sent me down some interesting investigation paths.

I realized that I could probably host the entirety of PianoTell on a home server safely using this CloudFlare tunnel. Of course, I wouldn't do that for various reasons, but interesting thought.
Even more interesting, I realized that an asynchronous replica setup was very much doable via the tunnel idea.

So even if I don't host the live version of PianoTell at home, I can still host the replica database (on a Raspberry Pi with Docker even) using similar tunneling technology from Tailscale. Of course, the replica can actually be anywhere, like on some cloud service where I have free credits... the possibilities are intriguing.

Thanks very much for this idea!

Sophia

Yes, that's one of the beauties... no need to run any service like No-IP even if you have a dynamic IP. And as you said, as long as you have a replica, switching to it is as easy as disabling the CF container on the one server and enabling it on the other. Not that I have done that, but in theory that should work - and it should make maintaining your server that much easier 🙂

I saw that Tailscale has a similar service now, but I think CF is a little more forgiving when it comes to resource hungry applications. Plus it's so much easier to set up - no need to fuss with Caddy or LetsEncrypt etc. No need for a reverse proxy like Nginx or Traefik either. Apparently, you can even use it with SSH, but I would imagine that won't be possible with your VPS or you'd be locked out the moment something goes wrong 🙂

Please keep us updated, I'm very interested 😃

navindra

I’m going into the weekend with quite a bit accomplished. In fact, I believe I now have a minimum viable implementation of PianoTell!

On top of the pianotell-web and pianotell-database containers, I implemented pianotell-cloudbackup and pianotell-tunnel.

pianotell-cloudbackup does exactly what the name says. It backs up PianoTell to the cloud every 15 minutes if anything has changed. I believe this is a pretty robust backup story. Let me rephrase that, pianotell-cloudbackup is nothing short of pure magic! 😉
pianotell-tunnel is based on an idea from @Sophia! It allows Cloudflare to communicate with the PianoTell server over a tunnel, no matter where it lives. I deployed PianoTell on a test domain and Cloudflare served it straight from my laptop, from a private network, as if it was any other public website. Pretty awesome!

Other than pianotell-tunnel, I can also run PianoTell via normal Cloudflare proxy functionality. Although I needed to poke a hole in my firewall so that Cloudflare could reach my laptop, the proxy works great as well.

I spent several hours getting pianotell-tunnel to work. Despite that, or probably because of that, I’m more inclined to go with the simpler proxy option.

The tunnel is too closely coupled with my PianoTell implementation. I feel like PianoTell should work independently of Cloudflare with Cloudflare being an extra level of protection. I shouldn't need to deploy and configure a Cloudflare binary on my network for primary functions.
The tunnel configuration can be quite tricky. I had to chase down various settings and enable debug logs at various levels to figure out why things were not working as expected.
The tunnel seems like too much overhead, introduces the potential for bugs, and is one more thing that can fail in the system. Compare this with simply opening some ports on a firewall.
Cloudflare also creates a very strange looking CNAME DNS entry to make the tunnel work. Maybe this doesn’t matter to anyone but me, but I want the PianoTell DNS entry to look legit. 🙂
I had to force Caddy to create self-signed certificates with the tunnel, but Caddy can get legit certificates just fine in the proxy configuration.

The tunnel certainly has advantages once it’s been set up. I don’t have to worry about direct access to my server. For the proxy solution, I need to configure the firewall to only accept connections from Cloudflare.

 The are various network oddities that I had to deal with as a consequence of running Caddy in a Docker container. This makes locking down direct access to the server even more important. Fortunately, there’s a script for that.

I have this sleek Mac mini from the Intel days that is lying idle at home. I plan to set this up as an asynchronous replica database and also as a second backup site for PianoTell. I might be able to use pianotell-tunnel to help with this. This is more of a future project though and not a blocker.

All in all, I’m quite pleased with where things are at now! I have to focus a bit more on validation and then summon up some courage to take the plunge.

There would be no going back to FreeFlarum.

Pallas

navindra Amazing! That all sounds so intricate and interesting, and I'm so grateful that you're doing this work. Thank you!

Sophia

I'm very excited about the backup solution! Congratulations on everything you accomplished in such a short time 😊

navindra

I think this is it. PianoTell is ready to graduate to new hosting.

I created pianotell-primary-01 on Hetzner Cloud on Friday. Hetzner is beyond amazing as a hosting service and have exceeded my expectations. I’m very impressed by how fast and easy everything is. Linux on ARM64 is a dream.

I installed Docker and pulled down the new pianotell-* containers and everything just worked! Mostly.

For one, the networking is less strange than on Mac, but that meant I needed to make some changes to accommodate Cloudflare. I built a new Caddy with Cloudflare support and that’s all working now. For cloudbackup, I had to refresh some tokens, but that’s not too unexpected.

The primary issue that caused me the most distress is the security model between the host and the containers. This isn’t evident on Mac because it only hosts the containers indirectly via Linux on VM.

Without Mac in the picture, the containers appear to be much less isolated from the host than I had expected. The root user in the container appears to have many similar privileges to root in the host. So I invested quite a bit of time in terms of fixing ownerships, privileges, and such. It’s mostly an incomplete patch job, with the real solution being to run Docker in rootless mode. Unfortunately, that is exactly the kind of custom work I was trying to avoid on the host in the first place — Docker should just install that way by default.

I’ll live.

All of that was before I could even get to what I thought would be my primary task this weekend — configure the Hetzner firewall so that only Cloudflare can proxy the traffic. Fortunately, this was very easy to do.

And that’s it! I’ve been running a test version of PianoTell on Hetzner Cloud since Friday and it’s been great!

I still have to decide when I’ll make the switch. Ideally, it would have been at the beginning of the weekend rather than the end.

When ready, I will take down PianoTell for about an hour with a redirect message. This is to allow all traffic to drain and make sure I have the latest copy of the database. Then I’ll update Cloudflare so that the new server starts taking traffic.

And hopefully that will be it!

Sophia

navindra configure the Hetzner firewall so that only Cloudflare can proxy the traffic

Yay! My biggest paranoia is break-ins, so I'm really pleased you found a way 🙂 Sorry you had the run around with the tunnel suggestion, but then again one can never learn too much, right?