[LON-CAPA-admin] Changing to new server

Stuart Raeburn raeburn at msu.edu
Fri Aug 18 08:11:01 EDT 2017


Paul,

> We need to change to a new server.

Yes, a LON-CAPA node requires a static IP to operate correctly within  
the cross-institutional LON-CAPA network.

Furthermore, reverse DNS look-up for your public-facing IP address  
must return the hostname that is recorded for your particular LON-CAPA  
node in the authoritative cluster tables available from Academic  
Consortium servers at MSU, UIUC, and SFU (e.g.,  
https://s10.lite.msu.edu/adm/dns/hosts ), and forward DNS for that  
hostname must return the public-facing IP address.

Ports 80 and 443 must be open to inbound traffic on the LON-CAPA node  
from anywhere.

Port 5663 must be open to inbound traffic from IP addresses belonging  
to other nodes in the LON-CAPA network.  Each LON-CAPA server/VM  
itself will use iptables to control access to port 5663 (and rules are  
updated nightly automatically in response to changes in cluster  
membership).

Individual institutions may also have implemented firewall policies  
for their network border, whereby they whitelist specific IP addresses  
for incoming requests to port 5663, and block all others.  If that is  
the case, then the institution will also need to implement a procedure  
for updating their whitelists of allowed IP addresses when new nodes  
are added to the LON-CAPA network, or (in the rare instance) when an  
existing node changes IP address.

For example, IT Security at Michigan State University (MSU) decided to  
implement whitelisting at the network border for access to port 5663  
on LON-CAPA nodes at MSU at the end of 2016.  As a result, if a new  
LON-CAPA domain needs access to content created by authors in the msu  
domain, I send a change request to the MSU Border Firewall team at  
least 48 hours ahead of the IP change, so the addresses whitelisted at  
MSU can be updated ahead of the change at the (non-MSU) LON-CAPA node  
itself.

The IP address (and, optionally, the hostname) of a LON-CAPA node can  
be changed when changing the location of a particular LON-CAPA  
server/VM, e.g., when moving from a physical location within an  
academic department (and on one subnet within an institution) to a  
different physical location within a central IT datacenter (and on a  
different subnet within an institution).  Moving to a virtual machine  
in the cloud would be an extension of that.

The next LON-CAPA release -- 2.12 -- has some additional options for  
managing connectivity from other domains in the network, including:

(a) More granularity in the use of SSL certificates signed by the  
LON-CAPA certificate authority used to create a secure tunnel for  
exchange of an encryption key between nodes, when a LON-CAPA  
connection is being established between them.

(b) Use of client Apache/SSL certificates signed by the LON-CAPA  
certificate authority when a node requests the raw XML of a published  
LON-CAPA resource from another node.

(c) More granularity for a domain in choosing which types of LON-CAPA  
actions are supported for the domain's users on other nodes, and which  
types of LON-CAPA actions are supported on a domain's own nodes by  
users from other nodes.  This builds on the session hosting  
configuration options first added to LON-CAPA 2.10.

A motivation for these additional options is to permit individual  
domains to tailor their domain configurations for compliance with  
institutional policies on risk management.  One of the factors that a  
domain might consider in that assessment is whether a remote domain's  
nodes are hosted at the (remote) institution, or are hosted by a third  
party in the cloud.


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting "Neubauer, Paul" <pneubauer at bsu.edu>:

> Hello,
>
> We need to change to a new server. As I recall, once the system is  
> built and ready to become the regular bsul1 node in the lon-capa  
> network, it will need to have the same static ip address as the  
> current system now has.
>
> However, our current server group wants to put the lon-capa server  
> on the Amazon cloud. This apparently will still allow it to have a  
> static ip, but instead of 147.226.7.121 that (I think) is the  
> current ip of lon-capa.bsu.edu, it (lon-capa.bsu.edu) will have a  
> 35.x.x.x ip address. Is this possible? If so, what do I need to do?
>
> Thanks,
> Paul
>
> Paul Neubauer
> pneubauer at bsu.edu
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
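The DNS and firewall requirements Stuart lists above (forward and reverse DNS for the node must agree, ports 80/443 open to all, port 5663 open only to the addresses of other cluster nodes) can be turned into a pre-flight check for a node that is about to change address. The following is an added example, not code from LON-CAPA or from either correspondent. It assumes a simplified, constructed cluster-table format of `hostid:domain:hostname` (the real `/adm/dns/hosts` format is not reproduced here), uses made-up node names and documentation-range addresses, and takes the DNS resolvers as parameters so it runs offline against constructed answers; the `socket`-based defaults do real lookups.

```python
"""Pre-flight DNS/firewall check for a LON-CAPA node (added example, not
LON-CAPA's own code).  Cluster-table format, node names, addresses and DNS
answers below are all constructed for illustration."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Forward = Callable[[str], Optional[str]]   # hostname -> IPv4 string or None
Reverse = Callable[[str], Optional[str]]   # IPv4 string -> hostname or None

LONCAPA_PORT = 5663        # inter-node port named in the message
PUBLIC_PORTS = (80, 443)   # must be reachable from anywhere

# Constructed cluster table (assumed "hostid:domain:hostname" layout).
SAMPLE_HOSTS_TABLE = """\
msul1:msu:s10.lite.msu.edu
bsul1:bsu:lon-capa.bsu.edu
# comment lines are skipped
uiucl1:uiuc:loncapa.example.illinois.edu
"""

# Constructed DNS answers.  bsul1's PTR deliberately points at a generic
# cloud-provider name instead of the recorded hostname: the mismatch the
# message warns about when a node moves to a cloud VM.
SAMPLE_FORWARD = {
    "s10.lite.msu.edu": "192.0.2.10",
    "lon-capa.bsu.edu": "198.51.100.21",
    "loncapa.example.illinois.edu": "203.0.113.5",
}
SAMPLE_REVERSE = {
    "192.0.2.10": "s10.lite.msu.edu",
    "198.51.100.21": "ec2-198-51-100-21.compute-1.amazonaws.com",
    "203.0.113.5": "loncapa.example.illinois.edu",
}

# Only RFC 1918, loopback and link-local are rejected here; the sample uses
# TEST-NET documentation ranges, which ipaddress.is_global would also reject.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def socket_forward(hostname: str) -> Optional[str]:
    """Real A-record lookup (used only when no resolver is injected)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def socket_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup (used only when no resolver is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def parse_hosts_table(text: str) -> Dict[str, str]:
    """hostid -> hostname, skipping blank and '#' lines (assumed format)."""
    nodes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostid, _domain, hostname = line.split(":", 2)
        nodes[hostid] = hostname.lower().rstrip(".")
    return nodes


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918))


def check_dns(hostname: str, forward: Forward = socket_forward,
              reverse: Reverse = socket_reverse) -> dict:
    """Forward lookup must yield a routable IP whose PTR names the same host."""
    hostname = hostname.lower().rstrip(".")
    ip = forward(hostname)
    result = {"hostname": hostname, "ip": ip, "ptr": None, "ok": False, "problems": []}
    if ip is None:
        result["problems"].append("no A record")
        return result
    if not is_routable(ip):
        result["problems"].append(f"{ip} is not a public address")
    ptr = reverse(ip)
    result["ptr"] = ptr
    if ptr is None:
        result["problems"].append("no PTR record")
    elif ptr.lower().rstrip(".") != hostname:
        result["problems"].append(f"PTR {ptr} does not match {hostname}")
    result["ok"] = not result["problems"]
    return result


def iptables_rules(nodes: Dict[str, str], self_hostid: str,
                   forward: Forward = socket_forward,
                   reverse: Reverse = socket_reverse) -> List[str]:
    """80/443 open to all; 5663 only from peers whose DNS checks pass; else drop.
    Plain INPUT-chain commands for illustration, not LON-CAPA's nightly rule set."""
    rules = [f"iptables -A INPUT -p tcp --dport {p} -j ACCEPT" for p in PUBLIC_PORTS]
    for hostid, hostname in sorted(nodes.items()):
        if hostid == self_hostid:
            continue
        r = check_dns(hostname, forward, reverse)
        if r["ok"]:
            rules.append(f"iptables -A INPUT -p tcp -s {r['ip']}/32 --dport {LONCAPA_PORT} -j ACCEPT  # {hostid}")
        else:
            rules.append(f"# skipped {hostid} ({hostname}): {'; '.join(r['problems'])}")
    rules.append(f"iptables -A INPUT -p tcp --dport {LONCAPA_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    table = parse_hosts_table(SAMPLE_HOSTS_TABLE)
    for line in iptables_rules(table, "msul1", SAMPLE_FORWARD.get, SAMPLE_REVERSE.get):
        print(line)
```

Run stand-alone, the script prints ACCEPT rules for the two peers whose forward and reverse records agree and a commented "skipped" line for the constructed bsul1 entry, whose PTR names a provider-generated hostname rather than lon-capa.bsu.edu. That is exactly the case to verify (and, where the institution whitelists at its border, to report to the border firewall team) before a node moves to a cloud address.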


