Primero “Tier 4” Local Server Deployment
Resources Allocation and Work Plan
Guidance:
- Programmatic Guidance
- Want to know whether you are ready to host Primero? See the Hosting Requirements Checklist
- Self-hosting background and set up
- Installation Guidance
Architecture for partner-hosted server
Demo server hosted by UNICEF (Primero Team responsibilities):
- Implementation support including the implementation planning, documentation, forms mapping, configuration of the system, quality assurance, training for go-live and as the system scales up
- Role configuration and localization in any language
- Production support provided through the Support Hub
- Implementation of Primero, including deployment of the system (a secure Kubernetes-based CPIMS+ demo instance on a Primero URL) that is kept up to date with the latest releases and updates, and support for user acceptance testing (if required)
- Hosting of the demo-instance by UNICEF’s ICTD (if required) with security, DNS, and GDPR features
- Once live, the demo environment is used for configuration testing and configuration promotion to the partner-hosted production environment
Production server hosted by local partners:
- Partners are responsible for all infrastructure, including setting up servers, hosting, monitoring and security measures, data durability/data storage, backups, DNS, and configuration of the alpha and production instances
- Partners are responsible for owning, protecting and securing the data
- Partners are responsible for the installation of Primero; they are able to access the open-source documentation on the Primero GitHub repository, which has instructions on installing the system, and have full access to the Primero Support Hub
- Partners verify that the configuration has been promoted from the UNICEF-hosted demo server
Stakeholder Roles and Responsibilities:
| Actors | Focal Point | Responsibility |
| | | |
Setting up the Local Production Server
Checklist for local production server
| Hardware Requirement | |
| Software Requirement | |
| Networking Rules | |
| Security Requirements | |
| Data Backup and Disaster Recovery | |
| DNS/TLS Security Certificate | |
| Support Level Agreement | |
Hardware Requirements
- 8+ GB of memory is preferred
- 2 CPU cores (2.5 GHz, Intel Xeon)
- Storage: 500 GB or more
Software Requirements
- Ubuntu 20.04
Networking Rules
- Publicly accessible domain
- All permitted outbound traffic:
  - Ubuntu/Canonical package repositories, Docker Hub, Azure DevOps repositories and, optionally, Let's Encrypt
- Inbound traffic permitted on ports 80 and 443
- Inbound traffic permitted on port 22 (can be restricted to a whitelisted Azure domain)
- A non-root user with no password and passwordless sudo privileges, accessible only via SSH
Security Requirements:
Details of each item, and methods for checking it, are provided here.
- Operating system patches up to date
- Core dumps disabled
- All unnecessary services made unavailable
- System accounts disabled
- Strong PAM password quality
- Password policy configured
- SSH configuration hardened
- No unauthorized world-writable files
- Mount options not hardened
- SUID core dumps should be disabled
- Dynamic network configuration
- NFS and/or RPC services disabled
- Networking hardening
- IPv6 support disabled
- Use TCP Wrappers
- Server should send logs to a remote LogHost
- Strong log file permissions
- Syslog and log rotation configured properly
- Firewall
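As an added illustration, not part of this guidance or of the Primero project's own tooling, the bash helpers below check several of the items above (core dumps, SUID core dumps, SSH hardening, remote LogHost, world-writable files) from their configuration files. The paths in `audit_host` are the Ubuntu 20.04 defaults and the expected values are the usual hardened settings, both assumed here; each check reads only the classic file syntax named in its comment.

```bash
#!/usr/bin/env bash
# Hypothetical audit helpers for the hardening checklist above (Ubuntu 20.04 paths).
# Each check takes a file or directory path, so it can be run against /etc on the
# host or against copies pulled from a server; it returns 0 on PASS and 1 on FAIL.
# First effective value of KEY in sshd_config (sshd honours the first match).
sshd_value() { awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1"; }
# Last effective value of KEY in a "key = value" file such as sysctl.conf (last wins).
sysctl_value() {
  sed -e 's/#.*//' "$1" | awk -F'=' -v k="$2" \
    '{gsub(/[ \t]/,"",$1); if ($1==k) v=$2} END{gsub(/[ \t]/,"",v); print v}'
}
# "SSH configuration hardened": key-only logins, no root or empty-password logins
# (the three directives must be set explicitly; an absent directive fails the check).
check_sshd_hardened() {  # check_sshd_hardened /etc/ssh/sshd_config
  [ "$(sshd_value "$1" PermitRootLogin)" = no ] &&
  [ "$(sshd_value "$1" PasswordAuthentication)" = no ] &&
  [ "$(sshd_value "$1" PermitEmptyPasswords)" = no ]
}
# "SUID core dumps should be disabled": fs.suid_dumpable must be 0.
check_suid_dumpable() { [ "$(sysctl_value "$1" fs.suid_dumpable)" = 0 ]; }
# "Core dumps disabled": a hard core-size limit of 0 for all users in limits.conf.
check_core_dumps_disabled() {  # check_core_dumps_disabled /etc/security/limits.conf
  sed -e 's/#.*//' "$1" | awk '$1=="*" && $2=="hard" && $3=="core" && $4=="0" {ok=1} END{exit !ok}'
}
# "Server should send logs to a remote LogHost": a classic rsyslog forwarding rule
# such as "*.* @@loghost:514" (RainerScript action() rules are not parsed here).
check_remote_loghost() {  # check_remote_loghost /etc/rsyslog.conf
  sed -e 's/#.*//' "$1" | grep -Eq '^\*\.\*[[:space:]]+@@?[[:alnum:].:-]+'
}
# "No unauthorized world-writable files": none on the filesystem rooted at $1.
check_no_world_writable() {  # check_no_world_writable /
  [ -z "$(find "$1" -xdev -type f -perm -0002 -print -quit 2>/dev/null)" ]
}
# Run every check against the live host and report; returns 1 if anything failed.
audit_host() {
  local rc=0 name fn path
  while read -r name fn path; do
    if "$fn" "$path"; then echo "PASS $name"; else echo "FAIL $name ($path)"; rc=1; fi
  done <<'EOF'
sshd         check_sshd_hardened       /etc/ssh/sshd_config
suid_dump    check_suid_dumpable       /etc/sysctl.conf
core_dumps   check_core_dumps_disabled /etc/security/limits.conf
loghost      check_remote_loghost      /etc/rsyslog.conf
world_write  check_no_world_writable   /
EOF
  return $rc
}
# Only audit the live host when invoked as: bash audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sudo bash audit.sh --audit` on the server; settings that live in `/etc/sysctl.d/*.conf` or `/etc/ssh/sshd_config.d/*.conf` must be checked with those paths as well.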
Data backups and disaster recovery
- External storage or another methodology
DNS/TLS Security Certificate
- Security certificate or Let’s Encrypt
Support Level Agreement
- It is mutually agreed that the partner is responsible for first-level support, meaning that if the server faces any downtime the partner does the initial troubleshooting. If an issue has to be escalated, it goes through the Support Hub.
Ansible for promoting Configuration
Architecture for Interoperability
OpenFn Hosting Interoperability Requirements
OpenFn will provide two project webhooks:
- Production webhook project
  - Only the partner can access the production site.
  - Real data is used on the production server.
  - It is connected to real API data.
- Alpha webhook project
  - Related people are allowed to access the alpha site for testing and development purposes.
  - Dummy data is not real, so it does not violate data confidentiality.
  - It is connected to dummy API data.
- OpenFn hosts all the interoperability for the alpha site and the production site.
- No resources are required from UNICEF or the partner.