Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

JDunphy
Outstanding Member
Posts: 871
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P38 NETWORK Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by JDunphy »

L. Mark Stone wrote: Fri Sep 22, 2023 12:24 am Hi Jim,

To avoid this issue we put the app banner and login logos on an S3 bucket that is open to the public. You can also use any https web server you like.

The locations of those files, both globally and on a per-domain basis, are stored in LDAP. You can indeed input a proper URL instead of a file system location in those attributes.

Doing so means you eliminate the above problem. :-)

Code:

zimbra@mail:~$ zmprov gacf | grep zimbraSkinLogo | grep Banner
zimbraSkinLogoAppBanner: https://s3.amazonaws.com/public.xxx.yyy/AppBanner.png
zimbraSkinLogoLoginBanner: https://s3.amazonaws.com/public.xxx.yyy/LoginBanner.png
zimbra@mail:~$

Hi Mark,

Definitely a superior solution to local filenames, and it eliminates that issue completely.

Thanks

Jim
liverpoolfcfan
Elite member
Posts: 1085
Joined: Sat Sep 13, 2014 12:47 am

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by liverpoolfcfan »

L. Mark Stone wrote: Fri Sep 22, 2023 12:24 am Doing so means you eliminate the above problem. :-)

Code:

zimbra@mail:~$ zmprov gacf | grep zimbraSkinLogo | grep Banner
zimbraSkinLogoAppBanner: https://s3.amazonaws.com/public.xxx.yyy/AppBanner.png
zimbraSkinLogoLoginBanner: https://s3.amazonaws.com/public.xxx.yyy/LoginBanner.png
zimbra@mail:~$
Hope that helps,
Mark

Would doing that not allow a phisher to use your public logos to make their login/post-login screens look completely realistic?
Wouldn't that take away the benefit of training people to react if the logos looked strange?
L. Mark Stone
Ambassador
Posts: 2782
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by L. Mark Stone »

A bad actor can get your logo anyway just by browsing to your Zimbra login screen, your web site, etc.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
hisfran
Posts: 31
Joined: Tue Apr 29, 2014 2:10 pm

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by hisfran »

Speak to Zimbra Daffodil Support about that, they should be able to help you.
We are in the process of doing that, and it looks like we'd have to do a Single Server Rolling upgrade using MMR LDAP Migration.
It's a bit scary for me as I've never done that, but they seem to be willing to help.

There is a short overview of the process in this video: https://www.youtube.com/watch?v=n6EBZ640lGw at 17:56. I suppose they will post more details on their Support or Wiki at one point.
JDunphy
Outstanding Member
Posts: 871
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P38 NETWORK Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by JDunphy »

gabaker wrote: Thu Sep 07, 2023 8:34 pm
dbayer wrote: Thu Sep 07, 2023 8:12 pm In the replies, they say there will be no extended support for 8.

I guess it's time to take another look at Carbonio.
Making us go through the work to do a major upgrade to 9.0 to get the extra year before also having to do another major upgrade to 10 is just silly and a waste of time.
Just wanted to mention that I looked into paying for carbonio last week as I have been running the open source version on a test server since it was announced. They don't mention price and trying to find information isn't always that easy for the commercial version. I asked about a small license for 25 users to see cost thinking that would be a good information point. Got back a message that they only sell in minimums of 200 and that it is multi-server infrastructure and not suitable for small infrastructure. Building zimbra FOSS if one had to seems a lot simpler and safer vs transitioning to a system in active development with unknown build/security and patch cycles. I imagine they also keep their commercial code private (Guess by me) so that would not be any different from what Zimbra has done other than they offer an official compiled FOSS build for carbonio and Zimbra after 8.8.15 that is no longer the case.

I have no intention of moving away from network version of zimbra myself at this point now that I can build FOSS versions at will including 3rd party components. Ian's work with FOSS builds and scripts has really helped for that. His helper scripts are now removing files and repairing builds that Zimbra patches were doing. That provides me with peace of mind so that we don't lose our data should they cease to exist and with it our network version fails to start with an expired license. I will still need to verify this periodically but so far I am able to switch to FOSS and see our data.

BTW, I run both Zimbra 9 and Carbonio FOSS on the same RHEL 8 server. I use this script to do that.

Code:

% cat switch_mail.sh 
#!/bin/bash 

#
# script to stop/start zimbra/carbonio installed on the same machine
# 11/22/2022 - jad
#
# Last tested with Carbonio Release 23.9.0
# note:%%%
#     carbonio is in active development so verify with a ps after each stop to make sure new services have not been added
#     WARNING: script will move cron entry for zextras or zimbra user out of the way with --stop. It assumes RHEL8 pathnames
#


usage() {
  echo "
    USAGE 
      switch_mail.sh [--stop|--start] [carbonio|zimbra]

     stop - moves cron aside and stops any systemctl services
     start - moves everything back
     
     Caveat: Only one can be active at once.  In other words, issue a stop before issuing a start if changing.
  
   EXAMPLE

     # switch_mail.sh --stop zimbra
     # switch_mail.sh --start carbonio
     # switch_mail.sh --stop  zimbra
     # switch_mail.sh --start carbonio

   if zimbra was running and to switch to carbonio, the following action would accomplish this:

    % su - 
    # switch_mail.sh --stop zimbra
    # switch_mail.sh --start carbonio

   NOTE - if you issue stop, then it is no longer active and will not start up on boot

  CAVEAT:
     Can only have one active at a time
     needs to run as root
  "
}

doCarbonio() {
    cmd="$1"	# stop|start|disable|enable

    # Apply the requested action to each Carbonio unit in turn.
    # carbonio-docs-connector was listed twice (with and without the
    # .service suffix); the second, redundant call has been dropped.
    systemctl "$cmd" carbonio-docs-editor-sidecar.service
    systemctl "$cmd" carbonio-clamav-sidecar.service
    systemctl "$cmd" carbonio-docs-connector.service
    systemctl "$cmd" carbonio-docs-connector-sidecar.service
    systemctl "$cmd" carbonio-clamav-signature-provider-sidecar.service
    systemctl "$cmd" carbonio-files-db-sidecar.service
    systemctl "$cmd" carbonio-files-sidecar.service
    systemctl "$cmd" carbonio-files.service
    systemctl "$cmd" carbonio-mailbox-sidecar.service
    systemctl "$cmd" carbonio-mta-sidecar.service
    systemctl "$cmd" carbonio-proxy-sidecar.service
    systemctl "$cmd" carbonio-storages-sidecar.service
    systemctl "$cmd" carbonio-storages.service
    systemctl "$cmd" carbonio-user-management-sidecar.service
    systemctl "$cmd" carbonio-user-management.service
    systemctl "$cmd" carbonio-docs-editor.service
    systemctl "$cmd" service-discover.service
    systemctl "$cmd" carbonio-prometheus-node-exporter.service
    systemctl "$cmd" carbonio-prometheus-mysqld-exporter.service
    systemctl "$cmd" carbonio-prometheus-openldap-exporter.service
    systemctl "$cmd" postgresql-12
}


freeze=0 	# 0 = start (the default when neither option is given), 1 = stop

args=$(getopt -l "help,stop,start" -o "hsg" -- "$@")
eval set -- "$args"

while [ $# -ge 1 ]; do
        case "$1" in
                --)
                    # No more options left.
		    shift
                    break
                   ;;
                -s|--stop)
                        freeze=1
                        ;;
                -g|--start)
                        freeze=0
                        ;;
                -h|--help)
                        usage
                        exit 0
                        ;;
        esac

        shift
done

mail="$*"

#echo "freeze: $freeze"
#echo "remaining args: $*"
#echo "mail is [$mail]"

case "$mail" in
     'carbonio')  
         echo "doing carbonio actions"
         if [ $freeze == 1 ]; then
              echo "****** zmcontrol stop"
              su - zextras -c "zmcontrol stop"
              mv /var/spool/cron/zextras /var/spool/cron/zextras-
              doCarbonio stop
              doCarbonio disable
              chkconfig --level 2345 carbonio off
         else
              echo "****** zmcontrol start"
              su - zextras -c "zmcontrol start"
              mv /var/spool/cron/zextras- /var/spool/cron/zextras
              doCarbonio enable
              doCarbonio start
              chkconfig --level 2345 carbonio on
         fi
         ;;
     'zimbra')  
         echo "doing zimbra actions"
         if [ $freeze == 1 ]; then
              echo "****** zmcontrol stop"
              su - zimbra -c "zmcontrol stop"
              mv /var/spool/cron/zimbra /var/spool/cron/zimbra-
              chkconfig --level 2345 zimbra off
         else
              echo "****** zmcontrol start"
              su - zimbra -c "zmcontrol start"
              mv /var/spool/cron/zimbra- /var/spool/cron/zimbra
              chkconfig --level 2345 zimbra on
         fi
         ;;
     *) 
         # unknown or missing target: show usage and report the error
         usage
         exit 1
         ;;
esac

Seems to get the job done so I can test, etc. I am sharing the same LE certificate between carbonio and zimbra... just a symlink ... I use a different deploy script for acme.sh depending on which server I am using so I am not regenerating a new cert each time. Maybe the script will be useful to others that want to do similar.

Jim
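
The script's header warns that Carbonio may add services between releases. As an added example (not part of the original post or script), the functions below compare the units named in the script's `systemctl $cmd` lines with a host unit listing, used here instead of checking `ps`; the sample data and the unit `carbonio-example-new` are constructed, and the listing is assumed to come from `systemctl list-unit-files --no-legend 'carbonio-*'`.

```shell
#!/bin/sh
# Added example, not part of the original post or script.

# script_units: reads a script like switch_mail.sh on stdin and prints the
# unit names from its `systemctl $cmd <unit>` lines, without ".service".
script_units() {
    awk '$1 == "systemctl" && $2 ~ /^"?\$cmd"?$/ {
             u = $3; sub(/\.service$/, "", u); print u }' | sort -u
}

# uncovered_units KNOWN: reads unit-file listing lines on stdin and prints
# each unit that is not in the newline-separated list KNOWN, i.e. a service
# the script would leave running after --stop.
uncovered_units() {
    awk '{ u = $1; sub(/\.service$/, "", u); print u }' | sort -u |
    while read -r uu_unit; do
        printf '%s\n' "$1" | grep -qxF -- "$uu_unit" || echo "$uu_unit"
    done
}

# Constructed sample: three lines in the style of doCarbonio().
SAMPLE_SCRIPT='systemctl $cmd carbonio-files.service
systemctl $cmd  carbonio-storages.service
systemctl $cmd carbonio-docs-connector'

# Constructed sample of a unit-file listing; "carbonio-example-new" is a
# made-up unit standing in for a service added by a later release.
SAMPLE_HOST='carbonio-files.service           enabled  disabled
carbonio-storages.service        enabled  disabled
carbonio-docs-connector.service  enabled  disabled
carbonio-example-new.service     enabled  disabled'

known=$(printf '%s\n' "$SAMPLE_SCRIPT" | script_units)
printf '%s\n' "$SAMPLE_HOST" | uncovered_units "$known"
```

On a real host the same functions take `script_units < switch_mail.sh` as the known list and the live unit listing on stdin; any name printed is a unit to add to `doCarbonio`.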
dbayer
Advanced member
Posts: 82
Joined: Thu Oct 09, 2014 9:10 am
Location: Maine
ZCS/ZD Version: Zimbra 10.0.5

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by dbayer »

Hi Jim,

Thank you again for your detailed description of the things you've tried and worked on.

One question. On the FOSS version of Zimbra, you mention that add-ons are supported. Does that include Active-Sync?

Thanks,
Daniel
JDunphy
Outstanding Member
Posts: 871
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P38 NETWORK Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by JDunphy »

dbayer wrote: Wed Oct 04, 2023 9:02 pm One question. On the FOSS version of Zimbra, you mention that add-ons are supported. Does that include Active-Sync?
Thanks,
Daniel
Hi Daniel,

Don't know the answer but "probably". I do not have very much experience with FOSS. My testing was really spotty - could I build nginx from thirdparty, etc.

Jim
JDunphy
Outstanding Member
Posts: 871
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P38 NETWORK Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by JDunphy »

I wanted to test a few upgrade paths to 10.0 from version 9. We will wait to Dec 2024 but here is the first test. Single server with backupNG that went to Daffodil.

This is what I did. I have another scenario where I am using HSM with my secondary on my same disk as primary but these instructions were for the case of only using NG Backups and nothing else. Previously in this thread, I went from 8.8.15P43 to 9.0.0P36. Now I am taking a 9.0.0P36 network server to 10.0.4 network. See previous posts in this thread on my update from 8.8.15 to see what modules I am using.

First I disabled BackupNG and removed the module.

Code:

# su - zimbra
% zmprov ms `zmhostname` zimbraNetworkModulesNGEnabled FALSE
% zmprov ms `zmhostname` zimbraRedoLogEnabled TRUE
% zmprov ms `zmhostname` zimbraRedoLogDeleteOnRollover FALSE
% zmmailboxdctl restart
% exit
# yum remove zimbra-network-modules-ng

One probably doesn't have to remove the module if they override ng modules when invoking install.sh but I went looking to see why the warning message.

Next I install version 10

Code:

# cd zcs-NETWORK-10.0.0_GA_4518.RHEL8_64.20230301065514
# ./install.sh
....
% zmcontrol -v
Release 10.0.2.GA.4518.RHEL8_64.20230301065514 NETWORK edition.

Next, I wanted 10.0.4 to display so did this:

Code:

# dnf repoquery --whatprovides '*zimbra-patch*'
Last metadata expiration check: 0:55:49 ago on Fri 06 Oct 2023 10:10:20 AM PDT.
zimbra-patch-0:10.0.0.1660982204.p0-2.r8.x86_64
zimbra-patch-0:10.0.1.1684843569-2.r8.x86_64
zimbra-patch-0:10.0.2.1688917154-2.r8.x86_64
zimbra-patch-0:10.0.3.1692275488-2.r8.x86_64
zimbra-patch-0:10.0.4.1694193513-
# dnf reinstall zimbra-patch-0:10.0.4.1694193513-2.r8.x86_64
# su - zimbra
Last login: Fri Oct  6 11:06:33 PDT 2023
[zimbra@mail ~]$ zmcontrol -v
Release 10.0.4.GA.4518.RHEL8_64.20230301065514 NETWORK edition.

Last, I wanted to verify backups and do they work. I removed the BackupNG files during the full backup but didn't remember the folders so to be safe moved stuff in old before realizing I could blow it all away.

Code:

[zimbra@mail ~]$ crontab -l |grep -i backup
# Backups
# BACKUP BEGIN
#0 1 * * 6 /opt/zimbra/bin/zmbackup -f -a all --mail-report
#0 1 * * 0-5 /opt/zimbra/bin/zmbackup -i --mail-report
#0 0 * * * /opt/zimbra/bin/zmbackup -del 1m --mail-report
# BACKUP END

# su - zimbra
% /opt/zimbra/bin/zmbackup -f -a all
% cd /opt/zimbra/backup
% mkdir old
% mv * old/
% /bin/rm -rf old
% ls
accounts.xml  sessions  tmp

Ran through my patch scripts... hardly anything changed again. Logged into the admin interface then to an account. All looked good. My account had 2FA which was no problem and I chose classic from the login screen. I didn't test to see if my default classic theme would have happened anyway. Read some email, looked at filters, etc. Not much of any testing but quite fast for an update and not that difficult.

Note: I did open a ticket for support asking for guidance for moving from a single server in place upgrade for a rehearsal from version 9 to version 10 with only BackupNG being used but the ticket is still open with about 10 questions that came back that I need to answer about the system before I get any help. Almost as fast to give it a try so I did.

Next I need to explore HSM where my secondary contains compressed blobs on the same disk as my primary. I am thinking that I could just move all the files and then delete the secondary, remove the module and go for it.

Baby steps.

HTH,

Jim
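
A check for the state the steps in the post above rely on, as an added example that is not part of the original post: it compares `attr: value` lines (the format assumed for `zmprov gs` output) with the values set by the `zmprov ms` commands, and counts `zmbackup` crontab entries that are not commented out. The hostname and the failing sample are constructed; the crontab sample repeats the lines shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Values set by the zmprov ms commands in the post.
EXPECTED="zimbraNetworkModulesNGEnabled=FALSE zimbraRedoLogEnabled=TRUE
zimbraRedoLogDeleteOnRollover=FALSE"

# Reads "attr: value" lines on stdin; prints one result per expected
# attribute and returns non-zero if any is missing or has another value.
check_server_attrs() {
    csa_input=$(cat)
    csa_rc=0
    for csa_pair in $EXPECTED; do
        csa_name=${csa_pair%%=*}
        csa_want=${csa_pair#*=}
        csa_got=$(printf '%s\n' "$csa_input" |
            awk -F': *' -v a="$csa_name" '$1 == a { print $2; exit }')
        if [ -z "$csa_got" ]; then
            echo "MISSING  $csa_name (expected $csa_want)"; csa_rc=1
        elif [ "$csa_got" = "$csa_want" ]; then
            echo "OK       $csa_name=$csa_got"
        else
            echo "MISMATCH $csa_name=$csa_got (expected $csa_want)"; csa_rc=1
        fi
    done
    return $csa_rc
}

# Reads `crontab -l` output on stdin and prints how many zmbackup entries
# are active, i.e. not commented out.
count_active_backup_jobs() {
    awk '!/^[ \t]*#/ && /\/zmbackup / { n++ } END { print n + 0 }'
}

# Constructed sample: attributes after the disable step in the post.
SAMPLE_ATTRS='# name mail.example.test
zimbraNetworkModulesNGEnabled: FALSE
zimbraRedoLogDeleteOnRollover: FALSE
zimbraRedoLogEnabled: TRUE'

# Constructed sample: redo log still off and one attribute not returned.
SAMPLE_ATTRS_BAD='# name mail.example.test
zimbraNetworkModulesNGEnabled: FALSE
zimbraRedoLogEnabled: FALSE'

# Crontab section as shown in the post: every zmbackup line is commented out.
SAMPLE_CRON='# BACKUP BEGIN
#0 1 * * 6 /opt/zimbra/bin/zmbackup -f -a all --mail-report
#0 1 * * 0-5 /opt/zimbra/bin/zmbackup -i --mail-report
#0 0 * * * /opt/zimbra/bin/zmbackup -del 1m --mail-report
# BACKUP END'

printf '%s\n' "$SAMPLE_ATTRS" | check_server_attrs
echo "active zmbackup jobs: $(printf '%s\n' "$SAMPLE_CRON" | count_active_backup_jobs)"
```

A count of 0 for the crontab shown in the post means the manual `zmbackup -f -a all` run is the only backup taken until the schedule lines are uncommented.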
L. Mark Stone
Ambassador
Posts: 2782
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by L. Mark Stone »

JDunphy wrote: Fri Oct 06, 2023 6:41 pm I wanted to test a few upgrade paths to 10.0 from version 9. We will wait to Dec 2024 but here is the first test. Single server with backupNG that went to Daffodil.
Hi Jim,

Curious why you would want to do this over the Rolling Upgrade method, other than for simplicity's sake?

There are also some risks here as re backups when you have data on like S3, which 8.8.15 and 9.0.0 can't read. So if you turn off the NG backups, OK, but better get up to 10 pretty quickly, because running Classic backups against an NG S3 store will work, but the blobs will be encrypted and unrestorable.

Like you said, baby steps...

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
JDunphy
Outstanding Member
Posts: 871
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P38 NETWORK Edition

Re: Migration of Single Node 8.8.15 with NG Modules to 10 Daffodil

Post by JDunphy »

L. Mark Stone wrote: Fri Oct 06, 2023 6:54 pm
JDunphy wrote: Fri Oct 06, 2023 6:41 pm I wanted to test a few upgrade paths to 10.0 from version 9. We will wait to Dec 2024 but here is the first test. Single server with backupNG that went to Daffodil.
Curious why you would want to do this over the Rolling Upgrade method, other than for simplicity's sake?
Hi Mark,

Exactly that. 4 mins start to finish in the above in place upgrade.
L. Mark Stone wrote: Fri Oct 06, 2023 6:54 pm There are also some risks here as re backups when you have data on like S3, which 8.8.15 and 9.0.0 can't read. So if you turn off the NG backups, OK, but better get up to 10 pretty quickly, because running Classic backups against an NG S3 store will work, but the blobs will be encrypted and unrestorable.
That backup shown was zimbra 10 backup on a single server that has never had HSM enabled so no S3, no encryption, etc. I thought HSM NG allowed one to use S3, encryption, etc but if you did nothing (never configured it) then it was not used and all one had was a primary store. That is what I thought I was testing.

I do have a scenario I want to test next with HSM NG being used where a secondary store is on the same physical NVMe storage as the primary with the exception its blobs are compressed so pretty vanilla scenario.

Perhaps that will require a rolling upgrade as you mention. My initial thought was to migrate data back to primary store and delete the secondary. Effectively not using HSM NG. I don't know if that is necessary and I have forgotten almost everything associated with the HSM NG so I might be using the terminology incorrectly.

I think my take away from this exercise is that being on 8.8.15 and getting to version 9 or 10 isn't as scary as I initially thought from reading some of the struggles. Now I have probably jinxed myself.

I was fairly worried about moving away from 8.8.15 by Dec 2023. Not so much anymore.

Jim