Michael

It's probably on the order of 2-4 hours, so based what you said we should probably hold off for now. Just so you know I recently did this for another site, and it turns out that the tricky part is coordinating the switch from mongrel to passenger to keep downtime to a minimum.

I was hoping someone would chime in :)
Moving to passenger + ruby enterprise is a preemptive move to simplify things, so it is potentially reducing technical debt over the long term. Also I just checked the server and with 3 mongrels we are just barely eating into swap so things are running fine, but there is not much wiggle room. In regards to budget I haven't used much of my retainer hours recently so maybe this is a good use for those?

Partially true. I could add some rewrite rules to direct current subscribers to the feedburner urls. That still wouldn't tell us about users who subscribed, but have not updated their feeds since the rewrite rules were added.

no objections. done.

I've used feedburner in the past as well. We could probably scan the webserver logs to get feed stats, but that would require a fair amount of custom work, and feedburner is a free turnkey solution.

The main thing to understand is that a single s3 account is equivalent to a single user. So a user/account can modify any of his buckets and their contents. That being said you should be very careful with who gets to see your secret access key. It is obviously only on a need to know basis. Currently the application user (republic) and root have access to the secret key for backing up the database and avatars. I don't think it poses any additional security risk to allow the application to use s3 for attachments.

So now I guess the question is do we want to use S3 for hosting attachments. By attachments do you mean any user uploaded content including avatars? If so then I would vote yes. From a sys admin point of view it simplifies my life by removing the need to ever backup that content. From a user's perspecitive it will be a good thing too since the images will be served from a very speedy network connection. The only downside is having to pay for bandwidth, that would come for "free" from slicehost, but the bandwidth charges are pretty low. For example 1 month of storing 1GB with 20GB transfer in and 100GB transfer out would be $19.15.

I'll do some more testing this evening to see if I can find out what the root issue is.

We should probably have a monit script for this process.

I have tested this as much as possible without doing an actual reboot. It's probably a good idea to reboot the box at some point and make sure that everything is running as expected. Is their a good time to do this?

The other thing we want to do is setup DKIM(http://www.dkim.org/) which is an alternative anti-spam technology that some hosts use instead of or in addition to SPF. Setting up DKIM basically involves making changes to the mailserver configuration, but I am not sure how long it would take, since last time I tried to set it up I got stuck and never finished.

looks good!

Whoops I misspelled the domain. Still don't see any spf record with the correct spelling though:

mikehale:~ mikehale$ dig theconnectedrepublic.org txt

; <<>> DiG 9.4.2-P2 <<>> theconnectedrepublic.org txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55220
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;theconnectedrepublic.org. IN TXT

;; AUTHORITY SECTION:
theconnectedrepublic.org. 168 IN SOA ns0.dnsmadeeasy.com. dns.dnsmadeeasy.com. 2008010114 43200 3600 1209600 180

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 20 12:46:01 2008
;; MSG SIZE rcvd: 101

According to DNS theconnectedrepublic.org does not have any txt records. Where did you create the SPF records?

dig theconectedrepublic.org txt

; <<>> DiG 9.4.2-P2 <<>> theconectedrepublic.org txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37400
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;theconectedrepublic.org. IN TXT

;; Query time: 34 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 20 12:41:01 2008
;; MSG SIZE rcvd: 41

Sounds good. I'll probably end up adding a @reboot entry to republic's crontab (http://bloat.me/NOTZ).

Duff, where can I learn more about the h method?