Skip to content

Migration steps to WebEOS and AlmaLinux 9 for sites hosted on AFS

Due to the upcoming decommissioning of WebAFS announced in OTG0147333, web sites hosted on AFS need to move to EOS in order to migrate to AlmaLinux 9 and new SSO.

Delete an AFS site

In case the web site is not needed anymore, or you'd like to start over a new site from scratch, below are some instructions to delete the AFS site. For migration instructions, continue to the next section.

Delete the AFS site from the webservices portal: click the name of the AFS site to open the management page in the old portal, then use the Delete <sitename> button under ToolBox on the left.

Deleting the AFS site leaves files as-is in AFS, but the deletion is not reversible since it is not possible to create an AFS site anymore. The full deletion takes about 1h, before the site's hostname can be re-used in a new site.

Gather properties of the AFS site

  1. Access the WebAFS management screen from the webservices portal, as described in: Getting to the site management screen
  2. NB: in case the AFS site has been deactivated, it will not show up anymore under "My sites". To reach the management of a deactivated site, click the site name in the deactivation planning page.
  3. Take note of some important site properties needed to create the EOS site:
  4. Description
  5. Archive
  6. CGI-enabled folders

An example of the AFS management screen: AFS Management Screen Click on Website configuration on the left to get a view attibutes of your site's subfolders. AFS WebSite Configuration Screen

On top of the screen, Current folder indicates the folder you are currently viewing. Navigate the subfolders and check which subfolders have Enable CGI execution checked. Note folders with CGI execution enabled.

Aliases and short URLs

The AFS management screen shows information about Aliases and short URLs (https://cern.ch/mysite). This information in the old web portal is obsolete: all short URLs have been moved to a new service. It is also the case for hostname aliases.

Deleting the AFS site has no impact on short URLs and redirections.

Creating an EOS web site with same name as an AFS web site

Here are a couple of options by increasing level of complexity. It is recommended to apply the first option compatible with the site's requirements.

Warning

Since OTG0148791, service accounts are not allowed anymore to own computing resources. Thus, the new EOS site must be created and owned by a person's primary CERN account. The owner may set an administrator group to allow multiple users (including service accounts) to manage the site.

Option 1 (self-service): create a "preview" EOS site in parallel with the AFS site

When to use: this option allows to prepare the new web site in EOS before deleting the AFS site, and is appropriate for most web sites. A "preview" EOS site will use a temporary URL while the original AFS site remains untouched, allowing to work on the EOS site until it works as expected. When the EOS site is ready, switching the site's URL to the new site takes only a couple of minutes.

Warning

The "preview" EOS site has the same name as the original AFS site, they are linked. Deleting the preview site also deletes the original AFS site! If for some reason you need to delete the preview site without deleting the original AFS site, please open a support ticket.

  1. Create a new WebEOS site using the same name but the webtest.cern.ch domain, e.g. if AFS site is mysite.web.cern.ch then create a WebEOS site also named mysite, but select the webtest.cern.ch domain (a warning explains that mysite.web.cern.ch is not available, since it's used by the original AFS site). We'll call the new mysite.webtest.cern.ch site the "preview site". Use the same Description as in AFS that was kept in Gather properties of an AFS site.
  2. Copy files into the EOS site's folder. lxplus provides access to both EOS and AFS filesystems. If needed, CERNBox provides a web interface to upload files to EOS.
  3. Follow the instructions to adapt AFS site configuration to EOS below. If case your site has CGI-enabled folders found in Gather properties of an AFS site, see CGI scripts.
  4. The preview site can be tested at will using URL https://mysite.webtest.cern.ch. When the new site is ready, perform the switch from the AFS site to the EOS site simply by changing the URL of the EOS "preview" site from mysite.webtest.cern.ch to mysite.web.cern.ch. Within a couple minutes, the old AFS site will be disabled (leaving files on AFS untouched) and the new EOS site will respond at https://mysite.web.cern.ch.

Warning

The switch only happens one-way. Changing the URL of the EOS site will not re-enable the AFS site.

Option 2 (with a ticket to IT support): semi-automated process for complex web sites

When to use: contacting IT support can be considered in the following cases:

  • for complex web sites (for instance having a large folder structure with many .htaccess configuration files), it may be challenging to review and adapt them to EOS. IT support can provide semi-automated configuration changes to facilitate the process.
  • creating a WebEOS site requires a pre-existing EOS workspace. For Personal sites, it is always possible to use one's EOS home directory; but when no EOS workspace is readily available to store the files for an Official site, IT support can provision a folder for the site in the special EOS workspace /eos/web.

Please open a support ticket to organize a coordinated migration. Please make sure to provide the AFS site name and the intended destination EOS folder (or for Official sites without an available EOS workspace, indicate you would like a new folder in /eos/web).

The process will be similar to Option 2: there will be a site preview to validate the new site before making the switch.

Adapting an AFS site configuration to an EOS site

Both AFS and EOS sites use the same .htaccess configuration files, but some changes may be necessary. Here are the main changes to take into account when moving from AFS to EOS:

CGI scripts

Very important: folders containing CGI scripts must be CGI-enabled in a different way in EOS sites. The "CGI-enabled" state is not carried over automatically from AFS. Failing to re-enable CGI as per these instructions can cause web site visitors to see the source of the CGI scripts rather than the result of their execution!

In addition, due to the change of operating system from CC7 in AFS sites to Alma9 in EOS sites, it may be necessary to adapt some CGI scripts (mostly Python): see what changes in AlmaLinux 9.

PHP scripts

In most cases, PHP scripts will keep working without requiring changes in configuration.

However, due to the change of operating system from CC7 in AFS sites to Alma9 in EOS sites, some adaptation may be necessary: see what changes in AlmaLinux 9.

Preserve old URLs

The webEOS infrastructure supports a shorter version of site URL: https://sitename.web.cern.ch (notice the absence of sitename at the end of the URL). On the other hand, in the old infrastructure access to URL https://sitename.web.cern.ch redirects to https://sitename.web.cern.ch/SiteName.

It is possible to preserve the exact same URLs in webEOS by adding two annotations to the site's UserProvidedDirectory resource using advanced configuration. Follow the instruction on how to add the annotations: Edit annotations or open a support ticket.

For the first annotation, set Key to webservices.cern.ch/webeos-legacybaseurl and Value to SiteName (case sensitive). For the second annotation, set Key to webservices.cern.ch/webeos-uselegacybaseurl and Value to true.

Authentication

If the site uses authentication (SSO), changes are required to move from the "old SSO" used on AFS sites to the "new CERN SSO" on the new site. For an overview, see instructions to set up access control.

Here is an example of typical changes to do in a .htaccess file to move from old to new SSO:

AFS SSO changes example

  • remove any SSLRequireSSL and Shib* directives
  • AuthType Shibboleth becomes AuthType openid-connect
  • Require shib-attr ADFS_GROUP my-egroup becomes Require claim cern_roles:my-egroup
  • For each group used for authorization, create a corresponding role in the new SSO.

General configuration

For EOS sites to behave the same as an AFS site, typically use the following settings in the webeos site management screen:

  • enable "Guest access"
  • enable "Use .htaccess files"
  • enable "Archive" if the AFS site has status "Archived"

Common errors

If the EOS site returns a 403 error:

  1. double-check that the EOS folder is shared with a:wwweos. See point 3 of the prerequisites.
  2. this could also happen if there is no default page in the site's folder (index.html)