Department Web Hosting SLA

    • #58
      nssabol
      Keymaster

      Department Web Hosting SLA. Latest version: 2.0 (Feb 12, 2016)

       

      *** Change log is attached.
      *** Feedback that was not reviewed in time before the submission on 02/15/2016 will be reviewed at the next undetermined revision period.

      • This topic was modified 8 years, 2 months ago by tbui.
    • #84
      erooney
      Participant

      2.1:
      HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

      2.1.1 bullet 2:
      Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

      2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

      Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation?

      Example:
      YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

      [1] Scheduled updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

      [2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

      3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

      3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

      I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

      Thanks,

      Eugene

      • #111
        tbui
        Keymaster

        @ erooney:

        2.1:
        HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

        [DONE, v2.0] Agreed. This will be added to 2.1. I believe that the current cPanel architecture has this already.

        2.1.1 bullet 2:
        Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

        [DONE, v2.0] Agreed. My proposed new language: “Ensure that hosted websites’ code, content, and installed web apps (such as WordPress) are secure and updated (compromised websites because of code, content, and/or installed web apps will be shut down at UNM IT’s discretion);”

        2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

        Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation?

        Example:
        YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

        [1] Scheduled updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

        [2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

        I think you should join our Agreements (SLAs, Standards) Review Team at IT. I will bring this back to IT Agreements for review.

        3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

        Agreed, but as a complete restore from a snapshot is only done as a last measure to restore service, I am not certain if informing Users of the restore would help Users to do backups if the service is unavailable.

        3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

        I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

        Agreed. This is in planning – to make a more secure and restricted environment in which websites/web applications that touch sensitive data (such as Banner) can be hosted. This is a popular request, and IT will make reasonable efforts to accommodate this request.

        • This reply was modified 8 years, 2 months ago by tbui.
    • #87
      gfaustin
      Participant

      In reference to item 2.1.1, one of the bullet points references training. Now that cpanel is going into production soon, it would be beneficial to have an orientation session for all interested. I know not everyone goes to the information architects meeting but I know there are a lot of website designers at UNM. So an orientation will create awareness and also some hands-on practice on how to use it.

      • #112
        tbui
        Keymaster

        @gfaustin

        In reference to item 2.1.1, one of the bullet points references training. Now that cpanel is going into production soon, it would be beneficial to have an orientation session for all interested. I know not everyone goes to the information architects meeting but I know there are a lot of website designers at UNM. So an orientation will create awareness and also some hands-on practice on how to use it.

        [IN PROGRESS] Lovely idea! I will work with Cameron Goble and my folks to see if we can make it happen before or soon after go-live.

        • This reply was modified 8 years, 2 months ago by tbui.
    • #88
      gfaustin
      Participant

      A list of the Content Management Systems that would be hosted within cpanel would help. Maybe not in the SLA but could be added in the Web-hosting service catalog.

      • #113
        tbui
        Keymaster

        @gfaustin

        A list of the Content Management Systems that would be hosted within cpanel would help. Maybe not in the SLA but could be added in the Web-hosting service catalog.

        [IN PROGRESS] If by “Content Management Systems” you mean apps such as WordPress, Drupal, etc., then absolutely. We will add a list of Softaculous-enabled web apps on the siterequest.unm.edu.

        • This reply was modified 8 years, 2 months ago by tbui.
    • #90
      steely
      Participant

      Re: 2.1.2,  Bullet 4: I thought up to 1 GB of storage was available free of charge? 256 MB is significantly less. It would be very easy for even a minimal website to exceed this and incur a monthly charge for its department.

      • This reply was modified 8 years, 2 months ago by steely.
      • #114
        tbui
        Keymaster

        @steely

        Re: 2.1.2,  Bullet 4: I thought up to 1 GB of storage was available free of charge? 256 MB is significantly less. It would be very easy for even a minimal website to exceed this and incur a monthly charge for its department.

        Sshhh, you’re not supposed to tell everyone about this sweet deal that was only offered to you!

        On a more serious note, before the introduction of cPanel, departments were only allocated 50 MB initially on website request/creation with the option of requesting additional storage up to 1 GB for $0 cost. This was done this way because we wanted to avoid circumstances in which departments that only used 20-50 MB ending up with a whole 1 GB of much wasted storage – which can be provisioned elsewhere where the extra storage was needed.

        With the implementation of cPanel, the project team lobbied and was given the permission to raise the initial 50 MB storage allocation to 256 MB. The final cost model is not finalized yet (soon), but when it is, it will be available on our website and announced at the various IT/IA group meetings.

    • #92
      steely
      Participant

      Re: 2.1.1:
      Bullet 3: Does “Customer’s local IT support” refer to a UNM department’s own internal staff?
      Bullet 4: It seems to me that web hosting with UNM IT should include automatic nightly backups without a separate charge. The charge could come in at a restoration of a snapshot.

      Re: 3.2
      Bullet 2: Please provide a link to “Pricing  and Billing” in the SLA.

      Re: 8
      – Can web developers be notified of charges that will appear in the monthly bill detail in advance? (I understand that it is a department’s finance / admin personnel that can login to the IT Billing portal. Is that correct?)
      – Are all communications with UNM IT for questions / tech support to be billed at $75 / hour?

      • This reply was modified 8 years, 2 months ago by steely.
      • #115
        tbui
        Keymaster

        @ steely:

        Re: 2.1.1:
        Bullet 3: Does “Customer’s local IT support” refer to a UNM department’s own internal staff?
        Bullet 4: It seems to me that web hosting with UNM IT should include automatic nightly backups without a separate charge. The charge could come in at a restoration of a snapshot.

        Bullet 3: Yes. Example: a department’s admins that have access to use cPanel should consult with the department’s IT staff (can be primary admin or designated web developer, etc.) first before contacting IT as many problems are similar, repeated, and can be resolved much quicker locally. For departments without local IT staff, admins that have access to use cPanel should reach out to UNM IT directly.

        Bullet 4: In other words, you suggest that UNM IT should hold your data hostage, and then ask you for a fee to restore it? I like it. I will bring this idea back for review.

        Re: 3.2
        Bullet 2: Please provide a link to “Pricing  and Billing” in the SLA.

        I am not sure what you meant by this as “Pricing and Billing” is under section 8. And bullet 2 discusses analytics.

        Re: 8
        – Can web developers be notified of charges that will appear in the monthly bill detail in advance? (I understand that it is a department’s finance / admin personnel that can login to the IT Billing portal. Is that correct?)
        – Are all communications with UNM IT for questions / tech support to be billed at $75 / hour?

        – I do not know if it is possible to leverage cPanel’s view to let you see your charges. I will look into this.

        – Yes, all communications with UNM IT for questions/tech support are billed at $75/hour. In fact, you will receive a bill tomorrow for the 2 hours I am spending writing my replies here… On a more serious note, communication with UNM IT for questions/tech support are not billed (to my knowledge). This provision refers to where “professional service” work is done. Example of professional services: web development (code writing), web support (making sure your WordPress is updated for you), etc.

        • #135
          steely
          Participant

          re: 2.11 bullet 4:
          You are way too clever for me by far, Tuan! That is not what I meant to suggest at all. But that’s what I said, isn’t it. Just reading this made my anxiety level shoot through the roof. I have had a couple instances of snapshot restoration that saved my skin and I was in panic mode already. Please do not add to my nervous state.

          • #201
            tbui
            Keymaster

            @ steely:

            re: 2.11 bullet 4:
            You are way too clever for me by far, Tuan! That is not what I meant to suggest at all. But that’s what I said, isn’t it. Just reading this made my anxiety level shoot through the roof. I have had a couple instances of snapshot restoration that saved my skin and I was in panic mode already. Please do not add to my nervous state.

            [IN PROGRESS] The comment about the hostage situation was really a joke. =) I will look at options to do this effectively and make a proposal for internal approval. I will let you know.

        • #138
          steely
          Participant

          Re: 8:
          And your time is well worth it! This is a very constructive discussion. Thanks for the clear explanations, and thanks as well for all of your efforts implementing good practices and technology at UNM IT.

          • This reply was modified 8 years, 2 months ago by steely.
        • #148
          steely
          Participant

          Re: 8:
          you replied,
          “…communication with UNM IT for questions/tech support are not billed (to my knowledge). This provision refers to where “professional service” work is done. Example of professional services: web development (code writing), web support (making sure your WordPress is updated for you), etc.”

          I think it would be good to spell this out in the SLA — the difference between professional services by IT and communication with IT. I’ve benefited greatly from being able to communicate with IT staff, even to learn a correct procedure, and was afraid this SLA meant that was now to incur a charge.

          I think it would be best to notify a user before charges are incurred.

          • This reply was modified 8 years, 2 months ago by steely.
    • #101
      aballo
      Participant

      1 – “Department Admins” is not mentioned elsewhere in the document.

      2.1.2 – Costs:

      This points to Service Catalog for “Department Web Hosting” – but costs are not mentioned?

      https://it.unm.edu/servicecatalog/asset_list.php?type=2&a_id=189 ?

      However, in 8 – Additional storage references “Virtual Infrastructure Services” where is this listed like this in the Service Catalog?  Is it the same as “Virtual Servers LoboCloud” ?

      3.1 – Service Manager should ensure that this service is meeting the Customer’s needs.

      5.2 Service Request Response:

      * When requests fall outside of this range, what is the remedy for the Customer? Is it “contact the Service Owner” like in 4.3 (Escalation)

      * What visibility does the Customer have when there is a breach in the Acknowledgement timeline of a ticket?

      * “Campus Priorities” could be defined? What times of year specifically?

      6.1 – Incident Reports:

      Where is the hourly rate and what items constitute associated expenses and materials defined in section 6?

      7 – Maintenance

      Maintenance windows should be defined in SLA. Maintenance performed outside of these agreed upon times should be communicated with the Customer in advance and, if it would cause significant negative impact, require their approval.

      9.1 – Availability Reporting

      Is this the Customer’s responsibility?  Why can’t sites be monitored by the Service Provider? Should this be part of the recommended enterprise services?

      9.2 – SLA Reviews

      Needs to state “Yearly” – with the Customer.

      • This reply was modified 8 years, 2 months ago by aballo.
      • #116
        tbui
        Keymaster

        @ aballo:

        1 – “Department Admins” is not mentioned elsewhere in the document.

        Good catch. This refers to “Web Admins and Developers” under 2.1.1

        2.1.2 – Costs:

        This points to Service Catalog for “Department Web Hosting” – but costs are not mentioned?

        https://it.unm.edu/servicecatalog/asset_list.php?type=2&a_id=189 ?

        However, in 8 – Additional storage references “Virtual Infrastructure Services” where is this listed like this in the Service Catalog?  Is it the same as “Virtual Servers LoboCloud” ?

        Guilty as charged. We are also making updates to our services in our Service Catalog as we work on these SLAs. They will be updated.

        3.1 – Service Manager should ensure that this service is meeting the Customer’s needs.

        Yes.

        5.2 Service Request Response:

        * When requests fall outside of this range, what is the remedy for the Customer? Is it “contact the Service Owner” like in 4.3 (Escalation)

        * What visibility does the Customer have when there is a breach in the Acknowledgement timeline of a ticket?

        * “Campus Priorities” could be defined? What times of year specifically?

        – Could you provide examples of requests that fall outside of this range? Requests are different than incidents.

        – The only visibility means that I am aware of today is to contact IT CSS. This is really good feedback, I will bring it back for review.

        – I will also bring this back for clarification.

        6.1 – Incident Reports:

        Where is the hourly rate and what items constitute associated expenses and materials defined in section 6?

        I believe this refers to different hourly rates based on the services consumed. I will bring this back for review and clarification.

        7 – Maintenance

        Maintenance windows should be defined in SLA. Maintenance performed outside of these agreed upon times should be communicated with the Customer in advance and, if it would cause significant negative impact, require their approval.

        Could you provide reasons for your proposal to have the maintenance windows defined in the SLA as opposed to via a link provided today?

        Agreed on the second part – that is how we operate today.

        9.1 – Availability Reporting

        Is this the Customer’s responsibility?  Why can’t sites be monitored by the Service Provider? Should this be part of the recommended enterprise services?

        Yes, it is currently the Customer’s responsibility. Sites can be monitored by the Service Provider, but we do not have that monitoring service available yet. In my opinion, this absolutely should be a part of the recommended enterprise services.

        9.2 – SLA Reviews

        Needs to state “Yearly” – with the Customer.

        Agreed. This will be included as part of the yearly service subscription renewal that Customer and UNM IT do.

        • #131
          ayoder
          Participant

          @tbui

          The Department Web Hosting page has a pricing section but not “additional storage options and costs”

          “Pricing

          • 256 MBs (Default) – Free
          • More than 256 MBs – Please contact IT at Help.UNM (http://help.unm.edu) for specific costs”

           

          Charges associated with services originating from an Enterprise SLA should be in one spot. “Go to service catalog” “Contact IT”

          There is nothing that talks about the estimated business impact ($$$) caused by a loss of the service. If students are unable to fill out documents for their financial aid or apply to UNM there is potential impact for the University.

           

          The maintenance windows need to be defined in the SLA so they are agreed upon between Customer (University of New Mexico) and the service provider. A new SLA should have to be signed if the service provider wishes to change the planned maintenance window to make sure the new time meets the requirements of the business. “UNM IT reserves the right to modify the maintenance window” should be removed. If the window needs to be modified, a new SLA needs to be generated, approved, and signed.

           

          3.3 UNM IT Strategic Advisory Committee gets no mention as they do in other SLAs for Customer Responsibilities In Support of the Service

           

          5.2 “Campus priorities may require exceptions during certain times of the Academic year”

          Certain times needs to translate into actual times. For example, during the first week of the fall/spring semester and the week prior. Customer (University of New Mexico) needs to accept these exceptions and make sure they meet the requirements of the business.

           

          Thank you Tuan for responding to all our feedback! 🙂

          • This reply was modified 8 years, 2 months ago by ayoder.
    • #105
      ccovey01
      Participant

      2.1 need link to backup and restore costs
      3.2 – In the case of student organizations, is their local department responsible for their training?
      3.2 bullet 9 – local department cannot be held financially responsible for any Web Hosting arrangement that a student organization initiated and maintains

      • thus need to make distinction between personal/affiliated Web Hosting and true department hosting

      3.3 suggest requirement for use of functional email address, or secondary FTE contact to ensure the site is not deleted if say the primary contact graduates or separates from UNM

      • This reply was modified 8 years, 2 months ago by ccovey01.
      • #117
        tbui
        Keymaster

        @ ccovey01:

        2.1 need link to backup and restore costs

        I am not sure what “backup and restore costs” is being referred to here. Are you referring to the costs for UNM IT to assist with individual department’s backup and restore? If yes, then this is under Pricing and Billing – specifically under support coverage. If not, please elaborate.


        3.2 – In the case of student organizations, is their local department responsible for their training?

        If the student organizations go through their local departments to request this service, then yes. Reading jcapps’s feedback below this, I am thinking that a separate hosting service for official groups (non-department sponsored) is needed. I will bring this back for further discussion.


        3.2 bullet 9 – local department cannot be held financially responsible for any Web Hosting arrangement that a student organization initiated and maintains

        • thus need to make distinction between personal/affiliated Web Hosting and true department hosting

        Good feedback. See answer above. I will bring this back for review.

        3.3 suggest requirement for use of functional email address, or secondary FTE contact to ensure the site is not deleted if say the primary contact graduates or separates from UNM

        Amazing feedback. I will bring this back for consideration.

        • This reply was modified 8 years, 2 months ago by tbui.
    • #109
      jcapps
      Participant

      2.1.1 Is the local IT responsible for training of student run sites such as student organizations? The School of Law has 24 student organizations as well as 3 student run journals.

      3.3 Is there a warning when customer is about to exceed default allocations?

      • #119
        tbui
        Keymaster

        @ jcapps:

        2.1.1 Is the local IT responsible for training of student run sites such as student organizations? The School of Law has 24 student organizations as well as 3 student run journals.

        If the student organizations go through their local departments to request this service, then yes. I will bring this back for consideration of setting up a separate hosting service for official groups that are not sponsored by departments.

        3.3 Is there a warning when customer is about to exceed default allocations?

        I believe this (notification as quota is getting close to limit) is a setting in cPanel. I will double check.

    • #110
      gogogo
      Participant

      2.1.1 – First bullet – Provide a link to UCAM’s standards, please.

      2.1.1 – Third bullet – This is vague. What level of expertise is expected of ‘local IT support’? Can we expect that tickets opened at IT by departmental users will be tossed back to the departmental IT if central IT deems them to be too basic?

      2.1.1 – Fourth bullet – Back up and recovery should be part of the basic service.

      2.1.1 – Include titles of policies, please (not just the numbers).
      – Link to 2500 is broken
      – The inclusion of Policy 7215 seems to indicate that payments can be managed on the department websites server. What, if anything, is IT doing to support that feature? Is accepting CC payments something that can be set up in CPanel? Or is that handled by a separate web server (or other software) tuned for that purpose?

      2.1.2 – First bullet. I’m unclear about the purpose of this item. It doesn’t list things like Java applets, XML, JSON, REST services, SOAP services, AJAX services. It seems like things like that should be included in the list? Or is it a list of back-end technologies? But then why does it mention HTML, CSS and JavaScript? If I am serving XML, for example, does that mean that I’m in violation of the SLA?

      3.2 – 9th bullet (Bring to the Customers’ attention…)
      This seems somewhat arbitrary to me. How is Customer fault determined, and how are IT fixes vetted by Customers? How do Customers report problems that arise due to IT activities (config changes, software (OS, php, database) updates)?

      6.1 – Again, how is the determination that something was caused by a Customer made? What recourse does a Customer have to refute such claims? For example what if a site was extremely popular and began to utilize enough resources that it affected other sites? Would that be construed as being the Customer’s fault and the site would then be shut down? While I understand that P1 events need to be dealt with ASAP, there should be a way for Clients to arbitrate, especially if fault is going to be assigned by IT.

      9.2 – What’s the mechanism for gathering feedback and input from stakeholders?

      Suggestions:
      IT should probably offer specifics on what’s enabled (or disabled) in php.conf, mysql.conf (or equivalent), and httpd.conf. I don’t believe that there are security issues with revealing details like that, but such things could very well determine whether a Customer can actually utilize the service for some specific application. In addition, such details will make it easier to create local development environments that are similar to IT’s.

      IT should provide a generalized outage page so that scheduled and unscheduled (if possible) maintenance doesn’t result in users getting no response at all. So, all traffic to the departmental web server(s) should be shunted to a page indicating that scheduled maintenance is occurring, if possible, while the service is down.

      Thanks!
      Greg

      • #120
        tbui
        Keymaster

        @ gogogo:

        2.1.1 – First bullet – Provide a link to UCAM’s standards, please.

        Ok.

        2.1.1 – Third bullet – This is vague. What level of expertise is expected of ‘local IT support’? Can we expect that tickets opened at IT by departmental users will be tossed back to the departmental IT if central IT deems them to be too basic?

        We expect that departments’ local IT can provide “reasonable” first triage. The idea behind having departments’ local IT providing initial triage support is to help with turn-around time as many problems are similar, repeated, and can be resolved much quicker locally. This is not meant to “punish” departments’ local IT. And no, UNM IT will not toss tickets back to local IT – we might forward them all to gogogo@unm.edu though.

        2.1.1 – Fourth bullet – Back up and recovery should be part of the basic service.

        I will bring this back for review and consideration.

        2.1.1 – Include titles of policies, please (not just the numbers).
        – Link to 2500 is broken
        – The inclusion of Policy 7215 seems to indicate that payments can be managed on the department websites server. What, if anything, is IT doing to support that feature? Is accepting CC payments something that can be set up in CPanel? Or is that handled by a separate web server (or other software) tuned for that purpose?

        – I think there was a reason why the titles were left out. I’ll double check. If there wasn’t a reason, I’ll make sure the titles are added in.

        – Link will be fixed, thanks for finding this.

        – Good point. I will bring this back for review.

        2.1.2 – First bullet. I’m unclear about the purpose of this item. It doesn’t list things like Java applets, XML, JSON, REST services, SOAP services, AJAX services. It seems like things like that should be included in the list? Or is it a list of back-end technologies? But then why does it mention HTML, CSS and JavaScript? If I am serving XML, for example, does that mean that I’m in violation of the SLA?

        – Your guess was right: limited by back-end technology. HTML, CSS, and JavaScript will be removed.

        3.2 – 9th bullet (Bring to the Customers’ attention…)
        This seems somewhat arbitrary to me. How is Customer fault determined, and how are IT fixes vetted by Customers? How do Customers report problems that arise due to IT activities (config changes, software (OS, php, database) updates)?

        I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

        6.1 – Again, how is the determination that something was caused by a Customer made? What recourse does a Customer have to refute such claims? For example what if a site was extremely popular and began to utilize enough resources that it affected other sites? Would that be construed as being the Customer’s fault and the site would then be shut down? While I understand that P1 events need to be dealt with ASAP, there should be a way for Clients to arbitrate, especially if fault is going to be assigned by IT.

        Good point on arbitration. I will bring this back for clarification.

        9.2 – What’s the mechanism for gathering feedback and input from stakeholders?

        This SLA is reviewed with departments annually via email when departments sign up for service subscription renewal.

        Suggestions:
        IT should probably offer specifics on what’s enabled (or disabled) in php.conf, mysql.conf (or equivalent), and httpd.conf. I don’t believe that there are security issues with revealing details like that, but such things could very well determine whether a Customer can actually utilize the service for some specific application. In addition, such details will make it easier to create local development environments that are similar to IT’s.

        I will bring this back for review by Security. If approved, yup.

        IT should provide a generalized outage page so that scheduled and unscheduled (if possible) maintenance doesn’t result in users getting no response at all. So, all traffic to the departmental web server(s) should be shunted to a page indicating that scheduled maintenance is occurring, if possible, while the service is down.

        Oh, you mean a customized 404 or 503 page for maintenance/non-maintenance outages. Great idea. I will bring this back for review.

        Edit: What about this page? http://mysos.unm.edu/

        • This reply was modified 8 years, 2 months ago by tbui.
        • #174
          gogogo
          Participant

          Hi, Tuan:

          Regarding Departmental IT Support, Central IT Support and triage, it might be a good idea to define (perhaps in a different SLA) what is expected of each? This seems like a good way to collaborate and to help establish bridges between IT and departments. For example, if a user called the help desk with a support request, they could ask if they had tried their local support options. If the answer is ‘yes’ then the technician who gets the ticket can assume that certain preliminaries have already been attempted, or at the very least, that the Departmental IT support can provide technical background about the problem.

          Regarding this:
          I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

          This sounds reasonable, as long as you’re not painting yourself into a corner. Two scenarios come to mind:

          1. An active emergency requires that a site be shut down immediately; IT should have the option of doing that if the emergency warrants it.
          2. Cases where departmental contacts are non-responsive and IT must take action to prevent or stop problems.

          In cases like these, IT should be able to simply shut a site down quickly (and probably non-billable-ly), and sort things out later with the Customer.

          http://mysos.unm.edu/ seems like a good idea. As long as it’s not on dept2.unm.edu and dept2.unm.edu is down.

          I think I got everything; the rest seems fine.

          Thanks so much!

          Greg

          • #559
            tbui
            Keymaster

            Hi Greg,

            Regarding Departmental IT Support, Central IT Support and triage, it might be a good idea to define (perhaps in a different SLA) what is expected of each? This seems like a good way to collaborate and to help establish bridges between IT and departments. For example, if a user called the help desk with a support request, they could ask if they had tried their local support options. If the answer is ‘yes’ then the technician who gets the ticket can assume that certain preliminaries have already been attempted, or at the very least, that the Departmental IT support can provide technical background about the problem.
            [IN PROGRESS] One idea that was proposed in a different SLA discussion was to have an OLA for the local IT departmental units. As the introduction of this OLA is going to change the dynamic of how UNM IT has been working with departments, I am going to bring this back for feedback.

            Regarding this:
            I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

            This sounds reasonable, as long as you’re not painting yourself into a corner. Two scenarios come to mind:
            An active emergency requires that a site be shut down immediately; IT should have the option of doing that if the emergency warrants it.

            Cases where departmental contacts are non-responsive and IT must take action to prevent or stop problems.
            In cases like these, IT should be able to simply shut a site down quickly (and probably non-billable-ly), and sort things out later with the Customer.
            As an update, the current template language that our Agreements Committee agreed to: “Upon notification, UNM IT reserves the right to bill, at our standard hourly rate or expedited service rate, for any avoidable situations in which extra time is being required of UNM IT staff.”

            http://mysos.unm.edu/ seems like a good idea. As long as it’s not on dept2.unm.edu and dept2.unm.edu is down.
            [IN PROGRESS] It’s going to be on a different server than the downed websites/apps. We use the F5 to check and redirect.

    • #128
      susier
      Participant
      • Recommend replacing “Department” with the more general “academic unit” throughout.
      • $75/hour charge should be a link to a separate schedule that will be updated periodically, rather than being hardwired into the SLA.
      • #165
        mdcarter
        Participant

        Using the phrase “academic unit” is actually more limiting in my opinion.  There are many “administrative units” and “student organizations” that use this service as well. An alternative phrase that can encompass the different campus groups might be more appropriate.

        I think a definition of terms should appear at the top of the document that would define such phrases used throughout the SLA document. For example, “User” could be interpreted as the User of the service or the visitor to a website. It is sort of defined in the General Overview so that may not be the best example.

        • #561
          tbui
          Keymaster

          @mdcarter:
          I think a definition of terms should appear at the top of the document that would define such phrases used throughout the SLA document. For example, “User” could be interpreted as the User of the service or the visitor to a website. It is sort of defined in the General Overview so that may not be the best example.
          [IN PROGRESS] I could not agree more. In the “Mobile App Distribution SLA,” the definition for “End Users” was spelled out under the “End Users Responsibilities” section. I’m going to sneak the language in and bring this to Agreements next time for review.

      • #560
        tbui
        Keymaster

        @susier:
        Recommend replacing “Department” with the more general “academic unit” throughout.
        We do intend to provide this service to all departments and not just academic units.

        $75/hour charge should be a link to a separate schedule that will be updated periodically, rather than being hardwired into the SLA.
        [IN PROGRESS] Our Agreements made the same feedback – referencing the Service Catalog page. This will be changed.

    • #136
      vnarducc
      Participant

      I would only like to echo the concerns that @steely brought up about nightly snapshot backups and restorations, as I too have found myself in a spot where the host’s ability to do this has saved me from a total disaster.

      Obviously regular local backups are extremely important for us to execute, but I apologize that I am still somewhat confused… So IT will perform a backup/restore service but this is an additional cost on a yearly basis? Or this is an additional cost on an hourly basis?

      In my experience, the need for this kind of restore is basically the very last resort and failsafe and is only used in a catastrophe (i.e. hacking).

      Thanks to everyone who commented on many of the additional items too.

    • #139
      elisha
      Participant

      This is a general question related to all of the SLAs, but I’m especially interested in the answer as it pertains to this one. The KSA report defined “Enterprise” as something that is “Exclusively offered by a Central Entity.” Does adoption of this SLA, then, force adoption of Central IT hosting for all websites, or is this SLA an attempt to describe a service that is currently offered as an option for departments? Some definition of that in the scope would be helpful.

      Under Metrics & Logs, I am not familiar enough with C-Panel to know specifically what they are referring to, although I can guess. It does raise the question, though should the SLA be describing features of the product (help documentation) or should it be more focused on what services are being provided and what level of service users should expect?

      Under the section UNM IT provides:

      I would specify that “Support services via UNM IT Service Desk” are limited to support of this as a service, and not applicable to support for end users of the department’s web sites or services, unless the intention is to triage those at the support desk.

      Is any level of “systems operations” a shared responsibility? What are the limitations of access and configuration available to end users?

      Can we get more definition on “Basic system level backup processes and disaster recovery;” Does this include off site backups? With what frequency? How is Disaster recovery handled? Are on-demand snapshots possible?

      How are notifications handled for up/down monitoring?

      2.1.1 – If a department does not want to adhere to the bullets listed (I don’t recommend it, but it happens), they should use a different service? I know this isn’t the intention of this SLA, but it seems like it would be more universally beneficial to have a collaborative group define what the branding, security, documentation, administration, etc. standard are for departments supporting web sites and services.

      Is there a way for departmental admins to perform ad hoc snapshots and restores of their systems? This has been critical for some of our web applications.

      Is there an effort to create web standards for anything other than the PHP/MySQL? If the intention is to move websites to an exclusive service, limiting the boundary to PHP/MySQL may just create incentives for people to use Ruby or ASP or something else.

      24 hour notice of suspension of service is very short. I know there are emergencies, but the provision just says failure to comply with the agreement, which could mean anything from an egregious failure to a website using more than the allowable storage. It would be good to see something that outlined the levels of infraction and escalation response.

       

      2.2.1 – can we be more specific than “a few days”?

      3.2 – if the service features are documented in the service catalog, what are the terms for updating the service features and catalog under the SLA? Should the SLA be product specific to cPanel and Softaculous, or more descriptive of the services those programs provide?

      Under “Bring to the Customers’ attention any situation in which extra time is required of UNM IT” what are the correlated responsibilities of IT when extra time is required due to lack of Central IT staff planning, knowledge, or implementation practices? How is fault determined? What happens when it is shared?

      4.3 Escalation – What recourses are available to the customer beyond contacting the service owner?

      7 – How are changes to the maintenance window negotiated with customers?

      Thanks, Tuan. Please don’t take any of these comments to be dismissive of the work that has already gone into this document. It just seems to me that an SLA should include more definition, especially if we are heading toward exclusive provision of services.

      • #562
        darruti
        Participant

        Hi Elisha.  I’ll attempt to respond to a couple of your comments:

        “This is a general question related to all of the SLAs, but I’m especially interested in the answer as it pertains to this one. The KSA report defined “Enterprise” as something that is “Exclusively offered by a Central Entity.” Does adoption of this SLA, then, force adoption of Central IT hosting for all websites, or is this SLA an attempt to describe a service that is currently offered as an option for departments? Some definition of that in the scope would be helpful. ”

        UNM IT intends to complete SLAs for all of our services whether enterprise or supplemental so that users can better understand the service we are offering.  Per the President’s timeline, our immediate focus is on enterprise SLAs identified through the KSA review (and that is the nature of your question).  As of this moment there has not been a directive to exclusively use those services classified by KSA as enterprise, whether provided by IT or another unit.   We have only been asked to document the service and collect and incorporate feedback for review by executive leadership.  Any steps beyond that are to be determined.  Certainly the articulation of  the service and input from the community will better inform any next steps.    

        “4.3 Escalation – What recourses are available to the customer beyond contacting the service owner?”

        We will work on the language in this section to better articulate.  Thanks.

        Tuan will follow up on other open items.

    • #149
      ccovey01
      Participant

      Tuan,

      My thanks as well for taking the time to reply to all of these responses, in detail, and for being receptive to the suggestions made – Chad

      • #241
        tbui
        Keymaster

        My thanks as well for taking the time to reply to all of these responses, in detail, and for being receptive to the suggestions made – Chad
        Chad, thanks for the kind words! All of us here at IT realized very quickly how amazing discuss.unm.edu was soon after it went live as it allowed us to receive feedback like yours and others.

        With regard to your praise for “being receptive,” just wait until you see me put my foot down.

    • #161
      mdcarter
      Participant

      My assumption based both on discussions and this SLA is that the goal is to move all sites currently hosted on IT’s departmental web servers to the cPanel servers.  My question is related to the 256mb space limit provided, somewhat mirroring Sharon’s comments above.

      1.  Has an audit been conducted looking at the size/quota of websites currently hosted on the Departmental web servers?  I know of and work with many departments that have quotas well over the 256 amount.  I would be curious to know the ranges and averages (mean, median and mode).

      2.  The idea of cPanel is great in terms of easily managing multiple sites under a single account.  For example, we currently host 30+ sites in a single NetID account.  That account has a significant quota.  I feel the limiting of disk space per account will encourage users to simply create a new NetID when space is an issue and they have multiple sites.  This creates more NetID and cPanel accounts that need to be managed on the IT side of things. However, I would prefer to manage everything in one account.

      • #243
        tbui
        Keymaster

        My assumption based both on discussions and this SLA is that the goal is to move all sites currently hosted on IT’s departmental web servers to the cPanel servers.  My question is related to the 256mb space limit provided, somewhat mirroring Sharon’s comments above.

        1.  Has an audit been conducted looking at the size/quota of websites currently hosted on the Departmental web servers?  I know of and work with many departments that have quotas well over the 256 amount.  I would be curious to know the ranges and averages (mean, median and mode).
        We have not done an official audit, but we do collect that metric on websites.unm.edu (this website has restricted access) – big thanks to Farid Hamjavar at IT for maintaining it. It lists all 900+ websites on Dept2, and their quotas and usages. I can provide mean/median/etc. at a later date.

        2.  The idea of cPanel is great in terms of easily managing multiple sites under a single account.  For example, we currently host 30+ sites in a single NetID account.  That account has a significant quota.  I feel the limiting of disk space per account will encourage users to simply create a new NetID when space is an issue and they have multiple sites.  This creates more NetID and cPanel accounts that need to be managed on the IT side of things. However, I would prefer to manage everything in one account.
        (IN PROGRESS) Agreed to both points. Though, I do not have a good answer at this point due to the model with which cPanel is designed. I will bring back to the implementation team for feedback.

    • #163
      mdcarter
      Participant

      The phrasing of the second bullet in 3.2 seems misleading to me:

      “Track websites’ and visitors’ activity and provide Users with access to this data;”

      I assume what you are saying here is that IT will maintain web server access logs.  Tracking visitor’s activity could mean something much more “NSA” to some reading it.

      • #242
        tbui
        Keymaster

        The phrasing of the second bullet in 3.2 seems misleading to me:
        “Track websites’ and visitors’ activity and provide Users with access to this data;”

        I assume what you are saying here is that IT will maintain web server access logs.  Tracking visitor’s activity could mean something much more “NSA” to some reading it.

        Good point. The tool is tracking stats similar to Google Analytics. Perhaps a better wording would be: “Track visitors’ pageviews, sessions, and visits using system logs, and provide Users with this data.” The pageviews, etc. were examples as cPanel uses different terms than Google Analytics.

    • #166
      mdcarter
      Participant

      Policy 2570 should be referenced somewhere in the SLA.
      Policy 2570: Official University Webpages –
      https://policy.unm.edu/university-policies/2000/2570.html

      • This reply was modified 8 years, 2 months ago by mdcarter.
      • #237
        tbui
        Keymaster

        Policy 2570 should be referenced somewhere in the SLA.
        Policy 2570: Official University Webpages –
        https://policy.unm.edu/university-policies/2000/2570.html
        Agreed. I think this should be included under Web Admins/Developers Responsibilities per policy’s:
        “Staff, faculty, students, and contractors authorized to develop official webpages for any administrative or academic unit of the University, including webpages of the Health Sciences Center and branch campuses, should comply with the requirements of this policy.”

    • #172
      erooney
      Participant

      This draft of the SLA states that departmental/local IT will be the first line of support. Will there be any Operating Level Agreements (OLAs) between the centralized provider and local IT to support the customer? If a customer is going to rely on this agreement, then the central provider and the departmental IT group need to be in sync in terms of support. How will this agreement be structured for customers without departmental IT expertise for this service?

      This also applies to other centrally provided services where the centralized provider’s SLA relies on departmental IT for any kind of triage or support. There needs to be an OLA in place defining how these groups work together in support of the SLA.

      • This reply was modified 8 years, 2 months ago by tbui.
      • #232
        tbui
        Keymaster

        @ erooney:
        This draft of the SLA states that departmental/local IT will be the first line of support. Will there be any Operating Level Agreements (OLAs) between the centralized provider and local IT to support the customer? If a customer is going to rely on this agreement, then the central provider and the departmental IT group need to be in sync in terms of support. How will this agreement be structured for customers without departmental IT expertise for this service?
        (IN PROGRESS) Having OLAs in place between central IT support and departmental IT local support is a great idea. I’m not sure if we are there yet though. I will bring this question up at this Friday IT Agreements meeting for feedback.
        For departments without departmental IT expertise for this service, IT would provide support directly.

        • This reply was modified 8 years, 2 months ago by tbui.
    • #183
      gogogo
      Participant

      Oops, one more thing. I hope it’s not too late!

      Currently, I believe that IT has Zend_Framework code stored in a centralized location so that users don’t have to consume quota for that. It would be great if that service was mentioned in the SLA.

      For completeness’ sake I would suggest something like this (using semi-fictitious versions):

      • /path/to/zend/1/
        • 1.12.13/
        • 1.12.14/
        • 1.12.15/
        • etc.
      • /path/to/zend/2/
        • 2.4.7
        • 2.4.8
        • 2.4.9
        • etc.

      In other words, keeping past versions as well as the latest versions.
      These don’t have to be full packages, but just the basic deployment code.

      In addition, it might be useful to have something like /path/to/zend/1/latest that’s a symlink that always points to the latest version, whatever that is. So, for the examples I gave above:

      • /path/to/zend/1/latest -> /path/to/zend/1.2.15
      • /path/to/zend/2/latest -> /path/to/zend/2.4.9

      Because both versions are fairly stable, developers don’t have to worry (much) if they use latest, and rely on IT to update the framework as needed. Having the ability to point to any version provides maximum flexibility, if needed.

      Please let me know if any of this is unclear.

      Thanks!

      Greg
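
The versioned layout with a floating `latest` link proposed in the post above, sketched as an added example (not part of the original post and not UNM IT's configuration). The temporary tree and version numbers are constructed; sites that need a fixed framework version keep including an explicit version directory, which is untouched when `latest` moves.

```shell
#!/bin/sh
# Added example: shared-library tree with per-version directories and a
# "latest" symlink. All paths and version numbers below are constructed.

# latest_version DIR: print the highest x.y.z directory name under DIR.
# Fields are compared numerically, so 1.12.9 sorts below 1.12.15.
latest_version() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
         | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# repoint_latest DIR: make DIR/latest point at the highest version.
# The target is a bare sibling name (never absolute, never ../), so the
# link cannot lead outside the tree and survives copying to another server.
repoint_latest() {
    dir=$1
    ver=$(latest_version "$dir")
    [ -n "$ver" ] || { echo "no version directories in $dir" >&2; return 1; }
    tmp="$dir/.latest.$$"
    rm -f "$tmp"
    ln -s "$ver" "$tmp" || return 1
    # Renaming a new link over the old one is atomic; -T (GNU, busybox)
    # stops mv from descending into the directory the old link points to.
    if ! mv -Tf "$tmp" "$dir/latest" 2>/dev/null; then
        rm -f "$tmp"
        ln -sfn "$ver" "$dir/latest"   # fallback where mv lacks -T
    fi
}

demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/1/1.12.9" "$root/1/1.12.13" "$root/1/1.12.15"
    repoint_latest "$root/1"
    echo "latest -> $(readlink "$root/1/latest")"
    # A new release arrives: the link moves, older versions stay in place
    # for sites that pinned them.
    mkdir "$root/1/1.12.16"
    repoint_latest "$root/1"
    echo "latest -> $(readlink "$root/1/latest")"
    [ -d "$root/1/1.12.15" ] && echo "1.12.15 still available for pinned sites"
    rm -rf "$root"
}
demo
```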

       

      • #231
        tbui
        Keymaster

        @ gogogo:

        Currently, I believe that IT has Zend_Framework code stored in a centralized location so that users don’t have to consume quota for that. It would be great if that service was mentioned in the SLA.
        I like this idea, and I would like to explore expanding the language to state “shared libraries” instead of limiting it to just Zend. I will bring this back for review.

        In addition, it might be useful to have something like /path/to/zend/1/latest that’s a symlink that always points to the latest version, whatever that is. So, for the examples I gave above:

        /path/to/zend/1/latest -> /path/to/zend/1.2.15
        /path/to/zend/2/latest -> /path/to/zend/2.4.9

        In your experience, is it possible to link to Zend via http? I’m thinking architecture-wise, for websites sitting on different cPanel boxes, it is better to have Zend hosted on a central box that websites on all of the other cPanel boxes can refer to without resorting to shared drives. If Zend can only be included locally as your example stated, then each cPanel box would have to have Zend on there somewhere.

    • #244
      gogogo
      Participant

      Tuan:

      Regarding other libraries: Indeed. I’m Zend-centric, but that’s by tradition. It might be worthwhile to consider PECL and PEAR, as well.

      Regarding using URLs for paths to the Zend library: this could be possible. php has the ability to read files from http URLs, but I don’t know if the autoloader code can deal with them. Zend_Framework (and all other php libraries that I know of) use a method of naming classes that will help an Autoloader to find and then include files. This emulates Java’s class loader but is much less formalized. So, for example, suppose that I evoke an object: $cool = new Zend_Cool_Class(). The Autoloader starts looking through the path variable for zend/cool/class.php, which must then contain a class Zend_Cool_Class(). Essentially, it’s replacing underscores with slashes with some rules to make it easier for developers.

      In addition, the framework allows users to create their own namespaces, for example ‘UNM_Extlearn_’, along with an optional path ‘users/el/Sites/application/modules/unm/extlearn/’. In that case if I evoke an object: $person = new UNM_Extlearn_Person(), then the framework’s Autoloader will know to look for the class code in ‘users/el/Sites/application/modules/unm/extlearn/Person.php’. The framework assumes a number of paths that are used by convention, and users are free to modify those (at their own risk) or add others. This functionality makes it easy to include other libraries, as well, and as you can see, since classes must be named correctly, namespacing is automatic.

      So, it’s a tangled web and elegant in its way. I would say the bottom line is that it’s probably best to use actual filesystem paths.

      Thanks,
      Greg

      • #558
        tbui
        Keymaster

        Hi Greg,

        Regarding other libraries: Indeed. I’m Zend-centric, but that’s by tradition. It might be worthwhile to consider PECL and PEAR, as well.

        Regarding using URLs for paths to the Zend library: this could be possible. php has the ability to read files from http URLs, but I don’t know if the autoloader code can deal with them. Zend_Framework (and all other php libraries that I know of) use a method of naming classes that will help an Autoloader to find and then include files. This emulates Java’s class loader but is much less formalized. So, for example, suppose that I evoke an object: $cool = new Zend_Cool_Class(). The Autoloader starts looking through the path variable for zend/cool/class.php, which must then contain a class Zend_Cool_Class(). Essentially, it’s replacing underscores with slashes with some rules to make it easier for developers.

        In addition, the framework allows users to create their own namespaces, for example ‘UNM_Extlearn_’, along with an optional path ‘users/el/Sites/application/modules/unm/extlearn/’. In that case if I evoke an object: $person = new UNM_Extlearn_Person(), then the framework’s Autoloader will know to look for the class code in ‘users/el/Sites/application/modules/unm/extlearn/Person.php’. The framework assumes a number of paths that are used by convention, and users are free to modify those (at their own risk) or add others. This functionality makes it easy to include other libraries, as well, and as you can see, since classes must be named correctly, namespacing is automatic.

        So, it’s a tangled web and elegant in its way. I would say the bottom line is that it’s probably best to use actual filesystem paths.

        I believe that this can be done, but it will be less elegant than what we had in the past. The Dept-Web environment uses NFS which allows our 6 web servers to share the same storage. The cPanel environment is siloed – i.e., websites are spread across multiple servers. As we are moving our systems to vCloud Air, shared storage is discouraged in new environments. One option that we can do to enable shared libraries across the websites is to have a local copy of the libraries on each cPanel server. There might be other more graceful solutions. I’ll bring the topic up for discussion at the next IA-meeting (March, 2016).

    • #245
      gogogo
      Participant

      Howdy:

      This is echoing Elisha’s comment: what’s the purpose of this SLA? Is it to:

      1. Define a Service that IT is offering and is optional for units to use?
      2. Define a Service that IT is offering and is required for units to use?

      This leads to some questions:

      If the IT service is optional, and units choose to use their own internal resources to provide the service for their own use, are they also required to abide by the SLA?

      If a unit chooses to partner with another unit to provide these services, will both units be required to implement and abide by the IT SLA?

      Thanks!
      Greg

      • #563
        darruti
        Participant

        Hi Greg.  Hopefully the response just posted to Elisha’s comment helps to clarify.  With regards to the follow on questions:

        “If the IT service is optional, and units choose to use their own internal resources to provide the service for their own use, are they also required to abide by the SLA?  If a unit chooses to partner with another unit to provide these services, will both units be required to implement and abide by the IT SLA?”  

        Much as we have been asked to work on SLAs for those services categorized by KSA as enterprise, we have also been asked to work on standards for those services categorized by KSA as supplemental.  The standards would be the relevant resource and guide for any unit providing a service in those supplemental areas.

        • This reply was modified 8 years, 1 month ago by darruti.
    • #248
      cdean
      Participant

      Echoing Elisha and Greg, I’m a little confused about the whole concept of the Enterprise services. Are these SLAs being written because there is a mandate that everything considered Enterprise must only be offered by Central IT or is there an exception process by which a unit/department can maintain their autonomy, perhaps by meeting a standard (which at this point, doesn’t exist)? When I look at the list of Recommended Enterprise Services (which I understand are now accepted/approved, not simply recommended) as documented in the Business Model memo dated 10/7/15 from the Main Campus IT Strategic Advisory Committee to the Main Campus IT Executive Governance Committee, I see 26 services, many of which could well have multiple sub-services, covering a multitude of areas. As an example, Individual Software Purchases, Mobile Device Management and Web Page Development are all listed. It’s hard for me to wrap my brain around these services being only offered via an Enterprise model. Can someone please clarify?

      Thanks,
      Cyndi Johnson

      • #249
        erooney
        Participant

        Along those same lines, are there any discussions about what the Enterprise service offerings should be rather than just wrapping an SLA around existing services that may or may not meet campus needs? There were a couple of responses that dismissed SLA feedback as “not an SLA question” (not in the Web Hosting SLA thread), but if there are gaps or fundamental problems with the service offering this is an opportune time to engage an already-engaged community.

  • The topic ‘Department Web Hosting SLA’ is closed to new replies.