Steps to upgrade INDICO 2.x (postgres 9.6) to INDICO 3.X (postgres13) using nginx as web server
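# NOTE(review): no backup step appears on this page. Take a dump of the 9.6 database and a
# copy of the Indico archive directory before starting, so the upgrade can be rolled back.

# Stop the Indico 2.x stack (uWSGI, Apache, Celery) before touching its files or database.
systemctl stop uwsgi.service httpd.service indico-celery.service
# Keep the old installation as /opt/indico2X instead of deleting it.
cd /opt
mv indico indico2X
yum install -y epel-release
# Drop the old PGDG repo definition (presumably so the repo package below installs a fresh one).
rm -rf /etc/yum.repos.d/pgdg-redhat-all.repo
yum install -y epel-release
yum install -y centos-release-scl
# The repo RPM is installed straight from a URL, so trust in it rests on the HTTPS download:
# yum only signature-checks URL/local packages when localpkg_gpgcheck is enabled.
yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
yum install -y postgresql13 postgresql13-server postgresql13-libs postgresql13-devel postgresql13-contrib
yum install -y git gcc make redis nginx
# Build dependencies for compiling Python (pyenv) and the Indico Python packages.
yum install -y libjpeg-turbo-devel libxslt-devel libxml2-devel libffi-devel pcre-devel libyaml-devel zlib-devel bzip2 bzip2-devel readline-devel sqlite sqlite-devel openssl-devel xz xz-devel libffi-devel findutils libuuid-devel
# The 9.6 server has to be down before pg_upgrade works on its data directory.
systemctl stop postgresql-9.6.service
# Keep the 2.x services from starting again at boot; the 3.x units are created further down.
systemctl disable uwsgi.service httpd.service indico-celery.service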
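# Run the cluster upgrade as the postgres OS user, from its home directory.
su postgres
cd
pwd   # expected output: /var/lib/pgsql
# Create the empty PostgreSQL 13 cluster that pg_upgrade will fill.
/usr/pgsql-13/bin/initdb --locale=en_US.UTF-8 -D /var/lib/pgsql/13/data/
# Migrate the 9.6 cluster into it. No --link is given, so data files are copied and the old
# data directory stays in place. Running the same command with --check first reports
# incompatibilities without changing anything.
/usr/pgsql-13/bin/pg_upgrade --old-datadir /var/lib/pgsql/9.6/data/ --new-datadir /var/lib/pgsql/13/data/ --old-bindir /usr/pgsql-9.6/bin/ --new-bindir /usr/pgsql-13/bin/
exit
# NOTE(review): pg_upgrade does not carry over postgresql.conf or pg_hba.conf. Re-apply any
# local changes from /var/lib/pgsql/9.6/data and review the access rules before starting.
systemctl enable postgresql-13
systemctl start postgresql-13.service
su postgres
# Script written by pg_upgrade into the directory it was run from; it regenerates the
# optimizer statistics on the new cluster.
/var/lib/pgsql/analyze_new_cluster.sh
# Leave the postgres shell again: the systemctl call below needs root.
exit
systemctl restart redis.service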
# Write the uWSGI configuration for Indico 3.x.
# The delimiter is quoted ('EOF'), so the shell writes the text below verbatim.
# Workers run as user indico with group nginx; the socket is created with mode 770, so
# only that user and members of the nginx group can connect to it.
# harakiri = 900 lets a single request run for up to 15 minutes before its worker is killed.
cat > /etc/uwsgi-indico.ini <<'EOF'
[uwsgi]
uid = indico
gid = nginx
umask = 027
processes = 4
enable-threads = true
chmod-socket = 770
socket = /opt/indico/web/uwsgi.sock
stats = /opt/indico/web/uwsgi-stats.sock
protocol = uwsgi
master = true
auto-procname = true
procname-prefix-spaced = indico
disable-logging = true
single-interpreter = true
touch-reload = /opt/indico/web/indico.wsgi
wsgi-file = /opt/indico/web/indico.wsgi
virtualenv = /opt/indico/.venv
vacuum = true
buffer-size = 20480
memory-report = true
max-requests = 2500
harakiri = 900
harakiri-verbose = true
reload-on-rss = 2048
evil-reload-on-rss = 8192
EOF
# Install the systemd unit that runs uWSGI from the Indico virtualenv as indico:nginx.
# The quoted 'EOF' keeps $MAINPID literal in the file; systemd expands it, not this shell.
# UMask=0027 means files the service creates are not accessible to other users.
cat > /etc/systemd/system/indico-uwsgi.service <<'EOF'
[Unit]
Description=Indico uWSGI
After=network.target
[Service]
ExecStart=/opt/indico/.venv/bin/uwsgi --ini /etc/uwsgi-indico.ini
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
SyslogIdentifier=indico-uwsgi
User=indico
Group=nginx
UMask=0027
Type=notify
NotifyAccess=all
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=300
[Install]
WantedBy=multi-user.target
EOF
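# Write the nginx virtual host for Indico: port 80 only redirects to HTTPS, and port 443
# serves static files directly and hands everything else to uWSGI over the unix socket.
# The quoted 'EOF' keeps nginx variables such as $server_name literal.
# The wiki colour markup (%BROWN% ... %ENDCOLOR%) has been removed from server_name; left in,
# it would become part of the host name used by the redirects below.
# NOTE(review): the visible steps do not create /etc/ssl/indico/indico.crt and indico.key.
# Both must exist before nginx is restarted, and the key should be readable by root only.
cat > /etc/nginx/conf.d/indico.conf <<'EOF'
server {
  listen 80;
  listen [::]:80;
  server_name pub1test.virgo.infn.it;
  return 301 https://$server_name$request_uri;
}
server {
  listen *:443 ssl http2;
  listen [::]:443 ssl http2 default ipv6only=on;
  server_name pub1test.virgo.infn.it;
  ssl_certificate /etc/ssl/indico/indico.crt;
  ssl_certificate_key /etc/ssl/indico/indico.key;
  ssl_dhparam /etc/ssl/indico/ffdhe2048;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  access_log /opt/indico/log/nginx/access.log combined;
  error_log /opt/indico/log/nginx/error.log;
  if ($host != $server_name) {
    rewrite ^/(.*) https://$server_name/$1 permanent;
  }
  location /.xsf/indico/ {
    internal;
    alias /opt/indico/;
  }
  location ~ ^/(images|fonts)(.*)/(.+?)(__v[0-9a-f]+)?\.([^.]+)$ {
    alias /opt/indico/web/static/$1$2/$3.$5;
    access_log off;
  }
  location ~ ^/(css|dist|images|fonts)/(.*)$ {
    alias /opt/indico/web/static/$1/$2;
    access_log off;
  }
  location /robots.txt {
    alias /opt/indico/web/static/robots.txt;
    access_log off;
  }
  location / {
    root /var/empty/nginx;
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/opt/indico/web/uwsgi.sock;
    uwsgi_param UWSGI_SCHEME $scheme;
    uwsgi_read_timeout 15m;
    uwsgi_buffers 32 32k;
    uwsgi_busy_buffers_size 128k;
    uwsgi_hide_header X-Sendfile;
    client_max_body_size 1G;
  }
}
EOF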
# Write the Diffie-Hellman parameters referenced by ssl_dhparam in the nginx configuration.
# These are public group parameters, not a secret; the file name indicates the standard
# 2048-bit ffdhe2048 group.
# NOTE(review): /etc/ssl/indico has to exist already; the visible steps do not create it.
cat > /etc/ssl/indico/ffdhe2048 <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
EOF
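# Build and load the SELinux policy module for Indico.
# The module source goes into a private directory from mktemp rather than a fixed, guessable
# path in the world-writable /tmp, since this runs as root. The file keeps the name
# indico.cil because semodule names a CIL module after its file.
cil_dir=$(mktemp -d)
cat > "$cil_dir/indico.cil" <<'EOF'
; define custom type that logrotate can access
(type indico_log_t)
(typeattributeset file_type (indico_log_t))
(typeattributeset logfile (indico_log_t))
(roletype object_r indico_log_t)
; allow logrotate to reload systemd services
(allow logrotate_t init_t (service (start)))
(allow logrotate_t policykit_t (dbus (send_msg)))
(allow policykit_t logrotate_t (dbus (send_msg)))
; make sure the uwsgi socket is writable by the webserver
(typetransition unconfined_service_t usr_t sock_file "uwsgi.sock" httpd_sys_rw_content_t)
(filecon "/opt/indico/web/uwsgi\.sock" socket (system_u object_r httpd_sys_rw_content_t ((s0)(s0))))
; set proper types for our log dirs
(filecon "/opt/indico/log(/.*)?" any (system_u object_r indico_log_t ((s0)(s0))))
(filecon "/opt/indico/log/nginx(/.*)?" any (system_u object_r httpd_log_t ((s0)(s0))))
EOF
semodule -i "$cil_dir/indico.cil"
# The source file is no longer needed once the module has been installed.
rm -rf -- "${cil_dir:?}"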
# Install the systemd unit for the Celery worker; -B also runs the beat scheduler in the
# same process. It runs as indico:nginx, like the uWSGI unit.
cat > /etc/systemd/system/indico-celery.service <<'EOF'
[Unit]
Description=Indico Celery
After=network.target
[Service]
ExecStart=/opt/indico/.venv/bin/indico celery worker -B
Restart=always
SyslogIdentifier=indico-celery
User=indico
Group=nginx
UMask=0027
Type=simple
KillMode=mixed
TimeoutStopSec=300
[Install]
WantedBy=multi-user.target
EOF
# Make systemd read the unit files written above.
systemctl daemon-reload
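# Recreate the service account. userdel -r also deletes the account's home directory and
# mail spool; /opt/indico was renamed to indico2X at the start of this page.
userdel -r indico
useradd -rm -g nginx -d /opt/indico -s /bin/bash indico
su - indico
# Save the pyenv installer to a file and read it before running it, rather than piping the
# download straight into bash. The URL follows the master branch, so what it serves can
# change between runs; -f makes curl fail on an HTTP error instead of saving an error page.
curl -fL -o ~/pyenv-installer https://github.com/pyenv/pyenv-installer/raw/master/bin/pyenv-installer
bash ~/pyenv-installer
cat >> ~/.bashrc <<'EOF'
export PATH="/opt/indico/.pyenv/bin:$PATH"
eval "$(pyenv init --path)"
eval "$(pyenv init -)"
EOF
source ~/.bashrc
pyenv install 3.9.6
pyenv global 3.9.6
python -m venv --upgrade-deps --prompt indico ~/.venv
source ~/.venv/bin/activate
# pg_config from PostgreSQL 13 has to be on PATH while the Python packages are built.
export PATH="$PATH:/usr/pgsql-13/bin"
echo 'source ~/.venv/bin/activate' >> ~/.bashrc
# NOTE(review): these installs are unpinned, so they take whatever is newest on PyPI at run
# time. Pinning (for example indico==<target version>) makes the upgrade repeatable.
pip install wheel
pip install uwsgi
pip install indico
pip install python-ldap
# Interactive: creates the directory layout under ~ and writes ~/etc/indico.conf.
indico setup wizard
mkdir ~/log/nginx
# Remove all group/other access first, then re-open only what nginx (group) needs:
# traversal (710) on the top-level directories and read access (750) on web and .venv.
chmod go-rwx ~/* ~/.[^.]*
chmod 710 ~/ ~/archive ~/cache ~/log ~/tmp
chmod 750 ~/web ~/.venv
chmod g+w ~/log/nginx
# Apply the SELinux file contexts defined by the indico policy module.
restorecon -R ~/
echo -e "\nSTATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})" >> ~/etc/indico.conf
pip install indico-plugins
# Run the schema migrations for the core, then for all plugins.
indico db upgrade
indico db --all-plugins upgrade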
# Replace the stock logo with a site logo, keeping the original under a .orig name.
cd /opt/indico/web/static/images
mv logo_indico_bw.png logo_indico_bw.png.orig
# NOTE(review): the download URL of the replacement logo is missing from this page.
wget
# NOTE(review): header.html is inside the installed indico package, so this edit is lost
# whenever the package is reinstalled or upgraded. Indico's CUSTOMIZATION_DIR setting is the
# supported place for template overrides; confirm against the Indico documentation.
cd /opt/indico/.venv/lib/python3.9/site-packages/indico/web/templates/
cp header.html header.html.orig
vim header.html
{% block logo %}
{%- set logo_url = indico_config.LOGO_URL or (indico_config.IMAGES_BASE_URL + '/logo_indico_bw.png') -%}
{%- set logo_white_url = indico_config.LOGO_URL or (indico_config.IMAGES_BASE_URL + '/logo_indico_white.png') -%}
<div>
<a style="min-height: 60px;" href="{{ url_for_index() }}">
<img class="header-logo" src="{{ logo_url }}">
</a>
<a style="min-height: 60px;" href="{{ url_for_index() }}">
<img class="header-logo" src="{{ logo_white_url }}">
</a>
<h1 style="color:white;display:inline-block;position:relative;top:-20px;margin-left:10px;">Test -> Conferences, workshops and meetings Management System </h1>
</div>
{% endblock %}
# Leave the indico user's shell; the remaining steps run as root.
exit
vim /opt/indico/etc/indico.conf
# General settings
# No host or credentials in the URI: the connection goes to the local PostgreSQL server.
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
# NOTE(review): a real-looking SECRET_KEY is published on this page. Treat that value as
# compromised: keep the key that `indico setup wizard` generated for the installation
# rather than copying this one, and replace it anywhere this value is in use.
SECRET_KEY = b'\xf0\xb86\x1a\xcc\xd5\xffO&\xe0Pg\xc7\x94\x0f\x98\xbb\xbb/\n\xd5b?\xf0U\x0b>`\xc5\xc3\x0fy'
BASE_URL = 'https://pub1test.virgo.infn.it'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Europe/Rome'
DEFAULT_LOCALE = 'en_GB'
ENABLE_ROOMBOOKING = False
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'
# Email settings
# Mail goes to a relay on localhost, without TLS or authentication.
SMTP_SERVER = ('127.0.0.1', 25)
SMTP_USE_TLS = False
SMTP_LOGIN = ''
SMTP_PASSWORD = ''
SUPPORT_EMAIL = 'giuseppe.dibiase@ego-gw.it'
PUBLIC_SUPPORT_EMAIL = 'giuseppe.dibiase@ego-gw.it'
NO_REPLY_EMAIL = 'noreply@ego-gw.it'
# Must match the internal /.xsf/indico/ location in the nginx configuration.
STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})
#Plugins settings
XELATEX_PATH = '/opt/texlive/bin/x86_64-linux/xelatex'
##PLUGINS = {'search','Search'}
#PLUGINS = {'payment_manual', 'payment_paypal', 'importer', 'importer_invenio'}
#Authentication settings
# Shared by AUTH_PROVIDERS and IDENTITY_PROVIDERS below.
_ldap_config = {
# NOTE(review): ldap:// with no 'starttls' entry and 'verify_cert': False means the bind
# password and every user's login password reach the directory unencrypted, and the server
# is not authenticated. Prefer ldaps:// (or 'starttls': True) with 'verify_cert': True and
# a 'cert_file' CA bundle, if the directory supports it.
'uri': 'ldap://virgo.ego-gw.it',
'bind_dn': 'CN=indicoldap,OU=Users_Servizio,OU=EGO_Users,DC=virgo,DC=ego-gw,DC=it',
# NOTE(review): a service-account password is published on this page. Rotate it, and keep
# the real value only in indico.conf with access limited to the indico user.
'bind_password': 'Ldap1ndico',
'timeout': 30,
'verify_cert': False,
'page_size': 1500,
'uid': 'cn',
'user_base': 'OU=EGO_Users,DC=virgo,DC=ego-gw,DC=it',
'user_filter': '(objectCategory=user)',
'gid': 'cn',
'group_base': 'OU=EGO_Groups,DC=virgo,DC=ego-gw,DC=it',
'group_filter': '(objectCategory=group)',
'member_of_attr': 'memberOf',
'ad_group_style': True
}
# LDAP is the only, and the default, way to log in.
AUTH_PROVIDERS = {
'ldap': {
'type': 'ldap',
'title': 'Authentication by LDAP',
'ldap': _ldap_config,
'default': True
}
}
# User data comes from the same directory; 'mapping' ties Indico fields to LDAP attributes.
IDENTITY_PROVIDERS = {
'ldap': {
'type': 'ldap',
'title': 'LDAP',
'ldap': _ldap_config,
'mapping': {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
'affiliation': 'company',
'phone': 'telephoneNumber'
},
# E-mail addresses from the directory are accepted as already verified, so the integrity
# of the LDAP connection (see the note on 'uri' above) matters for account matching.
'trusted_email': True,
'default_group_provider': True,
'synced_fields': {'first_name', 'last_name', 'affiliation', 'phone', 'address'}
}
}
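# Hand the TeX Live tree (XELATEX_PATH points into it) to indico:nginx. The owner and group
# are separated with ':'; the older 'owner.group' form is ambiguous when names contain dots.
# NOTE(review): this makes the xelatex binaries writable by the account the web application
# runs as. If Indico only needs to execute them, read/execute access is enough; confirm.
chown -R indico:nginx /opt/texlive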
Remember to also modify login_page:
/opt/indico/.venv/lib/python3.9/site-packages/indico/modules/auth/templates/login_page.html
# Start the new stack (nginx, Celery, uWSGI) and enable it at boot; the 2.x units
# (uwsgi, httpd) were disabled earlier on this page.
systemctl restart nginx.service indico-celery.service indico-uwsgi.service
systemctl enable nginx.service indico-celery.service indico-uwsgi.service
Troubleshooting
indico db current -v
INFO [alembic.runtime.migration] Context impl PostgresqlImpl.
INFO [alembic.runtime.migration] Will assume transactional DDL.
Current revision(s) for postgresql:///indico:
Rev: 4e32f4d5ebe4
Parent: b37cbc4bb129
Path: /opt/indico/.venv/lib/python3.12/site-packages/indico/migrations/versions/20240314_1430_4e32f4d5ebe4_add_registration_id_to_designer_templates.py
Add registration_form_id to designer templates
Revision ID: 4e32f4d5ebe4
Revises: b37cbc4bb129
Create Date: 2024-03-14 10:42:45.632227
indico --version
Indico v3.3.4
(indico) [indico@pub1test ~]$ psql
psql (16.3)
Type "help" for help.
indico=> select * from alembic_version;
version_num
--------------
4e32f4d5ebe4
aba7935f9226
(2 rows)
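In this case we can see two DB revisions active at the same time in alembic_version, and we have issues accessing the Indico pages. To fix this we need to remove the second one from the DB: aba7935f9226. Take a dump of the database (for example with pg_dump) before deleting the row, so that the change can be undone.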
indico=> DELETE FROM alembic_version WHERE version_num = 'aba7935f9226';
DELETE 1
indico=> quit;
(indico) [indico@pub1test ~]$ indico db upgrade
INFO [alembic.runtime.migration] Context impl PostgresqlImpl.
INFO [alembic.runtime.migration] Will assume transactional DDL.
INFO [alembic.runtime.migration] Running upgrade 4e32f4d5ebe4 → 67e92eeca34f, Add private registration form
INFO [alembic.runtime.migration] Running upgrade 67e92eeca34f → 16c9445951f4, Add Apple Wallet integration
INFO [alembic.runtime.migration] Running upgrade 16c9445951f4 → 85f58503310c, Fix reset revisions author
INFO [alembic.runtime.migration] Running upgrade 85f58503310c → 5fa92194c124, Add weekdays to bookable hours
INFO [alembic.runtime.migration] Running upgrade 5fa92194c124 → 0f7c3b642036, Set negative and zero-duration entries to a positive value
INFO [alembic.runtime.migration] Running upgrade 0f7c3b642036 → 75db3a4a4ed4, Add constraints to ensure positive durations
(indico) [indico@pub1test ~]$ indico db --all-plugins upgrade
as root
systemctl restart indico-celery.service