@opentermsarchive/engine 0.16.0 → 0.17.0

package/ops/README.md

@@ -1,280 +0,0 @@
-# Open Terms Archive Ops
-
-Recipes to set up the infrastructure of and deploy Open Terms Archive.
-
-## Requirements
-
-1. Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
-2. Install [Vagrant](https://www.vagrantup.com/downloads).
-3. Install [VirtualBox](https://www.virtualbox.org/wiki/Downloads) to manage virtual machines. If you prefer Docker, or have an Apple Silicon machine, install [Docker](https://docs.docker.com/get-docker/) instead.
-4. Create a dedicated SSH key with no password: `ssh-keygen -f ~/.ssh/ota-vagrant -q -N ""`. This key will be automatically used by Vagrant.
-
-> VirtualBox is not compatible with Apple Silicon (M1…) processors. If you have such a machine, you will need to use the Docker provider. Since MongoDB cannot be installed on ARM, it is skipped in the infrastructure installation process. This means you cannot test the MongoDB storage repository with Vagrant with an Apple Silicon processor.
-
-## Usage
-
-**You should never apply changes to production from your machine.** We use continuous deployment to apply changes. To avoid making changes on the production server by mistake, we use [Vagrant](https://www.vagrantup.com) to describe and spawn virtual machines. By default all commands will only affect the Vagrant development virtual machine (VM).
-
-### Launch
-
-If you’re on an Apple Silicon processor or want to use Docker instead of VirtualBox, use `vagrant up --provider=docker`.
-
-In all other cases, use `vagrant up` 🙂
-
-You can then deploy the code to the running machine with all the options described below.
-
-### Main commands
-
-- To set up a full [(phoenix)](https://martinfowler.com/bliki/PhoenixServer.html) server:
-
-```
-ansible-playbook ops/site.yml
-```
-
-- To setup the infrastructure only:
-
-```
-ansible-playbook ops/infra.yml
-```
-
-- To setup the `Open Terms Archive` app only:
-
-```
-ansible-playbook ops/app.yml
-```
-
-### Vagrant quick reference
-
-#### Connect to the virtual machine
-
-```
-vagrant up
-vagrant ssh  # use "vagrant" as password
-```
-
-#### Start again with a clean virtual machine
-
-```
-vagrant halt  # stop machine
-vagrant destroy  # remove machine
-vagrant up
-```
-
-#### Troubleshooting: Remote host identification has changed
-
-In case you get that kind of error:
-
-```
-fatal: [127.0.0.1]: UNREACHABLE! => changed=false
-  msg: |-
-    Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
-    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
-    …
-  unreachable: true
-```
-
-It may be because you already have a `known_host` registered with the same IP and port. To solve this, remove it from the entries using `ssh-keygen -R [127.0.0.1]:2222`.
-
-#### Troubleshooting: Connection refused
-
-If you have the following error:
-
-```
-Failed to connect to the host via ssh: ssh: connect to host 127.0.0.1 port 2222: Connection refused
-```
-
-You may have a collision on the default port `2222` used by Vagrant to forward SSH commands.
-Run the following command to know which ports are forwarded for the virtual machine:
-
-```
-vagrant port
-```
-
-It should display something like that:
-
-```
-The forwarded ports for the machine are listed below. Please note that
-these values may differ from values configured in the Vagrantfile if the
-provider supports automatic port collision detection and resolution.
-
-    22 (guest) => 2200 (host)
-```
-
-Modify the Ansible SSH options in the `ops/inventories/dev.yml` file with the proper `ansible_ssh_port`:
-
-```
-all:
-  children:
-    vagrant:
-      hosts:
-        127.0.0.1:
-          […]
-          ansible_ssh_port: 2200
-          […]
-```
-
-### Logs
-
-You can obtain logs from the process manager over SSH:
-
-```
-ssh <user>@<instance_hostname> pm2 logs ota
-```
-
-### Tags
-
-Some tags are available to refine what will happen, use them with `--tags`:
-
-- `setup`: to only setup system dependencies required by the app (cloning repo, installing app dependencies, all config files, and so on…)
-- `start`: to start the app
-- `stop`: to stop the app
-- `restart`: to restart the app
-- `update`: to update the app (pull code, install dependencies and restart app)
-- `update-declarations`: to update services declarations (pull declarations, install dependencies and restart app)
-
-For example, if you have changes to the core engine to deploy but no infrastructure changes, you can update the app only by running:
-
-```
-ansible-playbook ops/app.yml --tags update --limit <instance_name>
-```
-
-## Production
-
-### Applying changes
-
-To test locally your changes to the playbook before opening a pull request:
-
-- Remove all traces of previous tests to ensure that your changes do not work by coincidence: `vagrant destroy && vagrant up`.
-- Start by applying your changes on the virtual machine: `ansible-playbook ops/site.yml`.
-- Connect through SSH to the virtual machine and check that everything works as intended: `vagrant ssh`, `pm2 logs`…
-- Open a pull request and wait for it to be reviewed and merged. The continuous deployment process will take care of applying your changes to every production instance.
-
-### Deploying manually from your machine
-
-**You should not be doing this.** If something terrible is happening in production, did you try just stopping the instance? Any fix should be applied through a PR and deployed in CD to ensure reproducibility.
-
-Note that executing the playbook on the `production` inventory will affect **all** production servers. Unless you know exactly what you are doing, you should always execute a playbook on a specific server only, add the `--limit` option with the instance name defined in `ops/inventories/production.yml` as parameter:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/site.yml --limit <instance_name>
-```
-
-### Allowed keys
-
-Setting up the production infrastructure for publishing on the shared versions repository entails decrypting a private key managed with [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html). It is decrypted with a password stored in the passwords database.
-
-In case the instance you're deploying on is operated by the Core team, you should use the `OTA-bot` SSH private key instead of your personal one. You can thus run any of the commands with the `--private-key` option, passing it the path to the bot SSH private key. This key can be found in the passwords database.
-
-### Commands examples
-
-- Check deployment without actually applying changes for the `dating` instance:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/app.yml --limit dating --check --diff
-```
-
-- Update the Open Terms Archive application only on the `dating` instance, without applying changes to the infrastructure:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/app.yml --limit dating --tag update
-```
-
-- Update services declarations only on the `france` instance:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/app.yml --limit france --tag update-declarations
-```
-
-- Stop the Open Terms Archive application only on the `france` instance:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/app.yml --limit france --tag stop
-```
-
-- Update the infrastructure and the Open Terms Archive application on all servers:
-
-```
-ansible-playbook --inventory ops/inventories/production.yml ops/site.yml
-```
-
-## Set up a new instance
-
-### Provision a server
-
-#### With [OVH Horizon](https://horizon.cloud.ovh.net/project/instances/)
-
-Click on the `Launch Instance` button. Then fill in at least the following fields:
-
-- `Instance name`.
-- `Source`. Suggested: `Debian 11`.
-- `Flavor`. Suggested: `b-7-flex`.
-- `Key pair`. Suggested: Your own personal SSH key, to allow you to connect to the freshly created server.
-
-#### Recommended specs
-
-The following setup is sufficient to track 20 services:
-
-- 1 vCore @ 1.8GHz
-- 2 GB RAM
-- 1 MBps bandwidth
-- 20 GB disk space
-
-The major factor for performance is bandwidth.
-
-Disk space is used up linearily with time as the archive grows. The number of services, their frequency of change and the chosen storage mechanism will all influence the speed at which disk space is used. You can start with 20GB but will have to consider expansion in the future. You should be safe for a longer time period with 100GB.
-
-We suggest using a dedicated attached volume for storage, independently from the main VM drive, so that you can more easily upgrade or format it.
-
-### Define host
-
-Add an entry to the production inventory file `ops/inventories/production.yml` for the created host with the server address and proper variables.
-
-The host name can not contain dashes. Use snake_case.
-
-### Configure instance
-
-Create a JSON file in the `config` folder with the name of the instance.
-
-### Create repositories
-
-Create the `snapshot` and `version` repositories, with:
-
-- A `main` branch.
-- The `main` branch should be the default branch.
-- At least one commit on this branch with some content (`README.md` and `LICENSE`).
-
-Templates are provided to that end, for [declarations](https://github.com/OpenTermsArchive/template-declarations/), [snapshots](https://github.com/OpenTermsArchive/template-snapshots/) and [versions](https://github.com/OpenTermsArchive/template-versions/).
-
-### Set up permissions
-
-The @OTA-Bot GitHub user should have write access to all three (declarations, snapshots, versions) repositories, so it can publish data, create issues, and publish dataset releases.
-
-Each instance should have a responsible entity, which we currently model as a [“team” in the @OpenTermsArchive](https://github.com/orgs/OpenTermsArchive/teams) GitHub organisation. Each team has write access to the three repositories, and @OTA-Bot should be added to that team along with the human maintainers.
-
-## Optimise performance
-
-### MongoDB
-
-If you use MongoDB as storage, hosting the database on an XFS-formatted volume significantly improves performance.
-
-The following instructions assume [OVH Horizon](https://horizon.cloud.ovh.net/project/instances/) for volume creation, but can be adapted for any cloud provider.
-
-#### Mounting
-
-- Create a volume with the highest speed possible.
-- Attach the volume to the server that runs your Open Terms Archive instance.
-- On the machine, check what is your volume with `lsblk` (it should be one with no partition).
-- Then use `sudo fdisk /dev/sd$N` (where `$N` is the identifier of the volume) and answer `n`, `p`, `1`, `w`.
-- Install XFS utilities `sudo apt-get install xfsprogs`
-- Format the disk to XFS: `sudo mkfs.xfs -f /dev/sd$N1`/
-- Finally, create a folder (for example in `/mnt`) and mount the volume in it: `sudo mount -t auto /dev/sd$N1 /mnt/disk`.
-
-#### Unmounting
-
-To remove a volume:
-
-- Unmount it with `sudo umount /mnt/disk`.
-- Unattach it from the Horizon console.
-- Remove the volume from the Horizon console.

package/ops/app.yml

@@ -1,5 +0,0 @@
----
-- name: Set up Open Terms Archive app and databases
-  hosts: all
-  roles:
-    - ota

package/ops/infra.yml

@@ -1,6 +0,0 @@
----
-- name: Set up Open Terms Archive infrastructure
-  hosts: all
-  become: yes
-  roles:
-    - infra

package/ops/inventories/dev.yml

@@ -1,7 +0,0 @@
-vagrant:
-  hosts:
-    127.0.0.1:
-      ansible_user: vagrant
-      ansible_port: 2222
-      ansible_python_interpreter: /usr/bin/python3
-      ansible_ssh_private_key_file: ~/.ssh/ota-vagrant

package/ops/inventories/production.yml

@@ -1,27 +0,0 @@
-contrib:
-  hosts:
-    198.244.153.104:
-      ed25519_fingerprint: AAAAC3NzaC1lZDI1NTE5AAAAIITN8hTCst7+6mHNzeo465crCZwHrc/SzUL1410mb9Lv
-dating:
-  hosts:
-    vps-99ae1d89.vps.ovh.net:
-      ed25519_fingerprint: AAAAC3NzaC1lZDI1NTE5AAAAIClFdaZhaXFmxdQI+rNSOsZaSlrgPlK9UzyGvi66u88V
-france:
-  hosts:
-    198.244.142.9:
-      ed25519_fingerprint: AAAAC3NzaC1lZDI1NTE5AAAAIKH7P9SCnnSiVOhGMNvHIjWw5+3TYlmgmTK45Y9d1aCu
-pga:
-  hosts:
-    134.102.58.70:
-      ansible_user: pga
-      ed25519_fingerprint: AAAAC3NzaC1lZDI1NTE5AAAAIDmKHW4LMOEIxnBHkdNzwvSrzjmfhQkx5n2lFtJdraOy
-p2b_compliance:
-  hosts:
-    vps-463f0baf.vps.ovh.net:
-      ansible_user: ota
-      ed25519_fingerprint: AAAAC3NzaC1lZDI1NTE5AAAAIDOrkEl2aR2gJe0XmLy4j+0/51G/kAlkupfU4S2Qv0dJ
-      config_file_name: p2b-compliance
-
-all:
-  vars:
-    ansible_user: debian

package/ops/roles/infra/defaults/main.yml

@@ -1,2 +0,0 @@
-instance_name: '{{ group_names[0] }}'
-config_file_name: '{{ instance_name }}'

package/ops/roles/infra/files/.gitconfig

@@ -1,3 +0,0 @@
-[user]
-	email = bot@opentermsarchive.org
-	name = Open Terms Archive Bot

package/ops/roles/infra/files/mongod.conf

@@ -1,18 +0,0 @@
-# For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/
-
-storage:
-  dbPath: /mnt/disk/mongodb
-  journal:
-    enabled: true
-
-systemLog:
-  destination: file
-  logAppend: true
-  path: /var/log/mongodb/mongod.log
-
-net:
-  port: 27017
-  bindIp: 127.0.0.1
-
-processManagement:
-  timeZoneInfo: /usr/share/zoneinfo

package/ops/roles/infra/files/ota-bot-key.private_key

@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62323034623265653135396533383461663035373132353462393965626661663763616338663364
-6137323531393331613165656234623365393531343136310a313439336336663337663838386465
-61376563313330653330313232656262386439666364363436316561323934313064643333323365
-3663616163636133610a363332616537366535343737646332373239663434646339333561653365
-32346630323336373035323435343733383539663661316166383065316334616165353166386532
-38363233646537353566623536353561663839313564363833623835663139616430643637373439
-30663634653466353862326333363663376634343838343262323039363165653336616666613461
-34646430393031376163646334353438383439383164616338373961356361333534383565303164
-36373663623630356338356239376265616632313933353332643036343134366534363066363039
-34323532386631643861616162376438343835656264366334666562303337303333623335343739
-33303138636665363061633733666538326664313561363834646562323066353532316363393132
-36306565363165653637613435323234656361336535343164396339343330666263656636326339
-66346132346363633664643763326638366331623232616430393838653631623233303865316437
-37363039376131316134306264383332663839633130616364636461366131323835323237636261
-61633232646533633131363461383239653732373530333131376265663832636464396134303961
-34336435396131303531616666376666643762386438623732386634316465383938356233646436
-62376532663136323137336365343064383137333739666433323365616638343661346564636362
-37613436353662656137323332343936613134306133653361336135366532626338633363306664
-30366566323965623262383266663331386565326461643566383938333266343366353730373232
-31346434613463653261313430326634323931333062663836333933333635393265616232363031
-36376239326137636430373564633534393830386463376632383731333537366533343030373937
-66396366613331623838316533623163333662313430666562306639353665616430303735356163
-30643738383366616633393438366235666631393033616639613938363939646138323934396631
-36633734313936383566393934316263636363616231343139633164303864646164306337643063
-34343664333031303737646232346234643131306565333265373539616537373864

package/ops/roles/infra/tasks/main.yml

@@ -1,78 +0,0 @@
----
-- name: Load app config
-  ansible.builtin.include_vars:
-    name: app_config
-    file: '../config/{{ config_file_name }}.json'
-
-- name: Install common required packages
-  apt:
-    pkg:
-      - build-essential
-      - curl
-      - git
-      - zip
-    update_cache: yes
-    state: latest
-
-- name: Add the NodeSource repository to the system
-  shell: curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
-
-- name: Install NodeJS and NPM
-  apt:
-    name: nodejs
-    update_cache: yes
-    state: latest
-
-- name: Update NPM to latest version
-  command: npm install -g npm
-
-- name: Install pm2
-  command: npm install -g pm2 --production=true
-
-- name: Add global git config
-  copy:
-    src: .gitconfig
-    dest: '/home/{{ ansible_user }}/.gitconfig'
-
-- name: Add GitHub bot account SSH key
-  copy:
-    src: ota-bot-key.private_key
-    dest: '/home/{{ ansible_user }}/.ssh/ota-bot-key'
-    owner: '{{ ansible_user }}'
-    group: '{{ ansible_user }}'
-    mode: 0600
-
-- name: Configure SSH to use GitHub bot account key on github.com
-  template:
-    src: ssh_config.j2
-    dest: '/home/{{ ansible_user }}/.ssh/config'
-    owner: '{{ ansible_user }}'
-    group: '{{ ansible_user }}'
-    mode: 0644
-
-- name: Install Chromium — Debian
-  apt:
-    pkg:
-      - chromium
-    update_cache: yes
-    state: latest
-  when: ansible_distribution == 'Debian'
-
-- name: Install Chromium — Ubuntu
-  apt:
-    pkg:
-      - chromium-browser
-    update_cache: yes
-    state: latest
-  when: ansible_distribution == 'Ubuntu'
-
-  # See https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#recommended-enable-user-namespace-cloning
-- name: Enable user namespace cloning to allow running Chromium in a sandbox
-  command: sysctl -w kernel.unprivileged_userns_clone=1
-  when: ansible_facts['architecture'] != 'aarch64'
-
-- include_tasks: mongo.yml
-  when:
-    - (app_config.recorder.versions.storage.type is defined and app_config.recorder.versions.storage.type == 'mongo') or (app_config.recorder.snapshots.storage.type is defined and app_config.recorder.snapshots.storage.type == 'mongo')
-    # Skip Debian 11 with ARM architecture as it is not currently supported by MongoDB. See https://www.mongodb.com/docs/manual/installation/#supported-platforms
-    - ansible_distribution != 'Debian' or (ansible_distribution == 'Debian' and ansible_facts['architecture'] != 'aarch64')

package/ops/roles/infra/tasks/mongo.yml

@@ -1,40 +0,0 @@
----
-# See https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/
-- name: Import the MongoDB public key used by the package management system
-  shell: wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | sudo apt-key add -
-
-- name: Create an apt list file for MongoDB — Debian
-  shell: echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/5.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list
-  when: ansible_distribution == 'Debian'
-
-- name: Create an apt list file for MongoDB — Ubuntu
-  shell: echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list
-  when: ansible_distribution == 'Ubuntu'
-
-- name: Install MongoDB
-  apt:
-    name: mongodb-org
-    update_cache: yes
-    state: latest
-
-- name: Add mongod.conf
-  copy:
-    src: mongod.conf
-    dest: '/etc/mongod.conf'
-
-- name: Create data directory
-  file:
-    path: /mnt/disk/mongodb
-    state: directory
-
-- name: Set database files permissions
-  ansible.builtin.file:
-    path: /mnt/disk/mongodb
-    owner: mongodb
-    group: mongodb
-    recurse: yes
-
-- name: Start MongoDB service
-  service:
-    name: mongod
-    state: restarted

package/ops/roles/infra/templates/ssh_config.j2

@@ -1,5 +0,0 @@
-{{ ansible_managed | comment }}
-
-Host github.com
-IdentityFile /home/{{ ansible_user }}/.ssh/ota-bot-key
-IdentitiesOnly yes

package/ops/roles/ota/defaults/main.yml

@@ -1,14 +0,0 @@
-# Try out experimental features by deploying alternative versions of the engine, configuration or databases
-ota_repository: https://github.com/ambanum/OpenTermsArchive.git
-ota_branch: main
-declarations_branch: main
-snapshots_branch: main
-versions_branch: main
-config_file_name: '{{ instance_name }}'
-
-# Avoid collisions in case of multi-tenancy (running several instances on the same hosts)
-instance_name: '{{ group_names[0] }}'  # assume there is only one named group per host; override if a single server runs several instances
-ota_directory: ota
-declarations_directory: declarations
-snapshots_directory: snapshots
-versions_directory: versions

package/ops/roles/ota/files/.env

@@ -1,21 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65653333633465346264373663643062363265383439323061633338323166393262663332646534
-3034646331313536623831616466653564396663636166650a643831383438613765323264386266
-37383663326333636366653537383339636231313261323239663164393933366535623730313337
-3230323166306336630a646239643135326335393364366534663535316334333531353431323331
-62376464333830643539333764646534613935386263633634623962653537363139363265353864
-34623031333535313930633964626438343432363366633263396466323830323035343333373763
-31303962353238383666343834653539663536623561393966373763393535663038333833396433
-61326137363133373861343732336335373037613134336362396563653563646364376438366363
-61613437393364396332313833356138303835633739653937656631313737623762346235316164
-30353961393663663635393630653535353064353031623962333038366638376333646130663263
-35346637303534663639613537316538663134356166323566613333343236383631653563643433
-65373533656236613631653665383039303564613830343530363130663462343665343865666637
-61353766623634303537326163623564663433343835366463613837303361393538656365633365
-64306532626533373561633066616336663439653734313832366333323461383065326166313635
-38343261656638396235326266376531633662343235633336363361313266643166346433356539
-38363833336562623631306432656531326465306535623164353035366339336663626161613364
-39616539616532643935623939313834343964303035383334666261363336303034346439316663
-65306530333965353766363336386564383932333234303334633438333839316362666533363330
-34336232623333353366363232656461646236383061383634653137623661376639323162383162
-38653230353662316366

package/ops/roles/ota/tasks/database.yml

@@ -1,65 +0,0 @@
-- name: Check if {{ name }} base data has already been obtained from {{ repository }}
-  git:
-    repo: '{{ repository }}'
-    version: '{{ branch }}'
-    dest: '/home/{{ ansible_user }}/{{ directory }}'
-    clone: no
-    update: no
-    accept_hostkey: yes
-    key_file: '/home/{{ ansible_user }}/.ssh/ota-bot-key'
-  register: existing_repository # the `before` property of the return value can tell us if the repository has been cloned already or not, see <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html#return-values>
-  tags:
-    - restart
-    - start
-    - update
-    - setup
-
-- name: Obtain {{ name }} initial data from branch {{ branch }} of {{ repository }}
-  git:
-    repo: '{{ repository }}'
-    version: '{{ branch }}'
-    dest: '/home/{{ ansible_user }}/{{ directory }}'
-    accept_hostkey: yes
-    key_file: '/home/{{ ansible_user }}/.ssh/ota-bot-key'
-  when: existing_repository.before is defined and not existing_repository.before # if existing_repository.before is null, then the repository is new
-  tags:
-    - setup
-
-- name: Remove existing locks in {{ name }}
-  file:
-    path: '/home/{{ ansible_user }}/{{ directory }}/.git/index.lock'
-    state: absent
-  tags:
-    - restart
-    - start
-    - update
-
-- name: Get latest data from {{ repository }}
-  command:
-    cmd: git fetch origin
-    chdir: '/home/{{ ansible_user }}/{{ directory }}'
-  tags:
-    - restart
-    - start
-    - update
-    - setup
-
-- name: Clean {{ name }} local copy
-  command:
-    cmd: git reset --hard origin/{{ branch }}
-    chdir: '/home/{{ ansible_user }}/{{ directory }}'
-  tags:
-    - restart
-    - start
-    - update
-    - setup
-
-- name: Ensure {{ name }} is on branch {{ branch }}
-  command:
-    cmd: git checkout {{ branch }}
-    chdir: '/home/{{ ansible_user }}/{{ directory }}'
-  tags:
-    - restart
-    - start
-    - update
-    - setup