Difference between revisions of "Framadate/Technical documentation"

From Wikimedia Italia.
(info about Framadate)
 
 
(30 intermediate revisions by the same user are not shown)
Riga 1: Riga 1:
Brief documentation for system administrators of the [[Framadate]] instance in Wikimedia Italia.
+
{{Server|intreccio}}
 +
 
 +
Brief documentation for system administrators of the [[Framadate]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
 +
 
 +
== Access ==
 +
 
 +
This is the public frontend access:
 +
 
 +
* https://framadate.wikimedia.it/
 +
 
 +
At the moment everyone is able to use the service without limitations, at its best effort.
 +
 
 +
== Admin ==
 +
 
 +
This is the private backend admin panel:
 +
 
 +
* https://framadate.wikimedia.it/admin/
 +
 
 +
; Credentials
 +
 
 +
The admin credentials are stored in this file:<ref>This file MUST be owned by root and 600 of permissions.</ref>
 +
 
 +
cat /var/www/framadate/secret/htpasswd.cleartext
 +
 
 +
; Change password
 +
 
 +
The admin credentials can be changed with this command:
 +
 
 +
htpasswd -c /var/www/framadate/secret/htpasswd admin
 +
 
 +
; Operations
 +
 
 +
From the admin panel you can:
 +
 
 +
* list polls
 +
* purge data
 +
* migrate
 +
* install check
  
 
== Server access ==
 
== Server access ==
 +
 +
Authorized people can access with SSH keys to the server {{Server link|intreccio}}:
  
 
<pre>
 
<pre>
ssh fabula.wikimedia.it
+
ssh intreccio.wikimedia.it
 
</pre>
 
</pre>
  
== Overview ==
+
To request access:
 +
 
 +
* [[Infrastruttura]]
 +
 
 +
== Filesystem ==
 +
 
 +
The whole application is in read-only (writable only by <code>root</code>). It seems that only the <code>tpl_c/</code> directory needs to be writable.
  
 
<pre>
 
<pre>
     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
+
# ls -l /var/www/framadate/production/
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
+
total 484
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
+
drwxrwxr-x 16 root    root      4096 lug 19 08:23 .
               request       │                          │        
+
drwxr-xr-x  8 root    root      4096 lug 19 08:32 ..
        │<────────────────────>│                          │        
+
drwxrwxr-x  2 root    root      4096 mar 22 18:06 action
        │                      │                          │        
+
drwxrwxr-x  2 root    root      4096 mar 22 18:06 admin
         │                      │         request          │        
+
-rw-rw-r--  1 root    root     18091 mar 22 18:06 adminstuds.php
         │                      │<─────────────────────────>│       
+
drwxrwxr-x  5 root    root      4096 mar 22 18:06 app
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
+
-rw-rw-r--  1 root    root        637 mar 22 18:06 AUTHORS.md
    │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
+
-rw-rw-r--  1 root    root      3053 mar 22 18:06 bandeaux.php
    └─────┘          └─────────────────┘          └───────────────┘
+
-rw-rw-r--  1 root    root      1439 mar 22 18:06 buildlang.php
 +
-rw-rw-r--  1 root    root     13754 mar 22 18:06 CHANGELOG.md
 +
-rw-rw-r--  1 root    root      1912 mar 22 18:06 compare.php
 +
-rw-rw-r--  1 root    root      2206 giu 21 21:10 composer.json
 +
-rw-rw-r--  1 root    root    169731 mar 22 18:06 composer.lock
 +
-rw-rw-r--  1 root    root      14340 mar 22 18:06 create_classic_poll.php
 +
-rw-rw-r--  1 root    root      9810 mar 22 18:06 create_date_poll.php
 +
-rw-rw-r--  1 root    root     12910 mar 22 18:06 create_poll.php
 +
drwxrwxr-x  3 root    root      4096 mar 22 18:06 css
 +
drwxrwxr-x  2 root    root      4096 mar 22 18:06 doc
 +
-rw-rw-r--  1 root    root        188 mar 22 18:06 .editorconfig
 +
-rw-rw-r--  1 root    root      3948 mar 22 18:06 exportcsv.php
 +
-rw-rw-r--  1 root    root      1150 mar 22 18:06 favicon.ico
 +
-rw-rw-r--  1 root    root      2103 mar 22 18:06 find_polls.php
 +
drwxrwxr-x  2 root    root      4096 mar 22 18:06 fonts
 +
-rw-rw-r--  1 root    root        242 mar 22 18:06 .gitignore
 +
-rw-rw-r--  1 root    root      5318 mar 22 18:06 .gitlab-ci.yml
 +
-rw-rw-r--  1 root    root        702 mar 22 18:06 htaccess.txt
 +
drwxrwxr-x  2 root    root      4096 mar 22 18:06 images
 +
-rw-rw-r--  1 root    root      2068 lug 19 08:22 index.php
 +
-rw-rw-r--  1 root    root         75 mar 22 18:06 INSTALL.md
 +
drwxrwxr-x  4 root    root      4096 mar 22 18:06 js
 +
-rw-rw-r--  1 root    root      22400 mar 22 18:06 LICENCE.fr.txt
 +
-rw-rw-r--  1 root    root      21396 mar 22 18:06 LICENSE.en.txt
 +
drwxrwxr-x  2 root    root       4096 mar 22 18:06 locale
 +
-rw-rw-r--  1 root    root       317 mar 22 18:06 locale.bat
 +
-rw-rw-r--  1 root    root       896 mar 22 18:06 maintenance.php
 +
-rw-rw-r--  1 root    root       234 mar 22 18:06 Makefile
 +
-rw-rw-r--  1 root    root      1172 mar 22 18:06 .php_cs
 +
-rw-rw-r--  1 root    root       230 mar 22 18:06 php.ini
 +
-rw-rw-r--  1 root    root         68 mar 22 18:06 phpunit.bat
 +
-rwxrwxr-x  1 root    root         85 mar 22 18:06 phpunit.sh
 +
drwxrwxr-x  2 root    root      4096 mar 22 18:06 po
 +
-rwxrwxr-x  1 root    root        275 mar 22 18:06 .po2json.sh
 +
-rwxrwxr-x  1 root    root        295 mar 22 18:06 push-trad-to-zanata.sh
 +
-rw-rw-r--  1 root    root      2878 mar 22 18:06 README.md
 +
-rwxrwxr-x  1 root    root       815 mar 22 18:06 .renest_json.pl
 +
-rw-rw-r--  1 root    root         77 mar 22 18:06 robots.txt
 +
drwxrwxr-x  2 root    root      4096 mar 22 18:06 scripts
 +
-rw-rw-r--  1 root    root     10834 mar 22 18:06 studs.php
 +
drwxrwxr-x  6 root    root      4096 mar 22 18:06 tpl
 +
drwxrwxr-x  2 www-data www-data  4096 lug 19 08:47 tpl_c
 +
drwxr-xr-x 24 root    root      4096 lug 19 07:59 vendor
 +
-rw-rw-r--  1 root    root        333 mar 22 18:06 zanata.xml
 
</pre>
 
</pre>
  
([http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuNBCoKnELR3HjLDGSYn8JCv8LT2miZ1Gi38nCTPKKh1IA4ejB4qjBk728WlH5U0HeEiMu0kKi3GmC43Huv2QbmAq0m00 refresh])
+
Here an overview of the parent directory.
  
== Filesystem ==
+
<pre>
 +
# ls -l /var/www/framadate
 +
total 32
 +
drwxr-xr-x  8 root    root    4096 lug 19 08:32 .
 +
drwxr-xr-x 13 root    root    4096 giu 21 21:08 ..
 +
drwxr-x---  2 root    www-data 4096 lug 19 08:43 config
 +
drwxrwxr-x 16 root    root    4096 lug 19 08:23 framadate-1.1.16
 +
drwxr-xr-x  2 root    root    4096 lug 19 08:41 images-wmi
 +
lrwxrwxrwx  1 root    root      16 giu 21 21:17 production -> framadate-1.1.16
 +
drwxr-xr-x  2 root    root    4096 lug 19 07:57 scripts
 +
drwxr-x---  2 root    www-data 4096 lug 19 07:55 secret
 +
drwxrwx---  2 www-data www-data 4096 giu 21 21:16 tmp
 +
</pre>
 +
 
 +
== Hardening ==
 +
 
 +
Procedure to be executed after any update:
  
 
<pre>
 
<pre>
# ls -l /var/www/framadate
+
chown -R root:    /var/www/framadate/production/
total 12
+
chown -R www-data: /var/www/framadate/production/tpl_c
drwxr-xr-x 16 apache apache 4096 21 dic 11.55 framadate-1.1.11
 
lrwxrwxrwx  1 apache apache  16 20 gen 18.48 production -> framadate-1.1.11
 
-rw-r--r--  1 apache apache  56 20 gen 17.24 README.txt
 
drwxr-xr-x  2 root  root  4096 20 gen 22.55 secret
 
 
</pre>
 
</pre>
 +
 +
== Installation ==
 +
 +
https://framagit.org/framasoft/framadate/framadate/-/wikis/Install/Database
  
 
== Configuration ==
 
== Configuration ==
 +
 +
Framadate configuration:
 +
 +
nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/framadate/app/config.php|/var/www/framadate/config/config.php]]
 +
nano /var/www/framadate/config/config-secret.php
  
 
Apache configuration:
 
Apache configuration:
  
<pre>
+
nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/projects/framadate/apache2/it-wikimedia-framadate-ssl.conf|/etc/apache2/sites-enabled/it-wikimedia-framadate-ssl.conf]]
nano /etc/httpd/sites-enabled/it-wikimedia-framadate-ssl.conf
+
nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/projects/framadate/apache2/it-wikimedia-framadate-txt.conf|/etc/apache2/sites-enabled/it-wikimedia-framadate-txt.conf]]
nano /etc/httpd/sites-enabled/it-wikimedia-framadate-txt.conf
+
 
</pre>
+
== Log ==
 +
 
 +
Log of the application:
 +
 
 +
tail -f /var/log/framadate/stdout.log
  
PHP-FPM configuration:
+
Generic Apache error log:
  
<pre>
+
tail -f /var/log/httpd/error.log
nano /etc/php-fpm.d/9000-www.conf
 
</pre>
 
  
To publish whatever change please run this:
+
Generic Apache access log:
  
<pre>
+
tail -f /var/log/apache2/other_vhosts_access.log
/root/scripts/commit.sh
 
</pre>
 
  
 
== Service ==
 
== Service ==
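Review bot: in the Credentials block the admin password is read from secret/htpasswd.cleartext, but the Change password command only rewrites secret/htpasswd, so the cleartext copy goes stale after the first rotation; either document updating both files or drop the cleartext copy and keep only the hash. htpasswd -c also truncates the file, which is safe only while admin is its sole entry. In the Log block the added error log path is /var/log/httpd/error.log while the other added paths use /etc/apache2 and /var/log/apache2, and the config.php link still points at servers/fabula; both look like leftovers from the previous host and should be checked against intreccio.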
Riga 70: Riga 179:
 
Service of the PHP-FPM backend webserver:
 
Service of the PHP-FPM backend webserver:
 
<pre>
 
<pre>
systemctl status  rh-php73-php-fpm.service
+
systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm.service
+
systemctl restart rh-php73-php-fpm
 
</pre>
 
</pre>
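Review bot: the unit name rh-php73-php-fpm kept in the Service block follows Red Hat Software Collections naming, while the rest of the new revision uses Debian-style paths and accounts (/etc/apache2, www-data), so dropping the .service suffix is not enough; confirm the PHP-FPM unit name that actually exists on intreccio and update both the status and restart lines.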
  
Riga 90: Riga 199:
 
5 rows in set (0.00 sec)
 
5 rows in set (0.00 sec)
 
</pre>
 
</pre>
 +
 +
== E-mail ==
 +
 +
Matomo uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>.
 +
 +
See [[#Configuration]].
 +
 +
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
 +
 +
== Update ==
 +
 +
Before any update always backup [[#Database]] and [[#Filesystem]].
 +
 +
To update Framadate, see the official documentation:
 +
 +
https://framagit.org/framasoft/framadate/framadate/-/wikis/Maintenance/Updating
 +
 +
In short, download Framadate and make sure you have a directory like:
 +
 +
<pre>
 +
/var/www/framadate/framadate-$YOURVERSION/
 +
</pre>
 +
 +
Then update the configuration:
 +
 +
<pre>
 +
ln --symbolic /var/www/framadate/config/config.php /var/www/framadate/framadate-$YOURVERSION/app/inc/config.php
 +
</pre>
 +
 +
Then, make it online in production:
 +
 +
<pre>
 +
ln --force --symbolic /var/www/framadate/framadate-$YOURVERSION/ /var/www/framadate/production
 +
</pre>
 +
 +
Then run [[#Hardening]].
 +
 +
Then visit:
 +
 +
https://framadate.wikimedia.it/admin/migration.php
 +
 +
See [[#Admin]] to access to the above page.
 +
 +
Eventually see [[#Customize the homepage]].
 +
 +
If something does not work see [[#Log]]. Eventually see [[#Rollback]].
 +
 +
== Rollback ==
 +
 +
If you have any problem, you can revert your [[#Database]] from your backups.
 +
 +
You can also hot-change the production version to any previous version:
 +
 +
<pre>
 +
ln --force --symbolic /var/www/framadate/framadate-$YOURVERSION/ /var/www/framadate/production
 +
</pre>
 +
 +
== Customize the homepage ==
 +
 +
To add a privacy policy in the homepage you can edit this file:
 +
 +
./tpl/index.tpl
 +
 +
For example adding these lines somewhere:
 +
 +
<pre>
 +
  <ul>
 +
    <li><a href="https://www.wikimedia.it/privacy/">https://www.wikimedia.it/privacy/</a></li>
 +
    <li><a href="https://www.wikimedia.it/cookie-policy/">https://www.wikimedia.it/cookie-policy/</a></li>
 +
  </ul>
 +
</pre>
 +
 +
And then clean the cache with:
 +
 +
rm ./tpl/*index.*
  
 
== Phabricator ==
 
== Phabricator ==
  
 
* [[phabricator:search/query/bg9usEJ4EmN./#R|phabricator:search]] - search recent activity
 
* [[phabricator:search/query/bg9usEJ4EmN./#R|phabricator:search]] - search recent activity
* [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/framadate/]] - public configuration
+
* [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/projects/framadate/]] - public configuration
 +
 
 +
== Note ==
 +
<references />
 +
 
 +
[[Categoria:Documentazione tecnica]]
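Review bot: in the Update and Rollback blocks, ln --force --symbolic onto /var/www/framadate/production follows the existing production symlink and creates the new link inside the old release directory instead of replacing it; add --no-dereference so the link itself is swapped. In Customize the homepage, rm ./tpl/*index.* also matches ./tpl/index.tpl, the file just edited, while the Filesystem section names tpl_c/ as the writable cache directory, so the glob should target tpl_c. The E-mail section says "Matomo uses an SMTP account" on a Framadate page, which reads like a copy from another page.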

Current revision as of 11:13, 20 Mar 2022

Page linked to the server ⚙️ intreccio

Brief documentation for system administrators of the Framadate instance in Wikimedia Italia.

Access

This is the public frontend access:

  • https://framadate.wikimedia.it/

At the moment anyone can use the service without limitations, on a best-effort basis.

Admin

This is the private backend admin panel:

  • https://framadate.wikimedia.it/admin/

Credentials

The admin credentials are stored in this file:[1]

cat /var/www/framadate/secret/htpasswd.cleartext

Change password

The admin credentials can be changed with this command:

htpasswd -c /var/www/framadate/secret/htpasswd admin

Operations

From the admin panel you can:

  • list polls
  • purge data
  • migrate
  • install check

Server access

Authorized people can access the server ⚙️ intreccio with SSH keys:

ssh intreccio.wikimedia.it

To request access:

  • Infrastruttura

Filesystem

The whole application is read-only (writable only by root). It seems that only the tpl_c/ directory needs to be writable.

# ls -l /var/www/framadate/production/
total 484
drwxrwxr-x 16 root     root       4096 lug 19 08:23 .
drwxr-xr-x  8 root     root       4096 lug 19 08:32 ..
drwxrwxr-x  2 root     root       4096 mar 22 18:06 action
drwxrwxr-x  2 root     root       4096 mar 22 18:06 admin
-rw-rw-r--  1 root     root      18091 mar 22 18:06 adminstuds.php
drwxrwxr-x  5 root     root       4096 mar 22 18:06 app
-rw-rw-r--  1 root     root        637 mar 22 18:06 AUTHORS.md
-rw-rw-r--  1 root     root       3053 mar 22 18:06 bandeaux.php
-rw-rw-r--  1 root     root       1439 mar 22 18:06 buildlang.php
-rw-rw-r--  1 root     root      13754 mar 22 18:06 CHANGELOG.md
-rw-rw-r--  1 root     root       1912 mar 22 18:06 compare.php
-rw-rw-r--  1 root     root       2206 giu 21 21:10 composer.json
-rw-rw-r--  1 root     root     169731 mar 22 18:06 composer.lock
-rw-rw-r--  1 root     root      14340 mar 22 18:06 create_classic_poll.php
-rw-rw-r--  1 root     root       9810 mar 22 18:06 create_date_poll.php
-rw-rw-r--  1 root     root      12910 mar 22 18:06 create_poll.php
drwxrwxr-x  3 root     root       4096 mar 22 18:06 css
drwxrwxr-x  2 root     root       4096 mar 22 18:06 doc
-rw-rw-r--  1 root     root        188 mar 22 18:06 .editorconfig
-rw-rw-r--  1 root     root       3948 mar 22 18:06 exportcsv.php
-rw-rw-r--  1 root     root       1150 mar 22 18:06 favicon.ico
-rw-rw-r--  1 root     root       2103 mar 22 18:06 find_polls.php
drwxrwxr-x  2 root     root       4096 mar 22 18:06 fonts
-rw-rw-r--  1 root     root        242 mar 22 18:06 .gitignore
-rw-rw-r--  1 root     root       5318 mar 22 18:06 .gitlab-ci.yml
-rw-rw-r--  1 root     root        702 mar 22 18:06 htaccess.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 images
-rw-rw-r--  1 root     root       2068 lug 19 08:22 index.php
-rw-rw-r--  1 root     root         75 mar 22 18:06 INSTALL.md
drwxrwxr-x  4 root     root       4096 mar 22 18:06 js
-rw-rw-r--  1 root     root      22400 mar 22 18:06 LICENCE.fr.txt
-rw-rw-r--  1 root     root      21396 mar 22 18:06 LICENSE.en.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 locale
-rw-rw-r--  1 root     root        317 mar 22 18:06 locale.bat
-rw-rw-r--  1 root     root        896 mar 22 18:06 maintenance.php
-rw-rw-r--  1 root     root        234 mar 22 18:06 Makefile
-rw-rw-r--  1 root     root       1172 mar 22 18:06 .php_cs
-rw-rw-r--  1 root     root        230 mar 22 18:06 php.ini
-rw-rw-r--  1 root     root         68 mar 22 18:06 phpunit.bat
-rwxrwxr-x  1 root     root         85 mar 22 18:06 phpunit.sh
drwxrwxr-x  2 root     root       4096 mar 22 18:06 po
-rwxrwxr-x  1 root     root        275 mar 22 18:06 .po2json.sh
-rwxrwxr-x  1 root     root        295 mar 22 18:06 push-trad-to-zanata.sh
-rw-rw-r--  1 root     root       2878 mar 22 18:06 README.md
-rwxrwxr-x  1 root     root        815 mar 22 18:06 .renest_json.pl
-rw-rw-r--  1 root     root         77 mar 22 18:06 robots.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 scripts
-rw-rw-r--  1 root     root      10834 mar 22 18:06 studs.php
drwxrwxr-x  6 root     root       4096 mar 22 18:06 tpl
drwxrwxr-x  2 www-data www-data   4096 lug 19 08:47 tpl_c
drwxr-xr-x 24 root     root       4096 lug 19 07:59 vendor
-rw-rw-r--  1 root     root        333 mar 22 18:06 zanata.xml

Here is an overview of the parent directory:

# ls -l /var/www/framadate
total 32
drwxr-xr-x  8 root     root     4096 lug 19 08:32 .
drwxr-xr-x 13 root     root     4096 giu 21 21:08 ..
drwxr-x---  2 root     www-data 4096 lug 19 08:43 config
drwxrwxr-x 16 root     root     4096 lug 19 08:23 framadate-1.1.16
drwxr-xr-x  2 root     root     4096 lug 19 08:41 images-wmi
lrwxrwxrwx  1 root     root       16 giu 21 21:17 production -> framadate-1.1.16
drwxr-xr-x  2 root     root     4096 lug 19 07:57 scripts
drwxr-x---  2 root     www-data 4096 lug 19 07:55 secret
drwxrwx---  2 www-data www-data 4096 giu 21 21:16 tmp

Hardening

Procedure to be executed after any update:

chown -R root:     /var/www/framadate/production/
chown -R www-data: /var/www/framadate/production/tpl_c

Installation

https://framagit.org/framasoft/framadate/framadate/-/wikis/Install/Database

Configuration

Framadate configuration:

nano /var/www/framadate/config/config.php
nano /var/www/framadate/config/config-secret.php

Apache configuration:

nano /etc/apache2/sites-enabled/it-wikimedia-framadate-ssl.conf
nano /etc/apache2/sites-enabled/it-wikimedia-framadate-txt.conf

Log

Log of the application:

tail -f /var/log/framadate/stdout.log

Generic Apache error log:

tail -f /var/log/httpd/error.log

Generic Apache access log:

tail -f /var/log/apache2/other_vhosts_access.log

Service

To apply your changes you need to restart the services.

Service of the Apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql framadate
> SHOW TABLES;
+------------------------+
| Tables_in_framadate    |
+------------------------+
| fd_comment             |
| fd_framadate_migration |
| fd_poll                |
| fd_slot                |
| fd_vote                |
+------------------------+
5 rows in set (0.00 sec)

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Update

Before any update, always back up #Database and #Filesystem.

To update Framadate, see the official documentation:

https://framagit.org/framasoft/framadate/framadate/-/wikis/Maintenance/Updating

In short, download Framadate and make sure you have a directory like:

/var/www/framadate/framadate-$YOURVERSION/

Then update the configuration:

ln --symbolic /var/www/framadate/config/config.php /var/www/framadate/framadate-$YOURVERSION/app/inc/config.php

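Then put it online in production (--no-dereference replaces the existing production symlink instead of creating a link inside the old release directory):

ln --force --symbolic --no-dereference /var/www/framadate/framadate-$YOURVERSION/ /var/www/framadate/production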

Then run #Hardening.

Then visit:

https://framadate.wikimedia.it/admin/migration.php

See #Admin for access to the above page.

If needed, see #Customize the homepage.

If something does not work, see #Log. If needed, see #Rollback.

Rollback

If you have any problem, you can revert your #Database from your backups.

You can also hot-change the production version to any previous version:

ln --force --symbolic --no-dereference /var/www/framadate/framadate-$YOURVERSION/ /var/www/framadate/production
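
The release switch from Update and Rollback, followed by a check that the Hardening layout actually holds, as an added example that is not part of the original page or of the Framadate project. The function names switch_release, audit_release and audit_secret are hypothetical; the checks assume the ownership layout shown in the Filesystem listings (code owned by root, only tpl_c/ writable by the web server, credential file mode 600).

```shell
#!/bin/sh
# Added example: hypothetical helpers for the layout documented on this page.

# switch_release BASE VERSION
# Repoint BASE/production at framadate-VERSION. -n (--no-dereference) makes ln
# replace the existing symlink instead of creating a link inside the old release.
switch_release() {
    base=$1; version=$2
    [ -d "$base/framadate-$version" ] || { echo "missing release $version" >&2; return 1; }
    ln -sfn "framadate-$version" "$base/production" || return 1
    [ "$(readlink "$base/production")" = "framadate-$version" ]
}

# audit_release BASE CODE_OWNER
# Print every path that breaks the read-only layout; return 1 if any is found.
#  - anything outside tpl_c/ that is not owned by CODE_OWNER (root on the server)
#  - anything world-writable (symlinks excluded, their mode is meaningless)
audit_release() {
    base=$1; owner=$2
    prod=$(cd "$base/production" 2>/dev/null && pwd -P) || return 2
    bad=$(
        find "$prod" -path "$prod/tpl_c" -prune -o ! -user "$owner" -print
        find "$prod" ! -type l -perm -0002 -print
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_secret FILE OWNER
# The page's footnote requires the credential file to be owned by root, mode 600.
audit_secret() {
    [ -f "$1" ] || return 2
    bad=$(find "$1" \( ! -user "$2" -o ! -perm 600 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

On the server this would be sourced and called as `switch_release /var/www/framadate 1.1.16 && audit_release /var/www/framadate root`, then `audit_secret /var/www/framadate/secret/htpasswd.cleartext root`.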

Customize the homepage

To add a privacy policy to the homepage, you can edit this file:

./tpl/index.tpl

For example, by adding these lines somewhere:

  <ul>
    <li><a href="https://www.wikimedia.it/privacy/">https://www.wikimedia.it/privacy/</a></li>
    <li><a href="https://www.wikimedia.it/cookie-policy/">https://www.wikimedia.it/cookie-policy/</a></li>
  </ul>

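And then clear the compiled-template cache, which lives in tpl_c/ (the glob must not point at ./tpl/, where it would also match index.tpl itself):

rm ./tpl_c/*index.*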

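Phabricator

  • phabricator:search - search recent activity
  • phabricator:diffusion/WIIN/browse/master/servers/intreccio/projects/framadate/ - public configuration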

Note

  1. This file MUST be owned by root, with permissions 600.