Difference between revisions of "Framadate/Technical documentation"

From Wikimedia Italia.
(update)
Riga 1: Riga 1:
 
{{Server|intreccio}}
 
{{Server|intreccio}}
Attenzione: servizio sospeso.
 
  
 
Brief documentation for system administrators of the [[Framadate]] instance in Wikimedia Italia.
 
Brief documentation for system administrators of the [[Framadate]] instance in Wikimedia Italia.
Riga 13: Riga 12:
  
 
* [[Infrastruttura]]
 
* [[Infrastruttura]]
 +
 +
== Admin ==
 +
 +
This is the admin panel:
 +
 +
* https://framadate.wikimedia.it/admin/
 +
 +
The admin credentials are stored in this file:<ref>This file MUST be owned by root and 600 of permissions.</ref>
 +
 +
cat /var/www/framadate/secret/htpasswd.cleartext
 +
 +
The admin credentials can be changed with this command:
 +
 +
htpasswd -c /var/www/framadate/secret/htpasswd admin
  
 
== Filesystem ==
 
== Filesystem ==
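Review bot: the added Admin section documents a cleartext copy of the admin password (secret/htpasswd.cleartext) beside the htpasswd file, and the only safeguard, root ownership with mode 600, is left in a footnote. Suggest moving that requirement into the body together with the command that verifies it, and noting that after running htpasswd the cleartext copy has to be updated by hand or the two files diverge. Also worth stating that htpasswd -c recreates the file, which is safe only while admin is its single entry.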
Riga 20: Riga 33:
 
<pre>
 
<pre>
 
# ls -l /var/www/framadate/production/
 
# ls -l /var/www/framadate/production/
total 412
+
total 484
drwxr-xr-x  2 root             root               4096 21 dic 11.50 action
+
drwxrwxr-x 16 root    root      4096 lug 19 08:23 .
drwxr-xr-x  2 root             root               4096 25 gen 09.59 admin
+
drwxr-xr-x  8 root    root      4096 lug 19 08:32 ..
-rw-r--r--  1 root             root             17997 21 dic 11.50 adminstuds.php
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 action
drwxr-xr-x  5 root             root               4096 21 dic 11.50 app
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 admin
-rw-r--r--  1 root             root               637 21 dic 11.50 AUTHORS.md
+
-rw-rw-r--  1 root     root     18091 mar 22 18:06 adminstuds.php
-rw-r--r--  1 root             root               3053 21 dic 11.50 bandeaux.php
+
drwxrwxr-x  5 root     root       4096 mar 22 18:06 app
-rw-r--r--  1 root             root               1439 21 dic 11.50 buildlang.php
+
-rw-rw-r--  1 root     root       637 mar 22 18:06 AUTHORS.md
-rw-r--r--  1 root             root             13754 21 dic 11.50 CHANGELOG.md
+
-rw-rw-r--  1 root     root       3053 mar 22 18:06 bandeaux.php
-rw-r--r--  1 root             root               1912 21 dic 11.50 compare.php
+
-rw-rw-r--  1 root     root       1439 mar 22 18:06 buildlang.php
-rw-r--r--  1 root             root               2209 21 dic 11.50 composer.json
+
-rw-rw-r--  1 root     root     13754 mar 22 18:06 CHANGELOG.md
-rw-r--r--  1 root             root             132735 21 dic 11.50 composer.lock
+
-rw-rw-r--  1 root     root       1912 mar 22 18:06 compare.php
-rw-r--r--  1 root             root             14340 21 dic 11.50 create_classic_poll.php
+
-rw-rw-r--  1 root     root       2206 giu 21 21:10 composer.json
-rw-r--r--  1 root             root               9810 25 gen 09.26 create_date_poll.php
+
-rw-rw-r--  1 root     root     169731 mar 22 18:06 composer.lock
-rw-r--r--  1 root             root             12614 21 dic 11.50 create_poll.php
+
-rw-rw-r--  1 root     root     14340 mar 22 18:06 create_classic_poll.php
drwxr-xr-x  3 root             root               4096 21 dic 11.50 css
+
-rw-rw-r--  1 root     root       9810 mar 22 18:06 create_date_poll.php
drwxr-xr-x  2 root             root               4096 21 dic 11.50 doc
+
-rw-rw-r--  1 root     root     12910 mar 22 18:06 create_poll.php
-rw-r--r--  1 root             root               3948 21 dic 11.50 exportcsv.php
+
drwxrwxr-x  3 root     root       4096 mar 22 18:06 css
-rw-r--r--  1 root             root               1150 21 dic 11.50 favicon.ico
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 doc
-rw-r--r--  1 root             root               2103 21 dic 11.50 find_polls.php
+
-rw-rw-r--  1 root    root        188 mar 22 18:06 .editorconfig
drwxr-xr-x  2 root             root               4096 21 dic 11.50 fonts
+
-rw-rw-r--  1 root     root       3948 mar 22 18:06 exportcsv.php
-rw-r--r--  1 root             root               702 21 dic 11.50 htaccess.txt
+
-rw-rw-r--  1 root     root       1150 mar 22 18:06 favicon.ico
drwxr-xr-x  2 root             root               4096 21 dic 11.50 images
+
-rw-rw-r--  1 root     root       2103 mar 22 18:06 find_polls.php
-rw-r--r--  1 root             root               1774 21 dic 11.50 index.php
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 fonts
-rw-r--r--  1 root             root                 75 21 dic 11.50 INSTALL.md
+
-rw-rw-r--  1 root    root        242 mar 22 18:06 .gitignore
drwxr-xr-x  4 root             root               4096 21 dic 11.50 js
+
-rw-rw-r--  1 root    root      5318 mar 22 18:06 .gitlab-ci.yml
-rw-r--r--  1 root             root             22400 21 dic 11.50 LICENCE.fr.txt
+
-rw-rw-r--  1 root     root       702 mar 22 18:06 htaccess.txt
-rw-r--r--  1 root             root             21396 21 dic 11.50 LICENSE.en.txt
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 images
drwxr-xr-x  2 root             root               4096 21 dic 11.50 locale
+
-rw-rw-r--  1 root     root       2068 lug 19 08:22 index.php
-rw-r--r--  1 root             root               317 21 dic 11.50 locale.bat
+
-rw-rw-r--  1 root     root         75 mar 22 18:06 INSTALL.md
-rw-r--r--  1 root             root               896 21 dic 11.50 maintenance.php
+
drwxrwxr-x  4 root     root       4096 mar 22 18:06 js
-rw-r--r--  1 root             root               234 21 dic 11.50 Makefile
+
-rw-rw-r--  1 root     root     22400 mar 22 18:06 LICENCE.fr.txt
-rw-r--r--  1 root             root               230 21 dic 11.50 php.ini
+
-rw-rw-r--  1 root     root     21396 mar 22 18:06 LICENSE.en.txt
-rw-r--r--  1 root             root                 68 21 dic 11.50 phpunit.bat
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 locale
-rw-r--r--  1 root             root                 85 21 dic 11.50 phpunit.sh
+
-rw-rw-r--  1 root     root       317 mar 22 18:06 locale.bat
drwxr-xr-x  2 root             root               4096 21 dic 11.50 po
+
-rw-rw-r--  1 root     root       896 mar 22 18:06 maintenance.php
-rw-r--r--  1 root             root               295 21 dic 11.50 push-trad-to-zanata.sh
+
-rw-rw-r--  1 root     root       234 mar 22 18:06 Makefile
-rw-r--r--  1 root             root               2878 21 dic 11.50 README.md
+
-rw-rw-r--  1 root    root      1172 mar 22 18:06 .php_cs
-rw-r--r--  1 root             root                 77 21 dic 11.50 robots.txt
+
-rw-rw-r--  1 root     root       230 mar 22 18:06 php.ini
drwxr-xr-x  2 root             root               4096 21 dic 11.50 scripts
+
-rw-rw-r--  1 root     root         68 mar 22 18:06 phpunit.bat
-rw-r--r--  1 root             root             10834 21 dic 11.50 studs.php
+
-rwxrwxr-x 1 root     root         85 mar 22 18:06 phpunit.sh
drwxr-xr-x  6 root             root               4096 21 dic 11.50 tpl
+
drwxrwxr-x  2 root     root       4096 mar 22 18:06 po
drwxr-xr-x  2 apache-framadate apache-framadate   4096 24 gen 18.38 tpl_c
+
-rwxrwxr-x  1 root    root        275 mar 22 18:06 .po2json.sh
drwxr-xr-x 12 root             root               4096 21 dic 11.55 vendor
+
-rwxrwxr-x 1 root     root       295 mar 22 18:06 push-trad-to-zanata.sh
-rw-r--r--  1 root             root               333 21 dic 11.50 zanata.xml
+
-rw-rw-r--  1 root     root       2878 mar 22 18:06 README.md
 +
-rwxrwxr-x  1 root    root        815 mar 22 18:06 .renest_json.pl
 +
-rw-rw-r--  1 root     root         77 mar 22 18:06 robots.txt
 +
drwxrwxr-x  2 root     root       4096 mar 22 18:06 scripts
 +
-rw-rw-r--  1 root     root     10834 mar 22 18:06 studs.php
 +
drwxrwxr-x  6 root     root       4096 mar 22 18:06 tpl
 +
drwxrwxr-x  2 www-data www-data   4096 lug 19 08:47 tpl_c
 +
drwxr-xr-x 24 root     root       4096 lug 19 07:59 vendor
 +
-rw-rw-r--  1 root     root       333 mar 22 18:06 zanata.xml
 
</pre>
 
</pre>
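Review bot: the command line in this listing is still ls -l, but the new output contains ., .. and dotfiles (.editorconfig, .gitignore, .gitlab-ci.yml, .php_cs), so it was produced with ls -la and the command shown should match. Since those repository files now sit inside the served directory, a sentence on whether the web server denies access to them would help whoever maintains the vhost.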
  
Riga 71: Riga 92:
 
<pre>
 
<pre>
 
# ls -l /var/www/framadate
 
# ls -l /var/www/framadate
total 28
+
total 32
drwxr-xr-x 16 root             root             4096 24 gen 18.36 framadate-1.1.11
+
drwxr-xr-x 8 root     root     4096 lug 19 08:32 .
drwxrwx---  2 apache-framadate apache-framadate 4096 25 gen 09.52 log
+
drwxr-xr-x 13 root    root    4096 giu 21 21:08 ..
lrwxrwxrwx  1 root             root               16 25 gen 09.48 production -> framadate-1.1.11
+
drwxr-x---  2 root    www-data 4096 lug 19 08:43 config
-rw-r--r--  1 root             root               56 20 gen 17.24 README.txt
+
drwxrwxr-x 16 root     root     4096 lug 19 08:23 framadate-1.1.16
drwxr-xr-x  2 root             root             4096 20 gen 22.55 secret
+
drwxr-xr-x  2 root    root    4096 lug 19 08:41 images-wmi
drwxrwx---  2 apache-framadate apache-framadate 4096 25 gen 09.10 session
+
lrwxrwxrwx 1 root     root       16 giu 21 21:17 production -> framadate-1.1.16
drwxrwx---  2 apache-framadate apache-framadate 4096 24 gen 18.32 tmp
+
drwxr-xr-x  2 root     root     4096 lug 19 07:57 scripts
drwxr-xr-x  2 root            root            4096 24 gen 00.17 wmi-images
+
drwxr-x---  2 root    www-data 4096 lug 19 07:55 secret
 +
drwxrwx---  2 www-data www-data 4096 giu 21 21:16 tmp
 
</pre>
 
</pre>
  
== Admin ==
+
== Hardening ==
  
This is the admin panel:
+
Procedure to be executed after any update:
  
* https://framadate.wikimedia.it/admin/
+
<pre>
 
+
chown -R root:     /var/www/framadate/production/
The admin credentials are stored in this file:
+
chown -R www-data: /var/www/framadate/production/tpl_c
 
+
</pre>
cat /var/www/framadate/secret/password.clear
 
 
 
The admin credentials can be changed with this command:
 
 
 
htpasswd -c /var/www/framadate/secret/htpasswd admin
 
  
 
== Installation ==
 
== Installation ==
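Review bot: the new Hardening procedure resets ownership only, while the listings in this revision show the release tree as group-writable (drwxrwxr-x framadate-1.1.16, -rw-rw-r-- files) where the previous revision had drwxr-xr-x and -rw-r--r--. chown does not change modes, so consider adding a chmod -R go-w step on /var/www/framadate/production/ before the tpl_c line. The parent listing also no longer shows the log and session directories; if they moved, the path in the Log section should be updated with them.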
Riga 173: Riga 190:
 
5 rows in set (0.00 sec)
 
5 rows in set (0.00 sec)
 
</pre>
 
</pre>
 +
 +
== Unix ==
 +
 +
There is a dedicated Unix user able to read secret configurations and write some logs.
 +
 +
# id apache-framadate
 +
uid=1434(apache-framadate) gid=1434(apache-framadate) groups=1434(apache-framadate),48(apache)
  
 
== E-mail ==
 
== E-mail ==
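Review bot: the Unix section added here names apache-framadate as the dedicated user, but the listings updated in this same revision show www-data as the owner of tpl_c and tmp and as the group of config and secret, and the Hardening commands chown to www-data. Please state which account the PHP-FPM pool actually runs as on this server, or remove the section if it no longer applies.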
Riga 181: Riga 205:
  
 
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
 
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
 
== Install ==
 
 
Install dependencies:
 
 
<pre>
 
apt install php-mbstring php-xml
 
</pre>
 
 
https://framagit.org/framasoft/framadate/framadate/-/wikis/Install/Install
 
  
 
== Update ==
 
== Update ==
Riga 200: Riga 214:
 
* [[phabricator:search/query/bg9usEJ4EmN./#R|phabricator:search]] - search recent activity
 
* [[phabricator:search/query/bg9usEJ4EmN./#R|phabricator:search]] - search recent activity
 
* [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/framadate/]] - public configuration
 
* [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/framadate/]] - public configuration
 +
 +
== Note ==
 +
<references />
  
 
[[Categoria:Documentazione tecnica]]
 
[[Categoria:Documentazione tecnica]]
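Review bot: the page is tagged {{Server|intreccio}}, but the public configuration link kept as context in this hunk still points to servers/fabula/projects/framadate/. If the instance moved, that link should follow; otherwise a short note on why the configuration lives under fabula would avoid confusion.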

Revision as of 10:00, 19 Jul 2021

Page linked to the server ⚙️ intreccio

Brief documentation for system administrators of the Framadate instance in Wikimedia Italia.

Server access

ssh intreccio.wikimedia.it

To request access:

Admin

This is the admin panel: https://framadate.wikimedia.it/admin/

The admin credentials are stored in this file:[1]

cat /var/www/framadate/secret/htpasswd.cleartext

The admin credentials can be changed with this command:

htpasswd -c /var/www/framadate/secret/htpasswd admin

Filesystem

The whole application is read-only (writable only by root). It seems that only the tpl_c/ directory needs to be writable.

# ls -l /var/www/framadate/production/
total 484
drwxrwxr-x 16 root     root       4096 lug 19 08:23 .
drwxr-xr-x  8 root     root       4096 lug 19 08:32 ..
drwxrwxr-x  2 root     root       4096 mar 22 18:06 action
drwxrwxr-x  2 root     root       4096 mar 22 18:06 admin
-rw-rw-r--  1 root     root      18091 mar 22 18:06 adminstuds.php
drwxrwxr-x  5 root     root       4096 mar 22 18:06 app
-rw-rw-r--  1 root     root        637 mar 22 18:06 AUTHORS.md
-rw-rw-r--  1 root     root       3053 mar 22 18:06 bandeaux.php
-rw-rw-r--  1 root     root       1439 mar 22 18:06 buildlang.php
-rw-rw-r--  1 root     root      13754 mar 22 18:06 CHANGELOG.md
-rw-rw-r--  1 root     root       1912 mar 22 18:06 compare.php
-rw-rw-r--  1 root     root       2206 giu 21 21:10 composer.json
-rw-rw-r--  1 root     root     169731 mar 22 18:06 composer.lock
-rw-rw-r--  1 root     root      14340 mar 22 18:06 create_classic_poll.php
-rw-rw-r--  1 root     root       9810 mar 22 18:06 create_date_poll.php
-rw-rw-r--  1 root     root      12910 mar 22 18:06 create_poll.php
drwxrwxr-x  3 root     root       4096 mar 22 18:06 css
drwxrwxr-x  2 root     root       4096 mar 22 18:06 doc
-rw-rw-r--  1 root     root        188 mar 22 18:06 .editorconfig
-rw-rw-r--  1 root     root       3948 mar 22 18:06 exportcsv.php
-rw-rw-r--  1 root     root       1150 mar 22 18:06 favicon.ico
-rw-rw-r--  1 root     root       2103 mar 22 18:06 find_polls.php
drwxrwxr-x  2 root     root       4096 mar 22 18:06 fonts
-rw-rw-r--  1 root     root        242 mar 22 18:06 .gitignore
-rw-rw-r--  1 root     root       5318 mar 22 18:06 .gitlab-ci.yml
-rw-rw-r--  1 root     root        702 mar 22 18:06 htaccess.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 images
-rw-rw-r--  1 root     root       2068 lug 19 08:22 index.php
-rw-rw-r--  1 root     root         75 mar 22 18:06 INSTALL.md
drwxrwxr-x  4 root     root       4096 mar 22 18:06 js
-rw-rw-r--  1 root     root      22400 mar 22 18:06 LICENCE.fr.txt
-rw-rw-r--  1 root     root      21396 mar 22 18:06 LICENSE.en.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 locale
-rw-rw-r--  1 root     root        317 mar 22 18:06 locale.bat
-rw-rw-r--  1 root     root        896 mar 22 18:06 maintenance.php
-rw-rw-r--  1 root     root        234 mar 22 18:06 Makefile
-rw-rw-r--  1 root     root       1172 mar 22 18:06 .php_cs
-rw-rw-r--  1 root     root        230 mar 22 18:06 php.ini
-rw-rw-r--  1 root     root         68 mar 22 18:06 phpunit.bat
-rwxrwxr-x  1 root     root         85 mar 22 18:06 phpunit.sh
drwxrwxr-x  2 root     root       4096 mar 22 18:06 po
-rwxrwxr-x  1 root     root        275 mar 22 18:06 .po2json.sh
-rwxrwxr-x  1 root     root        295 mar 22 18:06 push-trad-to-zanata.sh
-rw-rw-r--  1 root     root       2878 mar 22 18:06 README.md
-rwxrwxr-x  1 root     root        815 mar 22 18:06 .renest_json.pl
-rw-rw-r--  1 root     root         77 mar 22 18:06 robots.txt
drwxrwxr-x  2 root     root       4096 mar 22 18:06 scripts
-rw-rw-r--  1 root     root      10834 mar 22 18:06 studs.php
drwxrwxr-x  6 root     root       4096 mar 22 18:06 tpl
drwxrwxr-x  2 www-data www-data   4096 lug 19 08:47 tpl_c
drwxr-xr-x 24 root     root       4096 lug 19 07:59 vendor
-rw-rw-r--  1 root     root        333 mar 22 18:06 zanata.xml

Here is an overview of the parent directory:

# ls -l /var/www/framadate
total 32
drwxr-xr-x  8 root     root     4096 lug 19 08:32 .
drwxr-xr-x 13 root     root     4096 giu 21 21:08 ..
drwxr-x---  2 root     www-data 4096 lug 19 08:43 config
drwxrwxr-x 16 root     root     4096 lug 19 08:23 framadate-1.1.16
drwxr-xr-x  2 root     root     4096 lug 19 08:41 images-wmi
lrwxrwxrwx  1 root     root       16 giu 21 21:17 production -> framadate-1.1.16
drwxr-xr-x  2 root     root     4096 lug 19 07:57 scripts
drwxr-x---  2 root     www-data 4096 lug 19 07:55 secret
drwxrwx---  2 www-data www-data 4096 giu 21 21:16 tmp

Hardening

Procedure to be executed after any update:

chown -R root:     /var/www/framadate/production/
chown -R www-data: /var/www/framadate/production/tpl_c
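
An added example, not part of the original page or of Framadate: a check to run after the chown commands above, confirming that nothing outside tpl_c is group- or world-writable and that the cleartext credential file is owned by root with mode 600. The function names, the finding labels and the constructed sample tree are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: post-update audit of the layout documented on this page.
# On the server: audit_tree /var/www/framadate root www-data
# Prints one finding per line; no output means the tree is clean.
audit_tree() {
    local root="$1" owner="$2" webuser="$3" prod secret
    prod=$(cd "$root/production" && pwd -P) || return 2   # resolve the symlink
    secret="$root/secret/htpasswd.cleartext"

    # 1. Outside tpl_c nothing may be group- or world-writable (chown alone
    #    does not reset modes) and everything must belong to OWNER.
    find "$prod" -path "$prod/tpl_c" -prune -o ! -type l \
        \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
    find "$prod" -path "$prod/tpl_c" -prune -o ! -user "$owner" -print |
        sed 's/^/OWNER /'

    # 2. tpl_c itself must belong to the web user.
    find "$prod/tpl_c" -prune ! -user "$webuser" -print | sed 's/^/TPL_C /'

    # 3. The cleartext credential file: owned by OWNER, mode exactly 600.
    [ -n "$(find "$secret" -prune -perm 600 -user "$owner" -print 2>/dev/null)" ] ||
        echo "SECRET $secret"
}

# Constructed sample tree with the 775/664 modes seen in the listing above.
make_sample() {
    local root="$1" rel="$1/framadate-1.1.16"
    mkdir -p "$rel/tpl_c" "$rel/app" "$root/secret"
    : > "$rel/index.php"
    : > "$root/secret/htpasswd.cleartext"
    ln -s framadate-1.1.16 "$root/production"
    chmod 775 "$rel" "$rel/app" "$rel/tpl_c"
    chmod 664 "$rel/index.php"
    chmod 644 "$root/secret/htpasswd.cleartext"
}

# Demo on the constructed tree, using the current uid for both roles.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp"
    audit_tree "$tmp" "$(id -u)" "$(id -u)"
    rm -rf "$tmp"
fi
```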

Installation

https://framagit.org/framasoft/framadate/framadate/-/wikis/Install/Database

Configuration

Framadate configuration:

nano /var/www/framadate/production/app/inc/config.php
nano /var/www/framadate/production/app/inc/config-secret.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-framadate-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-framadate-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9001-framadate.conf

To publish any change to Wikimedia Phabricator, please run this:

/root/scripts/commit.sh

Log

Log of the application:

tail -f /var/www/framadate/log/stdout.log

Log of the PHP-FPM pool:

tail -f /var/log/php-fpm/framadate-error.log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Service of the Apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql framadate
> SHOW TABLES;
+------------------------+
| Tables_in_framadate    |
+------------------------+
| fd_comment             |
| fd_framadate_migration |
| fd_poll                |
| fd_slot                |
| fd_vote                |
+------------------------+
5 rows in set (0.00 sec)

Unix

There is a dedicated Unix user able to read secret configurations and write some logs.

# id apache-framadate
uid=1434(apache-framadate) gid=1434(apache-framadate) groups=1434(apache-framadate),48(apache)

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Update

https://framagit.org/framasoft/framadate/framadate/-/wikis/Maintenance/Updating

Phabricator

Note

  1. This file MUST be owned by root and have permissions 600.