Differences between revisions of "LimeSurvey/Technical documentation"

From Wikimedia Italia.
(→‎Filesystem: hardening)
 
(8 intermediate revisions by the same user are not shown)
Riga 1: Riga 1:
{{Server|fabula}}
+
{{Server|intreccio}}
 
Brief documentation for system administrators of the [[LimeSurvey]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
 
Brief documentation for system administrators of the [[LimeSurvey]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
  
Riga 16: Riga 16:
 
== Overview ==
 
== Overview ==
  
This was the legacy configuration in the destroyed {{Server link|fabula}}:
+
The LimeSurvey application is just a PHP/MySQL application served by Apache <code>mod_php</code>.
 
 
<pre>
 
    ┌─────┐          ┌─────────────────┐          ┌───────────────┐
 
    │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9002)│
 
    └──┬──┘          └────────┬────────┘          └───────┬───────┘
 
        │      request        │                          │       
 
        │<────────────────────>│                          │       
 
        │                      │                          │       
 
        │                      │        request          │       
 
        │                      │<─────────────────────────>│       
 
    ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
 
    │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9002)│
 
    └─────┘          └─────────────────┘          └───────────────┘
 
</pre>
 
 
 
([http://www.plantuml.com/plantuml/uml/SoWkIImgAStDuNBCoKnELR3HjLDGSYn8JCv8LT2miZ1Gi38nCTPKKh1IA4ejB4qjBk728WlH5U0HeEiMu0kKi3GmC4BHuv2QbmAq0m00 refresh])
 
 
 
The configuration in server {{Server link|intreccio}} is just with Apache.
 
  
 
== Filesystem ==
 
== Filesystem ==
Riga 45: Riga 27:
  
 
<pre>
 
<pre>
chown www-data: -R /var/www/limesurvey/production
+
LIME=/var/www/limesurvey/production/
 +
chown www-data: -R "$LIME"
 
</pre>
 
</pre>
  
Riga 51: Riga 34:
  
 
<pre>
 
<pre>
# to upload new logo from the backend interface
+
LIME=/var/www/limesurvey/production/
chown www-data: /var/www/limesurvey/production/upload/themes/survey/generalfiles
+
 
 +
# make the whole application read-only for everyone
 +
chown root: -R "$LIME"
 +
 
 +
# allow to upload new logo from the backend interface
 +
chown www-data: "$LIME"/upload/themes/survey/generalfiles
  
 
# generic temporary directory for PHP
 
# generic temporary directory for PHP
chown -R www-data: /var/www/limesurvey/production/tmp
+
chown -R www-data: "$LIME"/tmp
chmod -R o=        /var/www/limesurvey/production/tmp
+
chmod -R o=        "$LIME"/tmp
  
 
# user uploads
 
# user uploads
chown -R www-data: /var/www/limesurvey/production/upload
+
chown -R www-data: "$LIME"/upload
  
 
# user configuration (required by installation wizard)
 
# user configuration (required by installation wizard)
chown -R www-data: /var/www/limesurvey/production/application/config
+
chown -R www-data: "$LIME"/application/config
 
</pre>
 
</pre>
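Review bot: the last command, <code>chown -R www-data: "$LIME"/application/config</code>, hands the configuration directory back to the web server user on every hardening run, although its comment ties this to the installation wizard; once the instance is installed, consider leaving <code>application/config</code> owned by root so that a compromised PHP process cannot rewrite it. Two smaller points: the single-directory <code>chown www-data: "$LIME"/upload/themes/survey/generalfiles</code> is made redundant by the later recursive chown of <code>"$LIME"/upload</code>, and <code>chown root: -R "$LIME"</code> changes ownership only, so the "read-only for everyone" comment holds only if no file is group- or world-writable; adding <code>chmod -R go-w "$LIME"</code> would make that explicit.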
  
Riga 122: Riga 110:
 
LimeSurvey configuration:
 
LimeSurvey configuration:
  
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/limesurvey/public-config.php|/var/www/limesurvey/production/application/config/config.php]]
+
  nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/public-config.php|/var/www/limesurvey/production/application/config/config.php]]
  
 
Apache configuration:
 
Apache configuration:
  
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf]]
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/apache2/it-wikimedia-survey-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf]]
  
 
PHP-FPM configuration:
 
PHP-FPM configuration:
  
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/limesurvey/php-fpm/9002-limesurvey.conf|/etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/php-fpm/9002-limesurvey.conf|/etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf]]
  
 
To publish whatever change in Wikimedia Phabricator please run this:
 
To publish whatever change in Wikimedia Phabricator please run this:
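Review bot: the Configuration paths shown to the reader are stale after this edit: the Apache entries still display <code>/etc/httpd/sites-enabled/</code> and the PHP-FPM entry is kept, while this same revision states that the application is served by Apache <code>mod_php</code> and the new Logo section edits <code>/etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf</code>. Update the displayed paths together with the branch name, and drop the PHP-FPM line or mark it as legacy.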
Riga 140: Riga 128:
  
 
== Log ==
 
== Log ==
 
Application error log:
 
 
tail -f /var/log/php-fpm/limesurvey-error.log
 
  
 
Generic Apache error log:
 
Generic Apache error log:
  
  tail -f /var/log/httpd/error_log
+
  tail -f /var/log/apache2/error.log
  
 
Generic Apache access log:
 
Generic Apache access log:
  
  tail -f /var/log/httpd/access_log
+
  tail -f /var/log/apache2/access_log
  
 
== Service ==
 
== Service ==
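Review bot: the new access log path <code>/var/log/apache2/access_log</code> keeps the old httpd-style file name while the error log line was changed to <code>error.log</code>; check which file the virtual host actually writes so that the documented command does not tail a missing file. The application error log entry is removed without a replacement; a line saying where PHP errors are logged now would help whoever has to investigate an incident.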
Riga 255: Riga 239:
 
</pre>
 
</pre>
  
== Unix ==
+
== E-mail ==
  
There is a dedicated Unix user in server {{Server link|fabula}} able to read secret configurations and write some logs.
+
This application uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>.
  
# id apache-limesurvey
+
See [[#Configuration]].
uid=1438(apache-limesurvey) gid=1438(apache-limesurvey) groups=1438(apache-limesurvey),48(apache)
 
  
TODO: Actually this user is not in use because I don't want to experiment in production and now I don't have time to do otherwise. But please update the PHP-FPM [[#Configuration]] to adopt this separated user.
+
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
  
== E-mail ==
+
== Automatic update ==
 +
 
 +
Just visit this page:
 +
 
 +
https://survey.wikimedia.it/index.php/admin/update
  
This application uses an SMTP account <code>@wikimedia.it</code> with username <code>noreply</code>.
+
If the key is not valid anymore, copy and paste this page to request another one and have more than 120 updates:
  
See [[#Configuration]].
+
* [[Microgrant/2021/Supporto WMI-LimeSurvey]]
  
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
+
After the update see [[#Logo]].
  
== Update ==
+
== Manual update ==
  
During an update try to do not use the web interface (because the application is in read-only on the filesystem) but download instead the new version in <code>/var/www/limesurvey</code>.
+
# backup files
 +
# backup database
 +
# see [[#Filesystem]] to remove hardening
 +
# now:
 +
## Option 1 without command line
 +
### You can use the ComfortUpdate from the web interface (but you need to pay the license - that is good to support LimeSurvey)
 +
## Option 2 with command line
 +
### see [[#Deploy]]
 +
### update the database:
 +
###: <code>su www-data -s /bin/bash --command='php /var/www/limesurvey/production/application/commands/console.php updatedb'</code>
 +
# see [[#Filesystem]] to restore hardening
  
To see the new version online you can just replace the <code>/var/www/limesurvey/production</code> symbolic link.
+
Notes:
  
Remember to copy the <code>/application/config</code> inside your new version.
+
* to see the new version online you can just replace the symbolic link at <code>/var/www/limesurvey/production</code>.
 +
* remember to copy the <code>/application/config</code> inside your new version (both config.php and secret.php)
  
 
Then follow the official guide.
 
Then follow the official guide.
  
 
https://manual.limesurvey.org/upgrading_from_a_previous_version
 
https://manual.limesurvey.org/upgrading_from_a_previous_version
 +
 +
After the update see [[#Logo]].
  
 
== Security ==
 
== Security ==
  
Some initiatives to improve the security of LimeSurvey itself:
+
* [[Infrastruttura#Sicurezza]]
 
+
* [[phabricator:T275574]]
* '''(Italian)''' https://gitlab.com/ItalianLinuxSociety/brainstorm/-/issues/27
 
  
 
== Deploy ==
 
== Deploy ==
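Review bot: the "Automatic update" section says to just visit <code>/index.php/admin/update</code>, but unlike the manual procedure it has no step for removing and restoring the filesystem hardening, and the removed text warned that the web interface should not be used because the application is read-only on the filesystem; add the same "see [[#Filesystem]]" steps before and after. The removed Unix section also carried a TODO about running the application under a separate user; if that plan is still wanted, keep it somewhere (for example under Security) instead of dropping it.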
Riga 328: Riga 327:
  
 
Now see [[#Filesystem]] and [[#Database]].
 
Now see [[#Filesystem]] and [[#Database]].
 +
 +
Also see [[#Logo]].
 +
 +
== Logo ==
 +
 +
You may need to change a couple of lines in this configuration file to change the logo:
 +
 +
<pre>
 +
/etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf
 +
</pre>
 +
 +
Here the lines:
 +
 +
<pre>
 +
#
 +
# Update the logo
 +
#
 +
# https://commons.wikimedia.org/wiki/File:WikiSurvey_Logo_(lettering).svg
 +
#
 +
# https://phabricator.wikimedia.org/T275919
 +
#
 +
#    cd /var/www/limesurvey/wmi-images/
 +
#    wget "https://upload.wikimedia.org/wikipedia/commons/thumb/0/03/WikiSurvey_Logo_(lettering).svg/350px-WikiSurvey_Logo_(lettering).svg.png"
 +
#
 +
#                ↓ CHANGE THIS
 +
Alias /tmp/assets/369bd233/survey_list_header.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png
 +
Alias /tmp/assets/11637359/logo.png              /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png
 +
</pre>
 +
 +
After you have done, just reload apache:
 +
 +
<pre>
 +
apachectl graceful
 +
</pre>
  
 
== Phabricator ==
 
== Phabricator ==
  
 
* [[phabricator:search/query/EefnawXAoEzx/#R|phabricator:search]] - search recent activity
 
* [[phabricator:search/query/EefnawXAoEzx/#R|phabricator:search]] - search recent activity
* [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/limesurvey/]] - public configuration
+
* [[phabricator:diffusion/WIIN/browse/main/servers/fabula/projects/limesurvey/]] - public configuration
  
 
[[Categoria:LimeSurvey]]
 
[[Categoria:LimeSurvey]]
 +
[[Categoria:Documentazione tecnica|LimeSurvey]]
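Review bot: the two <code>Alias</code> lines hard-code asset directory names (<code>369bd233</code>, <code>11637359</code>) that the "↓ CHANGE THIS" marker says must be edited by hand; say in the section how to find the current values after an update, or match them with a pattern so that the virtual host does not need editing each time. The <code>wget</code> of the logo in the comment has no integrity check, and the ownership of <code>/var/www/limesurvey/wmi-images/</code> is not stated; documenting it as root-owned would keep it consistent with the hardening in [[#Filesystem]].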

Current revision as of 21:47, 13 Feb 2023

Page related to server ⚙️ intreccio

Brief documentation for system administrators of the LimeSurvey instance in Wikimedia Italia.

Server access

ssh fabula.wikimedia.it

ssh intreccio.wikimedia.it

To request access:

Overview

The LimeSurvey application is just a PHP/MySQL application served by Apache mod_php.

Filesystem

The whole application is read-only (writable only by root) apart from some temporary locations and the upload directory.

The whole application is world-readable apart from the file config-secret.php and the directory for PHP sessions.

Before any update:

LIME=/var/www/limesurvey/production/
chown www-data: -R "$LIME"

After any update, harden the application:

LIME=/var/www/limesurvey/production/

# make the whole application read-only for everyone
chown root: -R "$LIME"

# allow to upload new logo from the backend interface
chown www-data: "$LIME"/upload/themes/survey/generalfiles

# generic temporary directory for PHP
chown -R www-data: "$LIME"/tmp
chmod -R o=        "$LIME"/tmp

# user uploads
chown -R www-data: "$LIME"/upload

# user configuration (required by installation wizard)
chown -R www-data: "$LIME"/application/config

Here is an overview of the application directory.

# ls -l /var/www/limesurvey/production
total 84
drwxr-xr-x   2 root              root              4096 16 feb 10.50 admin
drwxr-xr-x  15 root              root              4096 21 feb 19.45 application
drwxr-xr-x   7 root              root              4096 16 feb 10.50 assets
-rw-r--r--   1 root              root              1131 16 feb 10.50 composer.json
-rw-r--r--   1 root              root              3273 16 feb 10.50 CONTRIBUTING.md
drwxr-xr-x   4 root              root              4096 16 feb 10.50 docs
drwxr-xr-x  19 root              root              4096 16 feb 10.50 framework
-rw-r--r--   1 root              root              6621 16 feb 10.50 index.php
drwxr-xr-x   5 root              root              4096 16 feb 10.50 installer
drwxr-xr-x 110 root              root              4096 16 feb 10.50 locale
-rw-r--r--   1 root              root                80 16 feb 10.50 manifest.yml
-rw-r--r--   1 root              root              1140 16 feb 10.50 phpci.yml
-rw-r--r--   1 root              root               984 16 feb 10.50 phpunit.xml
drwxr-xr-x   4 root              root              4096 16 feb 10.50 plugins
-rw-r--r--   1 root              root              2595 16 feb 10.50 README.md
drwxr-xr-x  13 root              root              4096 16 feb 10.50 tests
drwxr-xr-x   5 root              root              4096 16 feb 10.50 themes
drwxr-xr-x  37 root              root              4096 16 feb 10.50 third_party
drwxrwxr-x   5 apache-limesurvey apache-limesurvey 4096 17 feb 10.24 tmp
drwxrwxr-x   7 apache-limesurvey apache-limesurvey 4096 16 feb 10.50 upload

This is the configuration directory:

# ls -l /var/www/limesurvey/production/application/config
total 156
...
lrwxrwxrwx 1 root              root                 77 21 feb 19.44 config.php -> /etc/wmit-infrastructure/servers/fabula/projects/limesurvey/public-config.php
...
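
One way to check that the hardening above is actually in effect, as an added example that is not part of the original page: the functions below list anything outside tmp, upload and application/config that the web server user owns or that is world-writable, and anything under tmp that is still accessible to others. The function names are hypothetical; the writable directories and the www-data user are taken from the hardening commands above.

```sh
#!/bin/sh
# Added example, not part of the original page. Function names are hypothetical.
# The writable directories and the default user come from the hardening commands.

# List paths outside the intentionally writable directories that are owned by
# the web server user or are world-writable.
# Usage: lime_unexpected_writable ROOT [WEB_USER]
lime_unexpected_writable() {
    root=${1%/}                 # drop the trailing slash so -path matches
    web_user=${2:-www-data}
    # -H follows ROOT itself when it is a symlink (production is one)
    find -H "$root" \
        \( -path "$root/tmp" -o -path "$root/upload" \
           -o -path "$root/application/config" \) -prune \
        -o \( -user "$web_user" -o -perm -0002 \) ! -type l -print
}

# List paths under ROOT/tmp that "other" can still read, write or enter
# (the page runs: chmod -R o= "$LIME"/tmp).
# Usage: lime_tmp_exposed ROOT
lime_tmp_exposed() {
    root=${1%/}
    find -H "$root/tmp" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
        ! -type l -print
}

# Print all findings; return 0 only when there are none.
# Usage: lime_audit ROOT [WEB_USER]
lime_audit() {
    findings=$(lime_unexpected_writable "$1" "${2:-www-data}"; lime_tmp_exposed "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Example: lime_audit /var/www/limesurvey/production/ www-data
```

Run it as root after restoring the hardening; a non-empty listing means a path was left writable by the web server or exposed in tmp.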

Dependencies

apt install -y php-zip php-imap php-gd

Admin

This is the admin panel:

The enabled users are listed in:

Configuration

LimeSurvey configuration:

nano /var/www/limesurvey/production/application/config/config.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf

To publish any change in Wikimedia Phabricator, run this:

/root/scripts/commit.sh

Log

Generic Apache error log:

tail -f /var/log/apache2/error.log

Generic Apache access log:

tail -f /var/log/apache2/access_log

Service

To apply your changes you need to restart the services.

Service of the apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql limesurvey
> SHOW TABLES;
+-----------------------------------------------+
| Tables_in_limesurvey                          |
+-----------------------------------------------+
| lime_answers                                  |
| lime_assessments                              |
| lime_asset_version                            |
| lime_boxes                                    |
| lime_conditions                               |
| lime_defaultvalues                            |
| lime_expression_errors                        |
| lime_failed_login_attempts                    |
| lime_groups                                   |
| lime_labels                                   |
| lime_labelsets                                |
| lime_map_tutorial_users                       |
| lime_notifications                            |
| lime_old_survey_272925_20210218220912         |
| lime_old_survey_272925_20210218222604         |
| lime_old_survey_272925_20210218232807         |
| lime_old_survey_272925_20210219171305         |
| lime_old_survey_272925_timings_20210218220912 |
| lime_old_survey_272925_timings_20210218222604 |
| lime_old_survey_272925_timings_20210218232807 |
| lime_old_survey_272925_timings_20210219171305 |
| lime_participant_attribute                    |
| lime_participant_attribute_names              |
| lime_participant_attribute_names_lang         |
| lime_participant_attribute_values             |
| lime_participant_shares                       |
| lime_participants                             |
| lime_permissions                              |
| lime_plugin_settings                          |
| lime_plugins                                  |
| lime_question_attributes                      |
| lime_questions                                |
| lime_quota                                    |
| lime_quota_languagesettings                   |
| lime_quota_members                            |
| lime_saved_control                            |
| lime_sessions                                 |
| lime_settings_global                          |
| lime_settings_user                            |
| lime_survey_272925                            |
| lime_survey_272925_timings                    |
| lime_survey_856642                            |
| lime_survey_856642_timings                    |
| lime_survey_links                             |
| lime_survey_url_parameters                    |
| lime_surveymenu                               |
| lime_surveymenu_entries                       |
| lime_surveys                                  |
| lime_surveys_groups                           |
| lime_surveys_languagesettings                 |
| lime_template_configuration                   |
| lime_templates                                |
| lime_tutorial_entries                         |
| lime_tutorial_entry_relation                  |
| lime_tutorials                                |
| lime_user_groups                              |
| lime_user_in_groups                           |
| lime_users                                    |
+-----------------------------------------------+
58 rows in set (0.00 sec)

Created with:

# copy a password
pwgen 40

# create database
mysql
CREATE DATABASE limesurvey;
CREATE USER limesurvey@localhost IDENTIFIED BY '<omissis>';
GRANT ALL PRIVILEGES ON limesurvey.* TO limesurvey@localhost;

quit

E-mail

This application uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Automatic update

Just visit this page:

https://survey.wikimedia.it/index.php/admin/update

If the key is not valid anymore, copy and paste this page to request another one and have more than 120 updates:

After the update see #Logo.

Manual update

  1. backup files
  2. backup database
  3. see #Filesystem to remove hardening
  4. now:
    1. Option 1 without command line
      1. You can use the ComfortUpdate from the web interface (but you need to pay the license - that is good to support LimeSurvey)
    2. Option 2 with command line
      1. see #Deploy
      2. update the database:
        su www-data -s /bin/bash --command='php /var/www/limesurvey/production/application/commands/console.php updatedb'
  5. see #Filesystem to restore hardening

Notes:

  • to see the new version online you can just replace the symbolic link at /var/www/limesurvey/production.
  • remember to copy the /application/config inside your new version (both config.php and secret.php)

Then follow the official guide.

https://manual.limesurvey.org/upgrading_from_a_previous_version

After the update see #Logo.

Security

Deploy

# info
latest_stable=https://download.limesurvey.org/lts-releases/limesurvey3.25.17+210309.zip
version=3.25.17

# download
mkdir -p /var/www/limesurvey
cd       /var/www/limesurvey
wget "$latest_stable" -O stable.zip

# checks
sha256sum stable.zip 
# e528de65e48bb30ccfa581f975d9e989b9eb3ee1b65ab43aa80ef7e02b713b65  stable.zip
md5sum stable.zip
# 492d553ed00911b8c0e7ccfb45be0830  stable.zip
du stable.zip 
# 77052	stable.zip

# extract
apt install --yes unzip
unzip stable.zip
rm stable.zip

# give a meaningful name
mv limesurvey limesurvey-"$version"

# create symlink (-n replaces an existing production symlink instead of writing inside its target)
ln -fsn limesurvey-"$version" production

# create temporary locations
mkdir -p tmp
chown www-data: tmp
chmod 770       tmp

Now see #Filesystem and #Database.

Also see #Logo.

Logo

You may need to change a couple of lines in this configuration file to change the logo:

/etc/apache2/sites-enabled/it-wikimedia-survey-ssl.conf

Here are the lines:

#
# Update the logo
#
# https://commons.wikimedia.org/wiki/File:WikiSurvey_Logo_(lettering).svg
#
# https://phabricator.wikimedia.org/T275919
#
#    cd /var/www/limesurvey/wmi-images/
#    wget "https://upload.wikimedia.org/wikipedia/commons/thumb/0/03/WikiSurvey_Logo_(lettering).svg/350px-WikiSurvey_Logo_(lettering).svg.png"
#
#                 ↓ CHANGE THIS
Alias /tmp/assets/369bd233/survey_list_header.png /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png
Alias /tmp/assets/11637359/logo.png               /var/www/limesurvey/wmi-images/350px-WikiSurvey_Logo_(lettering).svg.png

When you are done, just reload Apache:

apachectl graceful

Phabricator