Tails

#1 Updated by intrigeri 2017-10-11 05:42:55

• Blueprint set to https://tails.boum.org/blueprint/survey_platform/#limesurvey-requirements

#2 Updated by intrigeri 2017-10-11 08:33:36

• Status changed from Confirmed to In Progress
• Assignee changed from intrigeri to sajolida
• % Done changed from 0 to 10
• QA Check set to Info Needed

I’ve set up the VM according to your specs and https://survey.tails.boum.org/ is now a thing! :)

I need more info:

• You didn’t specify the OS so you’ve got our default one i.e. Debian Stretch.
• You didn’t specify a web server on the blueprint but IIRC you’ve mentioned Apache earlier so I’ve installed it.
• How do you want to run the PHP webapp? mod_php, FPM, anything else? FPM is probably a bit more complex but it would perhaps make it easier to run multiple instances later if needed (e.g. to test a new version of the code before deploying it to production). We can/should of course start with the simplest thing that can possibly work and adjust later though. For now libapache2-mod-php7.0 is installed.
• Where do you want to install the code (run by PHP) and static data (served directly by Apache)? What I usually do is static data in /var/www/limesurvey/ and code in /var/lib/limesurvey/webapp, but if you want to use the vhost shipped in the upstream tarball it might not work for you i.e. perhaps you want everything in /var/www/limesurvey?
• You wrote “I didn’t have to edit the VHost on my prototype machine” but I’m not sure which vhost you’re talking about. Assuming you’re talking about an example vhost shipped in the upstream tarball, what I usually do is to create an empty file that you can edit (so you can copy the upstream one) and symlink /etc/apache2/sites-available/000-default.conf to it. Would that work for you?
• I’ve enabled MySQL strict mode (NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION,STRICT_ALL_TABLES), let me know if this causes problems down the road.
• I’ve installed libapache2-mod-removeip, let me know if that’s a problem.
• I don’t think you really meant you want a MySQL user called “piwik”, so it’s called “limesurvey” instead :) I’ve sent you your credentials over email.
• SSH access info is in internal.git.
• Wrt. “Be able to trigger a backup before the update and be able to restore it if it fails. I can also do that myself using rsync and mysqldump”, you have full access to your DB so you should be able to dump/restore it yourself via whatever manual means you want, but for your convenience:
  • I’ve allowed you to run /usr/sbin/backupninja --now --debug --run /etc/backup.d/10.mysql as root, which backups all the databases.
  • I’ve allowed you to run /bin/zcat /var/backups/mysql/sqldump/limesurvey.sql.gz as root, which gives you access to the content of the last backup; you can redirect stdout to a file and from there do whatever you want using the mysql client.

FYI the main config lives there https://git-tails.immerda.ch/puppet-tails/tree/manifests/limesurvey.pp (+ some other pieces in other files but you probably don’t care about them, except perhaps https://git-tails.immerda.ch/puppet-tails/tree/files/limesurvey/sudo/limesurvey-admin that defines your sudo credentials). Pull requests welcome if you need to run more commands as root :)

#4 Updated by sajolida 2017-10-11 11:39:49

• Assignee changed from sajolida to intrigeri

I think I answered everything.

#5 Updated by intrigeri 2017-10-11 14:33:18

• Assignee changed from intrigeri to sajolida
• QA Check changed from Info Needed to Ready for QA

>> * Where do you want to install the code (run by PHP) and static data (served directly by Apache)? What I usually do is static data in /var/www/limesurvey/ and code in /var/lib/limesurvey/webapp, but if you want to use the vhost shipped in the upstream tarball it might not work for you i.e. perhaps you want everything in /var/www/limesurvey?

> On my prototype I have everything in /var/www/limesurvey/, yes.

>> * You wrote “I didn’t have to edit the VHost on my prototype machine” but I’m not sure which vhost you’re talking about. Assuming you’re talking about an example vhost shipped in the upstream tarball, what I usually do is to create an empty file that you can edit (so you can copy the upstream one) and symlink /etc/apache2/sites-available/000-default.conf to it. Would that work for you?

> I used the default vhost of Apache and LimeSurvey didn’t require additional configuration.

With these two answers I suspect that at least one of those applies:

• Your prototype was serving the webapp with URLs that all started with /limesurvey/; given we have a dedicated hostname here, I guess you want to tweak the Apache config to drop this part of the URL (done, see below).
• You had already modified your Apache config earlier: the default vhost on Stretch has DocumentRoot /var/www/html so what you describe is simply not possible in my book with a pristine Apache (FTR it’s better to start from a clean new VM — or reset to a clean VM snapshot — when the goal is to find out what modifications are needed from the pristine state).

Anyway, whatever, because:

> So I guess that what you are proposing will work for me: I understand that it will give me read-write access to the default vhost of Apache so that should work out-of-the-box and also allow me to modify it if I need at some point.

Yes, except you would get read-write access to an empty Apache default vhost. Given the above, I’m pretty sure you will need to adjust it, so:

1. I’ve copied the default vhost shipped in the Debian package to the file you can modify: /var/lib/limesurvey/config/apache-vhost.conf
2. I’ve replaced DocumentRoot /var/www/html with DocumentRoot /var/www/limesurvey
3. I’ve turned /etc/apache2/sites-available/000-default.conf into a symlink to your vhost file
4. I’ve protected the whole thing behind basic HTTP auth since it seems to give anyone who knows about the URL admin access out-of-the-box; I’ve sent you the credentials over email. Please comment out the relevant config snippet once you’ve secured the webapp (I suspect you’ll need it again in the future for similar reasons, so it might be worth keeping it around).

/var/lib/limesurvey/config/apache-vhost.conf is in your realm i.e. it’s not managed by Puppet, you can modify it by hand and from now on it’s your job (i.e. it’s part of the service administration, not of the system administration). We’ll back it up though.

I think I’ve finished doing my job on this ticket, let me know if something is missing or broken.

#7 Updated by sajolida 2017-10-11 15:31:45

• Status changed from In Progress to Resolved
• Assignee deleted (sajolida)
• QA Check deleted (Ready for QA)

#8 Updated by sajolida 2017-10-16 14:07:24

• Parent task changed from Feature #14474 to Feature #14540