Textpattern CMS support forum
Re: Any Digital Ocean users?
jstubbs wrote #280580:
Diagnostics also reports that the following extensions are not enabled:
The following PHP functions (which may be necessary to run Textpattern) are disabled on your server: pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority,...
I think we can live without those, correct?
But all other hosting servers don’t report those missing, so is it a case that you have not installed the Full PHP instance?
…. texted postive
Re: Any Digital Ocean users?
jstubbs wrote #280579:
Jukka, one thing I did notice with the TXP installs after migration is that Diagnostics reports that Files, Images and Tmp are not writable, but each folder is set to 755.
If you are using Ubuntu/Debian, your Apache by default runs under www-data user. Setting a directory 755 gives write access just to the user owning the directory.
user: 7 = 4 (read) + 2 (write) + 1 (execute)
group: 5 = 4 + 1
world: 5 = 4 + 1
Now, you could set the permissions to 777 (I don’t really recommend that), or you could make it so that the directories are owned by the www-data group, and make sure new files are uploaded with the group too. I personally do it like that. I add the users that are used to upload files to Apache’s used user group, and sticky the group of the directory hosting the VirtualHost.
$ usermod -a -G www-data someuser
$ chgrp -R www-data /path/to/server/document/root
$ chmod g+s /path/to/server/document/root
When dealing with permissions, what you want to make sure is that you don’t accidentally give Apache access to write over your files. Make sure the umask used when uploading (client-side setting) is at most 644 for files and 755 for directories.
I think we can live without those, correct?
They are most likely disabled in the httpd-specific PHP config. Those functions cannot be used outside CLI, so the default PHP5 httpd config in Debian/Ubuntu, if I remember correctly, does that at least on some versions.
bici wrote #280582:
But all other hosting servers don’t report those missing, so is it a case that you have not installed the Full PHP instance?
Disabled functions are explicitly disabled in PHP config, and it’s not related to them being installed or not. The Diagnostics report just lists the items specified as disabled in the PHP config.
Last edited by Gocom (2014-05-04 17:59:47)
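The permission arithmetic, the setgid inheritance and the "what can Apache write to" check from the post above, as an added example that is not part of the original post. It works in scratch directories without root, the current user's group stands in for www-data, and the sample tree and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Runs in scratch directories, no root
# needed; the current user's group stands in for www-data. Needs GNU stat.

# Print the octal mode a new file or directory gets under a given umask.
mode_under_umask() {  # usage: mode_under_umask MASK file|dir
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi
        stat -c '%a' "$d/new"
        rm -rf "$d"
    )
}

# Print the mode of a directory created inside a "chmod g+s" parent. The
# leading 2 is the inherited setgid bit, which keeps new uploads in the group.
setgid_child_mode() {
    (
        d=$(mktemp -d) || exit 1
        umask 022
        chmod g+s "$d"
        mkdir "$d/uploads"
        stat -c '%a' "$d/uploads"
        rm -rf "$d"
    )
}

# List paths under a document root that group or world may write to. Once the
# tree is group-owned by the web server, these are the paths Apache can modify.
web_writable() {  # usage: web_writable DOCROOT
    find "$1" \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Constructed sample tree: images/ is meant to be writable, config.php is not.
build_sample_docroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/images" "$root/textpattern"
    : > "$root/index.php"; : > "$root/textpattern/config.php"
    chmod 755 "$root" "$root/textpattern"
    chmod 775 "$root/images"
    chmod 644 "$root/index.php"
    chmod 664 "$root/textpattern/config.php"
    printf '%s\n' "$root"
}

echo "umask 022: file $(mode_under_umask 022 file), dir $(mode_under_umask 022 dir)"
sample=$(build_sample_docroot) && web_writable "$sample" && rm -rf "$sample"
```

On a real server, `web_writable /var/www` after the `chgrp -R` step should list only the directories Textpattern is meant to write to (files, images, tmp).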
Re: Any Digital Ocean users?
Gocom wrote #280583:
If you are using Ubuntu/Debian, your Apache by default runs under www-data user. Setting a directory 755 gives write access just to the user owning the directory.
Yes, using LAMP on Ubuntu 12.04.
Now, you could set the permissions to 777 (I don’t really recommend that)
No chance!
..or you could make so that the directories are owned by www-data group, and make sure new files are uploaded with the group too. I personally do it like that. I add the users that are used to upload files to Apache’s used user group, and sticky the group of the directory hosting the VirtualHost.
Oh, chmod and permissions…my least favourite thing..! Yes, currently just using the root user so that would be causing the TXP error notice with the /images directory.
$ usermod -a -G www-data someuser
$ chgrp -R www-data /path/to/server/document/root
$ chmod g+s /path/to/server/document/root
So, with your example above, should I change that to:
$ usermod -a -G www-data root (I'm using the root user so far)
$ chgrp -R www-data /var/www/ (websites are all in the /var/www/ directory)
$ chmod g+s /var/www/
When dealing with permissions what you want to make sure, is that you accidentally don’t give Apache access to write over your files. Make sure the umask used when uploading (client-side setting), is at most 644 for files and 755 for directories.
Umm, you lost me here! Never heard of umask before. I guess this Linux permissions article covers the topic. Need to read up on this..
Re: Any Digital Ocean users?
jstubbs wrote #280607:
Yes, using LAMP on Ubuntu 12.04.
Since it’s a new installation, you should update to the current LTS, 14.04. It’s available on DigitalOcean’s image options too. 14.04 offers closer to up-to-date packages.
I’m using the root user so far
www.youtube.com/watch?v=Eal4fep7pK4
First thing you should do is to create your own user and disable log in through the root. I hope you aren’t running as a root with the random password DigitalOcean gave you. Your server can easily get compromised in a few months if you are doing so. There is no rate limiting or protection going on by default.
Basic steps to securing SSH are:
- Change root password and create your own new admin user.
- Rate limit SSH with Fail2Ban
- Set up SSH keys and disable password login.
Oh, chmod and permissions…my least favourite thing..!
Access permissions is one of the best things about Unix-like systems, tho.
Yes, currently just using the root user so that would be causing the TXP error notice with the /images directory.
That should always happen, no matter the user ;-) Apache is almost without exception run under its own user. Otherwise Apache has access to all of your files, or could roam around as root.
Last edited by Gocom (2014-05-06 08:28:24)
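One way to check the first and third SSH steps listed above, as an added example that is not part of the original post. It reads sshd_config text on stdin; the function names and both sample configs are constructed for illustration, and a keyword that is not set globally is reported as weak because the compiled-in default then applies.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config text read from stdin.

# Print the effective global value of a keyword, or "unset". sshd uses the
# first occurrence of a keyword, keywords are case-insensitive, and lines
# after a Match line are conditional, so parsing stops there.
sshd_effective() {  # usage: sshd_effective KEYWORD < sshd_config
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    '
}

# Print one finding per line; return 1 if root or password login is possible.
audit_sshd() {
    conf=$(cat)
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(printf '%s\n' "$conf" | sshd_effective "$key")
        if [ "$val" = no ]; then
            echo "ok   $key $val"
        else
            echo "weak $key $val"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples. In the first, the only PasswordAuthentication line that
# is not commented out sits inside a Match block, so it is not a global setting.
sample_default() { cat <<'EOF'
# Authentication
PermitRootLogin yes
#PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
}
sample_hardened() { cat <<'EOF'
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes
EOF
}

sample_default | audit_sshd
sample_hardened | audit_sshd
```

Against a live server, feed it the real file: `audit_sshd < /etc/ssh/sshd_config`.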
Re: Any Digital Ocean users?
Gocom wrote #280612:
Since it’s a new installation, you should update to the current LTS, 14.04. It’s available on DigitalOcean’s image options too. 14.04 offers closer to up-to-date packages.
You mean * Ubuntu 14.04 x64 vmlinuz-3.13.0-24-generic from Droplet > Settings > Kernel? Actually when creating a new Droplet, one can’t choose Ubuntu 14.04 x64 and a Lamp stack from Applications. It only allows LAMP on Ubuntu 12.04.
Newbie question: Does updating to 14.04 change the Lamp stack in any way?
www.youtube.com/watch?v=Eal4fep7pK4
Ah, so you are saying using root is a no-no, then? ;)
I hope you aren’t running as a root with the random password DigitalOcean gave you. Your server can easily get compromised in few months if you are doing so. There is no rate limiting or protection going on by default.
No, I use 1Password for all passwords and assigned a new one. Slowly creating new PW’s for all logins after Heartbleed.
Basic steps to securing SSH are:
Sigh. Some more work to be done then!
Re: Any Digital Ocean users?
jstubbs wrote #280614:
You mean * Ubuntu 14.04 x64 vmlinuz-3.13.0-24-generic from Droplet > Settings > Kernel? Actually when creating a new Droplet, one can’t choose Ubuntu 14.04 x64 and a Lamp stack from Applications. It only allows LAMP on Ubuntu 12.04.
That’s the one. I would recommend sticking to the actual base image, and steering clear of those Applications. Those “Applications” are just images with a few additional pre-installed packages. They are not configured in any way to be production safe, and even if you use one, you still have to update it, check conflicts and configure it.
Newbie question: Does updating to 14.04 change the Lamp stack in any way?
The initial set up takes a while. Minimum steps to set up a simple base server are:
- Configure hostname and DNS.
- Create SPF DNS record.
- Set up Fully Qualified Hostname correctly.
- Set up firewall to block ports. Block anything, but SSH (22), HTTP (80) and HTTPS (443).
- Set up MTA for mail delivery.
- Create swapfile to reduce crashes.
- Install Apache, MySQL and PHP.
- Optimize Apache performance by limiting child processes.
Ah, so you are saying using root is a no-no, then? ;)
I don’t know what you are talking about. That’s just a clip I wanted to share ;-P
Last edited by Gocom (2014-05-06 09:36:52)
Re: Any Digital Ocean users?
Hi Jukka,
Just going through your suggestions this afternoon with a new droplet running Ubuntu 14.04. Apart from the server setup, I’m wondering what you use for email?
Currently, I use Gandi for domain registrations and email, Mailjet for sending business emails (for the SPF and tracking delivery of the mails) and Cloudflare for caching and DNS (unfortunately on Cloudflare one can’t install an SSL certificate without paying).
I’m looking through the Postfix tutorial and wondering about email. I have one business site for which I’d like to have pretty solid backups, security and uptime.
Any experience with Fastmail or other service? I’m quite happy with Gandi but it’s limited to 5GB and seems to be down every now and then.
Re: Any Digital Ocean users?
jstubbs wrote #280710:
Just going through your suggestions this afternoon with a new droplet running Ubuntu 14.04. Apart from the server setup, I’m wondering what you use for email?
Google Apps, and any other reputable hosted service would work too, including FastMail.
I’m looking through the Postfix tutorial and wondering about email. I have one business site for which I’d like to have pretty solid backups, security and uptime.
You just need it for MTA (sending only, from Textpattern and so). Due to stability and added maintenance burden, I don’t recommend hosting email yourself.
Re: Any Digital Ocean users?
Thanks Jukka, I forgot about Postfix for internal emails, will set it up.
I’ve just reached the Install LAMP stage for the droplet, and wondering about PHP modules. Seems most of them need to be manually installed:
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-gd - GD module for php5
php5-gmp - GMP module for php5
php5-json - JSON module for php5
php5-ldap - LDAP module for php5
php5-mysql - MySQL module for php5
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-pspell - pspell module for php5
php5-readline - Readline module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-tidy - tidy module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
php5-adodb - Extension optimising the ADOdb database abstraction library
php5-apcu - APC User Cache for PHP 5
php5-enchant - Enchant module for php5
php5-exactimage - fast image manipulation library (PHP bindings)
php5-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)
php5-gdcm - Grassroots DICOM PHP5 bindings
php5-gearman - PHP wrapper to libgearman
php5-geoip - GeoIP module for php5
php5-gnupg - wrapper around the gpgme library
php5-imagick - ImageMagick module for php5
php5-imap - IMAP module for php5
php5-interbase - interbase/firebird module for php5
php5-intl - internationalisation module for php5
php5-lasso - Library for Liberty Alliance and SAML protocols - PHP 5 bindings
php5-librdf - PHP5 language bindings for the Redland RDF library
php5-mapscript - php5-cgi module for MapServer
php5-mcrypt - MCrypt module for php5
php5-memcache - memcache extension module for PHP5
php5-memcached - memcached extension module for PHP5, uses libmemcached
php5-midgard2 - Midgard2 Content Repository - PHP5 language bindings and module
php5-ming - Ming module for php5
php5-mongo - MongoDB database driver
php5-msgpack - PHP extension for interfacing with MessagePack
php5-mysqlnd - MySQL module for php5 (Native Driver)
php5-mysqlnd-ms - MySQL replication and load balancing module for PHP
php5-oauth - OAuth 1.0 consumer and provider extension
php5-pinba - Pinba module for PHP 5
php5-ps - ps module for PHP 5
php5-radius - PECL radius module for PHP 5
php5-redis - PHP extension for interfacing with Redis
php5-remctl - PECL module for Kerberos-authenticated command execution
php5-rrd - PHP bindings to rrd tool system
php5-sasl - Cyrus SASL Extension
php5-stomp - Streaming Text Oriented Messaging Protocol (STOMP) client module for PHP 5
php5-svn - PHP Bindings for the Subversion Revision control system
php5-sybase - Sybase / MS SQL Server module for php5
php5-tokyo-tyrant - PHP interface to Tokyo Cabinet's network interface, Tokyo Tyrant
php5-vtkgdcm - Grassroots DICOM VTK PHP bindings
php5-xcache - Fast, stable PHP opcode cacher
php5-xdebug - Xdebug Module for PHP 5
php5-xhprof - Hierarchical Profiler for PHP5
I guess they all need to be installed like so: sudo apt-get install name of the module – but thought I should check with an expert first!
Re: Any Digital Ocean users?
jstubbs wrote #280713:
I guess they all need to be installed like so: sudo apt-get install name of the module – but thought I should check with an expert first!
Yes, as outlined in the guide. Only install the stuff you need, tho. In addition to the packages installed in the guide, Textpattern requires cURL, GD and JSON extensions:
$ sudo apt-get install php5-curl php5-gd php5-json
You may also want/need php5-fpm instead of the Apache module, depending on what you are serving from the server and whether you want to run nginx instead. The Apache module in general performs faster than FastCGI, but every Apache process will require more memory, leading to higher memory usage if the server is used to serve non-PHP generated pages (i.e. flat files).
I personally also use memcached (via rah_memcached) for fast in-memory caching:
$ sudo apt-get install memcached php5-memcached
Last edited by Gocom (2014-05-11 12:31:12)
Re: Any Digital Ocean users?
I don’t see a guide to the packages required – the tutorial talks about the list of modules and how to install them. Did I miss something?
At the moment, I’m not able to access my_ip_number/info.php (I get a 404) which is quite frustrating, I can’t check the current PHP setup.
Re: Any Digital Ocean users?
jstubbs wrote #280715:
I don’t see a guide to the packages required – the tutorial talks about the list of modules and how to install them. Did I miss something?
Those are packages, and you install them as any other packages. In the guide you specifically install php5, mcrypt extension and mod_php module for Apache that then loads PHP in Apache, and is responsible for processing served .php files.
At the moment, I’m not able to access my_ip_number/info.php (I get a 404) which is quite frustrating, I can’t check the current PHP setup.
If you get 404, then the server is responding properly, but the file requested does not exist. Checking PHP configuration doesn’t involve Apache or creating files, tho. E.g.
$ php -i