[Labs-l] RFC: Webtools setup

Tim Landscheidt tim at tim-landscheidt.de
Thu Feb 14 18:45:59 UTC 2013


Hi,

some brainstorming about how to set up Webtools
(https://labsconsole.wikimedia.org/wiki/Nova_Resource:Webtools).
Please chime in.

A tool for the purpose of Webtools is a set of files and
scripts that form a logical unit that can't be split up
sanely any more, i.e. some PHP files accessed online, some
PHP scripts for maintenance, some data in files and/or a
database, perhaps some (static) icons, etc.

Each tool is separated from other tools so they cannot
change each other's data and any intrusion is limited to one
tool.

Tools have one or more developers/maintainers.  A developer
can work on several tools and needs more (or other) access
rights than his tool(s).

Dependencies of tools on other software are specified
explicitly so that tools can be moved to other servers or
servers can be split by other software needed (i.e., a
server that only handles PHP, Ruby on Rails, etc.).
Dependencies can be different for development (command line)
and deployment (web).

As much configuration as possible should be maintained with
Puppet and in Gerrit.

So my proposal is:

- Each tool has one user under which its web scripts (and
  perhaps cron jobs) are run.  That user's name should be
  identical to the tool name used in URLs & Co.

- Each tool has a user group that consists of the tool user
  and the developers.

- Each tool has a directory under /data/project/web, owned
  by the user and the group, writable by the user and the
  group.  In it, the subdirectory "htdocs" contains the web
  stuff ("htdocs/cgi-bin" for CGI), the rest of the
  directory (structure) can be used for private data
  (including bot credentials), log files & Co.

- Each tool has a Puppet module à la:

  - webtools::TOOL::someuniqueserver:

    - ensure that the directory structure under
      /data/project/web/TOOL is set up

  - webtools::TOOL::loginserver:

    - user TOOL exists
    - group TOOL with members TOOL and developers exists
    - development dependencies for TOOL exist

  - webtools::TOOL::webserver:

    - user TOOL exists
    - group TOOL with members TOOL and developers exists
    - deployment dependencies for TOOL exist
    - configuration in /etc/apache2/conf.d/TOOL for
      URL "/TOOL/" -> directory
      "/data/project/web/TOOL/htdocs/" (plus CGI directory)

My (first :-)) questions are:

- Can glusterfs handle local users and groups on
  /data/project, or do we need to synchronize uids/gids?

- It's probable that some file beneath the "htdocs"
  directory (or "public_html" or whatever) will at one point
  be owned by a developer, but they shouldn't be executed as
  his account.  Can we configure Apache to execute all
  scripts beneath "/data/project/web/TOOL/htdocs/" as TOOL?

Of course: Other ideas, criticism, etc. more than welcome.

TIA,
Tim
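An added worked example of the per-tool Puppet layout proposed in the
mail above (example code written for this page, not the Webtools project's
own manifests): the "someuniqueserver", "loginserver" and "webserver"
classes for one tool, assumed here to be called "example". The developer
account names, the package names standing in for development and
deployment dependencies, the "private" and "logs" subdirectories and the
Service['apache2'] resource are all assumptions. One caveat on the mail's
second question: Apache's suEXEC would run cgi-bin scripts as the tool
user, but SuexecUserGroup is only accepted inside a VirtualHost, and
suexec refuses scripts and directories that are group-writable or not
owned by the target user, so it does not fit a group-writable "htdocs" as
proposed; the fragment below therefore runs CGI as the Apache user and
leaves that question open.

```puppet
# Added example, not the Webtools project's own code.  All classes are in
# one file for reading; Puppet's autoloader would want one file per class.

# Developer membership in the tool group is done with an exec instead of a
# user { } resource: a developer works on several tools, and each user
# resource may be declared only once.
define webtools::example::groupmember($tool) {
  exec { "groupmember-${tool}-${name}":
    command => "/usr/sbin/usermod -a -G ${tool} ${name}",
    unless  => "/usr/bin/id -nG ${name} | /bin/grep -qw ${tool}",
    require => Group[$tool],
  }
}

# Tool user, tool group and developers; shared by loginserver and webserver.
class webtools::example::account($developers) {
  $tool = 'example'

  group { $tool:
    ensure => present,
    system => true,
  }

  user { $tool:
    ensure  => present,
    gid     => $tool,
    home    => "/data/project/web/${tool}",
    shell   => '/bin/false',   # the tool account is never logged into
    system  => true,
    require => Group[$tool],
  }

  webtools::example::groupmember { $developers: tool => $tool }
}

# Applied on exactly one host, since /data/project is shared storage.
class webtools::example::someuniqueserver {
  $root = '/data/project/web/example'

  # 2771: the web server may traverse to htdocs but not list the rest;
  # setgid keeps files created by developers in the tool group.
  file { $root:
    ensure => directory,
    owner  => 'example',
    group  => 'example',
    mode   => '2771',
  }
  # 2775: readable by the web server, writable by tool user and developers.
  file { ["${root}/htdocs", "${root}/htdocs/cgi-bin"]:
    ensure => directory,
    owner  => 'example',
    group  => 'example',
    mode   => '2775',
  }
  # Assumed layout for bot credentials and logs: unreadable by the web server.
  file { ["${root}/private", "${root}/logs"]:
    ensure => directory,
    owner  => 'example',
    group  => 'example',
    mode   => '2770',
  }
}

class webtools::example::loginserver($developers = ['alice', 'bob']) {
  class { 'webtools::example::account': developers => $developers }
  package { 'php5-cli': ensure => present }   # assumed development dependency
}

class webtools::example::webserver($developers = ['alice', 'bob']) {
  class { 'webtools::example::account': developers => $developers }
  package { 'libapache2-mod-php5': ensure => present }  # assumed deployment dependency

  $tool = 'example'
  $root = "/data/project/web/${tool}"

  # Apache takes the first matching alias, so ScriptAlias precedes Alias.
  # Options are set absolutely: Indexes, FollowSymLinks and ExecCGI stay off
  # unless listed, and a symlink is followed only if its owner matches, so a
  # developer cannot expose another tool's private files by linking to them.
  file { "/etc/apache2/conf.d/${tool}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => "ScriptAlias /${tool}/cgi-bin/ ${root}/htdocs/cgi-bin/
Alias /${tool}/ ${root}/htdocs/
<Directory ${root}/htdocs/>
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory ${root}/htdocs/cgi-bin/>
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
",
    notify  => Service['apache2'],  # assumed to be declared by the site's apache class
  }
}
```

The file modes are the point of the example: the tool directory itself is
only traversable by others, so the web server can reach "htdocs" but
cannot read credentials or logs kept beside it, and the setgid bit means a
file a developer drops into "htdocs" still belongs to the tool group, which
is what keeps the per-tool group model working on shared storage.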