[Labs-l] RFC: Webtools setup
Tim Landscheidt
tim at tim-landscheidt.de
Thu Feb 14 18:45:59 UTC 2013
Hi,
some brainstorming about how to set up Webtools
(https://labsconsole.wikimedia.org/wiki/Nova_Resource:Webtools).
Please chime in.
A tool for the purpose of Webtools is a set of files and
scripts that form a logical unit that can't be split up sanely
any more, i.e. some PHP files accessed online, some PHP
scripts for maintenance, some data in files and/or a
database, perhaps some (static) icons, etc.
Each tool is separated from other tools so they cannot
change each other's data and any intrusion is limited to one
tool.
Tools have one or more developers/maintainers. A developer
can work on several tools and needs more (or other) access
rights than his tool(s).
Dependencies of tools on other software are specified
explicitly so that tools can be moved to other servers or
servers can be split by other software needed (i.e., a
server that only handles PHP, Ruby on Rails, etc.).
Dependencies can be different for development (command line) and
deployment (web).
As much configuration as possible should be maintained with
Puppet and in Gerrit.
So my proposal is:
- Each tool has one user under which its web scripts (and
perhaps cron jobs) are run. That user's name should be
identical to the tool name used in URLs & Co.
- Each tool has a user group that consists of the tool user
and the developers.
- Each tool has a directory under /data/project/web, owned
by the user and the group, writable by the user and the
group. In it, the subdirectory "htdocs" contains the web
stuff ("htdocs/cgi-bin" for CGI), the rest of the
directory (structure) can be used for private data (including
bot credentials), log files & Co.
- Each tool has a Puppet module à la:
- webtools::TOOL::someuniqueserver:
- ensure that the directory structure under
/data/project/web/TOOL is set up
- webtools::TOOL::loginserver:
- user TOOL exists
- group TOOL with members TOOL and developers exists
- development dependencies for TOOL exist
- webtools::TOOL::webserver:
- user TOOL exists
- group TOOL with members TOOL and developers exists
- deployment dependencies for TOOL exist
- configuration in /etc/apache2/conf.d/TOOL for
URL "/TOOL/" -> directory
"/data/project/web/TOOL/htdocs/" (plus CGI directory)
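The layout above written as a single Puppet defined type, one instance per tool and per server role (an added example, not code from the original post or from Labs: the type name, its parameters, stdlib's ensure_packages, the group "members" attribute and the Apache 2.4 directives are assumptions):

```puppet
# Added example (not part of Tim's proposal): realizes the per-tool user,
# group, directory tree and Apache fragment described above. Assumes
# puppetlabs-stdlib (ensure_packages), a group provider that supports
# 'members', and Apache 2.4 access-control syntax.
define webtools::tool (
  Enum['login', 'web'] $role,            # loginserver vs. webserver variant
  Array[String]        $developers = [], # maintainers who share the tool group
  Array[String]        $packages   = [], # development or deployment dependencies
) {
  $tool = $title
  $root = "/data/project/web/${tool}"

  # One dedicated account per tool; no interactive shell on the web server.
  group { $tool:
    ensure  => present,
    members => [$tool] + $developers,
  }
  user { $tool:
    ensure  => present,
    gid     => $tool,
    home    => $root,
    shell   => $role ? { 'login' => '/bin/bash', 'web' => '/usr/sbin/nologin' },
    require => Group[$tool],
  }

  # Dependencies are declared explicitly so a tool can move between hosts.
  ensure_packages($packages)

  # Tool root is private to user+group (setgid keeps new files in the group);
  # htdocs must be readable by the web server, so it is world-readable.
  file { $root:
    ensure => directory, owner => $tool, group => $tool, mode => '2770',
  }
  file { ["${root}/htdocs", "${root}/htdocs/cgi-bin"]:
    ensure => directory, owner => $tool, group => $tool, mode => '2775',
  }

  # Web servers additionally map /TOOL/ to htdocs; ScriptAlias precedes
  # Alias so the more specific CGI mapping wins.
  if $role == 'web' {
    file { "/etc/apache2/conf.d/${tool}":
      ensure  => file, owner => 'root', group => 'root', mode => '0644',
      content => @("CONF"),
        ScriptAlias /${tool}/cgi-bin/ ${root}/htdocs/cgi-bin/
        Alias /${tool}/ ${root}/htdocs/
        <Directory ${root}/htdocs>
          Options -Indexes
          AllowOverride None
          Require all granted
        </Directory>
        | CONF
      notify  => Service['apache2'],
    }
  }
}
```

Private data (credentials, logs) stays under the 2770 root and outside htdocs, so the web server can serve static files without reading the rest of the tree.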
My (first :-)) questions are:
- Can glusterfs handle local users and groups on
/data/project, or do we need to synchronize uids/gids?
- It's probable that some file beneath the "htdocs"
directory (or "public_html" or whatever) will at one point be
owned by a developer, but they shouldn't be executed as
his account. Can we configure Apache to execute all
scripts beneath "/data/project/web/TOOL/htdocs/" as TOOL?
Of course: Other ideas, criticism, etc. more than welcome.
TIA,
Tim