Diffstat (limited to 'docs/source/siteadmin/production-deployments.rst')
-rw-r--r-- | docs/source/siteadmin/production-deployments.rst | 159 |
1 files changed, 32 insertions, 127 deletions
diff --git a/docs/source/siteadmin/production-deployments.rst b/docs/source/siteadmin/production-deployments.rst index 681a3cda..511245f9 100644 --- a/docs/source/siteadmin/production-deployments.rst +++ b/docs/source/siteadmin/production-deployments.rst 
@@ -19,142 +19,48 @@ This document contains a number of suggestions for deploying MediaGoblin in actual production environments. Consider ":doc:`deploying`" for a basic overview of how to deploy MediaGoblin. -Deploy with paste ------------------ -The MediaGoblin WSGI application instance you get with ``./lazyserver.sh`` is -not ideal for a production MediaGoblin deployment. Ideally, you should be able -to use a Systemd service file or an init script to launch and restart the -MediaGoblin process. +Should I Keep Open Registration Enabled? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -We will explore setting up MediaGoblin Systemd service files and init scripts, -but first we need to create the directory that will store the MediaGoblin logs. +Unfortunately, in this current release of MediaGoblin we are suffering +from spammers registering to public instances en masse. As such, you +may want to either: +a) Disable registration on your instance and just make + accounts for people you know and trust (eg via the `gmg adduser` + command). You can disable registration in your mediagoblin.ini + like so:: -.. _create-log-file-dir: + [mediagoblin] + allow_registration = false -Create the directory for your log file: ---------------------------------------- +b) Enable a CAPTCHA plugin. But unfortunately, though some CAPTCHA + plugins exist, for various reasons we do not have any general + recommendations we can make at this point. -Production logs for the MediaGoblin application are kept in the -``/var/log/mediagoblin`` directory. Create the directory and give it the -proper permissions:: +We hope to have a better solution to this situation shortly. We +apologize for the inconvenience in the meanwhile. - sudo mkdir -p /var/log/mediagoblin && sudo chown -hR mediagoblin:mediagoblin /var/log/mediagoblin +Security Considerations +~~~~~~~~~~~~~~~~~~~~~~~ -.. _systemd-service-files: +.. 
warning:: -Use Systemd service files -------------------------- + The directory ``user_dev/crypto/`` contains some very + sensitive files. + Especially the ``itsdangeroussecret.bin`` is very important + for session security. Make sure not to leak its contents anywhere. + If the contents gets leaked nevertheless, delete your file + and restart the server, so that it creates a new secret key. + All previous sessions will be invalidated. -If your operating system uses Systemd, you can use Systemd ``service files`` -to manage both the Celery and Paste processes. Place the following service -files in the ``/etc/systemd/system/`` directory. - -The first file should be named ``mediagoblin-celeryd.service``. Be sure to -modify it to suit your environment's setup: - -.. code-block:: bash - - # Set the WorkingDirectory, Environment and ExecStart values to match your environment. - # If using Debian/Ubuntu, mkdir and chown are located in /bin/mkdir and /bin/chown, respectively. - # If using Fedora/CentOS/Red Hat, mkdir and chown are located in /usr/bin/mkdir and /usr/bin/chown, respectively. - - [Unit] - Description=MediaGoblin Celeryd - - [Service] - User=mediagoblin - Group=mediagoblin - Type=simple - WorkingDirectory=/srv/mediagoblin.example.org/mediagoblin - # Start mg-celeryd process as root, then switch to mediagoblin user/group - # (This is needed to run the ExecStartPre commands) - PermissionsStartOnly=true - # Create directory for PID (if needed) and set ownership - ExecStartPre=/bin/mkdir -p /run/mediagoblin - ExecStartPre=/bin/chown -hR mediagoblin:mediagoblin /run/mediagoblin - # Celery process will run as the `mediagoblin` user after start. 
- Environment=MEDIAGOBLIN_CONFIG=/srv/mediagoblin.example.org/mediagoblin/mediagoblin.ini \ - CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery - ExecStart=/srv/mediagoblin.example.org/mediagoblin/bin/celery worker \ - --logfile=/var/log/mediagoblin/celery.log \ - --loglevel=INFO - PIDFile=/run/mediagoblin/mediagoblin-celeryd.pid - - [Install] - WantedBy=multi-user.target - - -The second file should be named ``mediagoblin-paster.service``: - - -.. code-block:: bash - - # Set the WorkingDirectory, Environment and ExecStart values to match your environment. - # If using Debian/*buntu, mkdir and chown are located in /bin/mkdir and /bin/chown, respectively. - # If using Fedora/CentOS/Red Hat, mkdir and chown are located in /usr/bin/mkdir and /usr/bin/chown, respectively. - [Unit] - Description=Mediagoblin - - [Service] - Type=forking - User=mediagoblin - Group=mediagoblin - Environment=CELERY_ALWAYS_EAGER=false - WorkingDirectory=/srv/mediagoblin.example.org/mediagoblin - # Start mg-paster process as root, then switch to mediagoblin user/group - PermissionsStartOnly=true - ExecStartPre=-/bin/mkdir -p /run/mediagoblin - ExecStartPre=/bin/chown -hR mediagoblin:mediagoblin /run/mediagoblin - - ExecStart=/srv/mediagoblin.example.org/mediagoblin/bin/paster serve \ - /srv/mediagoblin.example.org/mediagoblin/paste_local.ini \ - --pid-file=/var/run/mediagoblin/mediagoblin.pid \ - --log-file=/var/log/mediagoblin/mediagoblin.log \ - --daemon \ - --server-name=main - ExecStop=/srv/mediagoblin.example.org/mediagoblin/bin/paster serve \ - --pid-file=/var/run/mediagoblin/mediagoblin.pid \ - /srv/mediagoblin.example.org/mediagoblin/paste_local.ini stop - PIDFile=/var/run/mediagoblin/mediagoblin.pid - - [Install] - WantedBy=multi-user.target - - - -Enable these processes to start at boot by entering:: - - sudo systemctl enable mediagoblin-celeryd.service && sudo systemctl enable mediagoblin-paster.service - - -Start the processes for the current session with:: - - sudo 
systemctl start mediagoblin-paster.service - sudo systemctl start mediagoblin-celeryd.service - - -If either command above gives you an error, you can investigate the cause of -the error by entering:: - - sudo systemctl status mediagoblin-celeryd.service or - sudo systemctl status mediagoblin-paster.service - -The above ``systemctl status`` command is also useful if you ever want to -confirm that a process is still running. If you make any changes to the service -files, you can reload the service files by entering:: - - sudo systemctl daemon-reload - -After entering that command, you can attempt to start the Celery or Paste -processes again. .. _init-script: -Use an init script ------------------- +Alternative init scripts +------------------------ If your system does not use Systemd, you can use the following command as the basis for an init script: @@ -187,11 +93,6 @@ as the basis for your script: Members of the MediaGoblin community have provided init scripts for the following GNU/Linux distributions: -Debian - * `GNU MediaGoblin init scripts - <https://github.com/joar/mediagoblin-init-scripts>`_ - by `Joar Wandborg <http://wandborg.se>`_ - Arch Linux * `MediaGoblin - ArchLinux rc.d scripts <http://whird.jpope.org/2012/04/14/mediagoblin-archlinux-rcd-scripts>`_ @@ -209,6 +110,9 @@ one distribution to the next. Separate celery --------------- +":doc:`deploying`" describes a configuration with a separate Celery process, but +the following section covers this in more detail. + MediaGoblin uses `Celery`_ to handle heavy and long-running tasks. Celery can be launched in two ways: @@ -251,6 +155,7 @@ background. .. _sentry: + Set up sentry to monitor exceptions ----------------------------------- |
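Review bot: In the first hunk (@@ -19,142 +19,48 @@), the new headings "Should I Keep Open Registration Enabled?" and "Security Considerations" are underlined with `~`, while the sections after them ("Alternative init scripts", "Separate celery") keep `-`. reStructuredText assigns heading levels by order of first appearance, so unless a heading above line 19 already uses `-`, the two `~` sections become the top-level sections and every later `-` section is nested under "Security Considerations". Suggest underlining the new headings with `-` to match the rest of the file. In the same hunk, the warning tells the admin not to leak ``itsdangeroussecret.bin`` but not how to protect it; one sentence stating that ``user_dev/crypto/`` should be readable only by the account that runs MediaGoblin would make the warning actionable, and "If the contents gets leaked" should read "If the contents get leaked".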
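Review bot: In the third hunk (@@ -209,6 +110,9 @@), the sentence added under "Separate celery" says "the following section covers this in more detail", but it sits inside the section it refers to, so "following" is ambiguous. Suggest "this section covers it in more detail". The straight double quotes around :doc:`deploying` can stay since they match the existing usage in the context line of the first hunk.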