Commit | Line | Data |
---|---|---|
473a4431 CAW |
1 | .. MediaGoblin Documentation |
2 | ||
fd5c35e5 | 3 | Written in 2011, 2012, 2013 by MediaGoblin contributors |
473a4431 CAW |
4 | |
5 | To the extent possible under law, the author(s) have dedicated all | |
6 | copyright and related and neighboring rights to this software to | |
7 | the public domain worldwide. This software is distributed without | |
8 | any warranty. | |
9 | ||
10 | You should have received a copy of the CC0 Public Domain | |
11 | Dedication along with this software. If not, see | |
12 | <http://creativecommons.org/publicdomain/zero/1.0/>. | |
13 | ||
abe74178 WKG |
14 | .. _deploying-chapter: |
15 | ||
4e893b6e | 16 | ===================== |
17 | Deploying MediaGoblin | |
18 | ===================== | |
00fdc7bd | 19 | |
44db13fa JC |
20 | GNU MediaGoblin is fairly new, and so at the time of writing there aren't |
21 | easy package-manager-friendly methods to install it. However, doing a basic | |
22 | install isn't too complex in and of itself. Following this deployment guide | |
23 | will take you step-by-step through setting up your own instance of MediaGoblin. | |
56d507b6 | 24 | |
44db13fa JC |
25 | Of course, when it comes to setting up web applications like MediaGoblin, |
26 | there's an almost infinite number of ways to deploy things, so for now, we'll keep it | |
27 | simple with some assumptions. We recommend a setup that combines MediaGoblin + | |
28 | virtualenv + fastcgi + nginx on a .deb- or .rpm-based GNU/Linux distro. | |
29 | ||
30 | Other deployment options (e.g., deploying on FreeBSD, Arch Linux, using | |
31 | Apache, etc.) are possible, though! If you'd prefer a different deployment | |
32 | approach, see our | |
33 | `Deployment wiki page <http://wiki.mediagoblin.org/Deployment>`_. | |
e260065a | 34 | |
076bf0cf WKG |
35 | .. note:: |
36 | ||
37 | These tools are for site administrators wanting to deploy a fresh | |
44db13fa | 38 | install. If you want to join in as a contributor, see our |
076bf0cf | 39 | `Hacking HOWTO <http://wiki.mediagoblin.org/HackingHowto>`_ instead. |
e260065a | 40 | |
44db13fa JC |
41 | .. note:: |
42 | ||
43 | Throughout the documentation we use the ``sudo`` command to indicate that | |
44 | an instruction requires elevated user privileges to run. You can issue | |
45 | these commands as the ``root`` user if you prefer. | |
46 | ||
47 | If you need help configuring ``sudo``, see the | |
48 | `Debian wiki <https://wiki.debian.org/sudo/>`_ or the | |
49 | `Fedora Project wiki <https://fedoraproject.org/wiki/Configuring_Sudo/>`_. | |
50 | ||
4d8a3cd8 | 51 | |
4e893b6e | 52 | Prepare System |
53 | -------------- | |
e260065a | 54 | |
4e893b6e | 55 | Dependencies |
56 | ~~~~~~~~~~~~ | |
e260065a | 57 | |
4e893b6e | 58 | MediaGoblin has the following core dependencies: |
e260065a | 59 | |
2acf47d8 | 60 | - Python 2.7 |
4e893b6e | 61 | - `python-lxml <http://lxml.de/>`_ |
62 | - `git <http://git-scm.com/>`_ | |
775ec9e8 | 63 | - `SQLite <http://www.sqlite.org/>`_/`PostgreSQL <http://www.postgresql.org/>`_ |
4e893b6e | 64 | - `Python Imaging Library <http://www.pythonware.com/products/pil/>`_ (PIL) |
65 | - `virtualenv <http://www.virtualenv.org/>`_ | |
4ec1af11 | 66 | - `nodejs <https://nodejs.org>`_ |
e260065a | 67 | |
4e893b6e | 68 | On a DEB-based system (e.g. Debian, gNewSense, Trisquel, Ubuntu, and |
7798f911 | 69 | derivatives) issue the following command:: |
e260065a | 70 | |
44db13fa | 71 | sudo apt-get install git-core python python-dev python-lxml \ |
4ec1af11 | 72 | python-imaging python-virtualenv npm automake |
e260065a | 73 | |
4e893b6e | 74 | On a RPM-based system (e.g. Fedora, RedHat, and derivatives) issue the |
7798f911 | 75 | following command:: |
4e893b6e | 76 | |
44db13fa | 77 | sudo yum install python-paste-deploy python-paste-script \ |
076bf0cf | 78 | git-core python python-devel python-lxml python-imaging \ |
4ec1af11 | 79 | python-virtualenv npm automake |
e260065a | 80 | |
775ec9e8 JW |
81 | Configure PostgreSQL |
82 | ~~~~~~~~~~~~~~~~~~~~ | |
83 | ||
84 | .. note:: | |
85 | ||
7798f911 WKG |
86 | MediaGoblin currently supports PostgreSQL and SQLite. The default is a |
87 | local SQLite database. This will "just work" for small deployments. | |
775ec9e8 | 88 | |
7798f911 WKG |
89 | For medium to large deployments we recommend PostgreSQL. |
90 | ||
91 | If you don't want/need postgres, skip this section. | |
92 | ||
44db13fa | 93 | These are the packages needed for Debian Jessie (stable):: |
775ec9e8 | 94 | |
44db13fa | 95 | sudo apt-get install postgresql postgresql-client python-psycopg2 |
c3075e91 JC |
96 | |
97 | These are the packages needed for an RPM-based system:: | |
98 | ||
44db13fa | 99 | sudo yum install postgresql postgresql-server python-psycopg2 |
c3075e91 | 100 | |
44db13fa | 101 | An RPM-based system also requires that you initialize the PostgreSQL database |
c3075e91 JC |
102 | with this command. The following command is not needed on a Debian-based |
103 | platform, however:: | |
104 | ||
44db13fa | 105 | sudo /usr/bin/postgresql-setup initdb |
775ec9e8 JW |
106 | |
107 | The installation process will create a new *system* user named ``postgres``, | |
c3075e91 | 108 | which will have privileges sufficient to manage the database. We will create a |
775ec9e8 JW |
109 | new database user with restricted privileges and a new database owned by our |
110 | restricted database user for our MediaGoblin instance. | |
111 | ||
112 | In this example, the database user will be ``mediagoblin`` and the database | |
113 | name will be ``mediagoblin`` too. | |
114 | ||
c3075e91 JC |
115 | We'll add these entities by first switching to the *postgres* account:: |
116 | ||
44db13fa | 117 | sudo su - postgres |
775ec9e8 | 118 | |
c3075e91 JC |
119 | This will change your prompt to a shell prompt, such as *-bash-4.2$*. Enter |
120 | the following *createuser* and *createdb* commands at that prompt. We'll | |
121 | create the *mediagoblin* database user first:: | |
775ec9e8 | 122 | |
44db13fa JC |
123 | # this command and the one that follows are run as the ``postgres`` user: |
124 | createuser -A -D mediagoblin | |
775ec9e8 | 125 | |
c3075e91 JC |
126 | Then we'll create the database where all of our MediaGoblin data will be stored:: |
127 | ||
44db13fa | 128 | createdb -E UNICODE -O mediagoblin mediagoblin |
775ec9e8 JW |
129 | |
130 | where the first ``mediagoblin`` is the database owner and the second | |
131 | ``mediagoblin`` is the database name. | |
132 | ||
44db13fa | 133 | Type ``exit`` to exit from the 'postgres' user account. |
c3075e91 | 134 | |
44db13fa JC |
135 | From here we just need to set the Postgres database to start on boot, and also |
136 | start it up for this particular session. If you're on a platform that does not | |
137 | use *systemd*, you can enter:: | |
138 | ||
139 | sudo chkconfig postgresql on && sudo service postgresql start | |
c3075e91 JC |
140 | |
141 | Whereas users of *systemd*-based systems will need to enter:: | |
142 | ||
44db13fa | 143 | sudo systemctl enable postgresql && sudo systemctl start postgresql |
c3075e91 | 144 | |
775ec9e8 JW |
145 | .. caution:: Where is the password? |
146 | ||
147 | These steps enable you to authenticate to the database in a password-less | |
148 | manner via local UNIX authentication provided you run the MediaGoblin | |
149 | application as a user with the same name as the user you created in | |
150 | PostgreSQL. | |
151 | ||
152 | More on this in :ref:`Drop Privileges for MediaGoblin <drop-privileges-for-mediagoblin>`. | |
153 | ||
154 | ||
775ec9e8 JW |
155 | .. _drop-privileges-for-mediagoblin: |
156 | ||
4e893b6e | 157 | Drop Privileges for MediaGoblin |
158 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
17c71230 | 159 | |
fd5c35e5 | 160 | MediaGoblin does not require special permissions or elevated |
1b4a9f26 CAW |
161 | access to run. As such, the preferred way to run MediaGoblin is to |
162 | create a dedicated, unprivileged system user for the sole purpose of running | |
fd5c35e5 JC |
163 | MediaGoblin. Running MediaGoblin processes under an unprivileged system user |
164 | helps to keep it more secure. | |
165 | ||
166 | The following command (entered as root or with sudo) will create a | |
167 | system account with a username of ``mediagoblin``. You may choose a different | |
168 | username if you wish:: | |
169 | ||
44db13fa | 170 | sudo useradd -c "GNU MediaGoblin system account" -d /home/mediagoblin -U -m -r mediagoblin |
fd5c35e5 JC |
171 | |
172 | No password will be assigned to this account, and you will not be able | |
9a1ba0e8 | 173 | to log in as this user. To switch to this account, enter:: |
fd5c35e5 | 174 | |
44db13fa | 175 | sudo su mediagoblin -s /bin/bash |
fd5c35e5 JC |
176 | |
177 | You may get a warning similar to this when entering these commands:: | |
178 | ||
9b604868 | 179 | warning: cannot change directory to /home/mediagoblin: No such file or directory |
fd5c35e5 JC |
180 | |
181 | You can disregard this warning. To return to your regular user account after | |
182 | using the system account, just enter ``exit``. | |
183 | ||
fd5c35e5 JC |
184 | .. _create-mediagoblin-directory: |
185 | ||
186 | Create a MediaGoblin Directory | |
187 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
17c71230 | 188 | |
4e893b6e | 189 | You should create a working directory for MediaGoblin. This document |
076bf0cf | 190 | assumes your local git repository will be located at |
fd5c35e5 JC |
191 | ``/srv/mediagoblin.example.org/mediagoblin/``. |
192 | Substitute your preferred local deployment path as needed. | |
193 | ||
194 | Setting up the working directory requires that we first create the directory | |
195 | with elevated privileges, and then assign ownership of the directory | |
196 | to the unprivileged system account. | |
17c71230 | 197 | |
fd5c35e5 JC |
198 | To do this, enter the following commands, changing the defaults |
199 | to suit your particular requirements:: | |
17c71230 | 200 | |
44db13fa | 201 | sudo mkdir -p /srv/mediagoblin.example.org && sudo chown -hR mediagoblin: /srv/mediagoblin.example.org |
fd5c35e5 | 202 | |
c3075e91 | 203 | .. note:: |
fd5c35e5 | 204 | |
c3075e91 JC |
205 | Unless otherwise noted, the remainder of this document assumes that all |
206 | operations are performed using this unprivileged account. | |
17c71230 | 207 | |
4e893b6e | 208 | |
e260065a | 209 | Install MediaGoblin and Virtualenv |
4e893b6e | 210 | ---------------------------------- |
e260065a | 211 | |
44db13fa JC |
212 | We will now switch to our 'mediagoblin' system account, and then set up |
213 | our MediaGoblin source code repository and its necessary services. | |
214 | You should modify these commands to suit your own environment. | |
17c71230 | 215 | |
fd5c35e5 JC |
216 | Change to the MediaGoblin directory that you just created:: |
217 | ||
44db13fa | 218 | sudo su mediagoblin -s /bin/bash # to change to the 'mediagoblin' account |
9a1ba0e8 | 219 | $ cd /srv/mediagoblin.example.org |
17c71230 | 220 | |
d3b1fd2e | 221 | Clone the MediaGoblin repository and set up the git submodules:: |
e260065a | 222 | |
a35b7c7f | 223 | $ git clone git://git.savannah.gnu.org/mediagoblin.git -b stable |
9a1ba0e8 JC |
224 | $ cd mediagoblin |
225 | $ git submodule init && git submodule update | |
e260065a | 226 | |
9fa1e602 CAW |
227 | .. note:: |
228 | ||
229 | The MediaGoblin repository used to be on gitorious.org, but since | |
230 | gitorious.org shut down, we had to move. We are presently on | |
231 | Savannah. You may need to update your git repository location:: | |
232 | ||
44db13fa | 233 | $ git remote set-url origin git://git.savannah.gnu.org/mediagoblin.git |
e260065a | 234 | |
41dbb27a | 235 | Set up the hacking environment:: |
3b8251f3 | 236 | |
9a1ba0e8 | 237 | $ ./bootstrap.sh && ./configure && make |
f0e137ab | 238 | |
4e893b6e | 239 | The above provides an in-package install of ``virtualenv``. While this |
240 | is counter to the conventional ``virtualenv`` configuration, it is | |
241 | more reliable and considerably easier to configure and illustrate. If | |
242 | you're familiar with Python packaging you may consider deploying with | |
c356dc16 | 243 | your preferred method. |
e260065a | 244 | |
076bf0cf WKG |
245 | Assuming you are going to deploy with FastCGI, you should also install |
246 | flup:: | |
99192f24 | 247 | |
9a1ba0e8 | 248 | $ ./bin/easy_install flup |
71ef2007 | 249 | |
4e893b6e | 250 | This concludes the initial configuration of the development |
8d9aa03f | 251 | environment. In the future, when you update your |
076bf0cf | 252 | codebase, you should also run:: |
e260065a | 253 | |
9a1ba0e8 JC |
254 | $ git submodule update && ./bin/python setup.py develop --upgrade && ./bin/gmg dbupdate |
255 | ||
256 | .. note:: | |
e260065a | 257 | |
9a1ba0e8 JC |
258 | If you are running an active site, depending on your server |
259 | configuration, you may need to stop it first or the dbupdate command | |
260 | may hang (and it's certainly a good idea to restart it after the | |
261 | update). | |
9d5cd0b9 CAW |
262 | |
263 | ||
4e893b6e | 264 | Deploy MediaGoblin Services |
265 | --------------------------- | |
e260065a | 266 | |
a7d2a892 ST |
267 | Edit site configuration |
268 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
269 | ||
041d2fd7 CAW |
270 | A few basic properties must be set before MediaGoblin will work. First |
271 | make a copy of ``mediagoblin.ini`` for editing so the original config | |
272 | file isn't lost:: | |
a7d2a892 | 273 | |
44db13fa | 274 | $ cp mediagoblin.ini mediagoblin_local.ini |
a7d2a892 | 275 | |
041d2fd7 CAW |
276 | Then: |
277 | - Set ``email_sender_address`` to the address you wish to be used as | |
278 | the sender for system-generated emails | |
279 | - Edit ``direct_remote_path``, ``base_dir``, and ``base_url`` if | |
280 | your mediagoblin directory is not the root directory of your | |
281 | vhost. | |
a7d2a892 ST |
282 | |
283 | ||
775ec9e8 JW |
284 | Configure MediaGoblin to use the PostgreSQL database |
285 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
286 | ||
7798f911 WKG |
287 | If you are using postgres, edit the ``[mediagoblin]`` section in your |
288 | ``mediagoblin_local.ini`` and put in:: | |
775ec9e8 JW |
289 | |
290 | sql_engine = postgresql:///mediagoblin | |
291 | ||
292 | if you are running the MediaGoblin application as the same 'user' as the | |
293 | database owner. | |
294 | ||
7798f911 | 295 | |
775ec9e8 JW |
296 | Update database data structures |
297 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
298 | ||
7798f911 | 299 | Before you start using the database, you need to run:: |
775ec9e8 | 300 | |
44db13fa | 301 | $ ./bin/gmg dbupdate |
775ec9e8 JW |
302 | |
303 | to populate the database with the MediaGoblin data structures. | |
304 | ||
305 | ||
4e893b6e | 306 | Test the Server |
307 | ~~~~~~~~~~~~~~~ | |
e260065a | 308 | |
4e893b6e | 309 | At this point MediaGoblin should be properly installed. You can |
076bf0cf | 310 | test the deployment with the following command:: |
e260065a | 311 | |
44db13fa | 312 | $ ./lazyserver.sh --server-name=broadcast |
e260065a | 313 | |
4e893b6e | 314 | You should be able to connect to the machine on port 6543 in your |
315 | browser to confirm that the service is operable. | |
e260065a | 316 | |
cd1abb11 CAW |
317 | .. _webserver-config: |
318 | ||
56d507b6 | 319 | |
a7d2a892 ST |
320 | FastCGI and nginx |
321 | ~~~~~~~~~~~~~~~~~ | |
322 | ||
323 | This configuration example will use nginx; however, you may | |
4e893b6e | 324 | use any webserver of your choice as long as it supports the FastCGI |
325 | protocol. If you do not already have a web server, consider nginx, as | |
326 | the configuration files may be more clear than the | |
327 | alternatives. | |
328 | ||
329 | Create a configuration file at | |
330 | ``/srv/mediagoblin.example.org/nginx.conf`` and create a symbolic link | |
331 | into a directory that will be included in your ``nginx`` configuration | |
332 | (e.g. ``/etc/nginx/sites-enabled`` or ``/etc/nginx/conf.d``) with | |
076bf0cf | 333 | one of the following commands (as the root user):: |
4e893b6e | 334 | |
44db13fa JC |
335 | sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/conf.d/ |
336 | sudo ln -s /srv/mediagoblin.example.org/nginx.conf /etc/nginx/sites-enabled/ | |
4e893b6e | 337 | |
338 | Modify these commands and locations depending on your preferences and | |
339 | the existing configuration of your nginx instance. The contents of | |
076bf0cf WKG |
340 | this ``nginx.conf`` file should be modeled on the following:: |
341 | ||
342 | server { | |
343 | ################################################# | |
344 | # Stock useful config options, but ignore them :) | |
345 | ################################################# | |
346 | include /etc/nginx/mime.types; | |
347 | ||
348 | autoindex off; | |
349 | default_type application/octet-stream; | |
350 | sendfile on; | |
351 | ||
352 | # Gzip | |
353 | gzip on; | |
354 | gzip_min_length 1024; | |
355 | gzip_buffers 4 32k; | |
356 | gzip_types text/plain text/html application/x-javascript text/javascript text/xml text/css; | |
357 | ||
358 | ##################################### | |
359 | # Mounting MediaGoblin stuff | |
360 | # This is the section you should read | |
361 | ##################################### | |
362 | ||
363 | # Change this to update the upload size limit for your users | |
364 | client_max_body_size 8m; | |
365 | ||
a49c741f CAW |
366 | # prevent attacks (someone uploading a .txt file that the browser |
367 | # interprets as an HTML file, etc.) | |
368 | add_header X-Content-Type-Options nosniff; | |
37b48053 | 369 | |
076bf0cf WKG |
370 | server_name mediagoblin.example.org www.mediagoblin.example.org; |
371 | access_log /var/log/nginx/mediagoblin.example.access.log; | |
372 | error_log /var/log/nginx/mediagoblin.example.error.log; | |
373 | ||
374 | # MediaGoblin's stock static files: CSS, JS, etc. | |
375 | location /mgoblin_static/ { | |
376 | alias /srv/mediagoblin.example.org/mediagoblin/mediagoblin/static/; | |
377 | } | |
378 | ||
379 | # Instance specific media: | |
380 | location /mgoblin_media/ { | |
381 | alias /srv/mediagoblin.example.org/mediagoblin/user_dev/media/public/; | |
382 | } | |
383 | ||
8d051cc0 CAW |
384 | # Theme static files (usually symlinked in) |
385 | location /theme_static/ { | |
386 | alias /srv/mediagoblin.example.org/mediagoblin/user_dev/theme_static/; | |
387 | } | |
388 | ||
24ede044 CAW |
389 | # Plugin static files (usually symlinked in) |
390 | location /plugin_static/ { | |
391 | alias /srv/mediagoblin.example.org/mediagoblin/user_dev/plugin_static/; | |
392 | } | |
393 | ||
076bf0cf WKG |
394 | # Mounting MediaGoblin itself via FastCGI. |
395 | location / { | |
396 | fastcgi_pass 127.0.0.1:26543; | |
397 | include /etc/nginx/fastcgi_params; | |
398 | ||
399 | # our understanding vs nginx's handling of script_name vs | |
400 | # path_info don't match :) | |
401 | fastcgi_param PATH_INFO $fastcgi_script_name; | |
402 | fastcgi_param SCRIPT_NAME ""; | |
4e893b6e | 403 | } |
076bf0cf | 404 | } |
4e893b6e | 405 | |
f44bd7dc CAW |
406 | The first four ``location`` directives instruct Nginx to serve the |
407 | static and uploaded files directly rather than through the MediaGoblin | |
408 | process. This approach is faster and requires less memory. | |
409 | ||
410 | .. note:: | |
411 | ||
412 | The user who owns the Nginx process, normally ``www-data``, | |
413 | requires execute permission on the directories ``static``, | |
414 | ``public``, ``theme_static`` and ``plugin_static`` plus all their | |
415 | parent directories. This user also requires read permission on all | |
416 | the files within these directories. This is normally the default. | |
417 | ||
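One way to check the permission requirement in the note above, as an added example that is not part of the MediaGoblin documentation: a POSIX shell function that walks the parent directories of a served directory and then its contents, reporting anything the "other" permission class cannot traverse or read. The function name, its messages and the assumption that the nginx account is neither owner nor group member of these paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of MediaGoblin. Assumes the nginx worker account is
# neither the owner nor in the group of the served paths, so only the "other"
# permission bits apply to it.

# check_served_dir DIR [BASE]
# Prints one line per problem and returns 1; returns 0 when nginx could
# traverse every directory from BASE (default /) down to DIR and read every
# file below DIR; returns 2 if DIR is not an absolute path to a directory.
check_served_dir() {
    dir=${1%/}
    base=${2:-/}
    base=${base%/}
    case $dir in
        /*) ;;
        *) echo "need an absolute path: $1"; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    report=$(
        # Parent directories need o+x, otherwise the path cannot be resolved.
        p=${dir%/*}
        while [ -n "$p" ] && [ "$p" != "$base" ]; do
            [ -n "$(find -L "$p" -prune -perm -001)" ] ||
                echo "no o+x (traverse): $p"
            p=${p%/*}
        done
        # -L follows the symlinked theme and plugin directories.
        find -L "$dir" -type d ! -perm -001 | sed 's/^/no o+x (traverse): /'
        find -L "$dir" -type f ! -perm -004 | sed 's/^/no o+r (read): /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Check each directory given on the command line, for example the four
# directories that the nginx.conf above exposes through "alias".
for d in "$@"; do
    check_served_dir "$d"
done
```

Run it with the four ``alias`` targets from the nginx configuration as arguments; no output means the static files can be served without going through the MediaGoblin process.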
4e893b6e | 418 | Now the nginx instance is configured to serve the MediaGoblin |
419 | application. Perform a quick test to ensure that this configuration | |
420 | works. Restart nginx so it picks up your changes, with a command that | |
44db13fa | 421 | resembles one of the following:: |
4e893b6e | 422 | |
076bf0cf WKG |
423 | sudo /etc/init.d/nginx restart |
424 | sudo /etc/rc.d/nginx restart | |
44db13fa | 425 | sudo systemctl restart nginx |
4e893b6e | 426 | |
427 | Now start MediaGoblin. Use the following command sequence as an | |
076bf0cf | 428 | example:: |
4e893b6e | 429 | |
076bf0cf WKG |
430 | cd /srv/mediagoblin.example.org/mediagoblin/ |
431 | ./lazyserver.sh --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543 | |
4e893b6e | 432 | |
433 | Open the site you've set up in your browser at | |
518c5eb3 | 434 | <http://mediagoblin.example.org>. You should see MediaGoblin! |
4e893b6e | 435 | |
4e893b6e | 436 | .. note:: |
437 | ||
a085dda5 | 438 | The configuration described above is sufficient for development and |
439 | smaller deployments. However, for larger production deployments | |
440 | with larger processing requirements, see the | |
441 | ":doc:`production-deployments`" documentation. | |
a7d2a892 ST |
442 | |
443 | ||
444 | Apache | |
445 | ~~~~~~ | |
446 | ||
041d2fd7 CAW |
447 | Instructions and scripts for running MediaGoblin on an Apache server |
448 | can be found on the `MediaGoblin wiki <http://wiki.mediagoblin.org/Deployment>`_. | |
b835e153 E |
449 | |
450 | ||
451 | Security Considerations | |
452 | ~~~~~~~~~~~~~~~~~~~~~~~ | |
453 | ||
454 | .. warning:: | |
455 | ||
456 | The directory ``user_dev/crypto/`` contains some very | |
457 | sensitive files. | |
458 | The ``itsdangeroussecret.bin`` file in particular is very important | |
459 | for session security. Make sure not to leak its contents anywhere. | |
460 | If the contents are leaked nevertheless, delete the file | |
461 | and restart the server, so that it creates a new secret key. | |
fd5c35e5 JC |
462 | All previous sessions will be invalidated. |
463 | ||
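A way to verify that ``user_dev/crypto/`` is private to the account running MediaGoblin, as an added example that is not part of the MediaGoblin code or documentation: it lists entries with the wrong owner or with any group/other permission bit, and offers a function to restrict them. The function names are hypothetical, and the default owner ``mediagoblin`` follows the account created earlier in this guide.

```shell
#!/bin/sh
# Added example, not MediaGoblin code. Assumes the "mediagoblin" system
# account used in this guide unless another owner is given.

# audit_crypto_dir DIR [OWNER]
# Lists every entry under DIR that is not owned by OWNER (user name or
# numeric uid) or that grants any permission bit to group or others.
# Returns 0 if nothing is listed, 1 if something is, 2 if DIR is missing.
audit_crypto_dir() {
    dir=${1%/}
    owner=${2:-mediagoblin}
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    findings=$(
        # 2>&1: an unknown OWNER makes find fail; report that as a finding
        # instead of passing silently.
        find "$dir" ! -user "$owner" -exec ls -ld {} \; 2>&1 |
            sed 's/^/wrong owner: /'
        find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec ls -ld {} \; | sed 's/^/group\/other access: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# harden_crypto_dir DIR
# Owner-only access: 0700 on directories, 0600 on files.
harden_crypto_dir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Audit each directory given on the command line, e.g.
#   sh audit.sh /srv/mediagoblin.example.org/mediagoblin/user_dev/crypto
for d in "$@"; do
    audit_crypto_dir "$d"
done
```

Backups and copies of the deployment tree carry the same file, so the audit is worth running against those locations as well.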
f44bd7dc CAW |
464 | .. |
465 | Local variables: | |
466 | fill-column: 70 | |
467 | End: |