[ https://issues.apache.org/jira/browse/AIRAVATA-2581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16238309#comment-16238309 ]
Marcus Christie commented on AIRAVATA-2581:
-------------------------------------------

Current work I've done so far

{noformat}
[Using Daemon process with mod_wsgi](https://modwsgi.readthedocs.io/en/develop/user-guides/quick-configuration-guide.html#delegation-to-daemon-process)

* also has an example virtual host configuration

Steps:

* check out the django code
* create a virtual environment
* source virtual env and run `pip install -r requirements.txt` in that environment
* create a settings_local.py that will have all the necessary settings
* set the STATIC_ROOT in settings_local.py
* run build_js.sh
* run `collectstatic`
* create virtual host config [like this example](https://modwsgi.readthedocs.io/en/develop/user-guides/quick-configuration-guide.html#delegation-to-daemon-process)
* gracefully restart apache
* create a database in MySQL for django database
* migrate database and configure

For the test server:

* connect to dev.seagrid.org like we currently have
* domain name: django.seagrid.org

Do we need to rebuild mod_wsgi every time that the python version is updated?

* No. Python3.4 installed by yum was compiled with `--enable-shared`. See [python patch level mismatch](https://modwsgi.readthedocs.io/en/develop/user-guides/installation-issues.html#python-patch-level-mismatch)
* verifying

```
[centos@pga-scigap-develop ~]$ python3
Python 3.4.5 (default, May 29 2017, 15:17:55)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sysconfig
>>> sysconfig.get_config_var('CONFIG_ARGS')
"'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-ipv6' '--enable-shared' '--with-computed-gotos=yes' '--with-dbmliborder=gdbm:ndbm:bdb' '--with-system-expat' '--with-system-ffi' '--enable-loadable-sqlite-extensions' '--with-systemtap' '--with-valgrind' '--without-ensurepip' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv ' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= ' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'"
```

Actual installation

* sudo yum -y install python34
* sudo yum -y install httpd-devel
* sudo yum -y install python34-devel
* install mod_wsgi from source

```
mkdir mod_wsgi
cd mod_wsgi/
curl -LO https://github.com/GrahamDumpleton/mod_wsgi/archive/4.5.17.tar.gz
tar zxf 4.5.17.tar.gz
cd mod_wsgi-4.5.17/
./configure --with-python=/usr/bin/python3
make
sudo make install
```

* configure Apache to load mod_wsgi

```
sudo vim /etc/httpd/conf.modules.d/00-wsgi.conf
```

* 00-wsgi.conf file contains

```
LoadModule wsgi_module modules/mod_wsgi.so
```

* `sudo apachectl restart`
* Verify line in apache error log showing the mod_wsgi and Python34 loaded:

```
[Thu Aug 24 14:20:20.171560 2017] [mpm_prefork:notice] [pid 6657] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/4.5.17 Python/3.4 PHP/5.4.16 configured -- resuming normal operations
```

* Clean up build: `make clean`
* Clone django code and set up virtual environment

```
mkdir django-seagrid
cd django-seagrid/
git clone https://github.com/machristie/django-airavata-gateway.git
python3 -m venv venv
source venv/bin/activate
cd django-airavata-gateway/
pip install -r requirements.txt
```

* create the settings_local.py file

```python
"""
Override default Django settings for a particular instance.

Copy this file to settings_local.py and modify as appropriate. This file will
be imported into settings.py last of all so settings in this file override any
defaults specified in settings.py.
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# Keycloak Configuration
KEYCLOAK_CLIENT_ID = 'pga'
KEYCLOAK_CLIENT_SECRET = '5d2dc66a-f54e-4fa9-b78f-80d33aa862c1'
KEYCLOAK_AUTHORIZE_URL = 'https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/auth'
KEYCLOAK_TOKEN_URL = 'https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/token'
KEYCLOAK_USERINFO_URL = 'https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/userinfo'
KEYCLOAK_LOGOUT_URL = 'https://iamdev.scigap.org/auth/realms/seagrid/protocol/openid-connect/logout'
KEYCLOAK_CA_CERTFILE = os.path.join(BASE_DIR, "django_airavata", "resources", "incommon_rsa_server_ca.pem")
KEYCLOAK_VERIFY_SSL = True

# Airavata API Configuration
GATEWAY_ID = 'seagrid'
AIRAVATA_API_HOST = 'apidev.scigap.org'
AIRAVATA_API_PORT = 9930
AIRAVATA_API_SECURE = True

# Sharing API Configuration
SHARING_API_HOST = 'apidev.scigap.org'
SHARING_API_PORT = 7878
SHARING_API_SECURE = False

STATIC_ROOT = "/var/www/portals/django-seagrid/static/"
```

* as user pga, ran `python manage.py collectstatic`
* create virtual host config

# 2017-11-03

## Continuing deployment

* update code and virtual environment

```
cd portals/
cd django-seagrid/
cd django-airavata-gateway/
git remote set-url origin https://github.com/apache/airavata-django-portal.git
git pull --ff-only
source ../venv/bin/activate
pip install -r requirements.txt
pip install --upgrade pip
```

* run build_js.sh: install npm

```
sudo yum update epel-release
sudo yum install npm
```

* run build_js.sh as user pga

```
./build_js.sh
```

* create virtual host config

```xml
<VirtualHost *:80>
    ServerName django.seagrid.org

    ## Redirect all http traffic to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    ServerName django.seagrid.org

    Alias /robots.txt /var/www/portals/django-seagrid/static/robots.txt
    Alias /favicon.ico /var/www/portals/django-seagrid/static/favicon.ico
    Alias /static/ /var/www/portals/django-seagrid/static/

    <Directory /var/www/portals/django-seagrid/static>
        Require all granted
    </Directory>

    WSGIDaemonProcess django.seagrid.org python-home=/var/www/portals/django-seagrid/venv python-path=/var/www/portals/django-seagrid/django-airavata-gateway processes=2
    WSGIProcessGroup django.seagrid.org
    WSGIScriptAlias / /var/www/portals/django-seagrid/django-airavata-gateway/django_airavata/wsgi.py

    <Directory /var/www/portals/django-seagrid/django-airavata-gateway/django_airavata>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    ErrorLog /var/log/httpd/django-seagrid.error.log
    CustomLog /var/log/httpd/django-seagrid.requests.log combined

    SSLEngine on
    # Disable SSLv3 which is vulnerable to the POODLE attack
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/django.seagrid.org/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/django.seagrid.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/django.seagrid.org/privkey.pem
</VirtualHost>
```

* 403 Forbidden

```
[Fri Nov 03 18:15:17.798456 2017] [core:error] [pid 6181] (13)Permission denied: [client 149.160.163.103:49683] AH00035: access to / denied (filesystem path '/var/www/portals/django-seagrid/django-airavata-gateway/django_airavata/wsgi.py') because search permissions are missing on a component of the path
```

* installed setroubleshoot-server to debug, I think it is an SELinux problem

```
sealert -a /var/log/audit/audit.log
```

* running restorecon

```
restorecon -R /var/www/portals/django-seagrid/
```

* new error:

```
[Fri Nov 03 19:02:46.626623 2017] [wsgi:error] [pid 2738] [remote 149.160.163.103:50169] ImportError: No module named 'apache.airavata'; 'apache' is not a package
```

and `sealert -a /var/log/audit/audit.log` reports:

```
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from read access on the file pyvenv.cfg.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow httpd to have read access on the pyvenv.cfg file
Then you need to change the label on pyvenv.cfg
Do
# semanage fcontext -a -t FILE_TYPE 'pyvenv.cfg'
...
```

But which pyvenv.cfg?

* trying to turn off SELinux so I can make sure everything is installed correctly first

```
setenforce 0
```

* there's some other `apache` object in the Python namespace that is conflicting with `apache.airavata`. I get this when I print the `apache` object imported in the wsgi.py script:

```
[Fri Nov 03 20:12:39.228053 2017] [wsgi:error] [pid 10885] apache: ['__doc__', '__loader__', '__name__', '__package__', '__spec__', 'build_date', 'description', 'maximum_processes', 'mpm_name', 'threads_per_process', 'version']
```

* turning SELinux back on

```
setenforce 1
```
{noformat}

> Manually deploy Django version of dev seagrid
> ---------------------------------------------
>
>                 Key: AIRAVATA-2581
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-2581
>             Project: Airavata
>          Issue Type: Sub-task
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
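The comment above asks which pyvenv.cfg the SELinux alert refers to. As an added example (not part of the original comment or the Airavata code), the sketch below pulls the inode and target label out of the raw AVC record behind a sealert summary and resolves the inode to a path under the deployment root. The sample record is constructed, the function names are hypothetical, and matching on inode number alone assumes the root lies on the device named in the record's `dev=` field.

```python
import os
import re
import shlex

# Constructed AVC record in audit.log format; pid, device, inode and labels
# are invented for illustration and do not come from the server in the post.
SAMPLE_AVC = (
    'type=AVC msg=audit(1509735766.626:412): avc:  denied  { read } for  '
    'pid=2738 comm="httpd" name="pyvenv.cfg" dev="vda1" ino=1048611 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {"perms": match.group("perms").split()}
    for token in shlex.split(match.group("rest")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def paths_for_inode(root, inode, name):
    """Walk root and return paths called `name` whose inode number matches."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if name in dirnames or name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_ino == inode:
                hits.append(path)
    return sorted(hits)


def locate_denied_file(line, root):
    """Map an AVC denial to (matching paths under root, target SELinux type)."""
    avc = parse_avc(line)
    if not avc or "ino" not in avc or "name" not in avc:
        return [], None
    context = avc.get("tcontext", "").split(":")
    target_type = context[2] if len(context) > 2 else None
    return paths_for_inode(root, int(avc["ino"]), avc["name"]), target_type


if __name__ == "__main__":
    print(locate_denied_file(SAMPLE_AVC, "/var/www/portals/django-seagrid"))
```

With the path and its current type in hand, the label can be corrected on that one file or directory while SELinux stays in enforcing mode.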
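An added example, not part of the original comment: a small evaluator for the `SSLProtocol` line in the virtual host above, showing which protocol versions remain enabled after the `+`/`-` tokens are applied. The expansion of `all` follows the mod_ssl documentation for builds against OpenSSL 1.0.1 or later with SSLv3 compiled in; that this matches the server's build is an assumption, and the stricter directive in the demo is constructed.

```python
# What "all" expands to when mod_ssl is built against OpenSSL 1.0.1+ with SSLv3
# compiled in, as documented for SSLProtocol. Assumption: that matches the
# Apache/2.4.6 + OpenSSL/1.0.1e build named in the error log above.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# SSLv2 is a recognised token but never part of "all" here, so "-SSLv2" is a no-op.
KNOWN = {name.lower(): name for name in ("SSLv2",) + ALL}
# Protocol versions formally deprecated by RFC 6176, RFC 7568 and RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def effective_protocols(directive):
    """Return the set of protocols an SSLProtocol line leaves enabled."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for token in tokens:
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            selected = set(ALL)
        elif name in KNOWN:
            selected = {KNOWN[name]}
        else:
            raise ValueError("unknown protocol token: %r" % token)
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = selected  # a bare token replaces the set built so far
    return enabled


def audit(directive):
    """Return the deprecated protocols the directive still allows, sorted."""
    return sorted(effective_protocols(directive) & DEPRECATED)


if __name__ == "__main__":
    for line in ("SSLProtocol All -SSLv2 -SSLv3",  # from the vhost above
                 "SSLProtocol -all +TLSv1.2"):     # constructed stricter form
        print(line, "->", sorted(effective_protocols(line)), "weak:", audit(line))
```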