> On 8 Mar 2017, at 9:47 AM, Lukasz Szybalski <[email protected]> wrote:
>
> Hello,
> It's been a while....
> I'm emailing to get a clarification on the relationship of 4 different parts
> of python as it relates to apache:
> myapp folder ;myapp.wsgi ; env_py3 and .python-eggs
>
> A) We have default-ssl.conf in /etc/apache/sites-available/
> B) Our program : /usr/local/pyramid/myapp
> C) environment: /usr/local/pyramid/env_py3
> D) myapp.wsgi to be placed in which folder?
> E) .python-eggs placement? And if still needed for python3 as it uses .cache?
>
> Inside default-ssl.conf we add below code. I'm going to be asking about the
> bold items.
>
> WSGIApplicationGroup %{GLOBAL}
> WSGIPassAuthorization On
> WSGIDaemonProcess pyramid threads=10 \
>     python-path=/usr/local/pyramid/env_py3/lib/python3.4/site-packages/ \
>     maximum-requests=10000
> WSGIScriptAlias / /usr/local/pyramid/myapp/env_py3/myapp.wsgi
>
> <Directory /usr/local/pyramid/env_py3>
> WSGIProcessGroup pyramid
> Require all granted
> </Directory>
>
>
> myapp.wsgi says:
>
> import os
> os.environ['PYTHON_EGG_CACHE'] = '/usr/local/pyramid/env_py3/.python-eggs'
>
> from pyramid.paster import get_app, setup_logging
> ini_path = '/usr/local/pyramid/myapp/myapp/production.ini'
> setup_logging(ini_path)
> application = get_app(ini_path, 'main')
>
>
>
> 1. Directory. From apache 2.2 to apache 2.4, we now use Require all granted
> to give access of apache to X folder.
> Which folder is that?
It needs to be on whatever directory the WSGI script file is in, or better
still qualified to be that specific file in the directory as well. It is needed
to tell Apache that the file is okay to use to handle the request. You want it
to be as narrow as possible to avoid making it possible to execute other scripts
if you muck up your Apache configuration in some way.
> Do I need to give apache access to :
> aa) /usr/local/pyramid/env_py3 (environment)
> or
> bb) /usr/local/pyramid/myapp (project folder)
You do not need to use Allow/Require on either the Python virtual environment
or application code, only the specific WSGI script file.
> 2. Should myapp.wsgi be placed inside aa or bb from above, since
> WSGIScriptAlias will be calling it?
It can go in your project folder. E.g., if in '/usr/local/pyramid/myapp' use:
<Directory /usr/local/pyramid/myapp>
<Files myapp.wsgi>
Require all granted
</Files>
</Directory>
> 3. Where should the .python-eggs file be placed? aa, or bb? or is this
> no longer required for python3 or should be replaced by something else?
The Python eggs directory is different to cache directories where individual py
files have their pyc files placed. The Python eggs directory is specifically
related to where Python packages distributed as an egg are expanded so they can
be used at runtime.
Wherever you put it, it needs to be a directory that the user that your code
runs as under Apache can write to.
> 4. If I wanted to create a user on linux to run the files, what command and
> options would I use to create that user in debian? adduser? useradd? I would
> then use
Use whatever is the standard tool used for adding a user.
> My configuration and add user= "myapp_user" which is running the whole show?
> Does that mean I should change permission for both cc and dd?
The only directory which needs special permissions is the Python egg directory.
It is actually better that application code directories and virtual environment
directory are not writable to the user your application runs as. It doesn't
matter that this means pyc files can't be written, as processes are long lived
so cost of compiling code for each process is insignificant.
> WSGIDaemonProcess pyramid threads=10 \
>     python-path=/usr/local/pyramid/env_py3/lib/python3.4/site-packages/ \
>     maximum-requests=10000 user=myapp_user
Don't use python-path for specifying location of virtual environment, use
python-home. See:
http://modwsgi.readthedocs.io/en/develop/user-guides/virtual-environments.html
Don't use maximum-requests in a production system if you can avoid it. The last
thing you want when an application is receiving a large number of requests is
processes restarting all the time.
What is the problem you are trying to solve by having that?
Better to look at timeout options for restarting daemon processes under various
conditions.
http://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIDaemonProcess.html
Just make sure you aren't using the out of date mod_wsgi that your Debian
distribution ships. Compile mod_wsgi from source code and use the latest.
Options to look at instead of maximum-requests are:
restart-interval=nnn
Defines a time limit on how long a daemon process should run before being
restarted.
inactivity-timeout=sss
Defines the maximum number of seconds allowed to pass before the daemon process
is shutdown and restarted when the daemon process has entered an idle state.
For the purposes of this option, being idle means there are no currently active
requests and no new requests are being received.
request-timeout=sss
Defines the maximum number of seconds that a request is allowed to run before
the daemon process is restarted. This can be used to recover from a scenario
where a request blocks indefinitely, and where if all request threads were
consumed in this way, would result in the whole WSGI application process being
blocked.
>
> cc) chown -R myapp_user:myapp_user /usr/local/pyramid/myapp
> dd) chown -R myapp_user:myapp_user /usr/local/pyramid/env_py3
> or only the env_py3? or ?
Not needed. See above.
> 5. If I'm not using the user attribute, then the permissions for the app
> should be www-data, not root correct?
No need. So long as user that Apache runs as can read the code files that is
enough. Better that not writable to that user. Only exception is Python eggs
directory.
> ee) chown -R www-data:www-data /usr/local/pyramid/myapp
> ff) chown -R www-data:www-data /usr/local/pyramid/env_py3
>
>
> Thank you
> Lucas
>
> --
> http://lucasmanual.com/
>
>
>
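An added example (not part of the original thread or of mod_wsgi): a Python check of the permission layout the reply recommends, reporting application or virtual environment paths the daemon user can write to, and an egg cache it cannot write to. It uses classic POSIX mode bits only (no ACLs); the constructed tree, the `.python-eggs` location and the daemon uid/gids in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic POSIX mode-bit check (ACLs and capabilities are not modelled)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(read_only_roots, egg_cache, uid, gids):
    """Return a list of (problem, path) for the daemon identity uid/gids."""
    findings = []
    for root in read_only_roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Do not descend into the egg cache: it is meant to be writable.
            dirnames[:] = [d for d in dirnames
                           if os.path.join(dirpath, d) != egg_cache]
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a symlink's own mode bits are meaningless
                if writable_by(st, uid, gids):
                    findings.append(("writable-code", path))
    if not writable_by(os.stat(egg_cache), uid, gids):
        findings.append(("egg-cache-not-writable", egg_cache))
    return findings

def demo():
    """Build a constructed tree and audit it for a hypothetical daemon user."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "myapp")
    cache = os.path.join(base, ".python-eggs")
    os.mkdir(app)
    os.mkdir(cache)
    wsgi = os.path.join(app, "myapp.wsgi")
    open(wsgi, "w").close()
    for path, mode in ((app, 0o755), (wsgi, 0o664), (cache, 0o775)):
        os.chmod(path, mode)
    st = os.stat(wsgi)
    daemon_uid, daemon_gids = st.st_uid + 1, {st.st_gid}  # not owner, in group
    before = audit([app], cache, daemon_uid, daemon_gids)
    os.chmod(wsgi, 0o644)  # drop group write on the code file
    after = audit([app], cache, daemon_uid, daemon_gids)
    return wsgi, before, after
```

On a real host, pass the application and virtual environment directories as `read_only_roots` and the uid and group ids of the account named in `user=` (or the account Apache runs as).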