Skip to content

Commit

Permalink
Merge pull request #2980 from SpaceFox/feature-fix_2589_1679
Browse files Browse the repository at this point in the history 
MAJ de la conf nginx et du script de déploiement
  • Loading branch information
@pierre-24
pierre-24 committed Sep 3, 2015
2 parents 9b812d7 + fb774b8 commit 23cd3a7
Show file tree
Hide file tree
Showing 2 changed files with 116 additions and 68 deletions.
178 changes: 113 additions & 65 deletions doc/source/install/deploy-in-production.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,15 +13,15 @@ Paramètres généraux
+------------------------+----------------------------+
| Paramètre | Valeur |
+========================+============================+
| OS | Linux, Debian 7 "Wheezy" |
| OS | Linux, Debian 8 "Jessie" |
+------------------------+----------------------------+
| Serveurs web | Nginx |
+------------------------+----------------------------+
| Moteur WSGI | Gunicorn |
+------------------------+----------------------------+
| SGBD | MySQL |
+------------------------+----------------------------+
| Contrôle des process | Supervisor |
| Contrôle des process | systemd |
+------------------------+----------------------------+
| Surveillance | Munin |
+------------------------+----------------------------+
Expand All @@ -34,9 +34,9 @@ Paramètres spécifiques
+================+=============================+=============================+
| Nom | beta.zestedesavoir.com | zestedesavoir.com |
+----------------+-----------------------------+-----------------------------+
| IPv4 | ``46.105.246.77`` | ``176.31.187.88`` |
| IPv4 | ``46.105.246.77`` | ``149.202.54.142`` |
+----------------+-----------------------------+-----------------------------+
| IPv6 | x | ``2001:41d0:52:100::b4f`` |
| IPv6 | x | Pas encore disponible… |
+----------------+-----------------------------+-----------------------------+
| Identifiant | *Demande privée* | *Demande privée* |
+----------------+-----------------------------+-----------------------------+
Expand Down Expand Up @@ -108,39 +108,20 @@ Gunicorn

Installer Gunicorn dans le virtualenv.

Dans ``/opt/zdsenv/unicorn_start`` :
Dans ``/opt/zdsenv/gunicorn_config.py`` :

.. code:: bash
#!/bin/bash
NAME="ZesteDeSavoir"
DJANGODIR=/opt/zdsenv/ZesteDeSavoir/
SOCKFILE=/opt/zdsenv/bin/gunicorn.sock
USER=zds
GROUP=root
NUM_WORKERS=7 # how many worker processes
DJANGO_SETTINGS_MODULE=zds.settings # django settings file
DJANGO_WSGI_MODULE=zds.wsgi # WSGI modul
echo "Starting $NAME"
# Activate the virtual environment
cd $DJANGODIR
source ../bin/activate
export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE
export PYTHONPATH=$DJANGODIR:$PYTHONPATH
.. code:: python
RUNDIR=$(dirname $SOCKFILE)
test -d $RUNDIR || mkdir -p $RUNDIR
command = '/opt/zdsenv/bin/gunicorn'
pythonpath = '/opt/zdsenv/ZesteDeSavoir'
bind = 'unix:/opt/zdsenv/bin/gunicorn.sock'
workers = 7
user = 'zds'
group = 'zds'
errorlog = '/opt/zdsenv/logs/gunicorn_error.log'
loglevel = 'info'
pid = '/opt/zdsenv/gunicorn.pid'
exec ../bin/gunicorn ${DJANGO_WSGI_MODULE}:application \
--name $NAME \
--workers $NUM_WORKERS \
--user=$USER --group=$GROUP \
--log-level=debug \
--timeout=300 \
--bind=unix:$SOCKFILE
Nginx
~~~~~
Expand All @@ -150,23 +131,42 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest
.. code:: text
upstream zdsappserver {
server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0;
server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0;
}
server {
listen [::]:80;
listen [::]:443;
listen 80;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt;
ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key;
# ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem;
# ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key;
ssl_session_timeout 1d;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/nginx/dhparam.pem;
server_name www.zestedesavoir.com;
rewrite ^(.*) http://zestedesavoir.com$1 permanent;
rewrite ^(.*) $scheme://zestedesavoir.com$1 permanent;
}
server {
listen [::]:80 ipv6only=on;
listen [::]:443 ssl ipv6only=on;
listen 80;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/zds/ssl.crt;
ssl_certificate_key /etc/ssl/certs/zds/ssl.key;
ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt;
ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key;
# ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem;
# ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key;
ssl_session_timeout 1d;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_session_cache builtin;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/nginx/dhparam.pem;
server_name zestedesavoir.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
Expand All @@ -177,12 +177,16 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest
location /author-files/ {
index index.html index.php;
alias /home/zds/tutos_sdzv3/script/;
include php.fast.conf;
#include php.fast.conf;
}
location = /robots.txt {
alias /opt/zdsenv/ZesteDeSavoir/robots.txt;
}
# Gandi
location = /D6BA7D30872A8A72ED225D5601248024.txt {
alias /opt/zdsenv/ZesteDeSavoir/D6BA7D30872A8A72ED225D5601248024.txt;
}
location /static/ {
alias /opt/zdsenv/ZesteDeSavoir/static/;
Expand All @@ -200,10 +204,12 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest
location / {
if ($uri !~ \. ){
rewrite ^(.*[^/])$ $1/ permanent;
}
rewrite ^(.*[^/])$ $1/ permanent;
}
rewrite ^/teasing/$ / permanent;
client_max_body_size 100M;
sendfile on;
keepalive_timeout 0;
proxy_read_timeout 1000s;
proxy_connect_timeout 1000s;
proxy_redirect off;
Expand All @@ -213,19 +219,23 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest
proxy_set_header X-Forwarded-Proto $scheme;
add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
add_header Strict-Transport-Security max-age=500;
add_header Strict-Transport-Security max-age=15768000;
add_header Access-Control-Allow-Origin *;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
if (!-f $request_filename) {
if (!-f $request_filename) {
proxy_pass http://zdsappserver;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /opt/zdsenv/ZesteDeSavoir/templates/;
error_page 500 502 503 504 /errors/500.html;
#location = /500.html {
# root /opt/zdsenv/ZesteDeSavoir/templates/;
#}
location /errors/ {
alias /opt/zdsenv/ZesteDeSavoir/errors/;
}
Expand Down Expand Up @@ -353,7 +363,7 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest
}
server{
server_name uploads.beta.zestedesavoir.com;
server_name uploads.zestedesavoir.com;
root /home/zds/tutos_sdzv3/images_distantes;
index index.html index.htm;
}
Expand All @@ -368,9 +378,9 @@ La configuration de la page de maintenance, quant à elle, se fait dans ``/etc/n
listen [::]:443 ssl ipv6only=on;
listen 80;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/beta_zds/ssl.crt;
ssl_certificate_key /etc/ssl/certs/beta_zds/ssl.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt;
ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name zestedesavoir.com www.zestedesavoir.com;
Expand Down Expand Up @@ -412,29 +422,67 @@ Créer deux configurations :
Configuration ZdS
^^^^^^^^^^^^^^^^^

La conf dans ``/etc/supervisor/conf.d/zds.conf`` permet de lancer Solr à l'aide de ``supervisorctl start zds`` et l'arrêter avec ``supervisorctl stop zds``.
Les confs dans ``/etc/systemd/system/zds.service`` et ``/etc/systemd/system/zds.socket`` permet de lancer le serveur applicatif de Zeste de Savoir (Gunicorn) à l'aide de ``systemctl start zds.{service,socket}`` et l'arrêter avec ``systemctl stop zds.{service,socket}``.

.. code:: text
[program:zds]
command = /opt/zdsenv/unicorn_start ;
user = zds ;
stdout_logfile = /opt/zdsenv/logs/gunicorn_supervisor.log ;
redirect_stderr = true ;
[Unit]
Description=Zeste de Savoir
Requires=zds.socket
After=network.target
[Service]
PIDFile=/run/gunicorn/pid
User=zds
Group=zds
WorkingDirectory=/opt/zdsenv
# ExecStart=/opt/zdsenv/bin/gunicorn --pid /run/gunicorn/pid -c /opt/zdsenv/gunicorn_config.py zds.wsgi
ExecStart=/opt/zdsenv/bin/gunicorn -c /opt/zdsenv/gunicorn_config.py zds.wsgi
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
.. code:: text
[Unit]
Description=ZdS Gunicorn socket
[Socket]
#ListenStream=/run/gunicorn/socket
ListenStream=/opt/zdsenv/bin/gunicorn.sock
ListenStream=0.0.0.0:9000
ListenStream=[::]:8000
[Install]
WantedBy=sockets.target
Configuration Solr
^^^^^^^^^^^^^^^^^^

La conf dans ``/etc/supervisor/conf.d/solr.conf`` permet de lancer Solr à l'aide de ``supervisorctl start solr`` et l'arrêter avec ``supervisorctl stop solr``.
La conf dans ``/etc/systemd/system/solr.service`` permet de lancer Solr à l'aide de ``systemctl start solr`` et l'arrêter avec ``systemctl stop solr``.

.. code:: text
[program:solr]
command=java -jar start.jar
autostart=true
autorestart=true
stderr_logfile=/opt/zdsenv/logs/solr.err.log
stdout_logfile=/opt/zdsenv/logs/solr.out.log
[Unit]
Description=SolR ZdS
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
PIDFile=/run/solrzds/pid
WorkingDirectory=/opt/zdsenv/apache-solr/example/
ExecStart=/usr/bin/java -jar start.jar
User=zds
Group=zds
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Munin
~~~~~
Expand Down
6 changes: 3 additions & 3 deletions scripts/deploy.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ cd /opt/zdsenv/ZesteDeSavoir/
# Maintenance mode
sudo rm /etc/nginx/sites-enabled/zestedesavoir
sudo ln -s /etc/nginx/sites-available/zds-maintenance /etc/nginx/sites-enabled/zds-maintenance
sudo service nginx reload
sudo systemctl reload nginx.service

# Delete old branch if exists
git checkout prod
Expand All @@ -57,12 +57,12 @@ python manage.py collectstatic --noinput --clear
deactivate

# Restart zds
sudo supervisorctl restart zds
sudo systemctl restart zds.{service,socket}

# Exit maintenance mode
sudo rm /etc/nginx/sites-enabled/zds-maintenance
sudo ln -s /etc/nginx/sites-available/zestedesavoir /etc/nginx/sites-enabled/zestedesavoir
sudo service nginx reload
sudo systemctl reload nginx.service

# Display current branch and commit
git status
Expand Down

0 comments on commit 23cd3a7

Please sign in to comment.