diff --git a/doc/source/install/deploy-in-production.rst b/doc/source/install/deploy-in-production.rst index fccbcb8eb0..49683878f3 100644 --- a/doc/source/install/deploy-in-production.rst +++ b/doc/source/install/deploy-in-production.rst @@ -13,7 +13,7 @@ Paramètres généraux +------------------------+----------------------------+ | Paramètre | Valeur | +========================+============================+ -| OS | Linux, Debian 7 "Wheezy" | +| OS | Linux, Debian 8 "Jessie" | +------------------------+----------------------------+ | Serveurs web | Nginx | +------------------------+----------------------------+ @@ -21,7 +21,7 @@ Paramètres généraux +------------------------+----------------------------+ | SGBD | MySQL | +------------------------+----------------------------+ -| Contrôle des process | Supervisor | +| Contrôle des process | systemd | +------------------------+----------------------------+ | Surveillance | Munin | +------------------------+----------------------------+ @@ -34,9 +34,9 @@ Paramètres spécifiques +================+=============================+=============================+ | Nom | beta.zestedesavoir.com | zestedesavoir.com | +----------------+-----------------------------+-----------------------------+ -| IPv4 | ``46.105.246.77`` | ``176.31.187.88`` | +| IPv4 | ``46.105.246.77`` | ``149.202.54.142`` | +----------------+-----------------------------+-----------------------------+ -| IPv6 | x | ``2001:41d0:52:100::b4f`` | +| IPv6 | x | Pas encore disponible… | +----------------+-----------------------------+-----------------------------+ | Identifiant | *Demande privée* | *Demande privée* | +----------------+-----------------------------+-----------------------------+ @@ -108,39 +108,20 @@ Gunicorn Installer Gunicorn dans le virtualenv. -Dans ``/opt/zdsenv/unicorn_start`` : +Dans ``/opt/zdsenv/gunicorn_config.py`` : -.. code:: bash - - #!/bin/bash - - NAME="ZesteDeSavoir" - DJANGODIR=/opt/zdsenv/ZesteDeSavoir/ - SOCKFILE=/opt/zdsenv/bin/gunicorn.sock - USER=zds - GROUP=root - NUM_WORKERS=7 # how many worker processes - DJANGO_SETTINGS_MODULE=zds.settings # django settings file - DJANGO_WSGI_MODULE=zds.wsgi # WSGI modul - - echo "Starting $NAME" - - # Activate the virtual environment - cd $DJANGODIR - source ../bin/activate - export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE - export PYTHONPATH=$DJANGODIR:$PYTHONPATH +.. code:: python - RUNDIR=$(dirname $SOCKFILE) - test -d $RUNDIR || mkdir -p $RUNDIR + command = '/opt/zdsenv/bin/gunicorn' + pythonpath = '/opt/zdsenv/ZesteDeSavoir' + bind = 'unix:/opt/zdsenv/bin/gunicorn.sock' + workers = 7 + user = 'zds' + group = 'zds' + errorlog = '/opt/zdsenv/logs/gunicorn_error.log' + loglevel = 'info' + pid = '/opt/zdsenv/gunicorn.pid' - exec ../bin/gunicorn ${DJANGO_WSGI_MODULE}:application \ - --name $NAME \ - --workers $NUM_WORKERS \ - --user=$USER --group=$GROUP \ - --log-level=debug \ - --timeout=300 \ - --bind=unix:$SOCKFILE Nginx ~~~~~ @@ -150,23 +131,42 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest .. code:: text upstream zdsappserver { - server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0; + server unix:/opt/zdsenv/bin/gunicorn.sock fail_timeout=0; } server { + listen [::]:80; + listen [::]:443; + listen 80; + listen 443 ssl; + ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; + ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; + # ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem; + # ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key; + ssl_session_timeout 1d; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:50m; + ssl_dhparam /etc/nginx/dhparam.pem; + server_name www.zestedesavoir.com; - rewrite ^(.*) http://zestedesavoir.com$1 permanent; + rewrite ^(.*) $scheme://zestedesavoir.com$1 permanent; } server { listen [::]:80 ipv6only=on; listen [::]:443 ssl ipv6only=on; listen 80; listen 443 ssl; - ssl_certificate /etc/ssl/certs/zds/ssl.crt; - ssl_certificate_key /etc/ssl/certs/zds/ssl.key; + ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; + ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; + # ssl_certificate /etc/ssl/certs/zds/selfgenerated.pem; + # ssl_certificate_key /etc/ssl/certs/zds/selfgenerated.key; + ssl_session_timeout 1d; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; - ssl_session_cache builtin; + ssl_session_cache shared:SSL:50m; + ssl_dhparam /etc/nginx/dhparam.pem; server_name zestedesavoir.com; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; @@ -177,12 +177,16 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest location /author-files/ { index index.html index.php; alias /home/zds/tutos_sdzv3/script/; - include php.fast.conf; + #include php.fast.conf; } location = /robots.txt { alias /opt/zdsenv/ZesteDeSavoir/robots.txt; } + # Gandi + location = /D6BA7D30872A8A72ED225D5601248024.txt { + alias /opt/zdsenv/ZesteDeSavoir/D6BA7D30872A8A72ED225D5601248024.txt; + } location /static/ { alias /opt/zdsenv/ZesteDeSavoir/static/; @@ -200,10 +204,12 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest location / { if ($uri !~ \. ){ - rewrite ^(.*[^/])$ $1/ permanent; - } + rewrite ^(.*[^/])$ $1/ permanent; + } rewrite ^/teasing/$ / permanent; client_max_body_size 100M; + sendfile on; + keepalive_timeout 0; proxy_read_timeout 1000s; proxy_connect_timeout 1000s; proxy_redirect off; @@ -213,19 +219,23 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest proxy_set_header X-Forwarded-Proto $scheme; add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"'; - add_header Strict-Transport-Security max-age=500; + add_header Strict-Transport-Security max-age=15768000; add_header Access-Control-Allow-Origin *; add_header X-Clacks-Overhead "GNU Terry Pratchett"; - if (!-f $request_filename) { + + if (!-f $request_filename) { proxy_pass http://zdsappserver; break; } } # Error pages - error_page 500 502 503 504 /500.html; - location = /500.html { - root /opt/zdsenv/ZesteDeSavoir/templates/; + error_page 500 502 503 504 /errors/500.html; + #location = /500.html { + # root /opt/zdsenv/ZesteDeSavoir/templates/; + #} + location /errors/ { + alias /opt/zdsenv/ZesteDeSavoir/errors/; } @@ -353,7 +363,7 @@ Installer nginx. Sous Debian, la configuration est splittée par site. Pour Zest } server{ - server_name uploads.beta.zestedesavoir.com; + server_name uploads.zestedesavoir.com; root /home/zds/tutos_sdzv3/images_distantes; index index.html index.htm; } @@ -368,9 +378,9 @@ La configuration de la page de maintenance, quant à elle, se fait dans ``/etc/n listen [::]:443 ssl ipv6only=on; listen 80; listen 443 ssl; - ssl_certificate /etc/ssl/certs/beta_zds/ssl.crt; - ssl_certificate_key /etc/ssl/certs/beta_zds/ssl.key; - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_certificate /etc/ssl/certs/zds/ssl_2015_unified.crt; + ssl_certificate_key /etc/ssl/certs/zds/ssl_2015.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; server_name zestedesavoir.com www.zestedesavoir.com; @@ -412,29 +422,67 @@ Créer deux configurations : Configuration ZdS ^^^^^^^^^^^^^^^^^ -La conf dans ``/etc/supervisor/conf.d/zds.conf`` permet de lancer Solr à l'aide de ``supervisorctl start zds`` et l'arrêter avec ``supervisorctl stop zds``. +Les confs dans ``/etc/systemd/system/zds.service`` et ``/etc/systemd/system/zds.socket`` permet de lancer le serveur applicatif de Zeste de Savoir (Gunicorn) à l'aide de ``systemctl start zds.{service,socket}`` et l'arrêter avec ``systemctl stop zds.{service,socket}``. .. code:: text - [program:zds] - command = /opt/zdsenv/unicorn_start ; - user = zds ; - stdout_logfile = /opt/zdsenv/logs/gunicorn_supervisor.log ; - redirect_stderr = true ; + [Unit] + Description=Zeste de Savoir + Requires=zds.socket + After=network.target + + [Service] + PIDFile=/run/gunicorn/pid + User=zds + Group=zds + WorkingDirectory=/opt/zdsenv + # ExecStart=/opt/zdsenv/bin/gunicorn --pid /run/gunicorn/pid -c /opt/zdsenv/gunicorn_config.py zds.wsgi + ExecStart=/opt/zdsenv/bin/gunicorn -c /opt/zdsenv/gunicorn_config.py zds.wsgi + ExecReload=/bin/kill -s HUP $MAINPID + ExecStop=/bin/kill -s TERM $MAINPID + PrivateTmp=true + + [Install] + WantedBy=multi-user.target + + +.. code:: text + + [Unit] + Description=ZdS Gunicorn socket + + [Socket] + #ListenStream=/run/gunicorn/socket + ListenStream=/opt/zdsenv/bin/gunicorn.sock + ListenStream=0.0.0.0:9000 + ListenStream=[::]:8000 + + [Install] + WantedBy=sockets.target Configuration Solr ^^^^^^^^^^^^^^^^^^ -La conf dans ``/etc/supervisor/conf.d/solr.conf`` permet de lancer Solr à l'aide de ``supervisorctl start solr`` et l'arrêter avec ``supervisorctl stop solr``. +La conf dans ``/etc/systemd/system/solr.service`` permet de lancer Solr à l'aide de ``systemctl start solr`` et l'arrêter avec ``systemctl stop solr``. .. code:: text - [program:solr] - command=java -jar start.jar - autostart=true - autorestart=true - stderr_logfile=/opt/zdsenv/logs/solr.err.log - stdout_logfile=/opt/zdsenv/logs/solr.out.log + [Unit] + Description=SolR ZdS + After=syslog.target network.target remote-fs.target nss-lookup.target + + [Service] + PIDFile=/run/solrzds/pid + WorkingDirectory=/opt/zdsenv/apache-solr/example/ + ExecStart=/usr/bin/java -jar start.jar + User=zds + Group=zds + ExecReload=/bin/kill -s HUP $MAINPID + ExecStop=/bin/kill -s QUIT $MAINPID + PrivateTmp=true + + [Install] + WantedBy=multi-user.target Munin ~~~~~ diff --git a/requirements.txt b/requirements.txt index cf1bd838fa..de96f110d7 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ pygments==2.0.2 python-social-auth==0.2.9 # Explicit dependencies (references in code) -django==1.7.9 +django==1.7.10 coverage==3.7.1 django-crispy-forms==1.4.0 django-haystack==2.3.1 diff --git a/scripts/deploy.sh b/scripts/deploy.sh index bb3df16908..7bf1dcde86 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -31,7 +31,7 @@ cd /opt/zdsenv/ZesteDeSavoir/ # Maintenance mode sudo rm /etc/nginx/sites-enabled/zestedesavoir sudo ln -s /etc/nginx/sites-available/zds-maintenance /etc/nginx/sites-enabled/zds-maintenance -sudo service nginx reload +sudo systemctl reload nginx.service # Delete old branch if exists git checkout prod @@ -57,12 +57,12 @@ python manage.py collectstatic --noinput --clear deactivate # Restart zds -sudo supervisorctl restart zds +sudo systemctl restart zds.{service,socket} # Exit maintenance mode sudo rm /etc/nginx/sites-enabled/zds-maintenance sudo ln -s /etc/nginx/sites-available/zestedesavoir /etc/nginx/sites-enabled/zestedesavoir -sudo service nginx reload +sudo systemctl reload nginx.service # Display current branch and commit git status diff --git a/templates/tutorial/includes/tutorial_item.part.html b/templates/tutorial/includes/tutorial_item.part.html index b43ce7cecf..ec00dc8ab9 100644 --- a/templates/tutorial/includes/tutorial_item.part.html +++ b/templates/tutorial/includes/tutorial_item.part.html @@ -24,8 +24,8 @@ {% endcaptureas %} {% captureas tutorial_state %} - {% if tutorial.pubdate %} - {% trans "Publié" %} {{ tutorial.pubdate|format_date }} + {% if tutorial.on_line %} + {% trans "Publié" %} {% if tutorial.pubdate %}{{ tutorial.pubdate|format_date }}{% endif %} {% else %} {% trans "En rédaction" %} {% endif %}