OrderPortal - nsc-norway/system GitHub Wiki
Install httpd and mod_ssl:

```sh
yum install httpd mod_ssl
```

Configure httpd: create a config file in /etc/httpd/conf.d/portal.conf:
```apache
# Configuration for NSC deployment of SciLife's order portal
<VirtualHost portal.sequencing.uio.no:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateKeyFile /etc/pki/tls/private/portal.sequencing.uio.no.key
    SSLCertificateFile /etc/pki/tls/portal_sequencing_uio_no_916096/portal_sequencing_uio_no.crt
    SSLCertificateChainFile /etc/pki/tls/portal_sequencing_uio_no_916096/DigiCertCA.crt
    ProxyPass / http://localhost:8882/
    ProxyPassReverse / http://localhost:8882/
</VirtualHost>
<VirtualHost portal.sequencing.uio.no:80>
    Redirect / https://portal.sequencing.uio.no/
</VirtualHost>
```
Also install the private key and certificates referenced in this config file (for a new server, the certificate has to be requested from a certification authority).
Start the server and enable it on boot:

```sh
sudo systemctl start httpd
sudo systemctl enable httpd
```

Confirm that the server answers with an HTTP 503 (expected until tornado is running):

```sh
curl https://portal.sequencing.uio.no
```

The point is that it responds to requests with a valid SSL certificate.

The http proxy also needs a SELinux exception to be allowed to make connections to tornado:

```sh
setsebool -P httpd_can_network_connect 1
```
Enable the repo and install: http://docs.couchdb.org/en/latest/install/unix.html#installation-using-the-apache-couchdb-convenience-binary-packages. On RHEL7, the string $releasever must be replaced by 7, because the package is designed for CentOS.

```sh
yum install couchdb
```

Follow the initial setup instructions. To access the web interface, use ssh port forwarding:

```sh
ssh -L5984:localhost:5984 portal.sequencing.uio.no
```

Migrate the database in. When moving to RHEL 7 this was done using `/opt/couchdb/bin/couchup`.
In the UI, after setup, create a user for the portal application:

- Enter the `_users` database and create a document (!). This will create a user called "portal":

```json
{
  "_id": "org.couchdb.user:portal",
  "name": "portal",
  "type": "user",
  "roles": [],
  "password": "xxxxx"
}
```
Enable auto-start of CouchDB:

```sh
sudo systemctl enable couchdb
```

Create the base directory:

```sh
mkdir /opt/nsc
```

Check out the OrderPortal repo here; it acts as the installed application. Also create the site directory, which holds our local modifications and settings. It will probably never have to be remade, just copied from the previous server or a backup.
```
[paalmbj@portal ~]$ ls -la /opt/nsc/
total 20
drwxrwxr-x. 4 root    nsc-ous-admin  101 Aug 22 16:05 .
drwxr-xr-x. 7 root    root            70 Aug 22 14:52 ..
drwxr-xr-x. 4 paalmbj paalmbj       4096 Aug 22 15:24 OrderPortal
drwxr-xr-x. 2 paalmbj paalmbj       4096 Aug 22 15:24 portal-site-nsc
-rwxrwxr-x. 1 paalmbj paalmbj        193 Apr  7  2016 run_debug.sh
-rwxrwxr-x. 1 paalmbj paalmbj        211 Apr  7  2016 run_messenger.sh
-rwxrwxr-x. 1 paalmbj paalmbj        209 Apr  7  2016 run.sh
```
At any time, the application can be invoked manually to test whether it is ready. The file `run.sh` can be used to start it:

```sh
#!/bin/sh
export PYTHONPATH=/opt/nsc/OrderPortal
cd /opt/nsc/OrderPortal/orderportal
python /opt/nsc/OrderPortal/orderportal/app_orderportal.py -s /opt/nsc/portal-site-nsc/settings.yaml
```
Yum packages:

- python-tornado
- PyYAML

Pip packages: first install pip:

```sh
sudo yum install python-pip
```

Installing with pip worked without a proxy at the time of installation; perhaps the server had been taken out of the firewall zone. Inside the DMZ, pip packages have to be installed through the proxy:

```sh
pip install --proxy http://updateproxy.uio.no:3128 <package>
```

Packages installed from pip:

- CouchDB
- openpyxl
The portal should now start using the `run.sh` shown above.
```sh
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-service=https
```

The tornado server should only operate locally, and we rely on the `iptables` firewall (managed by `firewall-cmd`) to block access. It is then up to Apache httpd to wrap it in SSL and serve it on the standard port 443. It may be useful to test the tornado server directly though; use this:

```sh
sudo firewall-cmd --add-port=8882/tcp # Temporary, reboot to clear
```

Then go to http://portal.sequencing.uio.no:8882
The tornado server could run as a new user called tornado. Step 1 is to create a system user:

```sh
sudo useradd -r tornado
```
In general, the code and files in /opt/nsc are not confidential and could be world-readable. Tornado does not need to write to any of the files, only to the database. The one exception is the file containing the database password and other secrets. Ideally this file would be readable only by the tornado group and writable by the admins; since that is not easy to arrange, we use sudo to edit it instead.

```sh
sudo chmod 660 /opt/nsc/portal-site-nsc/settings.yaml
sudo chown tornado:tornado /opt/nsc/portal-site-nsc/settings.yaml
```

Beware of hidden swap files left over by e.g. vim when editing this file.
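The firewall step and the permissions step above are the two places where this deployment can quietly end up exposed: the temporary `--add-port=8882/tcp` may be forgotten, and `settings.yaml` (or an editor's swap file beside it) may be left readable. The script below is an added example, not part of this wiki page or of the OrderPortal project, that checks both. The path `/opt/nsc/portal-site-nsc/settings.yaml`, the port 8882 and the `tornado` user come from the page; the script name `portal_check.sh`, the function names and the use of `firewall-cmd --list-ports` and `ss -ltn` as inputs are my assumptions.

```sh
#!/bin/sh
# portal_check.sh: added post-install check for the deployment described on
# this page. It is not part of the nsc-norway/system wiki or of OrderPortal;
# paths, port and user name are taken from the page, everything else is assumed.

SECRETS=/opt/nsc/portal-site-nsc/settings.yaml   # holds the CouchDB password
TORNADO_PORT=8882                                # tornado's local port

# 1. The secrets file must not be readable by "other" and should be owned by
#    the service account (the page's chmod 660 / chown tornado:tornado).
#    Arguments: file, expected owner (user name or uid). Returns 1 with a
#    reason on stdout for any problem.
check_secrets_file() {
    f=$1; expected_uid=$(id -u "$2")
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f")            # octal mode, e.g. 660
    case "$mode" in
        *0) ;;                         # last digit 0: no permissions for "other"
        *) echo "world-accessible (mode $mode): $f"; return 1 ;;
    esac
    owner_uid=$(stat -c %u "$f")
    [ "$owner_uid" = "$expected_uid" ] || { echo "owner uid is $owner_uid, expected $expected_uid: $f"; return 1; }
    return 0
}

# 2. Editors leave swap, backup and undo files next to the file they edit
#    (.settings.yaml.swp, settings.yaml~, ...). They contain the same secrets
#    but are created with the editor's default permissions.
check_editor_leftovers() {
    dir=$(dirname "$1"); base=$(basename "$1")
    found=0
    for leftover in "$dir/.$base.swp" "$dir/.$base.swo" "$dir/$base~" "$dir/.$base.un~"; do
        if [ -e "$leftover" ]; then
            echo "editor leftover may expose secrets: $leftover"
            found=1
        fi
    done
    return $found
}

# 3. Tornado should only be reachable through the Apache proxy. Takes the
#    output of `firewall-cmd --list-ports` and fails if the temporary
#    --add-port=8882/tcp from the testing step is still in effect.
check_firewall_ports() {
    for p in $1; do
        if [ "$p" = "$TORNADO_PORT/tcp" ]; then
            echo "tornado port open in firewalld: $p"
            return 1
        fi
    done
    return 0
}

# 4. Same question at the socket level. Takes `ss -ltn` output and reports
#    if the tornado port listens on anything but loopback, in which case the
#    firewall rule is the only thing keeping it off the network.
check_listen_address() {
    printf '%s\n' "$1" | awk -v port="$TORNADO_PORT" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print "tornado listening on non-loopback address " $4
                bad = 1
            }
        }
        END { exit bad }'
}

# Runs all four checks against the live system; exit status 1 if any failed.
run_all() {
    rc=0
    check_secrets_file "$SECRETS" tornado || rc=1
    check_editor_leftovers "$SECRETS" || rc=1
    check_firewall_ports "$(firewall-cmd --list-ports 2>/dev/null)" || rc=1
    check_listen_address "$(ss -ltn 2>/dev/null)" || rc=1
    return $rc
}

# Live checks run only when invoked as: sudo sh portal_check.sh --run
case "${1:-}" in
    --run) run_all ;;
esac
```

Run it as root after every edit of `settings.yaml` and after testing tornado directly; a non-zero exit status means one of the four checks printed a reason. The socket check is informational for this setup (tornado is expected to bind all interfaces and be shielded by the firewall), but it makes that dependency visible.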
Supervisor can be used to launch the tornado server on boot. First install it:

```sh
sudo yum install supervisor
```

The following job definition can be added to /etc/supervisord.conf to start tornado:

```ini
[program:portal]
user=tornado
command=/opt/nsc/run.sh
autostart=true
autorestart=false
log_stdout=true
log_stderr=true
logfile=/var/log/portal.log
```
The log file may need to be writable by the tornado user; this was never checked properly.

The next step is to confirm that everything starts on reboot.

The first line of troubleshooting may be these commands (in no particular order):

```sh
sudo supervisorctl status
sudo -u tornado /opt/nsc/run.sh
curl http://portal.sequencing.uio.no:8882
```

and the configured portal log, /var/log/portal.log.
The notes above are from the migration to RHEL7, where some files could simply be copied over. The following describes how to set up the portal settings, but it is unfortunately out of date.

Needed files:

- Code: git repo
- Config file: settings.yaml
- Site files: misc. yaml files
- Client-side dependencies: jquery-ui, jQuery, etc. See email from Per; stored in /orderportal/static/

Initialise the database:

```sh
python /var/portal/OrderPortal/orderportal/scripts/init_database.py -s /var/portal/settings.yaml
```