Could you please provide an example configuration for apache wsgi

Asked by Ronald van Engelen on 2008-05-29

We're running schooltool on a hardy webserver with apache2 on which we recently switched to using mod_wsgi for hosting our trac site.

Now it seems a good idea to use zope/schooltool's wsgi capabilities but I can't figure out how to do that.

Here is our current apache configuration:

<VirtualHost *:80>
    ServerName agenda.example.nl
    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:7080/++vh++https:agenda.example.nl:80/++/$1 [P]

    <Location />
        Order deny,allow
        Allow from all
    </Location>

</VirtualHost>

For trac I followed the guide on http://code.google.com/p/modwsgi/wiki/IntegrationWithTrac

For zope/schooltool I studied the following pages:
 * http://martinaspeli.net/articles/update-repoze-under-mod-wsgi-is-not-slow
 * http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives

Thanks,
Ronald

Question information

Language: English
Status: Answered
For: SchoolTool
Assignee: No assignee
Last query: 2008-05-30
Last reply: 2008-08-26
Tom Hoffman (tom-hoffman) said : #1

Hi Ronald,

We've discussed this ourselves, but I don't think anyone has tried it yet. We'll look into it...

Ignas Mikalajūnas (ignas) said : #2

Working on it, will add instructions in here, and add support in the next bugfix release.

Ignas Mikalajūnas (ignas) said : #3

Still working on it, so it's not "Answered" yet.

Ignas Mikalajūnas (ignas) said : #4

Ok, so apparently - even when I got a working configuration (I think it was good) I could not test it because schooltool is python2.4 only, and will not work with python2.5.

python2.4 is needed because schooltool depends on zope and zope depends on restrictedpython and restricted python has not been ported to python2.5 yet.

So unless you can get a mod_wsgi version that uses python2.4 working, which is kind of problematic, I am afraid you won't be able to run schooltool using mod_wsgi. At least until we get zope.pagetemplates that do not depend on restricted python, or restricted python that works on python2.5.

Ignas Mikalajūnas (ignas) said : #5

Added to apache config:

    WSGIDaemonProcess schooltool user=schooltool group=schooltool threads=1 maximum-requests=10000 processes=4 python-path=/usr/lib/python2.4/site-packages
    WSGIScriptAlias /schooltool /home/ignas/schooltool.wsgi

    <Directory /schooltool >

        WSGIProcessGroup schooltool
        WSGIApplicationGroup %{GLOBAL}

        WSGIPassAuthorization On

    </Directory>

with schooltool.wsgi looking like:

# we are using stdout when starting schooltool wsgi application, bad thing, we will stop doing that
import sys
sys.stdout = sys.stderr

from schooltool.paste.main import PasteSchoolToolPublisherApplication
application = PasteSchoolToolPublisherApplication("/etc/schooltool/schooltool-2008/main.conf")

got:

[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] mod_wsgi (pid=23729): Target WSGI script '/home/ignas/schooltool.wsgi' cannot be loaded as Python module.
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] mod_wsgi (pid=23729): Exception occurred processing WSGI script '/home/ignas/schooltool.wsgi'.
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] Traceback (most recent call last):
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/home/ignas/schooltool.wsgi", line 1, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from schooltool.paste.main import PasteSchoolToolPublisherApplication
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/schooltool/paste/main.py", line 28, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from schooltool.app.rest import RestPublicationRequestFactory
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/schooltool/app/rest/__init__.py", line 33, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from zope.app.pagetemplate.viewpagetemplatefile import ViewPageTemplateFile \\
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/zope/app/pagetemplate/__init__.py", line 20, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from zope.app.pagetemplate.viewpagetemplatefile import ViewPageTemplateFile
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/zope/app/pagetemplate/viewpagetemplatefile.py", line 22, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from zope.app.pagetemplate.engine import TrustedAppPT
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/zope/app/pagetemplate/engine.py", line 30, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] from zope.security.untrustedpython import rcompile
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] File "/usr/lib/python2.5/site-packages/zope/security/untrustedpython/rcompile.py", line 23, in <module>
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] import RestrictedPython.RCompile
[Thu May 29 17:30:46 2008] [error] [client 127.0.0.1] ImportError: No module named RestrictedPython.RCompile

in the error.log

Fixed /usr/lib/python2.5/site-packages/zope/app/pagetemplate/engine.py

commented out lines:

#from zope.security.untrustedpython import rcompile
#from zope.security.untrustedpython.builtins import SafeBuiltins

in /usr/lib/python2.5/site-packages/schooltool/app/interfaces.py commented out:

# RequiredMissing.__doc__ = _("""Required input is missing.""")

Still getting:

[Thu May 29 18:25:26 2008] [error] [client 127.0.0.1] IOError: [Errno 13] Permission denied: '/var/log/schooltool/schooltool-2008-error.log'

which means that apache is not running as root, it's running as www-data, so unless you can get apache to run as root - you can't get schooltool working (security reasons, allowing www-data to access schooltool's Data.fs with all the student data is not a very good idea ...)

Tom Hoffman (tom-hoffman) said : #6

Yes, but isn't running Apache as root an even bigger security problem?

Ignas Mikalajūnas (ignas) said : #7

It probably is, but mod-wsgi is not listing any other options.

Ronald, how are you setting your "trac" user and group, or is trac using www-data for all of its logs and databases?

Ronald van Engelen (ronalde) said : #8

The latter; www-data owns all trac db-directories and uses a postgres-useraccount to write to the actual db's.

The user (and --depending on the postgresql-configuration-- password) is specified in a trac-config file and www-data has to have access to that config file and thus to the db.

The same goes for all other web applications; in the end you'll have to give www-data rwx access to files which need to be written. You'll have to build security into the application or maybe use something like apparmor(?)..

Jason Straw (jasonstraw) said : #9

Tom, you must run apache as root. It cannot bind to port 80 otherwise.

Normally apache is set up to then change uid/gid to www-data (or nobody depending on distro) and continue running as non-root.

Ignas Mikalajūnas (ignas) said : #10

On Ubuntu apache does that, it starts as root, then runs its subprocesses using www-data. So if we want to support mod-wsgi with schooltool we must:

1. Get restricted python working on python 2.5 (patching some modules is possible, but not feasible).

2. We would have to run schooltool under www-data by default and change permissions on schooltool files to www-data.

If someone ports restricted-python to python2.5 (we are not going to do it ourselves), we will do part 2.

Tom Hoffman (tom-hoffman) said : #11

So basically, one would expand the attack area for schooltool by using Apache and wsgi, because if an attacker could crack something else running on Apache that gave them www-data, they'd be able to get SchoolTool data, whereas otherwise they'd have to crack the schooltool user (which is only used for schooltool)?

Ignas Mikalajūnas (ignas) said : #12

Ok, so schooltool now is python2.5 compatible, so if you really want to use mod_wsgi, you should be able to somehow set it so it would run under schooltool user, sorry don't know how at the moment, and have everything working...

Ignas Mikalajūnas (ignas) said : #13

Definitive instructions:

create schooltool.wsgi somewhere on the system:

import sys
sys.stdout = sys.stderr

from schooltool.paste.main import PasteSchoolToolPublisherApplication
application = PasteSchoolToolPublisherApplication("/etc/schooltool/schooltool-2008/main.conf")

Put this in your apache config:

    WSGIDaemonProcess schooltool user=schooltool group=schooltool maximum-requests=10000 python-path=/usr/lib/python2.5/site-packages
    WSGIProcessGroup schooltool
    WSGIScriptAlias /schooltool /home/ignas/schooltool.wsgi

    <Directory /schooltool >

        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
        WSGIPassAuthorization On

    </Directory>

(change the path to point to the right schooltool.wsgi)

Problems - error messages will not appear because of a nasty Zope3 on python2.5 bug... but hopefully you should not get any errors ;)
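A preflight check, added here as an example and not part of the thread or of SchoolTool, that a schooltool.wsgi script could run before the SchoolTool import to confirm the layout the thread settled on: the daemon process runs as the schooltool user named in WSGIDaemonProcess, and the log directory and Data.fs are owned by that user and closed to www-data. It is written for current Python 3; the path /var/lib/schooltool/Data.fs is a hypothetical placeholder, since the thread only names /var/log/schooltool/.

```python
import os
import pwd
import stat

# Hypothetical paths; the thread only names /var/log/schooltool/ itself.
EXPECTED_USER = "schooltool"   # the user= value from WSGIDaemonProcess
PRIVATE_PATHS = ["/var/log/schooltool", "/var/lib/schooltool/Data.fs"]
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def user_name(uid):
    """Map a uid to a login name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def check_process_user(expected_user):
    """None if this process runs as expected_user, else a problem string."""
    actual = user_name(os.geteuid())
    if actual == expected_user:
        return None
    return "process runs as %r, expected %r (WSGIDaemonProcess user=)" % (
        actual, expected_user)

def check_private_path(path, expected_user, need_write=True):
    """Problems for one path: must exist, be owned by expected_user, grant
    no group/other access, and (if need_write) be writable by this process."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    problems = []
    owner = user_name(st.st_uid)
    if owner != expected_user:
        problems.append("%s: owned by %r, expected %r" % (path, owner, expected_user))
    if st.st_mode & GROUP_OTHER_BITS:
        problems.append("%s: mode %o grants access to group/others"
                        % (path, stat.S_IMODE(st.st_mode)))
    if need_write and not os.access(path, os.W_OK):
        problems.append("%s: not writable by the daemon user" % path)
    return problems

def preflight(expected_user=EXPECTED_USER, paths=PRIVATE_PATHS):
    """All problems found; call in schooltool.wsgi before the import and raise
    on a non-empty result so the failure reaches Apache's error log."""
    problems = [p for p in [check_process_user(expected_user)] if p]
    for path in paths:
        problems.extend(check_private_path(path, expected_user))
    return problems
```

Raising on a non-empty result from the .wsgi file puts the cause (wrong user, open permissions, or the Errno 13 on the log directory seen in #5) into Apache's error log instead of losing it.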
