1. OIS Progress on Drupal pilot service ENTICE meeting, 30 th September 2010 Jarosław (Jarek) Polok IT-OIS Operating systems and Internet services

2. OIS Drupal pilot service @ CERN ● Multiple components to be integrated: ● Drupal CMS – Plus add-on modules, preset theme, etc... ● Back-end database(s) – MySQL (in pilot) ● Front-end web server(s) – Apache (in pilot: modified) ● PHP interpreter – Different version required (5.2 vs. 5.1) ● Single Sign-On system ● Operating system ● (Automated) management and monitoring of all the above...

3. OIS Service components ● Drupal CMS and add-ons ● Drupal 6 now (6.19 as of September) ● CernMods – an additional integration module has been implemented (very preliminary version). ● Shib_Auth – has been (a little bit) modified. ● Modules requested by ENTICE have been added to the default installation. ● Installation profile has been developed to accommodate requested presets (very preliminary version). ● Automated installation method has been prepared. ● Back-end database ● 'out-of-the-box' MySQL 5.0.77

4. OIS Service components ● Web front-end – Apache 2.2.3 ● Modified for this service to increase security: – full isolation between Virtual Hosts (sites) running on shared Drupal code base: ● mpm-itk worker - runs each site as a separate system user. ● mod_chroot - prevents web site code to have access to the operating system outside of drupal installation directory. ● SELinux – controls what web server processes are allowed to access. – We aim at a setup very similar to what ISP drupal providers can offer. ● NOTE: increased drupal sites security may prevent correct functioning of some (not well implemented) third-party drupal modules – if you observe such misbehavior, please let us know and we will find a solution/workaround.

5. OIS Service components ● PHP interpreter ● v. 5.2.10 (vs 5.1.6) – all additional modules (alike APC cache) need to be rebuilt for this version. ● Single Sign-On ● 'out-of-the-box' Shibboleth 2.3 we provide already. ● Operating system ● Standard SLC5 / x86_64 – But due to all modifications mentioned previously it cannot be managed using standard CERN Computer Center management tools for now...

6. OIS Service components ● Monitoring ● Only basic operating system health monitoring for now... – MySQL / Apache / Drupal specific monitoring components are to be developed in the future. ● (Automated) management ● Basic operations automated for now... – Site creation / Database allocation / DNS configuration / Single SignOn setup ● Backups ● Automated using TSM plus custom scripts for drupal – But restores are manual (and complicated) process...

7. OIS Current status of components ● Pilot service infrastructure ● Database(s) – MySQL database main server – prepared. ● Performance tuning – to be investigated. – MySQL database replication server - in progress. ● Web server(s) – Shared web front-end server – prepared. ● Performance tuning – investigation started. – Dedicated web front-end servers – in progress. ● Fail-over/automated recovery strategy – investigation started. ● Integration with CERN web services - started.

8. OIS Current status of components ● Single SignOn (SSO) ● Initial integration – implemented. – Needs more work on CernMods module ● A 'chicken-and-egg' problem: new user appears in drupal site only after he/she signed-in for the first time, therefore a specific role cannot be assigned to this user before that happens... (but: see e-groups) ● E-groups ● E-groups are exposed in SSO therefore can already be used to assign drupal roles. ● Pre-installed drupal themes and modules ● CERN default theme (Thanks Dan!) plus few others ● ENTICE requested modules (except apache_solr, poormanscron).

9. OIS How to request a new site ● Manual process for now, to be automated in the future: – Send your request to drupal-request@cern.ch, with following details: ● Desired SITENAME (must be available...) ● Administrator Login, Firstname and Surname – All sites are created in *.web.cern.ch sub-domain and can be accessed via: ● http://cern.ch/SITENAME ● http://SITENAME.web.cern.ch/ – Administrator MUST be a real person (only a primary account can be used) ● Allow up to 8 (working) hours for site creation.

10. OIS Few details about your (future) site ● No local site accounts. ● Anonymous access via http:// ● Authenticated access via https:// with SSO ● Authenticated access to site modules/themes and files via webdavs (https) on port 444 from CERN network only and for site admin only – This cannot be delegated to other users for now. ● Pre-installed with CERN Default theme and some modules already enabled. – Work in progress, expect changes !

11. OIS Are we open for business ? ● Well - yes, but please remember: ● This is a pilot service – No guarantees concerning: ● Availability ● Performance ● Scalability ● Functionality ● Help and support outside working hours. ●... ● DO NOT HOST YOUR PRODUCTION SITE USING THIS PILOT SERVICE, unless you can assume the above...

12. OIS Towards a production service. ● Some important decisions shall be made before we start developing the pilot further ● Drupal 6 or Drupal 7 ? – Part of current work on pre-installed defaults for Drupal 6 will not be needed for 7... ● MySQL or Oracle ? – All work on backups/restores/performance/scalability and handling of DB back-end may need to be redone depending on the decision... ● Current resources on our (IT/OIS) side are very limited: ● New developer(s) will start working on this project only in Q1/Q2 2011. ●

13. OIS Questions ?