Managing the production server

Caleb Sander edited this page Feb 19, 2020 · 20 revisions

Where is the production code?

It's in /home/ascit/donut, which is cloned from this repository. There are some secret configuration files that must also be present for the app to run; they should be the same as in the development clones of the repository:

  • donut/config.py: has configuration information for the dev and prod environments, e.g. database logins
  • calendar.json: has authorization information for the Google Calendar API

Apache

The production server (at http://35.162.204.135) uses Apache and mod_wsgi to run the Flask app. The Apache configuration is in /etc/apache2/sites-available/000-default.conf and the mod_wsgi configuration is /home/ascit/donut/donut.wsgi. To reload these configurations, run sudo service apache2 restart.

Logs

The Flask (Apache) logs are written to /var/log/apache2/access.log. Apache and mod_wsgi error logs are written to /var/log/apache2/error.log.

Database

The production MariaDB database is donut. See donut/config.py for the username and password.

virtualenv

The production server uses the virtualenv in /home/ascit/virtualenvs/donut-py3. To update the pip modules, activate the virtualenv by running . /home/ascit/virtualenvs/donut-py3/bin/activate in a shell and then run make update-packages in the production code directory.

HTTPS

After years of sending plaintext passwords on legacy Donut, we finally have encryption! We are using Let's Encrypt to get those sweet sweet HTTPS certificates for free. HTTPS was set up initially with this command, which obtained a cert and reconfigured Apache automatically:

sudo certbot --apache -d beta.donut.caltech.edu -m [email protected] --agree-tos

The certificates are installed in /etc/letsencrypt and the Apache HTTPS config is at /etc/apache2/sites-available/000-default-le-ssl.conf. The certificate expires every 3 months, and the following command is set up as a cron job to renew it:

sudo certbot renew --post-hook 'service apache2 restart'

We should probably register it with a different email address when I'm no longer on devteam just in case the renewal script fails.
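
A check for the case raised above, where the renewal cron job fails without anyone noticing. This is an added example, not part of the original wiki or the Donut code base, and is meant to run from a machine other than the production server. The hostname is the one from the certbot command; the thresholds and function names are assumptions.

```python
import socket
import ssl
import sys
import time

HOST = "beta.donut.caltech.edu"  # hostname from the certbot command on this page
# Assumption: certbot normally renews about 30 days before expiry, so a cert
# with fewer than 20 days left means renewals have been failing for a while.
WARN_DAYS = 20
CRIT_DAYS = 7  # assumption: arbitrary "act now" threshold


def days_left(not_after, now=None):
    """Days until a notAfter string in the format getpeercert() returns."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(days):
    if days < CRIT_DAYS:
        return "CRITICAL"
    if days < WARN_DAYS:
        return "WARNING"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Do a fully verified TLS handshake and return the leaf cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host, fetch=fetch_not_after):
    try:
        not_after = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise invalid) cert fails the handshake,
        # so it never reaches the days_left() calculation below.
        return "CRITICAL", f"certificate rejected: {exc}"
    except OSError as exc:
        return "CRITICAL", f"cannot connect: {exc}"
    days = days_left(not_after)
    return classify(days), f"expires {not_after} ({days:.0f} days left)"


if __name__ == "__main__":
    status, detail = check(HOST)
    print(f"{status}: {HOST}: {detail}")
    sys.exit(0 if status == "OK" else 1)
```

The script exits non-zero on WARNING or CRITICAL, so it can be run from any scheduler that reports failed jobs.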