Mateusz's picture

Hi,

I installed new Magento image with Magento 2.2.5 and php 7.0, adminer, webmin. Evertyhing its ok. But my attetion is:

LOW:

- On the end turnkey installation in the summary admin panel is "domain/admin" but admin panel is generated on the another site for example in env.xml 'frontName' => 'admin_XXXXX'

 

HIGH:

- Installator use Apache web server and use www-data user which is owner Magento directory path /var/www/magento. Magento is application which should use own shell user which for example must use Composer to deploy plugin etc. The composer can not be used as root and www-data is no shell user. After installation, there is also work related to the addition and configuration of a new user.

PROPOSE:

- Change apache for nginx

- Install varnish

- Install redis

 

Best Regards

 

Forum: 
Tags: 
Jeremy Davis's picture

Thanks for your feedback on our Magento appliance. We really appreciate and always try to take stuff on board. Having said that, we have a huge array of users with different desires, needs and preferences. So "getting it right" by everyone's standards, is near impossible. I'll try to respond to your points in order:

Note re the admin URL: Thanks for that. I recall noticing that the admin URL used a random string when I did testing, but I didn't note it at the time. My bad! Also, I'm not sure if that's setup on install, or on launch. If it's on install, then perhaps we should ideally be regenerating it on firstboot (and display it on the confconsole). Regardless, we shoudl document it for now. I've opened a new issue.

Composer running as root: Thank you for raising this. As far as I understood it, the biggest issue with using composer as the root user is that it will affect the file permissions (stuff will be owned by root, rather than www-data). That may have implications for the webapp itself and could potentially cause issues.

However, a quick read here actually alerted me to the real potential security issues! I was aware that there had been noises about security concerns, but I was under the impression that that was the usual "Ubuntu user" type noise about "shouldn't ever run as root" and the only real world issue was permissions. It seems I was wrong!

I have opened an issue for this too. At the very least we should clearly document how to use the www-data user somewhere obvious. But we should also consider your suggestion of adding a "composer" user (member of the www-data group).

Even though www-data user does not have a shell by default, that doesn't mean that you can't run as that user with a shell! So to open a shell session as the www-data user, try this:

su - -c /bin/sh www-data
su - www-data -c /bin/sh

Then you're running as the user: www-data! :)

Re your proposals. I quite like Nginx and I know that it is hugely popular, but we do have reasons why we don't use it by default. First thing worth noting is that it's actually only better at serving static content, it actually can't serve dynamic content. So for a PHP web app such as Magento you have to run a separate PHP processor (usually PHP-FPM). Now that PHP7 has implemented many of the improvements that PHP-FPM provided, you should find that Apache using mod_php should actually be able to process PHP faster! Admittedly, any advantage in PHP processing is often lost several times over because of the resource overhead of mod_php being loading into memory when serving static content, so in the real world, it's rare to see significant improvement, but it's worth mentioning.

Apache also has a range of module and plugins which makes it very flexible. Most of them are packaged for Debian, so we can leverage the auto security updates. It also has fantastic documentation and a Webmin module that makes it quite newb friendly. It also has support for .htaccess files which Nginx is missing. Whilst that doesn't necessarily have any direct impact for Magento or other projects which don't rely on .htaccess files, we do have PHP apps in the library which do. So to be able to use Apache as a common component with decent default config reduces our maintenance overheads.

Your suggestion for Varnish is a good one. Again, I've opened an issue for that. The interesting thing about that is that it caches the static content, so likely would boost Apache performance much more that Nginx, although again real world results would depend on your specific use case.

Redis I'm not so familiar with personally. I'm sure it provides advantages and we probably should consider including it with some apps. In the near future, we'll likely provide a standalone Redis server. Whether we'd move to pre-integrate it with other appliances, I'm not sure.

Thanks again for sharing your thoughts. We really appreciate it and I hope to at least include documentation for usage of composer and note the Magento admin url.

Good luck with it all and please feel free to share any more thoughts you have.

Mateusz's picture

Hi,


Many thanks for your response and thanks for taking my comments. I try use your command but I get: 

root@magtest .../www/magento# su -c /bin/sh www-data
This account is currently not available.
 

I use new installation as I wrote earlier.

 

Best Regards

Mateusz

Jeremy Davis's picture

My apologies - I had the order wrong. It should have been:

su - www-data -s /bin/sh

That will teach me for posting stuff from memory and not double checking it first!

Also please note that the extra dash (-) between su and www-data is somewhat important. Unless you include that, you will not be getting the www-data user's environment (will still have root's).

Jeremy Davis's picture

Firstly, you may actually find bash a better shell to use if you are doing things on the commandline as the www-data user (although it shouldn't matter too much for most things). I.e.:

su - www-data -s /bin/bash

Also, if you only want to run a single command, you can append the command on the end preceded by the -c switch. I.e. as a (not very useful) example:

su - www-data -s /bin/sh -c 'ls /var/www/magento'

Note the quotes around the command (double quotes are ok too). If you use a single command you don't need them, but if there are any spaces etc, you need to quotes otherwise it will try to process them as arguments for su.

Add new comment