Installation of Zope (2.2.0) on SuSE Linux 6.3 and 6.4, step-by-step
Last modified on 2003/08/05.
Installation of Zope (2.2.2) on SuSE Linux 6.3 and 6.4, step-by-step
Eric Maryniak <e.maryniak@pobox.com>
Last changed: 2000-09-24. Started: 2000-06-26.
Home page: http://pobox.com/~e.maryniak/
This is a detailed step-by-step description of the procedure that I used
to install Zope 2.2.2 (dated 2000-09-18), referred to hereafter as 'Zope'
or 'Zope x.y.z', under SuSE Linux 6.3 and 6.4. It also works for previous
versions up to 2.1.6. Note that Zope is included in SuSE 7.0. Included are:
o Setup with existing web server (in this case Apache) in /opt/zope
o Apache rewrite rules for any static content and virtual hosts
o Start/Kill rc script according to SuSE Linux standards
To install Zope on SuSE Linux 6.3 or 6.4 with the existing Apache web
server (httpd) using Persistent CGI (PCGI), log in as root or become root
('su - root') and follow the steps below.
I have tried to set up Zope with security in mind, but since this is not
my field of expertise I welcome feedback there!
Notes:
- The 'bash' shell is assumed.
- The Unix shell prompt for root is '# ' and '$ ' for normal users.
- I use here-documents (those 'cat << ...' thingies) frequently in the
copy & pastable Unix commands below. You may want to familiarize
yourself with this rather neat (ba)sh feature first ('man bash' ;-)
Step 1/8. Verify python 1.5.2 is installed
==========================================
First verify that you are running Python version 1.5.2:
# rpm -q python
You should get something like 'python-1.5.2-40' or 'python-1.5.2-158'.
Alternatively, simply run Python ('python').
Somewhere in the welcome blurb, the version number is hidden :-)
Note that, unlike Red Hat, there is no 'python-devel' SuSE package.
Step 2/8. Extract the Zope source
=================================
Download the Zope source from (x.y.z is current version):
http://www.zope.org/Products/Zope/x.y.z/
and store it in directory:
/usr/src/packages/SOURCES/
Be sure to download the _source_ tarball (Zope-x.y.z-src.tgz), not a
binary distribution for some specific operating system.
Extract the Zope source (a gnuzipped tarball) and rename the Zope
directory to /opt/zope (if you have a previous Zope installation, first
stop it with 'rczope stop' and save with 'mv /opt/zope /opt/zope-prev'):
# cd /opt
# tar zxvf /usr/src/packages/SOURCES/Zope-x.y.z-src.tgz
# mv Zope-x.y.z-src /opt/zope
Note that '/opt/zope' is also the directory to unpack any additional Zope
products (zproducts) in, that you might be installing later.
Enter the Zope directory and perhaps have a look at the Zope documentation.
You may notice that the files have a funny ownership, but you may safely
leave that for now (it is fixed in a later step).
# cd /opt/zope
# less README.txt doc/INSTALL.txt doc/*.txt
Step 3/8. Build Zope (PCGI with existing web server setup)
==========================================================
Build Zope to use PCGI with an existing web server (Apache in our case),
hence use the 'w_pcgi.py' script:
# cd /opt/zope
# python w_pcgi.py
Write down the generated Zope superuser password!
The user account info is stored in file '/opt/zope/access' which must
have file permission 0600 (but we will come to security settings in the
next steps).
You can always change the Zope administrator (superuser) password later
on the command line (this is explained in section "Zope administration").
Step 4/8. Fix file permissions and ownerships of the Zope tree
==============================================================
After unpacking, the Zope tree (/opt/zope) has a few peculiarities.
The ownership is uid 506 and gid is 100. Furthermore, some directories
are group writable. The building process did not fix this.
Bring the files more in line with other SuSE program directories, which
are often root:root and 0755 for directories and 0644 for files at most.
Make the 'var' directory (/opt/zope/var) writable for wwwrun:nogroup,
which is the uid:gid the Apache web server runs as, so Zope.cgi (called
by httpd) can write logging info, program pid's and the Zope database
itself (Data.fs) there. The 'access' file is also fixed:
# chown -Rh root:root /opt/zope
# chmod -R og-w /opt/zope
# chown -R wwwrun:nogroup /opt/zope/var
# chmod 0600 /opt/zope/access
# chown wwwrun:nogroup /opt/zope/access
Next, change the 'start' script (save a backup first), to make sure the
Zope server is started as user wwwrun:nogroup, just like the Apache web
server (option '-u' is used for this). Also remove the debug option ('-D').
Finally, only listen on localhost (127.0.0.1), so it is not possible to bypass
Apache and directly go to the Zope web, ftp and monitor server on ports
8080, 8021 and 8099, respectively (like http://www.yourdomain.tld:8080/
etc.).
This way it is ensured that all traffic goes through Apache and thus has
uniform logging (visitor statistics) and other Apache goodies (such as
URL rewriting and SSL support).
When doing bulk file uploads to Zope using ftp (on port 8021), just simply
temporarily remove '-a 127.0.0.1', restart Zope, do the ftp upload, add the
'-a 127.0.0.1' option again and restart Zope.
To add a little bit more security, you may consider running Zope on a
non-standard base port (eg. 8800).
Note that a cracker will still detect this with a portscan.
Be sure to fully copy and paste the cat command, i.e. up to and including
the end-of-script (_EOS) marker or just start an editor and copy the stuff
between 'cat << ...' and '_EOS':
# mv /opt/zope/start /opt/zope/start.orig
# cat <<'______EOS' > /opt/zope/start
#! /bin/sh
reldir=`dirname $0`
PYTHONHOME=`cd $reldir; pwd`
export PYTHONHOME
#
# Only enable one (1) of the three next 'exec' statements.
#
# 1. Normal use.
# Secure setup, running Zope only on localhost, thus only accepting
# http traffic as relayed from Apache's httpd on default port 80xx.
exec /usr/bin/python $PYTHONHOME/z2.py -u wwwrun -a 127.0.0.1 "$@"
#
# 2. Remote maintenance and FTP bulk uploading on default ports 80xx.
# Insecure setup to be used only temporarily to enable
# - remote web maintenance on default port 8080
# - ftp bulk uploading on default port 8021.
# from "foreign" hosts.
# Note missing '-a' flag.
#exec /usr/bin/python $PYTHONHOME/z2.py -u wwwrun "$@"
#
# 3. Remote maintenance and FTP bulk uploading on non-standard ports 88xx.
# Somewhat less insecure setup to be used only temporarily to enable
# - remote web maintenance on non-standard port 8880
# - ftp bulk uploading on non-standard port 8821.
# from "foreign" hosts.
# Note '-P' flag and missing '-a' flag.
#exec /usr/bin/python $PYTHONHOME/z2.py -u wwwrun -P 8800 "$@"
______EOS
# chown root:root /opt/zope/start
# chmod 0711 /opt/zope/start
Create a symlink from /var/log/zope to /opt/zope/var, so you can use a
'tail -f /var/log/zope/*.log /var/log/httpd*log /var/log/httpd/*log' to
monitor zope and web log files:
# ln -s /opt/zope/var /var/log/zope
Finally, verify that there are no setuid or setgid files (always a safe
precaution):
# find /opt/zope \
-type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
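The ownership, permission and start-script settings of this step can be
re-checked at any time, for example after a temporary FTP upload with the
'-a 127.0.0.1' option removed. The following is an added example, not part
of the original howto; the function name 'audit_zope_tree' and the finding
labels are made up for illustration, and a find(1) that supports '-path' is
assumed.

```bash
#!/bin/bash
# Added example, not part of the original howto.
# audit_zope_tree ZOPE_BASE TREE_OWNER RUN_USER   (hypothetical helper name)
#   e.g. audit_zope_tree /opt/zope root wwwrun
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_zope_tree() {
    local base=$1 tree_owner=$2 run_user=$3 rc=0 out active

    # 'access' holds the superuser credentials: exactly 0600, owned by the
    # user that Apache and Zope run as.
    if [ ! -f "$base/access" ]; then
        echo "MISSING  $base/access"; rc=1
    else
        [ -n "$(find "$base/access" -perm 600)" ] ||
            { echo "MODE     $base/access is not 0600"; rc=1; }
        [ -n "$(find "$base/access" -user "$run_user")" ] ||
            { echo "OWNER    $base/access is not owned by $run_user"; rc=1; }
    fi

    # var/ (Data.fs, logs, pid files) must belong to the run user.
    [ -n "$(find "$base/var" -prune -user "$run_user" 2>/dev/null)" ] ||
        { echo "OWNER    $base/var is not owned by $run_user"; rc=1; }

    # Everything else belongs to the tree owner (root in the howto).
    out=$(find "$base" \( -path "$base/var" -o -path "$base/access" \) -prune \
              -o ! -user "$tree_owner" -print)
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/OWNER    /'; rc=1; }

    # 'chmod -R og-w': nothing group- or world-writable (symlinks skipped).
    out=$(find "$base" ! -type l \( -perm -020 -o -perm -002 \))
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/WRITABLE /'; rc=1; }

    # No setuid or setgid files.
    out=$(find "$base" -type f \( -perm -04000 -o -perm -02000 \))
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/SETID    /'; rc=1; }

    # The first uncommented z2.py line is the one that runs (it is an exec).
    active=$(grep -v '^[[:space:]]*#' "$base/start" 2>/dev/null |
                 grep 'z2\.py' | head -n 1) || true
    if [ -z "$active" ]; then
        echo "START    no active z2.py line in $base/start"; rc=1
    else
        case " $active " in *" -u $run_user "*) ;;
            *) echo "START    z2.py is not started with -u $run_user"; rc=1 ;;
        esac
        case " $active " in *" -a 127.0.0.1 "*) ;;
            *) echo "START    z2.py is not bound to 127.0.0.1 (-a missing)"; rc=1 ;;
        esac
        case " $active " in *" -D "*)
            echo "START    debug option -D is still set"; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as root with 'audit_zope_tree /opt/zope root wwwrun'; no output and
exit status 0 mean the tree matches what this step sets up.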
Step 5/8. Create a cgi-bin directory for Zope.cgi
=================================================
Create a special cgi-bin directory for Zope.cgi, because the default
cgi-bin directory does not allow cgi scripts to execute ('Options None'
in /etc/httpd/httpd.conf of SuSE Linux 6.3 and 6.4).
Instead of adding an 'Options +ExecCGI' to the generic cgi-bin directory
and thus possibly creating a security hole, we therefore create a special
zope-cgi-bin directory (and add 'ExecCGI' later, when we edit the Apache
config file).
Use the same ownership (root:root) and permission (0755) as the other
cgi-bin directory:
# mkdir /usr/local/httpd/zope-cgi-bin
# chown root:root /usr/local/httpd/zope-cgi-bin
# chmod 0755 /usr/local/httpd/zope-cgi-bin
For the <VirtualHost> virtual.yourdomain.tld, do:
# mkdir /home/www/virtual.yourdomain.tld/zope-cgi-bin
# chown root:root /home/www/virtual.yourdomain.tld/zope-cgi-bin
# chmod 0755 /home/www/virtual.yourdomain.tld/zope-cgi-bin
Copy Zope.cgi to the specially created zope cgi-bin directory:
# cp -p /opt/zope/Zope.cgi /usr/local/httpd/zope-cgi-bin/.
For the <VirtualHost> 'virtual.yourdomain.tld', do:
# cp -p /opt/zope/Zope.cgi /home/www/virtual.yourdomain.tld/zope-cgi-bin/.
Make sure Zope.cgi has the same ownership (root:root) and permission (0755)
as the cgi scripts in /usr/local/httpd/cgi-bin/.
Step 6/8. Configure Apache for Zope with PCGI
=============================================
Now that Zope is built and installed, we have to configure the Apache web
server (httpd) so that Zope can be used (via PCGI). Furthermore, we want to
make sure Zope is started after a system reboot.
We already copied Zope.cgi to the cgi-bin directory.
As always, begin by making a copy of the Apache config file in case you
need to roll back:
# cp -p /etc/httpd/httpd.conf /etc/httpd/httpd.conf.bak
First add an entry for the zope-cgi-bin directory we created above.
Either do this globally, or for specific virtual hosts (in our case for
the <VirtualHost> 'virtual.yourdomain.tld').
In the Apache web server configuration file (/etc/httpd/httpd.conf) locate
'ScriptAlias /cgi-bin/' and '<Directory "/usr/local/httpd/cgi-bin">' and
add the zope-cgi-bin entries (add the '==> Add this' piece).
===> For the global configuration:
[---- Begin file (fragment): /etc/httpd/httpd.conf ----]
# ... Notes about ScriptAlias ...
ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin/"
# ... The regular cgi-bin directory:
<Directory "/usr/local/httpd/cgi-bin">
# ... with very restrictive 'Options None' ...
</Directory>
# ==> Add this:
# Zope setup.
# Zope.cgi is located in its own zope-cgi-bin, because ExecCGI
# permission is needed, which is not (by default) enabled in SuSE
# Linux 6.3 and 6.4 for the regular cgi-bin directory.
ScriptAlias /zope-cgi-bin/ "/usr/local/httpd/zope-cgi-bin/"
<Directory "/usr/local/httpd/zope-cgi-bin">
AllowOverride None
Options None
Options +ExecCGI
Order allow,deny
Allow from all
</Directory>
# ==> End: zope-cgi-bin <==
[------ End file (fragment): /etc/httpd/httpd.conf ----]
===> For the <VirtualHost> 'virtual.yourdomain.tld' configuration:
[---- Begin file (fragment): /etc/httpd/httpd.conf ----]
# ... Notes about ScriptAlias ...
ScriptAlias /cgi-bin/ "/home/www/virtual.yourdomain.tld/cgi-bin/"
# ... The regular cgi-bin directory:
<Directory "/home/www/virtual.yourdomain.tld/cgi-bin">
# ... with very restrictive 'Options None' ...
</Directory>
# ==> Add this:
# Zope setup.
# Zope.cgi is located in its own zope-cgi-bin, because ExecCGI
# permission is needed, which is not (by default) enabled in SuSE
# Linux 6.3 and 6.4 for the regular cgi-bin directory.
ScriptAlias /zope-cgi-bin/ "/home/www/virtual.yourdomain.tld/zope-cgi-bin/"
<Directory "/home/www/virtual.yourdomain.tld/zope-cgi-bin">
AllowOverride None
Options None
Options +ExecCGI
Order allow,deny
Allow from all
</Directory>
# ==> End: zope-cgi-bin <==
[------ End file (fragment): /etc/httpd/httpd.conf ----]
Next configure Apache to pass authentication headers to Zope.
Add these lines to the _bottom_ of the Apache web server configuration file
(/etc/httpd/httpd.conf) and/or to the _bottom_ of every virtual host you
might have (enclosed in <VirtualHost>) and that you want to use Zope for
(in our case for the <VirtualHost> 'virtual.yourdomain.tld').
Note that mod_rewrite must be loaded (it is by default in SuSE Linux 6.3/6.4).
===> For the global configuration:
[---- Begin file (fragment): /etc/httpd/httpd.conf ----]
# Zope setup.
# Zope PCGI at the end of the global configuration.
# Final rewrite rules to ensure that '/' is served by Zope.
# These must be the _last_ lines in the Apache httpd.conf file, or,
# if that is appropriate, at the bottom of every <VirtualHost> you
# wish to use Zope for. The order of the rules is significant!
# To facilitate the migration of static content (*.html files in
# /usr/local/httpd/htdocs) into Zope, it is served as /static/.
RewriteEngine on
# Remove the next 2 rules if migration of static content is done or
# if you start with Zope from scratch and do not have html files yet.
RewriteRule ^/static/(.*) /usr/local/httpd/htdocs/$1 [L]
RewriteRule ^/cgi-bin/(.*) /usr/local/httpd/cgi-bin/$1 \
[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,L]
# Ensure the documentroot '/' is served by Zope and Apache passes
# authentication headers to Zope as well. Zope.cgi is located in its
# own /zope-cgi-bin/ directory for security reasons ('Options +ExecCGI').
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) /usr/local/httpd/zope-cgi-bin/Zope.cgi$1 \
[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,L]
[------ End file (fragment): /etc/httpd/httpd.conf ----]
===> For the <VirtualHost> 'virtual.yourdomain.tld' configuration:
[---- Begin file (fragment): /etc/httpd/httpd.conf ----]
# Zope setup.
# Zope PCGI at the end of <VirtualHost> 'virtual.yourdomain.tld'.
# Final rewrite rules to ensure that '/' is served by Zope.
# These must be the _last_ lines in the Apache httpd.conf file, or,
# if that is appropriate, at the bottom of every <VirtualHost> you
# wish to use Zope for. The order of the rules is significant!
# To facilitate the migration of static content (*.html files in
# /home/www/virtual.yourdomain.tld/htdocs) into Zope, it is served as /static/.
RewriteEngine on
# Remove the next 2 rules if migration of static content is done or
# if you start with Zope from scratch and do not have html files yet.
RewriteRule ^/static/(.*) /home/www/virtual.yourdomain.tld/htdocs/$1 [L]
RewriteRule ^/cgi-bin/(.*) /home/www/virtual.yourdomain.tld/cgi-bin/$1 \
[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,L]
# Ensure the documentroot '/' is served by Zope and Apache passes
# authentication headers to Zope as well. Zope.cgi is located in its
# own /zope-cgi-bin/ directory for security reasons ('Options +ExecCGI').
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) /home/www/virtual.yourdomain.tld/zope-cgi-bin/Zope.cgi$1 \
[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,L]
[------ End file (fragment): /etc/httpd/httpd.conf ----]
Notes:
a) The order of the rules is important and allows you to keep static html
files (default in directory entry <Directory "/usr/local/httpd/htdocs">)
and have them served as:
http://www.yourhost.tld/static/*
which allows a gradual zope-ing of your static content into Zope served
content. In this setup Zope serves the root (http://www.yourhost.tld/).
If, however, you start from scratch and do not have old static content,
remove RewriteRule's '^/static/(.*)' and '^/cgi-bin/(.*)'.
b) Note the intentional omission of trailing slashes in the last rule.
If you use '^/(.*)' and 'Zope.cgi/$1' instead of '^(.*)' and 'Zope.cgi$1',
respectively, you would have trouble deleting objects in the root folder.
Furthermore, all html served by Zope would have an extra slash at the
beginning ('//index.html' etc.), as can be verified by inspecting the log
file '/opt/zope/var/Z2.log'.
c) Replace '/usr/local/httpd/htdocs/' and/or '/usr/local/httpd/cgi-bin/'
with appropriate locations if you changed SuSE's defaults and/or added
virtual hosts for which you use Zope as well.
d) If your Apache server does not support line splitting with '\', then
every Rewrite* statement must be on one (1) line.
e) The last character in some RewriteRule's ('[L]', ',L]') is the letter L,
not the digit 1 (lowercase, [l] is also allowed).
You may restart Apache at this moment, just to verify that the httpd.conf
is parsed ok, but realize that Zope is not running yet! If you want to be
on the safe side, go to the next step.
If you do want to restart Apache, keep a sharp lookout on the log files
with 'tail -f' in a separate window:
# tail -f /var/log/httpd.access_log /var/log/httpd/*
and then restart the Apache server:
# rcapache restart
Undo the changes (using the backup '/etc/httpd/httpd.conf.bak') if strange
things happen.
Step 7/8. Create start/stop Zope rc script and verify Zope
==========================================================
Using the rc skeleton script, /sbin/init.d/skeleton, as a starting point,
create the Zope rc script, listed next.
Be sure to fully copy and paste the cat command, i.e. up to and including
the end-of-script (_EOS) marker or just start an editor and copy the stuff
between 'cat << ...' and '_EOS':
# cat <<'______EOS' > /sbin/init.d/zope
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Eric Maryniak <e.maryniak@pobox.com>, 2000-09-24.
#
# /sbin/init.d/zope
#
# and symbolic links:
#
# /usr/sbin/rczope
# /sbin/init.d/rc2.d/K20zope
# /sbin/init.d/rc2.d/S20zope
# /sbin/init.d/rc3.d/K20zope
# /sbin/init.d/rc3.d/S20zope
#
# Zope rc start/stop script for SuSE Linux 6.3 and 6.4
# (verified for Zope versions 2.1.6, 2.2.0, 2.2.1 and 2.2.2).
# SuSE 7.0 includes Zope as a package (previous versions did not).
# The Zope base directory is assumed to be: /opt/zope
# More information about Zope at the Zope web site:
#
# http://www.zope.org/
#
. /etc/rc.config
# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
# Force execution if not called by a runlevel directory.
test $link = $base && START_ZOPE=yes
test "$START_ZOPE" = yes || exit 0
# The echo return value for success (defined in /etc/rc.config).
# Default is rc_done, but if something fails, the value is set appropriately.
return=$rc_done
# The Zope base directory.
zope_base=/opt/zope
# The start and stop script, provided in the Zope distribution.
zope_start=$zope_base/start
zope_stop=$zope_base/stop
# The main Zope process id (Z2 pid) file.
# This should be /var/run under SuSE Linux.
# However, because the z2.py process is running as wwwrun and
# Z2.pid has ownership wwwrun, z2.py cannot write to /var/run.
# So we keep Zope's default (./var).
zope_pid=$zope_base/var/Z2.pid
# The Zope access file.
zope_access=$zope_base/access
# The Apache config file (if any).
apache_config=/etc/httpd/httpd.conf
case "$1" in
start)
## Start Zope with the Zope start script '/opt/zope/start',
## unless it is already running (checked with 'checkproc').
## If this fails, the echo return value is set appropriately.
echo -n "Starting service Zope (z2.py):"
checkproc -f $zope_pid /usr/bin/python 1>/dev/null 2>/dev/null
if [ $? -eq 0 ]; then
# Zope is still running. Do not start a second instance.
return=$rc_failed
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot start, because it is already running"
else
# Zope is not running (anymore). It is safe to try to start.
if [ -x $zope_start ]; then
$zope_start 2>/dev/null
if [ $? -eq 0 ]; then
/usr/bin/logger -i -p user.info -t /sbin/init.d/zope \
"Zope: info: started successfully"
else
return=$rc_failed
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot start, reason unknown"
fi
else
# The Zope start script is not executable (or missing!).
return=$rc_failed
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot execute start script $zope_start"
fi
fi
echo -e "$return"
;;
stop)
## Stop Zope with the Zope stop script '/opt/zope/stop'.
## If this fails, the echo return value is set appropriately.
## Wait 3 seconds after stopping, or a restart will fail.
echo -n "Shutting down service Zope (z2.py):"
if [ -x $zope_stop ]; then
$zope_stop 2>/dev/null
if [ $? -eq 0 ]; then
/usr/bin/logger -i -p user.info -t /sbin/init.d/zope \
"Zope: info: stopped successfully"
sleep 3
else
# Zope failed to stop.
return=$rc_failed
checkproc -f $zope_pid /usr/bin/python 1>/dev/null 2>/dev/null
if [ $? -eq 0 ]; then
# Zope is still running. Maybe a privilege thing.
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot stop, reason unknown (privilege?)"
else
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot stop, because it is not running"
fi
fi
else
# The Zope stop script is not executable (or missing!).
return=$rc_failed
/usr/bin/logger -i -p user.err -t /sbin/init.d/zope \
"Zope: error: cannot execute stop script $zope_stop"
fi
echo -e "$return"
;;
restart)
## Stop Zope and if that goes ok, start Zope.
## In either case, the echo return value is set appropriately.
$0 stop && $0 start || return=$rc_failed
;;
reload)
## Implement a reload as a restart, because the Zope scripts
## and Zope server do not seem to accept a SIGHUP signal to
## reread a (changed) configuration.
$0 stop && $0 start || return=$rc_failed
;;
status)
## Check Zope status with checkproc(8).
## If the process is running, checkproc exits with code 0.
echo -n "Checking for service Zope (z2.py): "
checkproc -f $zope_pid /usr/bin/python 1>/dev/null 2>/dev/null
[ $? -eq 0 ] && echo OK || echo No process
;;
probe)
## Probe for the necessity of a start, restart or reload and
## give out the argument which is required for the applicable
## action (if any). The idea is that you can always safely do:
## rczope `rczope probe`
## If there is nothing to do, or if there is an error condition,
## output will go to stderr, so the command will still work.
# Check Zope status with checkproc(8) and save the result.
checkproc -f $zope_pid /usr/bin/python 1>/dev/null 2>/dev/null
[ $? -eq 0 ] && zope_runs=1 || zope_runs=0
# Zope needs a restart if the access file has been changed.
# Thus, test if the access file is newer (-nt) than the pid file.
# First test if the access file is present and if Zope is running.
# Finally, also suggest a restart if the Apache configuration file,
# if present, is newer (ie. has changed) than the pid file.
# This is a conservative approach: most of the time a Zope restart
# is probably not necessary, but the RewriteCond-ition(s) and/or
# RewriteRule-(s) for Zope may have changed.
if [ ! -e $zope_access ]; then
echo "error: no access file ($zope_access); unable to probe." \
> /dev/stderr
elif [ ! -e $zope_pid ]; then
echo start
elif [ $zope_runs -eq 0 ]; then
echo start
elif [ $zope_access -nt $zope_pid ]; then
echo restart
elif [ -e $apache_config ]; then
if [ $apache_config -nt $zope_pid ]; then
echo restart
fi
fi
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status|probe}" \
> /dev/stderr
exit 1
;;
esac
# Inform the caller verbosely and set an exit status as well.
test "$return" = "$rc_done" || exit 1
exit 0
______EOS
Next, fix permissions and ownerships:
# chmod 0744 /sbin/init.d/zope
# chown root:root /sbin/init.d/zope
And create symbolic links.
Also note the handy '/usr/sbin/rczope', which is SuSE specific.
You have an rc<service> for all services (rcapache, rcmysql, rcsmb, etc.).
I use it often, if not exclusively.
Number 20 is somewhat arbitrary, but Apache has 20 as well, so Zope will
be started shortly after Apache (/sbin/init.d/apache).
# cd /sbin/init.d/rc2.d && ln -s ../zope K20zope; \
cd /sbin/init.d/rc2.d && ln -s ../zope S20zope; \
cd /sbin/init.d/rc3.d && ln -s ../zope K20zope; \
cd /sbin/init.d/rc3.d && ln -s ../zope S20zope
# cd /usr/sbin && ln -s ../../sbin/init.d/zope rczope
I wonder why SuSE uses these relative links (../) so extensively; it has
probably to do with mount points when installing a new system (mount on
/mnt, so /sbin is /mnt/sbin).
Anyways, finish up with making /etc/rc.config (and thus YaST!) Zope aware
(do a grep first, to prevent multiple entries).
Be sure to fully copy and paste the grep/cat command, i.e. up to and including
the end-of-script (_EOS) marker or just start an editor and copy the stuff
between 'grep ...' and '_EOS':
# grep -q START_ZOPE /etc/rc.config || cat <<'______EOS' >> /etc/rc.config
#
# Should Zope be started at bootup? (yes/no)
#
# Zope is the leading Open Source web application server.
# Zope enables teams to collaborate in the creation and management of
# dynamic web-based business applications such as intranets and portals.
# Zope makes it easy to build features such as site search, news,
# personalization, and e-commerce into your web applications.
# (Quoted from www.zope.org on 2000-09-24).
#
START_ZOPE=yes
______EOS
If you have a previous Zope version, first put back your Zope data
('cp -p /opt/zope-prev/var/Data.fs /opt/zope/var/Data.fs') and extensions
(Extensions/) or products (import/) you may have.
Also re-install, if necessary, additional libraries (e.g. ZMySQLDA, see
section 29 "MySQL", subsection "MySQL database access via Zope", paragraph
"Installation of the Zope MySQL Database Adapter (ZMySQLDA)").
Do a last check for setuid files (there should be none):
# find /opt/zope \
-type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Now we can restart Apache and start Zope:
# rcapache restart
# rczope start
Simultaneously, keep a sharp lookout on the log files:
# tail -f /var/log/httpd.access_log /var/log/httpd/* /var/log/zope/*.log
You will probably get this message in /var/log/{messages,warn}:
checkproc: No pid file /opt/zope/var/Z2.pid for /usr/bin/python
This is correct: 'rczope start' uses 'checkproc' to see if Zope is already
running and checkproc will not find a /opt/zope/var/Z2.pid the very first
time. But, you should also see in /var/log/messages:
Zope: info: started successfully
which indicates startup of Zope was successful.
Now start a browser and see if you get the Zope welcome page!
If strange things happen, roll back to the backed-up configuration files or undo
changes.
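Once Zope is running, the listening sockets show whether the '-a 127.0.0.1'
setting from Step 4 took effect, or whether a temporary remote-maintenance
start line was left enabled. Added example, not part of the original howto:
the function name 'check_zope_listeners' and the two sample listings are
constructed; the function reads 'netstat -ltn' output on stdin and watches
the default ports 8080, 8021 and 8099 unless other ports are given.

```bash
#!/bin/bash
# Added example, not part of the original howto.
# check_zope_listeners [PORT ...]        (hypothetical helper name)
# Reads 'netstat -ltn' output on stdin. For every watched port that is
# listening on a non-loopback address it prints "EXPOSED addr:port".
# Returns 0 if none were found, 1 otherwise.
check_zope_listeners() {
    [ $# -gt 0 ] || set -- 8080 8021 8099    # Zope http, ftp, monitor defaults
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)                 # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in watch)) next           # not a Zope port
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print "EXPOSED " $4
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the setup from this howto (Apache on 80, Zope on
# loopback only).
SAMPLE_LOCKED='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8021          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8099          0.0.0.0:*               LISTEN'

# Constructed sample: start line 2 (no -a flag) left enabled, with the
# monitor still on loopback.
SAMPLE_OPEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8021            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8099          0.0.0.0:*               LISTEN'

# Demonstration on the constructed samples; on the server itself use:
#   netstat -ltn | check_zope_listeners
printf '%s\n' "$SAMPLE_LOCKED" | check_zope_listeners || true
printf '%s\n' "$SAMPLE_OPEN"   | check_zope_listeners || true
```

When Zope runs on a non-standard base port, pass the ports explicitly, for
example 'netstat -ltn | check_zope_listeners 8880 8821'.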
Step 8/8. Zope administration
=============================
Once Zope is started, you can administer Zope with a locally started
frames-capable web browser (such as Netscape) from this URL:
http://localhost/manage
You may get a warning:
Alert!: Access without authorization denied -- retrying
But then the prompt:
Username for 'Zope' at server 'localhost': superuser
Password: XXXXXXXX
Alternatively, you can administer Zope from a non-local host, provided
the host is a member of the domain (*.yourdomain.tld) to which the access is
restricted.
Changing the Zope administrator password.
The Zope administrator account is used, amongst other things, to create
Zope users. One of the first things to do is change the password and add
domain restriction. You can change the Zope administrator ('superuser')
password from the command line with:
# /usr/bin/python /opt/zope/zpasswd.py /opt/zope/access
Use at least 8 characters for a password, of which at least two (2) should
be non-alphanumeric, and choose SHA hashing:
[==== Begin dialog: /opt/zope/zpasswd.py (password change) ====]
Username: superuser
Password:
Verify password:
Please choose a format from:
SHA - SHA-1 hashed password
CRYPT - UNIX-style crypt password
CLEARTEXT - no protection.
Encoding: sha
Domain restrictions: *.yourdomain.tld
[====== End dialog: /opt/zope/zpasswd.py (password change) ====]
You can now use the management screen to add users, etc.
The access file, /opt/zope/access, must be 0600 and wwwrun:nogroup, i.e.
the same ownership as the web server (httpd), that, in our case, calls
the Zope.cgi wrapper.
After a password change, you need to restart Zope, as an 'rczope probe'
will tell you:
# rczope probe
restart
Shortcuts for restarting Zope and Apache are:
# rczope restart
# rcapache restart
Note that 'rczope' is a symlink to '/sbin/init.d/zope'.
Apart from the usual 'start', 'stop' and 'restart' signals, a status and
a probing signal are also supported:
# rczope status
# rczope probe
The idea of a probe is that it is always safe to:
# rczope `rczope probe`
Installing additional Zope products (zproducts) is simply done by unpacking
them into the Zope base directory:
/opt/zope
after which they will usually be put in '/opt/zope/lib/python/Products'.
Exported Zope objects (use extension '.zexp') go to:
/opt/zope/var
And you can import them by putting a .zexp file in:
/opt/zope/import
Hotfixes are also installable as a product, so if you are running (say)
version 2.2.1 and want to install "Hotfix_yyyy_mm_dd" for Zope 2.2.1,
then save file
http://www.zope.org/Products/Zope/Hotfix_yyyy_mm_dd/Hotfix_yyyy_mm_dd.tgz
as
/usr/src/packages/SOURCES/Zope-Hotfix_yyyy_mm_dd.tgz
and as root do:
# chown root:root /usr/src/packages/SOURCES/Zope-Hotfix_yyyy_mm_dd.tgz
# chmod 0644 /usr/src/packages/SOURCES/Zope-Hotfix_yyyy_mm_dd.tgz
# cd /opt/zope && \
tar zxvf /usr/src/packages/SOURCES/Zope-Hotfix_yyyy_mm_dd.tgz
# chown -R root:root /opt/zope/lib/python/Products
# chmod -R og-w /opt/zope/lib/python/Products
# rczope restart
Go to the management screen (http://virtual.yourdomain.tld/manage) as Zope superuser
and verify in menu /Control Panel/Products that the Hotfix Product was
installed successfully; there should be a listing:
Hotfix_yyyy_mm_dd (Installed product Hotfix_yyyy_mm_dd)
To prepare a move of Zope to a new server, which must be running the same
Zope version (!), at least save these files:
/opt/zope/access -- User accounts and passwords
/opt/zope/var/Data.fs -- Primary database file (object database)
The move itself can probably be as crude as:
a) stopping Zope ('rczope stop')
b) saving Data.fs and access
c) (re-)moving the old Zope tree
d) extracting and installing the new Zope tree
e) (re-)installing additional site-specific software,
for example the ZMySQLDA product (MySQL database adaptor)
f) putting Data.fs and access back in place
g) putting additional products in /opt/zope/import, unless already there,
for example the Zope 2.2 tutorial examples (ZopeTutorialExamples.zexp)
h) starting the new Zope ('rczope start')
i) (re-)installing the additional products that you had put in
/opt/zope/import
Note that you must not do it like this when the Zope version on the target
server is different: use the export function for the necessary folders etc.
in that case.
Optionally, edit the /etc/services file, so some (open) ports have more
user friendly names, when nmap-ping or otherwise port-scanning:
[---- Begin file (fragment): /etc/services ----]
#
# Entries for Zope (www.zope.org).
# z2.py is usually started with options: -w8080 -f8021 -m8099
#
zope-ftp 8021/tcp # Zope "Medusa" ftp server
zope-http 8080/tcp # Zope "Medusa" http server
zope-monitor 8099/tcp # Zope Monitor
[------ End file (fragment): /etc/services ----]
Final trivia
============
o Installing the Zope MySQL Database Adapter and accessing MySQL from Zope.
o Installation of the Zope MySQL Database Adapter (ZMySQLDA).
Zope installation is described above.
Install the Zope MySQL Database Adapter (ZMySQLDA), version 1.2.0
or newer (which includes MySQLdb 0.1.2 or newer), url:
http://www.zope.org/Members/mordred/ZMySQLDA/
Verify that Python >= 1.5.2 is installed, MySQL and the MySQL libraries
(which must be locatable by ld) version 3.22.11 or higher:
# rpm -qa | egrep -i '(python|mysqldev)'
python-1.5.2-40
mysqldev-3.22.30-0
# ldconfig -p | grep -i mysql
libmysqlclient.so.6 (libc6) => /usr/lib/libmysqlclient.so.6
libmysqlclient.so (libc6) => /usr/lib/libmysqlclient.so
Download 'ZMySQLDA-1.2.0.tar.gz' to /usr/src/packages/SOURCES/ and
unpack it in the Zope top-level directory:
# cd /opt/zope
# tar zxvf /usr/src/packages/SOURCES/ZMySQLDA-1.2.0.tar.gz
Fix ownership and permissions:
# chown -R root:root /opt/zope/lib/python/Products/ZMySQLDA/.
# chmod -R og-w /opt/zope/lib/python/Products/ZMySQLDA/.
Verify that there are no setuid or setgid files (always a safe
precaution):
# find /opt/zope \
-type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Go to the MySQLdb-0.1.2 sub-directory:
# cd /opt/zope/lib/python/Products/ZMySQLDA/MySQLdb-0.1.2
Make a copy and then edit the file 'Setup.in':
# cp -pv Setup.in Setup.in.orig
change the one (1) line with -L and -I flags to:
_mysql _mysqlmodule.c -L/usr/lib -I/usr/include/mysql -lmysqlclient
Next build the ZMySQLDA product, while still in the MySQLdb
sub-directory '/opt/zope/lib/python/Products/ZMySQLDA/MySQLdb-0.1.2':
# python build.py
And install:
# make install
# cp -pv MySQLdb.py{,c,o} /usr/lib/python1.5/site-packages
Finally, restart Zope:
# rczope restart
o Create a ZMySQL connection (simple).
Inside a Folder, add a 'ZMySQL Database Connection' Item.
The "connection string" looks like:
database[@host] user passwd
For the "customerdb" database user custreadonly@localhost, this becomes
(replace XXXXXXXX with the real password of custreadonly):
customerdb@localhost custreadonly XXXXXXXX
Go to the 'Test' tab, enter this query and then 'Submit Query':
SELECT sometable.somefield, sometable.otherfield FROM sometable;
You should get a table.
o Moving static html content into Zope.
After you have moved the static content (html files) into Zope, remove
the RewriteRule's '^/static/(.*)' and '^/cgi-bin/(.*)' in the Apache
config file (/etc/httpd/httpd.conf) and restart Apache.
Remove the html files themselves as well after verifying that they have
been incorporated into Zope successfully.
Be sure not to remove the SuSE online help info: it is best to put that
in a virtual host.