/cjk cj knowles

Mezzanine Django deployment to RHEL 7

If you're deploying to a Debian-based system like Ubuntu, the Django CMS Mezzanine has a handy Fabric deployment script that will connect to your server, configure Gunicorn and Nginx and deploy Mezzanine for you.

Red Hat systems are not as easy: the script is written only for Debian, and Red Hat does things slightly differently, with a different package system (rpm and yum/dnf instead of deb and apt) and more subtle differences, such as file system layout and default permissions.

To deploy to my CentOS 7 VPS I repeatedly deployed to a locally hosted virtual machine, iteratively working out the kinks, and this post describes the result.

If you'd like to jump straight to the files, they're on GitHub as a gist. I am hoping to contribute them to the project, as a plugin, or integrated into the main fabfile.

One warning: this will only work with SELinux disabled. This was not an immediate problem for me, as Linode, my VPS provider, permanently disable SELinux on their default images. I have an SELinux version in the works that I will share in the future.

To compare the files side-by-side you could use vim -d.

Description of changes

1. Package management - deb switched for rpm, apt-get for yum and deb package names for their rpm equivalents; packages added where they are not included in the RHEL base (e.g. rsync).

2. System management - supervisorctl replaced by systemd/systemctl, plus an extra template file that produces a systemd service file for Gunicorn, based on the Gunicorn docs.

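3. Permissions - home directory permission changed from 0700 to a more permissive 0711, to allow nginx to read the Gunicorn socket and write to the log file location, both placed in the home dir by Mezzanine's default fabfile. 0711 adds only the execute (search) bit for group and other users, so they can traverse the directory to a path they already know but cannot list its contents. The default 0700 is due to Red Hat's restrictive default 077 umask.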

4. File locations - changed the nginx additional config directory to /etc/nginx/conf.d and the default expected location of virtualenvwrapper.

5. System groups - sudo group replaced with wheel.

6. Firewall configuration - opened ports for http, rsyncd and, if SSL is enabled, https.

7. Template dictionary changed to an OrderedDict - when the install function iterates through the template dictionary, transferring config files and starting services, the order of a plain dict is not controllable. This became a problem when I wanted to deploy two files for Gunicorn, the config file and the systemd service file, and needed the service to start after the config file arrived. With an OrderedDict the items are iterated through in the order they are defined.

8. PostgreSQL configuration - added the 'postgresql-setup initdb' command and adjusted settings in pg_hba.conf to allow users to authenticate using passwords, instead of the default config, which delegates authentication to the system and matches database IDs with system IDs. I presume the PostgreSQL rpm has a different default configuration to the deb package.
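
The permission change in item 3, as an added example (not part of the original fabfile or gist): a check of what a user who is neither owner nor group member, such as nginx, can do along the path to the Gunicorn socket when the home directory is 0700, 0711 or 0755. The directory layout, the `deploy` user and the `project` directory are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

def other_access(path, stop_at):
    """For each directory between stop_at and path, report what a user who is
    neither owner nor group member may do (mode bits only, no ACLs/SELinux)."""
    path, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    rel = os.path.relpath(os.path.dirname(path), stop_at)
    current, report = stop_at, []
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        mode = stat.S_IMODE(os.stat(current).st_mode)
        report.append({
            "dir": current,
            "mode": oct(mode),
            "traverse": bool(mode & stat.S_IXOTH),  # x: pass through by name
            "list": bool(mode & stat.S_IROTH),      # r: enumerate entries
            "create": bool(mode & stat.S_IWOTH),    # w: add/remove entries
        })
    return report

def reachable(report):
    """A path resolves only if every directory on it grants traverse."""
    return all(entry["traverse"] for entry in report)

def demo():
    """Constructed layout: <tmp>/home/deploy/project/gunicorn.sock."""
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, "home", "deploy")   # hypothetical user
        project = os.path.join(home, "project")       # hypothetical project
        os.makedirs(project)
        sock = os.path.join(project, "gunicorn.sock")
        open(sock, "w").close()                       # stand-in for the socket
        os.chmod(os.path.join(base, "home"), 0o755)
        os.chmod(project, 0o755)
        results = {}
        for mode in (0o700, 0o711, 0o755):
            os.chmod(home, mode)
            report = other_access(sock, base)
            results[oct(mode)] = (reachable(report), report[1]["list"])
        return results
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```

Traversal is necessary but not sufficient: nginx also needs write permission on the socket file itself to connect, which this check does not cover.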