Exploring Ansible's Drupal image

One very nice thing about Ansible and the whole devops movement is that companies like DigitalOcean offer ready-to-go Drupal images. In this case, let's see what image 11080335 gives you.

In my case I got the 11080335 from a direct curl request, parsing the output via Python's json tool:

curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer YOURAPITOKENGOESHERE' "https://api.digitalocean.com/v2/images?page=1&per_page=1000" | python -m json.tool

The image still requires security updates to be applied; [url=https://github.com/jnv/ansible-role-unattended-upgrades]use the unattended upgrades role[/url].

It is probably also worth [url=https://github.com/kamaln7/ansible-swapfile]enabling swap[/url], since the memory summary below shows none configured:

             total       used       free     shared    buffers     cached
Mem:        501800     442332      59468       5744      16548     306116
-/+ buffers/cache:     119668     382132
Swap:            0          0          0

The image is preconfigured with nginx and PHP 5.5 running under FPM.

The docroot is /var/www/html/drupal, the MySQL DB name is 'drupal', the username is 'drupal', and the password is always randomly generated, which is great.

nmap reveals nothing other than what I expect is running:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-12 14:56 CEST
Nmap scan report for 188.226.224.46
Host is up (0.054s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

However, one [b]very important issue[/b] is setting the file permissions correctly. Right now there is a security problem: everything under the docroot is owned by www-data, so the entire PHP stack can write to its own files.

ls -al /var/www/html/drupal/
total 280
drwxr-xr-x 9 www-data www-data 4096 Mar 18 15:37 .
drwxr-xr-x 3 root root 4096 Mar 19 15:24 ..
-rw-r--r-- 1 www-data www-data 6604 Mar 18 15:20 authorize.php
-rw-r--r-- 1 www-data www-data 93778 Mar 18 15:20 CHANGELOG.txt
-rw-r--r-- 1 www-data www-data 1481 Mar 18 15:20 COPYRIGHT.txt
-rw-r--r-- 1 www-data www-data 720 Mar 18 15:20 cron.php
-rw-r--r-- 1 www-data www-data 174 Mar 18 15:20 .gitignore
-rw-r--r-- 1 www-data www-data 5767 Mar 18 15:20 .htaccess
drwxr-xr-x 4 www-data www-data 4096 Mar 18 15:20 includes
-rw-r--r-- 1 www-data www-data 529 Mar 18 15:20 index.php
-rw-r--r-- 1 www-data www-data 1717 Mar 18 15:20 INSTALL.mysql.txt
-rw-r--r-- 1 www-data www-data 1874 Mar 18 15:20 INSTALL.pgsql.txt
-rw-r--r-- 1 www-data www-data 703 Mar 18 15:20 install.php
-rw-r--r-- 1 www-data www-data 1298 Mar 18 15:20 INSTALL.sqlite.txt
-rw-r--r-- 1 www-data www-data 17995 Mar 18 15:20 INSTALL.txt
-rw-r--r-- 1 www-data www-data 18092 Sep 23 2014 LICENSE.txt
-rw-r--r-- 1 www-data www-data 8542 Mar 18 15:20 MAINTAINERS.txt
drwxr-xr-x 4 www-data www-data 4096 Mar 18 15:20 misc
drwxr-xr-x 42 www-data www-data 4096 Mar 18 15:20 modules
drwxr-xr-x 5 www-data www-data 4096 Mar 18 15:20 profiles
-rw-r--r-- 1 www-data www-data 5382 Mar 18 15:20 README.txt
-rw-r--r-- 1 www-data www-data 1550 Mar 18 15:20 robots.txt
drwxr-xr-x 2 www-data www-data 4096 Mar 18 15:20 scripts
drwxr-xr-x 4 www-data www-data 4096 Mar 18 15:20 sites
drwxr-xr-x 7 www-data www-data 4096 Mar 18 15:20 themes
-rw-r--r-- 1 www-data www-data 19986 Mar 18 15:20 update.php
-rw-r--r-- 1 www-data www-data 9642 Mar 18 15:20 UPGRADE.txt
-rw-r--r-- 1 www-data www-data 2178 Mar 18 15:20 web.config
-rw-r--r-- 1 www-data www-data 417 Mar 18 15:20 xmlrpc.php

Can you guess who php-fpm is running as?

www-data 997 0.0 1.1 368884 5520 ? S 08:45 0:00 \_ php-fpm: pool www
www-data 998 0.0 1.1 368884 5520 ? S 08:45 0:00 \_ php-fpm: pool www
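
One way to check for and correct the ownership problem shown above, as an added example that is not part of the original post. The function names audit_docroot and harden_docroot, the separate deploy owner, and the single-site layout with sites/default/files as the only upload directory are assumptions; it also assumes the nginx worker shares the PHP-FPM group.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a single-site Drupal
# layout whose only upload directory is sites/default/files.

# audit_docroot DOCROOT PHP_USER PHP_GROUP
# Prints every path the PHP-FPM user could modify through owner, group or
# world write bits. Returns 0 if clean, 1 if anything is listed, 2 on error.
# Supplementary groups and ACLs are not evaluated.
audit_docroot() {
    docroot=${1%/}
    # The upload directory is pruned because Drupal must write there.
    # Symlinks are skipped: their mode bits always read rwxrwxrwx.
    hits=$(find "$docroot" \
        -path "$docroot/sites/default/files" -prune -o \
        ! -type l \( \( -user "$2" -perm -200 \) -o \
                     \( -group "$3" -perm -020 \) -o -perm -002 \) \
        -print) || return 2   # fail closed if find itself errors
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# harden_docroot DOCROOT OWNER PHP_GROUP   (run as root)
# OWNER is a hypothetical deploy account that is NOT the PHP-FPM user.
# Code becomes read-only to PHP_GROUP; only the upload directory stays
# writable, with setgid so new files inherit the group.
harden_docroot() {
    docroot=${1%/}
    chown -R "$2:$3" "$docroot"
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    find "$docroot/sites/default/files" -type d -exec chmod 2770 {} +
    find "$docroot/sites/default/files" -type f -exec chmod 660 {} +
}

# On the image described above this lists the whole tree:
#   audit_docroot /var/www/html/drupal www-data www-data
```

Changing modes alone is not enough: while www-data remains the owner, the audit keeps reporting every file, because the owner can always restore its own write bit.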