[triangle-zpug] New ZEO with mount points script

Chris Calloway cbc at unc.edu
Fri Jul 7 00:05:17 CEST 2006

I think I already posted this a couple of times. But Rob and Edmund 
asked me to post this again.

Jim Allman and I had a one day mini-sprint to work on Plone deployment. 
The product of this was a script I use to create:

1) a ZEO instance
2) Any number of named mount points in the ZODB (each good for contained 
it's own Plone site in it's own .fs file, but sharing a common Products 
directory with all other Plone sites in the ZODB)
3) a single ZClient instance with processor affinity for SMP boxes
4) Plone installed in Products directory for all ZClients

The script is temporarily here:


I have it shown there with a txt extension so you can read it online. 
You can remove that extension or make it .sh as is your preference. It 
just needs to be owned and executed by the zope instance owner as 
discussed further below.

You can read and understand the script, or you can look at the feeble 
and verbose explanations I have provided below. I cannot support this 
script at this time, so don't ask too many questions.

The purpose of this script was to get around a lot of security 
deficiencies in many ZEO recipes I've seen. The idea is that the Python 
and Zope code bases can be owned by root, like any other system 
software. The Zope instances directories can be owned by another Linux 
user, which you can trust to Zope admins without allowing them to change 
the Python or Zope code bases. That is, you can allow a Zope admin to 
add products and external methods without allowing them access to the 
rest of the box. Zope will run as still another Linux user which cannot 
change the Zope instance, especially not the Products or Extensions 
directories. This Zope running user can only write to the ZODB and the 
logs. This Zope running user should not even have a Linux login. And 
there is yet another user, a Zope user which is the Zope instance owner 
in the Zope root acl_users folder in the ZMI (not a Linux user).

You must run this script as the owner of the Zope instance code (and the 
script enforces that), which is explained below. The script will create 
everything and then run ZEO and the ZClient to create all the log files 
and ZODB files with the correct owners and permissions. You then have to 
hit Ctl-C to stop the foregrounded ZEO and hunt for the ZClient process 
(with ps -Af) and kill it (with a default SIGTERM). Then some 
instructions for starting zeoctl and zopectl appear. You should run 
zeoctl and zopectl as root. They will switch users to the correct zope 
run user at the appropriate time. Zeoctl and zopectl are normally run 
automatically as service scripts (with chkconfig) but I have not done 
anything to put them into chkconfig form yet. You can grab the RPM and 
look for proper chkconfig scripts or look at some of the other instance 
creation script packages around. At least three other people have 
presented instance creations scripts to TriZPUG.

This script is not in its final form. It is provided for instructional 
purposes only. I'm not recommending that you do this. I'm sure there are 
better ways of doing this with all the instance creation scripts out 
there but I don't have the time to reverse engineer or test them. But 
this script does work for me. I'd like to add the ability to create more 
ZClients, to turn off processor affinity for SMP, to add more mount 
points on the fly, to add more ZClients on the fly, to create dummy ZODB 
and log files with the correct owner and permissions so we don't need to 
run zeoctl or zopectl in the foregrond and Ctl-C out to make them, and 
several other things.

You should be able to add more mount points on the fly by lookiing at 
zeo.conf and zope.conf. You should be able to add more ZClients on the 
fly by running mkzopeinstance.

Like Joel says, please do not make fun of my bash scripting. I am not a 
bash programmer. And I am by no means a sed expert.

You will need an install of Python 2.3.5 with PIL installed in it, and a 
the Zope code base (the code which allows you to create Zope instances) 
installed, in order to use this script. These are simple 
confiure/make/make (alt)install procedures described in the READMEs for 
Python and Zope. The Zope code base must be executable by the Zope 
instance owner. This is usually the case for any user, so you normally 
don't need to worry about it. My Python and Zope code bases are normally 
*owned* by root, but executable by any user.

At the top of the script, you will see a bunch of variables which need 
to be customized to your box:


So obviously, you tell the script through these variables:

1) PYTHON_BASE = Where your Python lives

2) ZOPE_BASE = Where your Zope code base lives

3) ZOPE_INSTANCES = Where you'd like Zope instances to be created

4) ZOPE_MANAGER = What Linux user (with a login) you'd like to own the 
Zope instance. This user must already be created. You can usually do 
this (as root) with something like:

/usr/sbin/useradd zopemanager -m -G users,wheel -s /bin/bash

5) ZOPE_OWNER = What Zope user you'd like to be the Owner of the Zope 
instance. This is the user with which you will initially log into the 
Zope root ZMI.

6) ZOPE_RUNNER = What Linux user (a system user without a login) you 
like to run Zope. This user must already be created. You can usually do 
this (as root) with something like:

/usr/sbin/adduser -r -g zopemanager -s /sbin/nologin zoperunner

7) ZEO_NAME = What the name of your zeo directory in the instance is 
(probably doesn't need to change)

8) ZCLIENT_NAME = What the base name of the zclient directories is 
(probably doesn't need to change)

9) ZCLIENT_INSTANCE = What the suffix to ZCLIENT_NAME should be for the 
first ZClient instance (probably doesn't need to change). The idea is 
for this to be a number and for it to increment in a later script 
improvement. So your first ZClient instance will be names zclient0, the 
second zclient1, and so on.

10) PLONE_TARBALL_URI_PATH = Where to go fetch you Plone tarball with 
wget. This might be better to be some place local rather than plone.org 
if you run this script a lot.

11) PLONE_TARBALL_URI_FILE = The name of the Plone tarball

12) PLONE_TARBALL_URI_EXT = The Plone tarball extension (probably 
doesn't need to change)

So once you customize all that, you can run the script (as ZOPE_MANAGER) 
like so:

mkzeowmp \
  prod    \ # the name of your instance directory in ZOPE_INSTANCES
  9099    \ # the port number of your ZEO server
  1000    \ # the base for the http and webdav port in zope.conf
  8080    \ # the http port base
  1980    \ # the webdav port base (for Enfold Deskop)
  2       \ # the CPU on which to run the first ZClient (starts with 1)
  seacoos trizpug                     \ # any number of
  whitehouse unitednations illuminati \ # names for mount points

This will give you a ZEO server running on port 9099, an http port 
running on 9080, and a webdav port running on 2980.

I recommend creating a production instance on one set of ports and a 
test instance on another set of ports. Your development instance should, 
of course, be run on your laptop or desktop.

To get usage information, just run mkzeowmp without arguments and get:

usage: mkzeowmp instance_name       \
                 zeo_port            \
                 zclient_port_base   \
                 http_port           \
                 webdav_port         \
                 client_cpu_affinity \
                 [list of mount point names separated by spaces]*

The first time you log into Zope as ZOPE_OWNER, add a "ZODB Mount 
Point." You will see all your mount points listed and checked. Check 
"add folders." Click on "save." All you mount points will be created. 
You can go look in ZOPE_INSTANCES/INSTANCE_NAME/ZEO_NAME/var on the 
filesystem and see a separate .fs file for each mount point. You can go 
in each mount point folder in the ZMI and create a Plone site. All the 
data for that Plone site will be in a separate .fs file in the ZODB.


Chris Calloway
office: 17-6 Venable Hall   phone: (919) 962-4323
mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599

More information about the triangle-zpug mailing list