CentOS - Apr 2016 - Apache/PHP Installation - opinions

Hey guys,

I tend to work on small production environments for a large enterprise.

Never more than 15 web servers for most sites.

But most are only 3 to 5 web servers. Depends on the needs of the
client.I actually like to install Apache and PHP from source and by
hand. Although I know that's considered sacrilege in some shops.

I do this because on RH flavored systems like CentOS the versions of
Apache, php and most other software are a little behind the curve in
terms of versions.

And that's intentionally so! Because the versions that usually go into
the various repos are tested and vetted thoroughly before going into
the repos.

I like to use the latest, stable versions of apache and php for my
clients without having to create a custom RPM every time a new version
comes out.

So what I'd like to know is it better in your opinion to install from
repos than to install by source as a best practice? Is it always
better to use puppet, chef, ansible etc even if the environment is
small? I'm sure this is a matter preference, but I would like to know
what your preferences are.

Thanks,
Tim

Sent from my iPhone

On 4/26/2016 3:27 PM, Tim Dunphy wrote:
> I like to use the latest, stable versions of apache and php for my
> clients without having to create a custom RPM every time a new version
> comes out.
>
> So what I'd like to know is it better in your opinion to install from
> repos than to install by source as a best practice? Is it always
> better to use puppet, chef, ansible etc even if the environment is
> small? I'm sure this is a matter preference, but I would like to know
> what your preferences are.
I would setup your own private yum repo, with RPMs built from source, 
ideally built to run in /opt/yourstuff or /usr/local or something, as 
you prefer, so they don't collide with any system packages..     once 
you've got the rpm build down, unless there's major architectural 
changes in the package, it shouldn't take more than fetching the latest 
tarball and run your rpm build script, then test it on a staging 
platform, when it meets your requirements, post it on your repo, and 
have your sites update via yum...

I've never gotten into the puppet/chef/etc stuff cuz every one of the 35 
servers and VMs in the development lab at work is a different custom 
configuration, so I config them by hand, its not that much work in my 
environment.  For CentOS VMs, I generally install from the minimal ISO, 
then copypasta a few yum commands to get all my favorite tools onboard, 
and past that its a custom configuration of this java plus that database 
server and whatall user accounts this app environment needs, doesn't 
take a half hour to build a new system this way, and I don't have to 
build them that often (maybe a couple a month at most?).


-- 
john r pierce, recycling bits in santa cruz

If you need more recent versions checkout softwarecollections.org. It has
more recent rebuilds of the big package suites that install under /opt and
don't collide with the system installed packages. There is a CentOS
specific channel in there somewhere.

On 04/26/2016 03:27 PM, Tim Dunphy wrote:
> So what I'd like to know is it better in your opinion to install from
> repos than to install by source as a best practice?
Your tools should save you time.

Building packages should involve three steps: download the source, 
update the version number in your spec file, mock build / sign / publish 
(the last set should be a small shell script).  Building in mock means 
that the package is predictable.  Every time it builds, it'll detect the 
same available libraries during ./configure, so your build is consistent.
> Is it always
> better to use puppet, chef, ansible etc even if the environment is
> small?
Again, your tools should save you time.

If your configuration manager takes more effort than configuring a 
system by hand, you should probably look for a better tool. Personally, 
I like bcfg2.  And yes, I use it for everything.  I use templates 
extensively so that anything that varies from site to site or host to 
host is easy to adjust, and I can apply a configuration far more quickly 
and reliably than I can configure a system manually.

On 04/26/2016 03:27 PM, Tim Dunphy wrote:
> Hey guys,
>
> I tend to work on small production environments for a large enterprise.
>
> Never more than 15 web servers for most sites.
>
> But most are only 3 to 5 web servers. Depends on the needs of the
> client.I actually like to install Apache and PHP from source and by
> hand. Although I know that's considered sacrilege in some shops.
>
> I do this because on RH flavored systems like CentOS the versions of
> Apache, php and most other software are a little behind the curve in
> terms of versions.
>
> And that's intentionally so! Because the versions that usually go into
> the various repos are tested and vetted thoroughly before going into
> the repos.
>
> I like to use the latest, stable versions of apache and php for my
> clients without having to create a custom RPM every time a new version
> comes out.
>
> So what I'd like to know is it better in your opinion to install from
> repos than to install by source as a best practice? Is it always
> better to use puppet, chef, ansible etc even if the environment is
> small? I'm sure this is a matter preference, but I would like to know
> what your preferences are.
>
> Thanks,
> Tim
>
I don't have php 7 but I do have 5.6.20 (latest in 5.6 branch), Apache 
2.4.20, etc. at https://librelamp.com/

The purpose of that repo is LAMP stack built against LibreSSL opposed to 
OpenSSL.

I prefer LibreSSL over OpenSSL but I like CentOS so to use LibreSSL in 
CentOS I had to make that repo.

I've been told the php 7 RPMs maintained by Remi work just fine with it 
if you really need php 7 (php 7 breaks some web apps I run so I stick to 
5.6 branch)

A lot of of the RPMs are tweaked rebuilds of Fedora source RPMs

On 26 Apr 2016 23:28, "Tim Dunphy" <bluethundr at gmail.com>
wrote:
>
> Hey guys,
>
> I tend to work on small production environments for a large enterprise.
>
> Never more than 15 web servers for most sites.
>
> But most are only 3 to 5 web servers. Depends on the needs of the
> client.I actually like to install Apache and PHP from source and by
> hand. Although I know that's considered sacrilege in some shops.
>
> I do this because on RH flavored systems like CentOS the versions of
> Apache, php and most other software are a little behind the curve in
> terms of versions.
>
> And that's intentionally so! Because the versions that usually go into
> the various repos are tested and vetted thoroughly before going into
> the repos.
>
> I like to use the latest, stable versions of apache and php for my
> clients without having to create a custom RPM every time a new version
> comes out.
>
> So what I'd like to know is it better in your opinion to install from
> repos than to install by source as a best practice? Is it always
> better to use puppet, chef, ansible etc even if the environment is
> small? I'm sure this is a matter preference, but I would like to know
> what your preferences are.
>
Unless you are explicitly tracking upstream and religiously providing
builds as upstream release them taking upstream sources and building from
them is a disservice to your customers.

This goes doubly for just installing from source without making packages as
then it's impossible to audit the system for what is installed or properly
clean up after it.

You need to be aware that it's not only about "vetting" but rather
that
auditing for a CVE becomes as simple as rpm -q --changelog | grep CVE ...
Security updates from RH don't alter functional behaviour reducing the need
for regression testing.

Unless you have a very specific requirement for a very bleeding edge
feature it's fundamentally a terrible idea to move away from the
distribution packages in something as exposed as a webserver ... And when
you do you absolutely need to have the mechanisms in place to efficiently
and swiftly build and deploy new versions, and deal with any fallout
yourself.

Finally keep in mind the CentOS project can only viably support what we
ship and not $random source. When you do need help and head to #centos on
irc or report something on the mailing list keep that in mind.

As for CM? Doesn't take any significant effort or time to knock together a
playbook to cover what you did by hand. Doesn't need to be high quality and
distro agnostic ready for galaxy (or forge or whatever chef does) but it
does mean you have "documentation in code" of how that system is
without
having to maintain info on how to rebuild it anyway. And assume every
system may need a rebuild at some point - having CM in place makes that
trivial rather than "oh what was the special thing on this one"
scenarios.

On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*
>
> Unless you have a very specific requirement for a very bleeding edge
> feature it's fundamentally a terrible idea to move away from the
> distribution packages in something as exposed as a webserver ...
I use to believe that.

However I no longer.

First of all, advancements in TLS happen too quickly.

The RHEL philosophy of keeping API stability for as long as the release 
is supported means you end up running old protocols and old cipher 
suites and don't have the new protocols and cipher suites available.

That's a problem.

With respect to Apache and PHP -

There is a lot of benefit to HTTP/2 but you can't get that with the 
stock Apache in RHEL / CentOS 7. You just can't.

The PHP in stock RHEL / CentOS is so old that web application developers 
largely are not even using it anymore, resulting in some web 
applications that just simply don't work unless you update the PHP to 
something more modern.

It's a nice idealistic philosophy to want to keep the same versions and 
backport security fixes and keep everything API compatible but in real 
world practice, it makes your server stale.

Another way i choose is install what i need in opt a php cli and configure
apache. What is the different? I drive php 5.3, 5.6 side by side. It always
depends of your needs.

How configure this stuff on my virtual host? ISP-Config
make it easy for me. 

Can be a solution for you. RPM isn?t that bad and  hold
the configuration in a spec file is handy. You can take a name for a package
like php-7 and
 will be never overwritten by an update. There are many ways to track down
problems. It?s up to you. 
> Am 27.04.2016 um 09:30 schrieb James Hogarth <james.hogarth at
gmail.com>:
> 
> On 26 Apr 2016 23:28, "Tim Dunphy" <bluethundr at gmail.com
<mailto:bluethundr at gmail.com>> wrote:
>> 
>> Hey guys,
>> 
>> I tend to work on small production environments for a large enterprise.
>> 
>> Never more than 15 web servers for most sites.
>> 
>> But most are only 3 to 5 web servers. Depends on the needs of the
>> client.I actually like to install Apache and PHP from source and by
>> hand. Although I know that's considered sacrilege in some shops.
>> 
>> I do this because on RH flavored systems like CentOS the versions of
>> Apache, php and most other software are a little behind the curve in
>> terms of versions.
>> 
>> And that's intentionally so! Because the versions that usually go
into
>> the various repos are tested and vetted thoroughly before going into
>> the repos.
>> 
>> I like to use the latest, stable versions of apache and php for my
>> clients without having to create a custom RPM every time a new version
>> comes out.
>> 
>> So what I'd like to know is it better in your opinion to install
from
>> repos than to install by source as a best practice? Is it always
>> better to use puppet, chef, ansible etc even if the environment is
>> small? I'm sure this is a matter preference, but I would like to
know
>> what your preferences are.
>> 
> 
> Unless you are explicitly tracking upstream and religiously providing
> builds as upstream release them taking upstream sources and building from
> them is a disservice to your customers.
> 
> This goes doubly for just installing from source without making packages as
> then it's impossible to audit the system for what is installed or
properly
> clean up after it.
> 
> You need to be aware that it's not only about "vetting" but
rather that
> auditing for a CVE becomes as simple as rpm -q --changelog | grep CVE ...
> Security updates from RH don't alter functional behaviour reducing the
need
> for regression testing.
> 
> Unless you have a very specific requirement for a very bleeding edge
> feature it's fundamentally a terrible idea to move away from the
> distribution packages in something as exposed as a webserver ... And when
> you do you absolutely need to have the mechanisms in place to efficiently
> and swiftly build and deploy new versions, and deal with any fallout
> yourself.
> 
> Finally keep in mind the CentOS project can only viably support what we
> ship and not $random source. When you do need help and head to #centos on
> irc or report something on the mailing list keep that in mind.
> 
> As for CM? Doesn't take any significant effort or time to knock
together a
> playbook to cover what you did by hand. Doesn't need to be high quality
and
> distro agnostic ready for galaxy (or forge or whatever chef does) but it
> does mean you have "documentation in code" of how that system is
without
> having to maintain info on how to rebuild it anyway. And assume every
> system may need a rebuild at some point - having CM in place makes that
> trivial rather than "oh what was the special thing on this one"
scenarios.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org <mailto:CentOS at centos.org>
> https://lists.centos.org/mailman/listinfo/centos
<https://lists.centos.org/mailman/listinfo/centos>

On Tue, 26 Apr 2016, Tim Dunphy wrote:
> So what I'd like to know is it better in your opinion to install 
> from repos than to install by source as a best practice?
"Better" all depends on your workflow and your customers'
concerns.

If you are always available to update all your customers' 
installations, esp. when there's a security update, then installing 
from source may allow you to roll out new features more quickly than 
stock CentOS.

OTOH, if you go on vacation, or get injured, or whatever -- then your 
clients may be left exposed when a new exploit is released. Someone at 
Red Hat (and from there CentOS) will be dealing with it, and your 
customers get the benefit of that work with a simple "yum update".

At the very least, I'd inform the clients of the benefits and risks of 
both approaches and see what best matches their concerns.
> Is it always better to use puppet, chef, ansible etc even if the 
> environment is small? I'm sure this is a matter preference, but I 
> would like to know what your preferences are.
Personally, I've found the break-even point to be three to four 
systems. That is, once I'm managing four systems, I'll spend less time 
over the life-cycle of those hosts spinning up puppet or cfengine than 
I will managing those systems by hand. Other admins may have a 
different opinion, but that's what I've discovered.

-- 
Paul Heinlein
heinlein at madboa.com
45?38' N, 122?6' W