[Zope] FYI: QuickStart Zope/Apache on RedHat 6.1 (mini HOWTO)

Nemeth Miklos nemeth@iqsoft.hu
Thu, 18 Nov 1999 01:50:59 +0100


QuickStart Zope/Apache on RedHat 6.1
by Miklos Nemeth (nemeth@iqsoft.hu)

Zope installation is extremely simple if you use ZServer. But if you
want to use Zope with Apache, the installation procedure might be a
nightmare. I fought for nearly half a day to install Zope with Apache.
This document describes the steps I used to install my Zope with my
Apache.

I used RedHat 6.1, Apache 1.3.9 installed the standard RedHat way:
(1) httpd.conf in /etc/httpd/conf,
(2) document root directory: /home/httpd (owned by root)
(3) the user/group to run httpd: nobody/nobody
(4) port: 80
(5) startup/shutdown script: /etc/rc.d/init.d/httpd

The first phase is to install Zope:

(1) Change (ie. su) to root, and cd to /usr/local
(2) Extract the Zope distribution file: tar xfz Zope-2.0.1-linux2-x86.tgz
(3) cd to Zope-2.0.1-linux2-x86
(4) Run "./install -u nobody -g nobody". If you do not specify "-u
nobody" and "-g nobody", install will not set the ownership of some
files and directories correctly. With these options, nobody/nobody will
be set as the owner of Zope.cgi, access, start, stop and the var
directory and its contents.
(5) Make a note (in a safe place) of the password of the user
"superuser". The password is printed on the screen by install.
(6) Copy Zope.cgi into the directory /home/httpd/cgi-bin with "cp -p":
"cp -p Zope.cgi /home/httpd/cgi-bin". The -p option of the cp command
is very important because it preserves ownership: Zope.cgi should be
owned by nobody even in the /home/httpd/cgi-bin directory.
(7) Start ZServer as nobody (if you are logged in as root): "su nobody
start". ZServer will use ports 8080, 8021, 8099. If these ports are in
use on your system, you should explicitly specify port numbers for the
start script (see the z2.py options -P, -w, -f, -m). It is crucial not
to start ZServer as root, otherwise it creates the var/pcgi.soc file as
root, and pcgi-wrapper (see later) will not have permission to open it
as it will be run as nobody by Apache.
You do not have to specify -p for the start script: PCGI is enabled by
default. If you want to have some info about the available parameters
for start, have a look at z2.py (start invokes the z2.py module).
Later you may edit the start script as suggested by the "Gotchas for
Zope Beginners" HOWTO.
(8) If you later wish to stop ZServer, open a new terminal and invoke:
"su nobody /usr/local/Zope-2.0.1-linux2-x86/stop"

The second phase is to edit /etc/httpd/conf/httpd.conf to force Apache
to pass authentication data to Zope.cgi:

(1) As root edit httpd.conf, and add to the end the following lines:
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/Zope(.*) /home/httpd/cgi-bin/Zope.cgi$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
The RewriteRule directive, including its bracketed flags, must be on
one line. For more info see Gotchas for Zope Beginners.
(2) Restart (as root) your Apache server by: "/etc/rc.d/init.d/httpd
restart"
(3) Start Netscape and type the URL: http://localhost/Zope. You will
see the "Welcome to Zope" page. Click on the "management screen" link.
(4) You will be asked for a username and password. Type in "superuser"
and the password you jotted down during the Zope install. If the user
name and password are correct you will get the main Zope management
page.
(5) You may connect to the management page directly by using the URL:
http://localhost/Zope/manage
(6) Notice that the root folder of your Zope site will be named Zope
(7) You may also connect to ZServer directly (avoiding PCGI):
http://localhost:8080/manage. In this case the root folder will be
unnamed.

Why the user nobody?

When Apache (i.e. httpd) is started as root, it opens the privileged
ports (80, 443 (SSL)), opens the log files, and then stops acting as the
potentially dangerous root and becomes nobody (as specified in
httpd.conf). All CGI programs/scripts will be run as nobody. Zope.cgi
(see below) is also run by nobody. The simplest configuration is to run
Zope as nobody, too. If you are an experienced UNIX administrator, and
you understand how Apache and PCGI work, you may invent more
complicated setups.

What is this Zope.cgi, and how does it work?

Zope.cgi is an executable file, but it is not a shell script to be
executed by sh. If you look at the first line you will understand the
trick:
#!/usr/local/Zope-2.0.1-linux2-x86/pcgi/pcgi-wrapper
That is, when a URL requests it, Apache starts Zope.cgi (as nobody --
remember!) and Zope.cgi is run by pcgi-wrapper. pcgi-wrapper parses the
content of Zope.cgi and tries to connect to a running server. An
important directive is PCGI_SOCKET_FILE, which points to
/usr/local/Zope-2.0.1-linux2-x86/var/pcgi.soc; this file is used as the
communication medium between pcgi-wrapper (invoked by Apache) and
ZServer (started by the start script). Each time pcgi-wrapper is started
(as a normal CGI program) it connects to ZServer via the pcgi.soc socket
file, transfers the HTTP request to ZServer, waits for the response and
returns the data to the Apache server. Note that ZServer is started once
and runs forever, but PCGI is started each time a Zope request is
received by Apache.
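
The ownership chain described above and in step (7) of the first phase
can be checked with a short script. This is an added example, not part
of the original HOWTO or of Zope; the function names are hypothetical,
and it assumes Zope.cgi stores its directives as KEY=value lines.

```shell
#!/bin/sh
# Added example: audit the PCGI ownership chain described in this HOWTO.
# Assumption: Zope.cgi holds its directives as KEY=value, one per line.

# Print the value of one directive from a PCGI info file such as Zope.cgi.
pcgi_directive() {  # usage: pcgi_directive FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the numeric owner uid of a path (works without a passwd entry).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Check that Zope.cgi, the socket directory and the socket itself all
# belong to the uid that Apache runs CGI programs as. Prints one line per
# problem and returns the number of problems found (0 means consistent).
audit_pcgi() {  # usage: audit_pcgi /path/to/Zope.cgi EXPECTED_UID
    cgi=$1 want=$2 problems=0
    sock=$(pcgi_directive "$cgi" PCGI_SOCKET_FILE)
    if [ -z "$sock" ]; then
        echo "PROBLEM: no PCGI_SOCKET_FILE directive in $cgi"
        return 1
    fi
    for path in "$cgi" "$(dirname "$sock")" "$sock"; do
        if [ ! -e "$path" ]; then
            echo "PROBLEM: $path does not exist (is ZServer running?)"
            problems=$((problems + 1))
        elif [ "$(owner_uid "$path")" != "$want" ]; then
            echo "PROBLEM: $path owned by uid $(owner_uid "$path"), expected $want"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Example: sh audit.sh /home/httpd/cgi-bin/Zope.cgi "$(id -u nobody)"
if [ "$#" -eq 2 ]; then
    audit_pcgi "$1" "$2"
fi
```

A socket reported as owned by uid 0 is the symptom of having started
ZServer as root.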

Why use PCGI?

ZServer does not support SSL, which may be an important requirement in
your case. Apache supports SSL (Apache+SSL or mod_ssl), and thus Zope
may be used in secured communication with the help of PCGI.

What are the shortcomings of PCGI?

(1) PCGI is run as a normal CGI program. Every time an HTTP request is
sent to the Zope server a process is spawned for running Zope.cgi (via
pcgi-wrapper).
(2) The Zope server must be installed on the same host as the Apache
server, because currently PCGI does not support remote communication.

Other invaluable documents:

How-To: Gotchas for Zope Beginners (by jens)
How-To: Zope/Apache Virtual Host HOWTO (by jec)