Deploying Streetsign in Production

How to deploy a ‘production-ready’ streetsign installation.

Dependencies

First you need to install the python headers (for compiling some extra modules), imagemagick (to generate thumbnails), and pip for installing other python modules, and git for downloading streetsign itself.

On Debian/Ubuntu Server, this will be:

sudo apt-get install python-pip python-dev imagemagick git

On CentOS 6.7, its:

sudo yum install python-devel python-pip ImageMagick git

User/Group

Streetsign, as every other service, should really run as it’s own user, for security’s sake

sudo useradd streetsign

Which will also create a new group for it.

Installation path

As per the LSB, probably the best place for public facing services to install their data is /srv/. So we should create that directory, and install streetsign there:

sudo mkdir /srv/streetsign
sudo chown -R streetsign:streetsign /srv/streetsign

Actually Installing it

We’ll use git to get the latest version, and set it up as normal:

cd /srv/streetsign
sudo su streetsign
git clone https://bitbucket.org/dfairhead/streetsign-server.git .
./setup.sh

Test it’s all ready to go

This step is technically un-needed, but probably a good idea. While still su‘d as streetsign:

./run.py waitress

and then from a web browser, browse to that server’s IP at port 5000. If you don’t know the server IP:

ifconfig |grep 'inet addr:'

Note that often servers may have a firewall (e.g. IPTables, or similar) blocking port 5000.

And then you can exit from the streetsign user.

Configure streetsign to start on system-boot

Unfortunately, this is different on practically every linux distribution, and even different between Ubuntu 14 and Ubuntu 15, for instance.

There are startup files in the streetsign source, in the deployment folder.

systemd systems (Ubuntu 15.x, CentOS 7, Debian Jessie, etc)

If you’re on a systemd based linux (Such as Ubuntu 15.x), then copy the deployment/systemd/streetsign.service file to /var/systemd/system, edit it to make sure it’s all correct for your system (which it should be, if you’ve followed the above instructions):

sudo cp /etc/streetsign/deployment/systemd/streetsign.service /var/systemd/system/

And then tell enable the service:

sudo systemctl enable streetsign

And then you can actually start it up:

sudo systemctl start streetsign

If it’s all running quite happily, then cool. If you want to test that it does actually start on boot, feel free to reboot the server and see what happens.

Logs for streetsign can then be found using the normal systemd logging utils:

journalctl -u streetsign.service

(Recent) upstartd systems (Ubuntu 14.x, etc)

Copy the streetsign upstart configuration file to /etc/init:

sudo cp /srv/streetsign/deployment/upstart/streetsign.conf /etc/init/

And then you should edit /etc/init/streetsign.conf to make sure it’s all correct for your system. If you’ve followed the above instructions, then it should be.

You can now start the service, to test it’s all working OK:

sudo start streetsign

And it should automatically run on boot as well. To stop that, you can edit the /etc/init/streetsign.conf file, and put a # in front of start on runlevel [2345].

The streetsign log file can be found with the rest of the upstart log files at:

/var/log/upstart/streetsign.log

SysV (initscript) systems (CentOS 6.x, etc.)

There’s a basic (hopefully OK) init script in deployment/init, which should work on many other systems. So just copy it in:

sudo cp /srv/streetsign/deployment/init/streetsign /etc/init.d/

and then turn it on with whatever your OS uses for that. On CentOS, for instance:

service streetsign start

will start it running. To make it run on system boot, it’s:

chkconfig --add streetsign

Getting Streetsign on to Port 80

If streetsign is going to be ‘public facing’, and so you want it to be running on the regular HTTP port 80, or over HTTPS, then it’s best to run a ‘reverse proxy’ in front of it.

The most popular options are NGiNX and Apache.

nginx

Install nginx:

sudo apt-get install nginx

Or on CentOS:

yum install nginx

copy the basic streetsign configuration file in:

sudo cp /srv/streetsign/deployment/nginx/streetsign /etc/nginx/sites-available/

on CentOS, it’s to /etc/nginx/conf.d/streetsign.conf:

sudo cp /srv/streetsign/deployment/nginx/streetsign /etc/nginx/conf.d/streetsign.conf

Edit it with whatever settings you wish.

Enable it (Debian Only):

sudo ln -s /etc/nginx/sites-available/streetsign /etc/nginx/sites-enabled/

And if streetsign is the only thing you’re using nginx for, and you don’t need the default welcome page, turn that off:

sudo rm /etc/nginx/sites-enabled/default

And of course, restart nginx:

sudo service nginx restart

Apache

Apache is pretty easy to install:

sudo apt-get install apache2

or:

sudo yum install httpd

is usually enough. There’s a default configuration file to put streetsign on its own virtualhost in the deployment/apache folder. If streetsign is the only site running behind apache here, then that configuration file may be enough. Usually, however, you’ll need to modify the VirtualHost / Server Name / other settings a bit yourself.

You will need the apache mod_proxy and proxy_http modules enabled. On Debian based systems:

sudo a2enmod proxy proxy_http

on others you need to check in your apache config (usually /etc/httpd/conf/httpd.conf or similar) that the modules are enabled. These two lines (wherever they are) need to be uncommented:

LoadModule proxy_module module/mod_proxy.so
LoadModule proxy_http_module module/mod_proxy_http.so

Or similar.

You can then copy in the config file. On Debian based systems:

sudo cp /srv/streetsign/deployment/apache/streetsign.conf /etc/apache2/sites-available/

Or on CentOS:

sudo cp /srv/streetsign/deployment/apache/streetsign.conf /etc/httpd/conf.d

Edit it to have the settings you need, and enable it. (Debian only):

sudo a2ensite streetsign

And if you want to, disable the default apache welcome-page/site:

sudo a2dissite 000-default

Finally, restart apache:

sudo service apache2 restart

and it should all be working.

CentOS Notes: (Esp. SELinux)

CentOS has SELinux installed often, and is locked down pretty hard. You will probably need to allow the HTTPD to make outgoing connections, and also to access files in the /srv/streetsign/streetsign_server/static folders.

(All of the following commands are as root.)

First install semanage:

yum install policycoreutils-python

Then open up HTTPD to have outgoing-network access (to the actual python server):

/usr/sbin/setsebool httpd_can_network_connect 1

And to make that permanent:

/usr/sbin/setsebool -P httpd_can_network_connect 1

Then give read access for HTTPD to the /srv/streetsign/streetsign_server/static and all subdirectories:

semanage fcontext -a -t httpd_sys_content_t "/srv/streetsign/streetsign_server/static(/.*)?"

And apply the policies:

restorecon -Rv /srv/streetsign