MediaWiki Backup And Restore: Difference between revisions

From MediaWiki
Jump to navigationJump to search
Line 323: Line 323:


==== Restart the Apache Web Service ====
==== Restart the Apache Web Service ====
Make sure the Apache Web services is restarted:
[root@nst-wiki40 scripts]# systemctl restart httpd.service php-fpm.service;


==== Certbot Configuration ====
==== Certbot Configuration ====

Revision as of 14:43, 5 July 2024

Backup

The system which contains the NST WIKI performs nightly backups. The compressed back up files under the /var/nst/nstwiki_archive directory.

The /var/nst/nstwiki_archive directory is then mirrored at external locations.

The following items are backed up:

  • The SQL database associated with the Wiki.
  • The configuration files associated with the Wiki.
  • The media files (images) associated with the Wiki.

Here is an example of using rsync to download a copy of the back up files:

[nst@nst30-repo ~]$ rsync -avhP nstwiki:/var/nst/nstwiki_archive backup/nst30-repo
receiving incremental file list
nstwiki_archive/
nstwiki_archive/nstwiki_conf_archive0.tgz
        117.14M 100%    3.94MB/s    0:00:28 (xfr#1, to-chk=1/3)
nstwiki_archive/nstwiki_media_archive0.tgz
        694.91M 100%    3.99MB/s    0:02:46 (xfr#2, to-chk=0/3)

sent 66 bytes  received 812.24M bytes  4.13M bytes/sec
total size is 812.05M  speedup is 1.00
[nst@nst30-repo ~]$ ls -l backup/nst30-repo/nstwiki_archive
total 793020
-rw-r--r-- 1 nst nst 117138773 Aug 21 05:34 nstwiki_conf_archive0.tgz
-rw-r--r-- 1 nst nst 694906230 Aug 21 05:34 nstwiki_media_archive0.tgz
[nst@nst30-repo ~]$

Restore/Move

If you need to restore the NST Wiki or need to relocate the NST Wiki to another machine, use the following strategy:

  • Set up MediaWiki on the other machine by following the instructions on the MediaWiki page.
  • Stop the httpd service.
  • Stop the mysqld service.
  • Transfer and install from the back up archives.
  • Start the mysqld service.
  • Run any new MediaWiki database upgrade scripts (if you are moving to a newer version of MediaWiki).
  • Update your LocalSettings.php file.
  • Start the httpd service.

Set Up MediaWiki

If you are moving the NST Wiki to a new machine, you will need to set up MediaWiki on the new machine:

  • Before setting up MediaWiki, review the LocalSettings.php file as you will likely want to match some of the settings (if you don't it's not the end of the world - but if you take the time now it might save you some tweaks later).
  • See the MediaWiki page for details on setting up MediaWiki on a NST system.
  • Install the EmbedVideo media extension.

Stop Services

Stop the httpd and mysqld services as shown below (use service instead of systemctl if you are on a older system):

[root@probe-p3p1 ~]# systemctl stop httpd.service
[root@probe-p3p1 ~]# systemctl stop mysqld.service
[root@probe-p3p1 ~]# 

Transfer And Extract The Backup Archives

Get a copy of the NST Wiki backup files from the directory /var/nst/nstwiki_archive directory and transfer them to your /tmp directory:

[root@probe-p3p1 ~]# rsync -rp nstwiki:/tmp/nstwiki_archive /tmp/
root@nstwiki's password: 
[root@probe-p3p1 ~]# ls -l /tmp/nstwiki_archive
total 198476
-rw-r--r-- 1 root root  66375294 Oct 22 18:32 nstwiki_conf_archive0.tgz
-rw-r--r-- 1 root root 126201929 Oct 22 18:32 nstwiki_media_archive0.tgz
[root@probe-p3p1 ~]# 

Extract the contents of the nstwiki_conf_archive0.tgz file to the /var/nst/backup directory:

[root@probe-p3p1 ~]# install -d /var/nst/backup
[root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz -C /var/nst/backup/ .
[root@probe-p3p1 ~]# 

Create and initialize the /var/nst/mediawiki directory:

[root@probe-p3p1 ~]# install -d /var/nst/mediawiki
[root@probe-p3p1 ~]# mw-createinstance /var/nst/mediawiki
[root@probe-p3p1 ~]# 

Extract the contents of the nstwiki_media_archive0.tgz file to the directory where your MediaWiki files live.

[root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_media_archive0.tgz -C /var/nst/mediawiki
[root@probe-p3p1 ~]#

Add a sym-link to the images directory under /usr/share/mediawiki (still not sure why this is required). Also, you may need to edit/save each NST WIKI page if thumbnails are not being created automatically.

[root@probe-p3p1 ~]# mv /usr/share/mediawiki/images /usr/share/mediawiki/images.orig  
[root@probe-p3p1 ~]# ln /var/nst/mediawiki/images /usr/share/mediawiki/images
[root@probe-p3p1 ~]#

Restore The NST Wiki Database

At this point you can start up the mysqld service and restore the most recent version of the NST Wiki backup. However, before you can restore using the SQL file you will need to drop the wikidb (or whatever you named your database) if it exists:

[root@probe-p3p1 ~]# systemctl start mysqld.service
[root@probe-p3p1 ~]# mysql -h 127.0.0.1 --user=root --password
Enter password:  
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.14 MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop database wikidb;
Query OK, 45 rows affected (0.15 sec)

mysql> \q
Bye
[root@probe-p3p1 ~]# 

At this point you can restore the NST Wiki database:

[root@probe-p3p1 ~]# gzip -dc < /var/nst/backup/db/nstwikidb.sql.gz | mysql -h 127.0.0.1 --user=root --password
Enter password: 
[root@probe-p3p1 ~]#

Update The NST Wiki Database

If the location you are restoring the database to uses a newer version of MediaWiki, you will likely need to run the MediaWiki upgrade commands. Review the /usr/share/doc/mediawiki/UPGRADE file. Most likely you will need to run the following commands:

[root@probe-p3p1 ~]# cd /usr/share/mediawiki/maintenance/
[root@probe-p3p1 maintenance]# php update.php 
A copy of your installation's LocalSettings.php
must exist and be readable in the source directory.
[root@probe-p3p1 maintenance]# php update.php --conf /var/nst/mediawiki/LocalSettings.php
MediaWiki 1.16.5 Updater

Going to run database updates for wikidb
Depending on the size of your database this may take a while!

... Lot's of output as database is updated ...

Purging caches...done.
Done.
[root@probe-p3p1 maintenance]# cd
[root@probe-p3p1 ~]#

Update LocalSettings.php

Before starting up the web server, you will want to review your LocalSettings.php file:

  • Compare it with the back up you made earlier (/root/LocalSettings.php.working).
  • Initially disable any extensions currently configured (you may need to install the extension modules before enabling).
  • Review the contents of /usr/share/mediawiki/includes/DefaultSettings.php to see if there are any new settings you need to add.
[root@probe-p3p1 ~]# emacs -nw /var/nst/mediawiki/LocalSettings.php LocalSettings.php.working
[root@probe-p3p1 ~]#

Also, for some reason a copy of the LocalSettings.php file also needs to be under the /usr/share/mediawiki (at least for MediaWiki 1.33 and Fedora 30 packaging).

[root@probe-p3p1 ~]# ln /var/nst/mediawiki/LocalSettings.php /usr/share/mediawiki/LocalSettings.php
[root@probe-p3p1 ~]#

Restart The Web Service And Test

At this point you should be able to restart the web service and PHP engine and test your installation.

Notes:

  • Make sure a php-fpm configuration file exists for the systemd httpd.service unit: "/etc/php-fpm.d/www.conf"
  • NST Wiki uses a httpd configuration file: "/etc/httpd/conf.d/nstwiki.conf"
#
# This is for the NST Wiki

#DocumentRoot "/var/nst/mediawiki"
#ServerName wiki.networksecuritytoolkit.org

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
#TransferLog logs/wiki_access_log
#ErrorLog logs/wiki_error_log
#LogLevel warn

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE # !no-gzip !gzip-only-text/html

DeflateFilterNote Input input_info
DeflateFilterNote Output output_info
DeflateFilterNote Ratio ratio_info
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
CustomLog logs/deflate_log deflate

  #
  # NST Wiki entry point...
  <Directory "/var/nst/mediawiki">
    DirectoryIndex index.php
    Options FollowSymLinks ExecCGI
    Require all granted

    AddOutputFilterByType DEFLATE text/html
  </Directory>

  #
  # IP tools areas (fetch public IP address via SHTML - requires Includes directive)
  <Directory "/var/nst/mediawiki/tools">
    Options Includes
    Require all granted
  </Directory>

Alias /nstwiki "/var/nst/mediawiki"

  #
  # NST Repo...
  <Directory "/var/nst/repo">
    Options Indexes
    Require all granted
  </Directory>

Alias /repo "/var/nst/repo"

  #
  # Icons for NST Repo dir listing...
  <Directory "/var/nst/mediawiki/icons">
    Options Indexes MultiViews
    AllowOverride None
  </Directory>

Alias /icons/ "/var/nst/mediawiki/icons/"

<Directory "/usr/share/nst-webgl-globe">
    Options -Indexes
    Require all granted
</Directory>

Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe"

#
# Provide server status information
#
#<Location /server-status>
#    SetHandler server-status
#
#    AuthType Basic
#    AuthName "NST WUI: System Management"
#    AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
#    require valid-user
#</Location>

#
# Provide server information
#
#<Location /server-info>
#    SetHandler server-info
#
#    AuthType Basic
#    AuthName "NST WUI: System Management"
#    AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
#    require valid-user
#</Location>
  • Start these services and then check the NST Wiki.
[root@probe-p3p1 ~]# systemctl start httpd.service
[root@probe-p3p1 ~]# systemctl restart php-fpm.service
[root@probe-p3p1 ~]#
[root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki
[root@probe-p3p1 ~]#

At this point you should be able to review the contents of the Wiki and determine what is broken (not working) and then try to figure out what you need to do in:

  • Examine log files under the /var/log/httpd directory - they will often provide useful clues.
  • The /var/nst/mediawiki/LocalSettings.php file (look for new values you might need to override in /usr/share/mediawiki/includes/DefaultSettings.php). Also, consider temporarily enabling the debug logging feature with:
# Uncomment to enable debug log file when trouble shooting
$wgDebugLogFile = "/var/log/httpd/debug-wikidb.log";
  • Review the /etc/httpd/conf/httpd.conf file.
  • Review your mediawiki configuration file under the /etc/httpd/conf.d directory (nstwiki.conf).

Default Font Size

To change the global font size for all NST Wiki pages do the following.

  • Search for "MediaWiki:Common.css"
  • Add the following CSS entry:
body { font-size: 9pt; }

Certbot - HTTPS TLS Certificates

Certbot Overview

Certbot is part of EFF's effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Certbot Installation On NST Wiki - Tips & Modifications

This section goes through various steps to install certbot on an NST system for the NST Wiki web service (Apache - HTTPD). It can be a bit tricky.

DNF Install Required Packages

dnf install certbot python3-certbot python3-certbot-apache;

Fedora Python Code Modification (NST 40)

Insert this hack into the python code: "/usr/lib/python3.12/site-packages/certbot_apache/_internal/entrypoint.py" for Fedora OS identification. Verify if it has been fixed in a newer version before using the hack.

Before hack:

    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None

    # Special case for older Fedora versions

After hack:

    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None
>   os_name = 'fedora'
>   os_version = '40'

    # Special case for older Fedora versions

Create an Apache VirtualHost Configuration File

Certbot requires an Apache VirtualHost configuration file using port: 80. Add this file: "certbot.conf" to the Apache configuration directory: "/etc/httpd/conf.d"

[root@nst-wiki40 conf.d]# cat /etc/httpd/conf.d/certbot.conf;
<VirtualHost *:80>
ServerName wiki.networksecuritytoolkit.org
ServerAlias *.networksecuritytoolkit.org
DocumentRoot /var/nst/mediawiki
RewriteEngine on
RewriteCond %{SERVER_NAME} =*.networksecuritytoolkit.org [OR]
RewriteCond %{SERVER_NAME} =wiki.networksecuritytoolkit.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Restart the Apache Web Service

Make sure the Apache Web services is restarted:

[root@nst-wiki40 scripts]# systemctl restart httpd.service php-fpm.service;

Certbot Configuration

  • Certbot apache plugin options:
[root@nst-wiki40 ~]# certbot --help apache
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 

options:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)

apache:
  Apache Web Server plugin

  --apache-enmod APACHE_ENMOD
                       Path to the Apache 'a2enmod' binary (default: None)
  --apache-dismod APACHE_DISMOD
                        Path to the Apache 'a2dismod' binary (default: None)
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                       SSL vhost configuration extension (default: -le-ssl.conf)
  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory (default: /etc/httpd)
  --apache-vhost-root APACHE_VHOST_ROOT
                        Apache server VirtualHost configuration root (default: None)
  --apache-logs-root APACHE_LOGS_ROOT
                        Apache server logs directory (default: /var/log/httpd)
  --apache-challenge-location APACHE_CHALLENGE_LOCATION
                        Directory path for challenge configuration (default: /etc/httpd/conf.d)
  --apache-handle-modules APACHE_HANDLE_MODULES
                        Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False)
  --apache-handle-sites APACHE_HANDLE_SITES
                        Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False)
  --apache-ctl APACHE_CTL
                        Full path to Apache control script (default: httpd)
  --apache-bin APACHE_BIN
                        Full path to apache2/httpd binary (default: None)
  • Run Certbot configuration using the apache plugin:
certbot --apache --apache-server-root /etc/httpd --apache-bin /usr/sbin/apachectl;
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: wiki.networksecuritytoolkit.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Crontab - Certificate Updates

Add the following line to the crontab file: "/etc/crontab" for certbot to attempt to renew the NST Wiki certificate:

[root@nst-wiki40 ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q