Difference between revisions of "User:Aexoxea/Tiki Wiki CMS Groupware"

From ArchWiki
(Security: Cleared up PHP security properties paragraph.)
(Server check: What you're looking for at a minimum.)
Line 170: Line 170:
 
=== Server check ===
 
=== Server check ===
  
Tiki ships a [https://doc.tiki.org/Server-Check Server Check] PHP script that allows you confirm if aspects of your web server, PHP and (optionally) database setup are compatible with Tiki, or will allow some optional features of Tiki to be used.
+
Tiki ships a [https://doc.tiki.org/Server-Check Server Check] PHP script that allows you confirm if aspects of your web server, PHP and (optionally) database setup are compatible with Tiki, or will allow some optional features of Tiki to be used. Tiki should work provided script doesn't flag anything as "BAD".
  
 
The script is available:
 
The script is available:
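Review bot: The sentence added on the new side of Line 170 is missing an article: "provided script doesn't flag" should read "provided the script doesn't flag". The unchanged start of the same line has "allows you confirm", which could become "allows you to confirm" in the same edit. Since that line says the script also checks whether optional features can be used, the new sentence should say whether "Tiki should work" refers to core compatibility only or to those optional features as well.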

Revision as of 06:32, 17 February 2018

Warning: This is a work in progress and may not ever move to mainspace. Proceed at your own risk!

Tiki Wiki CMS Groupware (referred to herein as just "Tiki") is a web-based content management system with collaboration features, written in PHP.

Package Tiki

Tiki ships both stable and long-term support releases (see versioning policy and release roadmap). Choose from one of the following, then make a package using the files on the linked page:

  • For the latest stable release (18.x): Files Stable.
  • For the latest long-term support release (18.x): Files LTS.
Note: If you encounter Composer warnings (e.g. "Your requirements could not be resolved to an installable set of packages.") during packaging because of PHP's configuration, they can be safely ignored at this point.
Note: While PHP 7.2 or 7.1 should work in most circumstances with Tiki 18.x series, if you encounter difficulties you should downgrade to PHP 7.0 or 5.6 (available in AUR as php70 and php56 respectively).

Once done, continue with the Install and set up prerequisites section (for new installs) or the Apply the update section (for updates).

Install and set up prerequisites

Tiki relies on a typical LAMP-like stack. See Tiki's Requirements page for specific prerequisites.

Install Tiki

Install the Tiki package that you made above.

Set up a web server

You need a running web server configured to use PHP and serve up files from /usr/share/webapps/tikiwiki/.

If not sure what to pick, choose Apache and follow the instructions below.

Apache

To use Tiki on Apache, you need to:

  1. Install Apache per instructions at Apache HTTP Server#Installation.
  2. Configure Apache to use PHP per instructions at Apache HTTP Server#PHP.
  3. Copy /etc/webapps/tikiwiki/apache.example.conf to /etc/httpd/conf/extra/tikiwiki.conf.
  4. Edit /etc/httpd/conf/httpd.conf to:
    • Enable LoadModule alias_module modules/mod_alias.so (it is enabled by default on new installs).
    • Add this line where appropriate (if unsure, place it at the end): Include conf/extra/tikiwiki.conf.
  5. Start/enable the Apache service per instructions at Apache HTTP Server#Configuration.

Set up a database server

Tiki supports either MariaDB or Oracle MySQL. If not sure what to pick, use MariaDB.

Either way, you need to install, set up and start/enable the database server per instructions at MySQL#Installation.

It is recommended to let Tiki create the database (and optionally -- but recommended for security reasons -- the database user account) that it will use. You will need to note down for later:

  • The database server host name (if not on localhost),
  • The username and password of a database user account (e.g. root) with access to create new databases and new database user accounts.

If you need or want to create these manually instead, see Database - Manual creation below.

Set up PHP

PHP was pulled in as a dependency when Tiki was installed earlier.

You need to edit /etc/php/php.ini (or equivalent) and, at a minimum:

  • Set the default timezone (date.timezone=, see PHP's List of Supported Timezones for valid options).
  • Set the session data path (session.save_path=, the default "/tmp" works as a starting point).
  • Enable the calendar, iconv, intl, mysqli and pdo_mysql extensions (each has its own extension= entry).

It is also recommended to:

  • Enable the zip extension (it is enabled by default on new installs).
  • Enable the gd extension, then install the php-gd package (or equivalent) it requires to work.
Note: If using Apache, you will need to restart the web server now so these changes take effect. Other web servers may also need to be reloaded or restarted at this point; consult your documentation.

Next steps

Once done, continue with Configure Tiki below.

Configure Tiki

See Tiki's Installation and Linux pages for specific information.

Set up Tiki's files

Tiki ships with a setup script (setup.sh) that updates its file permissions and downloads any necessary extra files using Composer.

If you're using the current version of PHP that ships in the main repositories, run this from a terminal:

# cd /usr/share/webapps/tikiwiki/
# sh setup.sh -u http -g http -n fix

The -u and -g options change the user and group of Tiki's files, so set these as appropriate (noting http:http is the default user and group for most web servers).

If you're using an earlier version of PHP, you need to add the -p option with the truncated program name, e.g. if using php70 from AUR:

# cd /usr/share/webapps/tikiwiki/
# sh setup.sh -u http -g http -p php70 -n fix
Tip: See the Permission check section for more options around setup.sh.

Run Tiki's install workflow

Finally, open a web browser and access https://localhost/tiki/tiki-install.php (HTTP will also work, but see the warning below), substituting the web server address and path if needed.

For new installs, a web-based workflow will start to guide you through the final configuration steps (including setting up the database). When this workflow is complete, Tiki is ready to use.

For updates, you'll first be prompted to enter the username and password for Tiki's database user account. When the web-based workflow appears, there will be a notice about upgrading. Follow the link under that notice; it will take you to the correct part of the workflow to upgrade the database. Run through the workflow from there; when complete, your Tiki is updated, and you should continue with the After updating section.

Warning: As usernames and passwords are handled through the workflow, if the server is not on localhost or a trusted network, you should use HTTPS or another secure communication method.
Tip: The workflow defaults to English, but you can select a different language on the first page.

Updates

See Tiki's Upgrade page for detailed information about updating between versions.

Before updating

It is strongly recommended to:

  • Make sure you have a backup in place, as Tiki does not support downgrades. Take a system backup of your Arch, follow one of Tiki's Backup recommendations, or ideally, do both.
  • Close the site to non-admin users. This setting can be enabled by a Tiki admin user through the Control Panel (either General > Navigation or Security > Site Access).
  • Revert to a built-in theme, as custom themes are not guaranteed to work between versions. This setting can be changed by a Tiki admin user through the Control Panel (Look & Feel > Theme).

Apply the update

Make the new package (see Package Tiki section) and install it.

This will work in most circumstances, but if you run into difficulties, remove the existing package, troubleshoot around what files are left behind under /usr/share/webapps/tikiwiki/, then install the new package.

Note: By default, some of the directories under /usr/share/webapps/tikiwiki/ contain uploaded files (e.g. images and attachments). The update process shouldn't impact these, but if you would prefer they be located elsewhere, there are options to do so. See File Storage below for details.
Warning: Customisations to Tiki package files are likely to be lost when updating. If you make customisations, you should keep a copy of them elsewhere (e.g. in a version control system) so you can merge them back in after updating. Alternatively, if able and willing, you could consider submitting them upstream.

Once you've installed the new package successfully, continue with the Configure Tiki section.

After updating

Log in to your site, check that everything is as it should be, and re-open the site when you're ready. Points to look out for include:

  • Release notes. These exist for each major version under Tiki's "New in version" page.
  • The .htaccess file (or the file it's symlinked to, such as _htaccess). If you've made custom changes, such as for SEFURLs, you may need to re-apply them.
  • Feature defaults. New features will generally be set to default values, and features deemed 'unsafe' may have been reset to 'safe' values. Change these through the Control Panel etc. as needed.
  • Custom themes. If you were using a custom theme (and it supports the updated version of Tiki), switch back to it and check if it works.
    Tip: Consider keeping a separate browser window open that shows the Look & Feel > Theme Control Panel in a built-in theme while testing. This way, you can revert easily if needed.

Security

Tiki's Security documentation page describes the Security Control Panel and links to other security-related pages. The Security ArchWiki page complements this in respect of securing the underlying operating system.

Additionally, the Server Check script checks for a number of PHP functions that have security implications. If there are functions enabled which aren't needed for your use of Tiki (or anything else on that machine), you can disable them. This is done by adding them to the disable_functions= directive under /etc/php/php.ini (or equivalent) and reloading or restarting your web server as needed.

Permission check

The setup.sh script can be used after the initial configuration to lock down local file permissions. /usr/share/webapps/tikiwiki/permissioncheck/usecases.txt shows the permission names that the script will accept, along with the numeric permission levels that are set for directories and files.

The script can be run interactively by just entering:

# cd /usr/share/webapps/tikiwiki/
# sh setup.sh

Alternatively, you can print help for the script by entering:

# cd /usr/share/webapps/tikiwiki/
# sh setup.sh -h

See Tiki's Permission Check page for more information.

Tips and Tricks

Server check

Tiki ships a Server Check PHP script that allows you to confirm whether aspects of your web server, PHP and (optionally) database setup are compatible with Tiki, or will allow some optional features of Tiki to be used. Tiki should work provided the script doesn't flag anything as "BAD".

The script is available:

  • Before installation, as a separate download (upload it to a web server with PHP and run it in a web browser).
  • During installation, from the "Review the System Requirements" page in the workflow (see the link to "a detailed report about your server").
  • After installation, as an administration tool (you need to be logged in as a Tiki admin user).
Tip: Tiki's Requirements page lists some recommended defaults for PHP, as the script flags values that will/might be problematic but doesn't always suggest something better.

File gallery indexing dependencies

Warning: File gallery indexing presents the usual security risks if untrusted files can be uploaded.

If you want to use file gallery indexing, you need to do two things:

First, use the server check script to confirm that the popen and shell_exec PHP functions are enabled. If they aren't, remove them from the disable_functions= directive under /etc/php/php.ini (or equivalent) and reload or restart your web server as needed.

Second, install the following packages as desired:

Package | Provides Binaries | Used For Types
catdoc | catdoc, catppt, xls2csv | Microsoft Office, RTF
docx2txt | docx2txt | Microsoft Word (OOXML)
elinks | elinks | HTML
odt2txt | odt2txt | OpenDocument
pstotext | pstotext | PDF, PostScript
unzip | unzip | Zip

For convenience, this PKGBUILD pulls in all packages that support file gallery indexing: Files Meta.
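The following is an added example, not part of the original page or of Tiki's Server Check script. It reads the disable_functions= directive discussed in the Security section and in the first step above, then reports which functions from a list you supply are still enabled and which of popen and shell_exec are disabled (and would therefore block file gallery indexing). The sample php.ini and the list of functions to audit are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the disable_functions= directive of a php.ini.

# Print the value of the last active disable_functions= line, spaces removed.
# Lines commented out with ';' do not match; a later directive overrides an earlier one.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/;.*//' | tail -n 1 | tr -d ' \t"\r'
}

# Succeed if function $2 is disabled in ini file $1. Matching on ",name,"
# keeps "exec" from matching inside "shell_exec".
is_disabled() {
    case ",$(disabled_functions "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the functions (arguments after the ini path) that are still enabled.
still_enabled() {
    ini=$1; shift; out=""
    for fn in "$@"; do
        is_disabled "$ini" "$fn" || out="$out $fn"
    done
    echo "${out# }"
}

# Print which of the two functions file gallery indexing needs are disabled.
indexing_blockers() {
    out=""
    for fn in popen shell_exec; do
        if is_disabled "$1" "$fn"; then out="$out $fn"; fi
    done
    echo "${out# }"
}

# Constructed sample php.ini, not taken from a real system.
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
;disable_functions = popen
date.timezone = UTC
disable_functions = exec, passthru ,shell_exec,system
EOF

# The list of unneeded functions is an assumption; choose your own.
echo "still enabled: $(still_enabled "$SAMPLE_INI" exec passthru system proc_open popen)"
echo "blocking file gallery indexing: $(indexing_blockers "$SAMPLE_INI")"
```

To audit a real system, call the functions with /etc/php/php.ini (or equivalent) instead of the sample file.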

Database

Manual creation

Tiki needs its own, UTF-8 charset database, and access to an account with privileges to that database. Tiki can create these during the install workflow, or you can set these up manually and give Tiki the details instead.

An example of doing this manually through a terminal (change the bold bits as needed) is:

$ mysql -u root -p
mysql> CREATE DATABASE `tikiwiki` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
mysql> CREATE USER `tikiwiki`@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON `tikiwiki`.* TO `tikiwiki`@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit
Warning: The password in the above is the password of the database user account, not the authentication type. Make sure you don't accidentally set the password to "password" if you copy/paste!
Warning: The password you provide above will be saved to a local command history file at ~/.mysql_history. At a minimum, you should redact that part of the file when finished.

Manual removal

If you need or want to remove the Tiki database for any reason, you have to do so manually. An example of doing this through a terminal (change the bold bits as needed) is:

$ mysql -u root -p
mysql> DROP USER `tikiwiki`@'localhost';
mysql> DROP DATABASE `tikiwiki`;
mysql> quit

File Storage

Tiki is able to store uploaded files either in its database or on the file system. The pros and cons of each approach are covered on Tiki's File Storage page.

Uploaded files stored on the file system are located under /usr/share/webapps/tikiwiki/ by default. There are options to move these elsewhere on the file system if desired, again outlined on Tiki's File Storage page, and on the related Control Panel pages for the specific features that accept file uploads.

Note: Where directories are created outside the /usr/share/webapps/tikiwiki/ hierarchy, remember to update web server options and local file permissions so they can be accessed. For example, if using Apache, make sure the new directories are owned by http:http (or equivalent), then add their paths to the open_basedir parameter under /etc/httpd/conf/extra/tikiwiki.conf.

Troubleshooting

Timeout updating database on large sites

If you have a large site, PHP timeout values may be exceeded when updating the database in the web-based workflow. Should this occur, you have two choices:

  1. Extend PHP's timeout values, then try again.
  2. Run the database update from a terminal, then manually lock the installer (you should then be able to skip the web-based workflow, and continue from the After updating section):
# cd /usr/share/webapps/tikiwiki/
# php console.php database:update
# touch db/lock

Substitute php in the terminal example above if using an earlier version of PHP.

"Installer not locked" warning

A warning will appear in the Tiki Control Panel if the installer lock file is missing. This can occur if the Tiki package is uninstalled and reinstalled, or the package is updated but the web-based workflow isn't completed.

In circumstances where there is no need to go through the web-based workflow, you should manually create the lock file as suggested in the warning. This can be done from a terminal like so:

# touch /usr/share/webapps/tikiwiki/db/lock

Miscellanea

Linter Errata

If running Namcap on the tikiwiki or tikiwiki-lts packages, it will print some or all of the following:

Message | Remarks
W: Directory (usr/share/webapps/tikiwiki/<multiple>) is empty | The package ships with a number of empty directories, and it's unclear which ones are safe to remove. You may wish to configure your web server to deny directory listings.
W: Potential non-FHS info page (usr/share/webapps/tikiwiki/vendor_bundled/vendor/fortawesome/font-awesome/src/<version>/icon/info/index.html) found | All Font Awesome icon subdirectories have an equivalent index.html file. It appears this one is being singled out because of its path.
W: Referenced library 'node' is an uninstalled dependency | This warning is ambiguous. In any case, all explicit requirements are satisfied by the package dependencies.
E: Dependency python detected and not included (programs ['python'] needed in scripts ['usr/share/webapps/tikiwiki/vendor_bundled/vendor/adodb/adodb-php/scripts/<multiple>', 'usr/share/webapps/tikiwiki/vendor_bundled/vendor/openid/php-openid/<multiple>']) | These scripts (from ADOdb and Janrain) are not required for normal operation.
W: Dependency included and not needed ('php-intl') | The PHP Intl module is required, and this is also used to pull in PHP as a dependency.

See Also