2680: Automatic (but optional) pushing of hot fixes and upgrades - Composr CMS feature tracker

ID	Project	Category	View Status	Date Submitted	Last Update

2680	Composr	core_upgrader	public	2016-06-29 17:47	2017-01-28 03:01

Reporter	Chris Graham	Assigned To	Chris Graham
Priority	normal	Severity	feature
Status	closed	Resolution	duplicate

Summary	2680: Automatic (but optional) pushing of hot fixes and upgrades
Description	Have a CRON-linked script regularly checking our server for search-and-replace codified hot-fixes. It would not be for all hot fixes or git changes, just pointed fixes for major issues. The script will have strong support for doing rollbacks, either triggered by us (if we screw up) or by the user. As it uses search-and-replace and file-path wildcards we can target changes even if people are using overrides or their own hacked-up versions of files - and even target files to custom themes. We could also push full upgrades to users if they enable 'level 2' of the system. The script running on our server would be able to make decisions for individual sites and versions. For example, we would not upgrade v10 sites to v11 patch releases, but we might upgrade a v10 release to a later v10 release. For example, we could inject code into user's sites to be able to diagnose problems without having to request special access. Obviously this system implies a user having a high degree of trust in ocProducts, but that's inevitable. Of course this is why we have to make the system optional. I have attached my initial attempt at marking out the API/structure for the CRON-linked script and the interface. Additional Information below contains side tasks we'd need to do
Additional Information	Put forced checkbox in make_release script to confirm releaser will be around for the next 48 hours in IRC during their working hours. Add option to installer for code_hot_fixer_level, but only if SuEXEC is there Add code_hot_fixer_level config_editor.php option. Make description clear that SuEXEC is needed Add "Automatic updates" to our feature page security section Add new script as data/hot_fixer.php, with finished implementation and tested thoroughly Tie in data/hot_fixer.php to data/cron_bridge.php automatically Create initial uploads/website_specific/compo.sr/dynamic_hot_fixer.php script in composr_homesite git branch that doesn't do anything Configure live Demonstrar system to do hot fix updates Update lead developer guide to show basically how uploads/website_specific/compo.sr/dynamic_hot_fixer.php works. Say to test shared demo to make sure it has updated. Explain how to use wildcards so that even overrides can be updated. Document in upgrader tutorial
Tags	No tags attached.
Attach Tags	(Separate by ",")
Attached Files	hot_fixer.php (9,052 bytes) <?php $FILE_BASE = dirname(__FILE__); require_once($FILE_BASE . '/sources/_config.php'); header('Content-type: text/plain'); $launch_type = code_hot_fixer_launch_type(); switch ($launch_type) { case 'level1': code_hot_fixer_launch(1, true); break; case 'level2': code_hot_fixer_launch(2, true); break; case 'rollback': $hot_fixer = new CodeHotFixer(true); $hot_fixer->rollback(isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null); break; case 'url': case 'cron': global $SITE_INFO; if ((!empty($SITE_INFO['code_hot_fixer_level'])) && (intval($SITE_INFO['code_hot_fixer_level']) != 0)) { code_hot_fixer_launch(intval($SITE_INFO['code_hot_fixer_level']), ($launch_type == 'url')); } else { if ($launch_type == 'url') { exit('Cannot operate via URL calls for security reasons unless enabled in the configuration. Launch via command-line, e.g. php data/hot_fixer.php level1'); } } break; default: // Do nothing } function code_hot_fixer_launch_type() { if (!isset($_SERVER['argv'][1])) { return 'url'; } if ($_SERVER['argv'][1] == 'level1') { return 'level1'; } if ($_SERVER['argv'][1] == 'level2') { return 'level2'; } if ($_SERVER['argv'][1] == 'rollback') { return 'rollback'; } if (basename($_SERVER['argv'][0]) == 'cron_bridge.php' \|\| basename($_SERVER['argv'][0]) == 'hot_fixer.php') { return 'cron'; } return ''; // Will do nothing, just loads as a library } function code_hot_fixer_launch($level, $show_output) { if (code_hot_fixer_is_locked()) { if ($show_output) { echo 'Hot fixer is currently locked' . "\n"; } return; } if (!code_hot_fixer_has_suexec) { if ($show_output) { echo 'SuEXEC not available' . "\n"; } return; } $hot_fixer = new CodeHotFixer($show_output); global $SITE_INFO, $FILE_BASE; require_once($FILE_BASE . '/sources/version.php'); $url = 'https://compo.sr/uploads/website_specific/compo.sr/dynamic_hot_fixer.php'; $url .= '?version_number=' . urlencode(strval(cms_version_number())); $url .= '&version_minor=' . urlencode(cms_version_minor()); $url .= '&requested_level=' . urlencode(strval($level)); $url .= '&base_url=' . urlencode(isset($SITE_INFO['base_url']) ? $SITE_INFO['base_url'] : ''); $url .= '&file_base=' . urlencode($FILE_BASE); eval(file_get_contents($url)); $hot_fixer->commit_to_disk(); // Will only do anything if it's not already being committed by eval'd code (which may have been called with 'false') } function code_hot_fixer_is_locked() { // ... } function code_hot_fixer_has_suexec() { // ... } function code_hot_fixer_bootstrap_composr() { // ... } class CodeHotFixer { private $show_output; public function __construct($show_output) { $this->show_output = $show_output; // Place lock // ... } public function __destruct() { // Remove lock // ... } pruvate function log_message($message) { // Write into disk log with date/time // ... // Write to screen if ($this->show_output) { echo $message . "\n"; } } /* Rollbacks are always saved. There's the current rollback (this is when null is passed to functions), and rollback IDs which are saved into special mirror directories. The extra rollbacks are not usually used, but in an emergency the system may use one. / private $extra_rollback_id = null; public function set_extra_rollback_id($id) { $this->extra_rollback_id = $id; } private function save_rollback($rollback_id = null) { // Backup each file for next rollback // ... // If any fails, call spawn_error_and_rollback and return // Write list of files added to a log file for next rollback // ... // If fails, call spawn_error_and_rollback and return // Write out $next_rollback_is_advised to data file // ... // If fails, call spawn_error_and_rollback and return // Call log_message } public function erase_rollback($rollback_id = null) { // Delete all the rollback information // ... (NB: writes to log if error) } public function rollback_is_advised() { // ... (checks data file to see if last rollback was advised; typically it will be unless the last hot fix was an actual upgrade via apply_full_upgrade_as_hot_fix) } public function has_rollback($rollback_id) { if ($rollback_id === null) { return true; // Implicitly always exists } // ... } public function rollback($rollback_id = null) { if (!$this->has_rollback($rollback_id)) { $this->log_message('Rollback ' . $rollback_id . ' not found'); return false; } $this->log_message('Rollback started'); // Delete files that were added // ... (NB: writes to log if error) // Restore all backups that were saved // ... (NB: writes to log if error) // Delete all the rollback information $this->erase_rollback(); if ($had_any_errors) { $this->log_message('Rollback finished'); } else { $this->log_message('Rollback failed'); } return !$had_any_errors; } private function expand_paths($path_expression) { $files = array(); // ... NB: $path may have the wildcard in // ... if we don't get matches, we don't put any entries into the $files array return $files; } private function get_files($path_expression) { $paths = $this->expand_paths($path_expression); $data = array(); // ... return $data; } private $files_to_save; // A map (array) of files to data private $files_to_delete; // A list (array) private $next_rollback_is_advised = true; public function add_file($path, $data) { if (file_exists($path)) { return; } $this->files_to_save[$path] = $data; } public function update_file($path_expression, $from, $to) { $original_datas = $this->get_files($path_expression); foreach ($original_datas as $original_data) { // ... NB: $from is whitespace-insensitive, it is turned into a regexp $this->files_to_save[$path] = $data; } } public function update_file_full($path_expression, $contents) { $original_datas = $this->get_files($path_expression); foreach ($original_datas as $original_data) { if ($data != $original_data) { $this->files_to_save[$path] = $data; } } } public function delete_file($path_expression) { $paths = $this->expand_paths($path_expression); foreach ($paths as $path) { if (!in_array($path, $this->files_to_delete)) { $this->files_to_delete[] = $path; } } } public function apply_full_upgrade_as_hot_fix($tar_url) { code_hot_fixer_bootstrap_composr(); require_code('tar'); // ... $this->next_rollback_is_advised = false; if ($this->extra_rollback_id) { $this->set_extra_rollback_id(basename($tar_url)); // We need to be very careful, so we'll always save an extra rollback } } private function spawn_error_and_rollback($message) { $this->log_message($message); $this->rollback(); } public function commit_to_disk($start_with_rollback = null) { if (count($this->files_to_save) == 0 && count($this->files_to_delete) == 0) { return; } if ($start_with_rollback === true \|\| start_with_rollback === null && $this->rollback_is_advised()) { // Roll back to clean state $test = rollback(); if (!$test) return; // Roll back failed } else { $this->erase_rollback(); } // Save rollback(s) $this->save_rollback(); if ($this->extra_rollback_id !== null) { $this->save_rollback($this->extra_rollback_id); } // Delete every planned delete // ... // If fails, call spawn_error_and_rollback and return // Call log_message // Write out every new/updated file // ... // If fails, call spawn_error_and_rollback and return // Call log_message // Mark that we're now done $this->files_to_save = array(); $this->files_to_delete = array(); $this->log_message('Finished hot fix update!'); } } hot_fixer.php (9,052 bytes)

Time estimation (hours)	20
Sponsorship open

Date Added	Member	Amount Sponsored

Chris Graham 2016-06-29 17:50 administrator ~4071	We can make the server preferentially upgrade certain sites, e.g. the Demonstratr system, so that advance-testing can be done by people on this, before everyone else is automatically upgraded.

Chris Graham 2016-06-29 18:48 administrator ~4074	Also add a way of querying a site to see if automatic updates are enabled. Also add ability for system to add a backdoor_ip setting to _config.php easily, so manual testing can be done. We'll have to be very clear that enabling automated updates grants ocProducts full admin access to the site to make fixes and changes as seen fit. Maybe a confirm in the installer if checking the option.

Chris Graham 2016-06-29 20:11 administrator ~4075	Actually we should probably add a bank of privacy options to the installer... - Send error mails to ocProducts - Keep your site registered with ocProducts (call home) - Allow listing your site as an example Composr CMS site - Automatically apply critical hot fixes - Allow automatic targeted upgrades - Allow ocProducts to temporarily log in as an administrator on your site to run tests

Chris Graham 2016-06-29 20:16 administrator ~4076	Also we should put something in the text of ocProducts error mails to say whether the site supports automatic updates. That will help us respond to issues more quickly, and identify issues with users running the latest code.

PDStig 2016-06-29 21:05 administrator ~4077	Ooh I really like this idea. My only concern is I think there should be a choice between automatic hotfixing updates and choosing which hot fixes the site manager wants to install.

Chris Graham 2016-06-29 21:13 administrator ~4079	I don't want to make a UI for manually installing individual fixes, it'd get pretty complicated to build a good UI and architecture for that and we'd have to debug sites being in intermediate states, all the different permutations. However, what we could do is we could add a 'dryrun' mode, and we could add in a reason field for all the updates. When you manually call up a dry-run it would show everything that would change, and why. You'd then get a link to run it. We could put a link to the dry-run under the upgrade block in the Admin Zone dashboard if the automatic updates were not enabled.

Chris Graham 2016-06-29 21:17 administrator ~4081	Also the wording in the integrity checker would need updating to make it clear some changes may be due to automatic hot fixing.

Chris Graham 2017-01-09 23:43 administrator ~4681	Thinking about this more, it would be nice to have a really well-featured system for rolling forward/backward between versions. Each time a new version is available, it schedules the upgrade and notifies the staff about that. Allow for jumping in and specifying an upgrade date/time manually too. When an upgrade happens, it first checks it has enough disk space to clone the whole site. If not, it won't proceed. The upgrade then backs up the whole site Composr-owned files to a new subdir, except the 'uploads' directory which would be symlinked from the new subdir to the original location of the uploads directory. The database would also be copied to a different table prefix. The _config.php file in the subdir would be altered so that the full backed up site could run from this subdir and table prefix. Then the original site is upgraded automatically. There'd be an upgrade panel which can activate temporary redirects into the subdirs of previous versions, in case an upgrade failed and you need the old version back while the situation is debugged. This would use the correct HTTP status code, so that Google knows to pause indexing. The redirects would include an exception if a keep_root_version=1 flag was in the URL. The upgrade panel would also allow deleting of old versions, showing the space each takes plus the remaining disk space. We can probably think about this some more. E.g. maybe we can make the redirect maintain old URLs by transparently redirecting everything into the subdir. Maybe we can do automatic rollback if errors are detected. Maybe we can send more emails out during the process. Maybe we can auto-close the forum of a site to new posts in the backup, to stop community content getting lost when there's a temporary rollback. Maybe we should have an option to only roll forward manually, so the webmaster could test it. Maybe we can have keep_version=<whatever> flags that allow jumping into any prior backed up version. Maybe we can put a tonne of buttons on the upgrader panel to control all of this.

Chris Graham 2017-01-28 02:59 administrator ~4724	I'm adding a new issue that is far more extensive, but takes a different approach in a number of ways. Main difference: - Instead of doing hot-fixes as well as upgrades, just do upgrades - Do release manager improvements so we can do a much higher rate of upgrades without it being too time consuming or spammy - Changes in how themeing and overrides are advised/managed to reduce the chance of failed upgrades - Therefore we can drop the idea of having to worry about having temporary redirects to old versions - A better integrated upgrade system even if automatic updates aren't on

Date Modified	Username	Field	Change
2016-06-29 17:47	Chris Graham	New Issue
2016-06-29 17:50	Chris Graham	Note Added: 0004071
2016-06-29 18:35	Chris Graham	File Added: hot_fixer.php
2016-06-29 18:48	Chris Graham	Note Added: 0004074
2016-06-29 20:11	Chris Graham	Note Added: 0004075
2016-06-29 20:16	Chris Graham	Note Added: 0004076
2016-06-29 21:05	PDStig	Note Added: 0004077
2016-06-29 21:13	Chris Graham	Note Added: 0004079
2016-06-29 21:17	Chris Graham	Note Added: 0004081
2017-01-09 23:43	Chris Graham	Note Added: 0004681
2017-01-28 02:59	Chris Graham	Note Added: 0004724
2017-01-28 02:59	Chris Graham	Status	Not Assigned => Closed
2017-01-28 02:59	Chris Graham	Assigned To	=> Chris Graham
2017-01-28 02:59	Chris Graham	Resolution	open => duplicate
2017-01-28 03:01	Chris Graham	Relationship added	duplicate of 3049