Nice grey life

Drupal in Debian: System Integration for Drupal

As far as how to install and maintain Drupal, it would seem there is no need to dig any further. Installing Drupal in any hosting provider is just a matter of decompressing a tarball, and Drush large-scale automation gives the seasoned sysadmin a wealth of administrative aides. However, when considering integration with the system as a whole, there is ample room for improvement.

Drupal cannot exist outside of a given environment. Say, the PHP version used, the way it is integrated into its host operating system, the modules for connecting to the database — And the database engine itself. Ideally, they will all make up a coherent entity, with a single, unified administrative logic. Looking at each component individually would quickly lead to madness, specially for the sysadmin, who has to keep the whole stack secure and updated.

Debian

Debian is one of the earliest Free Software distributions built around Linux¹. By the time this article is printed, Debian 8 (codenamed Jessie) should have been released, with over 35,000 binary packages (that is, independent programs), and lives according to the distribution's motto, the universal operating system: It runs from the smallest embedded devices to the largest workstations, across many different hardware architectures.

System-wide integration

One of Debian's strongest merits that has made it not only exist but be a lively, energetic community with a sound technological platform and projection into the future is its policy: Despite the amount of available packages, they are all standardized: They are all configured in the same location, follow the same layout logic, and are guaranteed not to clash with one another.

But where this policy shines most is when it is applied to keeping things optimally administered: Debian provides not just easing the installation of the system, but security support throughout the stable release cycle. As it was already stated, our Drupal installs involve quite a bit beyond just Drupal itself. So, on a just-installed system, it's just a matter of stating:

# apt-get install drupal7

And all of the necessary software (that is, an HTTP server, the PHP programming language and execution environment, a relational database engine, and the needed glue between them) will be installed. And, in order to apply all of the pending security and reliability fixes all across the system:

# apt-get update && apt-get upgrade

is all that's needed to get every component in the system up to date.

The Drupal installation is multisite-aware. This means that all of the sites Drupal will respond to are to be configured from the same location: If your host will serve both example.com and anotherexample.org, you only need to create both the /etc/drupal/7/sites/example.com and /etc/drupal/7/sites/anotherexample.org directories and put there the configuration files. All of the codebase will be shared, installed only once in the /usr/share/drupal7/ directory.

This has an interesting advantage security-wise when compared with what I have seen at most shared hosting providers: As the Drupal code belongs all to root, any attacker that manages to subvert Drupal's (or any of the installed modules') security, they will not have enough privileges to modify your site's code and will thus have a harder time leaving a backdoor or modifying your site's behavior for their interests. And even if they got a local privilege escalation exploit, finding their misdeed will be easier as Debian ships cryptographic signatures for all of its files — By simply running:

$ debsums drupal7

any file that was modified will be reported.

Handling modules

The Drupal ecosystem is very rich on third-party code: Almost 30,000 modules and over 2,000 themes. Packaging them all for Debian is plainly unfeasible — But we have a tool, dh-make-drupal, that takes care not only to package modules and themes pointed to it, but to process dependency handling as well. This way, even having a complex, multi-site and multi-server deployment, it's easy to deliver code with all of the characteristics mentioned in the previous section.

Version stability

Just as, within Drupal, all of the related PHP and Javascript libraries are frozen prior to a release and not changed since that point to avoid breaking internal stability throughout the life cycle of a stable release, packages in Debian are frozen and do not get updated when new versions come out — But in order to keep security tracking to the level required by our users, all important fixes get backportedto the corresponding release.

As an example, Debian 7 (frozen gradually since June 2012 until its release in May 2013) shipped with Drupal 7.14. But that does not mean that it went on for its three years of life unpatched: While feature releases were not incorporated, as you can see in our public Git repository,² all bugfix releases were.

What about Drupal 8?

Now... With all the hype set in the future, it might seem striking that throughout this article I only talked about Drupal 7. This is because Debian seeks to ship only production-ready software — And by the time this article is being written, Drupal 8 is still in Beta. Not too long ago, we saw still internal reorganizations of its directory structure.

Once Drupal 8 is released, of course, we will take care to package it. And although Drupal 8 will not be a part of Debian 8, it will be offered through the Backports archive, following all of Debian's security and stability requirements.

Wrapping up

Of course, I understand the workflow and tools mentioned here are not for every person and situation. Drupal developing is clearly served better by the “traditional” way of installing Drupal. However, for administering a large-scale Drupal installation, operating-system integration through Debian might be just what you need!

Attachments

GW_Drupal_Watchdog.pdf (636 KB)