Recorded September 29th, 2016
This episode we are back from our hiatus. We don’t have a guest and we don’t have a Ryan, but we have each other and you fine listeners. We talk a lot about the news we missed while we were out and also preview the talks that Bob and Mario are giving at BADCamp in October.
Acquia Developer Center Blog: Add Persistent Storage to Your Docker Containers with REX-Ray and AWS EFS
Containers are a new virtualization technology with many advantages over traditional approaches like virtual machines. At Acquia, we use containers across our different teams for a variety of purposes. Some container-related projects have really worked out well, and we'd like to share them with the rest of the world.
That’s because security has more to do with humans than code. “In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts,” explains Sucuri.
The Password is...
The ways that people get hacked are, for the most part, straightforward. The worst offender is a bad password. The best passwords can’t be guessed and are a mix of letters, numbers and symbols. But people's memory being what it is, most passwords are easy to remember, and as a result, easy to guess. Even if a user has a secure password, he might reuse it on a number of sites. As soon as one of those sites is breached, hackers can use that one frequently reused password to gain entry all over the web.
Another common problem is passwords that are shared across an organization, but remain unchanged when an employee leaves. If the former staffer was fired, or has had a negative experience with the company, there’s a chance that the password will fall into enemy hands.
A site that stores valuable user information (such as credit cards or personal data) is especially at risk. While the employee herself may not pose a security threat, a bad actor such as a relative or neighbor could gain access to credentials and wreak havoc.
Give permissions only to trusted users, and have protocols in place for removing access for ex-employees. It’s a good idea to set up password constraints (must contain certain characters). Some companies set up automatic expiration, in which employees are required to reset their passwords every 60 days, but this is a debated idea. Many argue that forcing password changes is not a great plan: change is hard on the memory, so people tend to pick easier passwords when forced to switch frequently. If a password is good, then changing it only mitigates issues but doesn’t completely eliminate them.
Plugins, Modules and Hosts
The code underlying WordPress core gets a lot of attention and is patched quickly, so vulnerabilities are more often found in plugins. The Slider Revolution (AKA RevSlider) and GravityForms plugins have provided opportunities for hackers to get into a site and facilitate the installation of malware on visitors’ computers. While fixes for these gaps have been put in place, there will always be another vulnerability around the corner. It’s a game of cat and mouse.
Then there are other ways to hack into an account that have nothing to do with the CMS. Was the site’s hosting account hacked? Historically, it’s been too easy to call a provider’s customer service, give the bare minimum of identifying details to the customer service rep, and get into the backend of the site. That’s not technical, and there’s no need to be a skilled hacker. Fortunately, service providers are getting smarter about these schemes.
Drupal vs. WordPress?
Drupal’s security relies upon a strong, coordinated effort. In general, Drupal is the more secure of the two, with a dedicated security team that operates using a series of protocols and a chain of responsibility for handling issues. As a Drupal shop, Zivtech receives weekly emails with alerts about security updates. Your CMS may do the same. Be sure to check.
Drupal is built upon rigorous coding standards, with tools to ensure that strict security practices are followed. The entire system is designed to make sure that all code that accesses the database is sanitized.
Best Practices for Drupal Security
There are ways that you can audit your site to check that you are being cautious. Drupal has specific protocols, such as ensuring that the files on the file system have safe permissions and are set up properly, and that an outside system can’t connect directly to the database.
Certain modules should never be turned on, like the PHP filter module. The PHP filter module enables an outsider to hack into your site if you’re not extremely careful. A number of security improvements are incorporated into the latest version, Drupal 8, including the removal of the PHP filter from core.
First, make sure you have an SSL certificate. You can get them for free at Let’s Encrypt.
Next, if you’ve already taken all the standard steps to secure your site but still want to go a little further, you can also delete all readme text files that come with your CMS. This will reduce the surface area for an attack. By default, the readme files are accessible by anyone who visits your site. This could be a problem if an issue was discovered in a specific version of Drupal or a Drupal module. You can imagine that if there was a hack against Drupal version 7.10, hackers would scan sites for the 7.10 CHANGELOG.txt file to create a list of targets. Reduce that risk by deleting those files, or make them impossible to read over the internet.
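The advice above (delete the shipped text files, or make them unreadable over the web) is easy to turn into a deployment check. The script below is an added example, not code from the Zivtech article: given a docroot path, it reports which of the text files Drupal 7 ships in its root (also looked up under core/ for Drupal 8) are still present, and a second function removes them. The file list and the argument convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Reports the version-revealing
# text files Drupal ships so a deployment step can fail while they are present.
# Assumption: the docroot path is passed as the first argument to each function.
# Usage:  . ./check_txt.sh && check_drupal_txt_files /var/www/html

# The text files Drupal 7 places in the docroot; Drupal 8 keeps most of the
# same names under core/, so both locations are checked.
DRUPAL_TXT_FILES="CHANGELOG.txt COPYRIGHT.txt INSTALL.mysql.txt INSTALL.pgsql.txt INSTALL.sqlite.txt INSTALL.txt LICENSE.txt MAINTAINERS.txt README.txt UPGRADE.txt"

# Prints the path of every shipped text file found under the docroot,
# one per line. Returns 0 when none are present and 1 when at least one is,
# so it can gate a deployment pipeline directly.
check_drupal_txt_files() {
  docroot="$1"
  found=0
  for name in $DRUPAL_TXT_FILES; do
    for path in "$docroot/$name" "$docroot/core/$name"; do
      if [ -f "$path" ]; then
        echo "$path"
        found=1
      fi
    done
  done
  return $found
}

# Deletes every file reported by check_drupal_txt_files.
remove_drupal_txt_files() {
  docroot="$1"
  check_drupal_txt_files "$docroot" | while IFS= read -r path; do
    rm -f "$path"
  done
}
```

Deleting the files is only half of the fix: the next core update puts them back, so the web server should also be configured to deny requests for them, and this check is best run after every update rather than once.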
Fending off security attacks is like playing hide and seek with frequently shifting rules. The developers behind the most popular CMS platforms work tirelessly to keep up. The primary reason that WordPress sites are attacked more frequently is actually all about the numbers. It's the most popular CMS, and therefore the most frequently targeted.
The first half of the presentation I provided a technical update on Drupal 8. I showcased some of the big changes in Drupal 8.2 such as the settings tray, REST API improvements, migration tool improvements, and easier to use block placement. I also talked about how we've transformed Drupal 8 for continuous innovation. I'm super excited about our improved development process and release cycle, as it helps us ship innovative updates to Drupal 8 faster and with a much easier upgrade path.
The second half of the talk focused on "The why" of Drupal, and asked an important question for all of us to think about: what is Drupal's collective purpose? In addition to me talking about my own purpose, my team interviewed Drupal people around the world about their passion and purpose.
I featured a lot of interviews with Drupalists. If you're interested in viewing their individual videos, they're now available on my YouTube channel: Paul Johnson
I am a big fan of Drupal Console, the CLI built on top of Symfony Console for use with Drupal 8. As well as the ability to generate skeleton code, Drupal Console has a heap of commands for a number of uses (routing, debugging, and so on), and now with the new field:info command you can gain an overview of what fields are on a site and where they are used.
A bit of background
I wrote this last month as a result of attending the Drupal Global Sprint Weekend - London Outpost which was focusing on Drupal Console. I'd been wanting to learn how Drupal Console worked for a long time, and as it's always easier when sitting around a table with other Drupalers, I jumped at the opportunity and made my way up to the Big Smoke for the day. Big thanks due here to Robert Castelo for organising the sprint, and for keeping the Drupal lights on in London for all these years - I believe it was one of, if not the first, local Drupal User Group!
I managed to get all the info I needed to set up my machine on the Saturday in order to contribute to the project and take on an issue from the Drupal Console GitHub issue queue. One was a feature request for this command, which looked like something I could achieve, so I decided upon that as my task. It ended up taking a couple of weeks to write and I'm extremely happy with the results. Of course I learned much on the way too, so I never see it as 'contribution' but more as 'free learning' for me! A big thanks here to the DrupalConsole team who provided me with a lot of help over on the Drupal Console gitter.im chat channel.
Stealing code is a Good Thing
I discovered a Drupal module which had the basic functionality I needed for this command, Field Report, which I then refactored for use in Drupal Console and added the extras for the options. I even managed to contribute a patch back to the Field Report module to fix an issue they had, which was nice to be able to do as I'd used their code!
A quick retrospective
I think the hardest part was getting the display to look nice; however, as my first 'professional' programming was RPG (Report Program Generator, not Role Playing Games unfortunately!) for IBM AS/400s, which originated from punch cards, I was used to figuring out text-only outputs ;) Apart from that it was just a case of reading the Symfony Console documentation to understand how options and arguments work, and which one to use for particular purposes.
The field:info Screencast
And finally, at last, here's the field:info screencast ~ enjoy!
Freelock : 11 Questions Businesses need to ask themselves when choosing a Drupal host: The Comprehensive Freelock Hosting Guide
When choosing any service provider, a crucial question is, "What happens if something goes wrong?" When you're choosing a hosting provider, we like to dig a bit deeper, and ask what risks are likely to be an issue for you?
Here are some of our questions:
After a week on the Emerald Isle we are back from DrupalCon Dublin. Like every year, we have seen members of the community that we don’t get to see as much as we would like to. We have attended fantastic sessions and learned new things that we want to apply in our daily business. Read more about our favorite sessions, which are now also available on video for those who could not attend the event.
Founded in 1932, the NYU Rory Meyers College of Nursing is the second-largest private university college of nursing in the US, and NYU wanted a new online experience that was as modern as their user base… […]
During the Commerce 2.x session at DrupalCon Dublin we officially tagged Drupal Commerce 2.0-beta1, our first production ready release. This does not mean it is feature complete or bug-free, but it does mean that from this point on, we support updating between 2.x releases - a key requirement for production usage. Start a Drupal 8 eCommerce site today, and you will be able to update your way to the full 2.0 release and beyond.
Photo credit Will Jackson during the "Launching online stores with Commerce 2.x on Drupal 8" session.
For a quick overview of our project philosophy and the improvements we've included in Commerce 2.x, watch our session from DrupalCon Dublin.
The session heavily features the Sport Obermeyer case study, one of the first major eCommerce projects built on Drupal 8 by Bluespark and Commerce Guys. Their project influenced and shaped Commerce 2.x development in a big way, validating our ideas and providing solid use cases for features like fancy attributes, promotions, coupons, and more.
Additionally, we helped build the project as a single site serving three unique customer personas with a different purchasing workflow for each one. That drove development on our add to cart and checkout flow APIs, ensuring they have the needed flexibility to allow parallel implementations from day one. In addition to the case study linked above, check out Matt Glaman's interview with Bluespark for more information.
So... what has changed since alpha4?
MagMutual, the Southeast’s premier provider of medical professional liability insurance to physicians and hospitals, launched its new corporate website this week. Founded by physicians in 1982, MagMutual is one of the leading privately-held providers of medical professional liability insurance to physicians and hospitals in the United States.
Drupal 8, natively multilingual, offers a GUI for translating both the site configuration (field labels, view titles, etc.) and the content itself. But we sometimes need to translate content or configuration programmatically, particularly in the context of a site factory that generates such multilingual sites.
Here are some examples to help us translate both configuration and content on the fly. The examples below assume that we have original content in French and that we wish to attach its English translation.
It is hard to describe my excitement at DrupalCon Dublin, my first DrupalCon indeed. After a year of preparations by the local Irish community it was hard to believe that it was actually happening.
I think I was pretty well prepared and knew what to expect. A couple of blogs from fellow Annertechies had helped to plan it, especially Mark's Get the Most out of DrupalCon Dublin.
I've been using a Docker based development environment for about a year. The purpose of this post is to document how I do it and hopefully get some feedback from other Docker users.
I will update this post as I evolve my approach and learn better ways of doing things.
Why would anyone do that?
Modern web applications can become very complex. The days when LAMP was enough to run them are long gone. Nowadays we need much more: Apache Solr for running search, Memcached or Redis as a fast cache storage backend, reverse proxies like Varnish, and more. In order to make development as similar as possible to the production environment we need most of those services. Installing all these services on the developer's workstation can be complicated and can eat a lot of resources. Docker solves both problems by allowing you to clearly describe your stack and share this definition among your team members. It also allows you to easily start and stop the entire stack with one command, which means that your services only run when you really need them.
There is more... Ever needed to test your app on a different PHP version and tried to run two different versions of PHP in parallel? With Docker you simply download the images that you need and switch the one that is being used with a trivial change in your definition file.
Ever wanted to try new software, but didn't want to install a ton of dependencies on your machine? With Docker you don't need to do that. Simply download an image from Docker Hub, give it a try and remove it when you don't need it any more.
Images
I am mostly relying on the Drupal Docker images, which are maintained by Jakub Piasecki (big thanks!) with the help of other members of the community. Their goal is to provide a Drupal-tailored set of images that will help anyone get started quickly and save a lot of time building custom ones. There are of course PHP and Drush images, but there is more. You will also find Nginx, MySQL and MariaDB images with default configuration suitable for Drupal projects.
Every project needs multiple containers to function properly. I am using Docker Compose to describe the environment for every Drupal project I work on. Docker Compose is a tool that allows you to describe the Docker containers that you need and the links between them. This is my standard docker-compose.yml file, which lives in the root of a given Drupal project:
maria:
  image: drupaldocker/mariadb:10
  environment:
    MYSQL_ALLOW_EMPTY_PASSWORD: 'True'
    MYSQL_DATABASE: drupal
  ports:
    - 3306
web:
  image: drupaldocker/nginx:1
  ports:
    - 80
  volumes_from:
    - php
  links:
    - php
php:
  image: drupaldocker/php-dev:7
  links:
    - maria
  volumes:
    - ./docroot:/var/www/html
drush:
  image: drupaldocker/drush:8
  links:
    - maria
    - web
    - phantomjs
  volumes_from:
    - php
solr:
  image: solr:5.5-alpine
  ports:
    - 8983
  volumes:
    - ./modules/search_api_solr/solr-conf/5.x:/solr-conf/conf
  entrypoint:
    - docker-entrypoint.sh
    - solr-precreate
    - d8
    - /solr-conf
redis:
  image: redis:3-alpine
phantomjs:
  image: wernight/phantomjs:2
  volumes_from:
    - php
  links:
    - web
  entrypoint: phantomjs
  command: "--ssl-protocol=any --ignore-ssl-errors=true /var/www/html/vendor/jcalderonzumba/gastonjs/src/Client/main.js 8510 1024 768"
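The compose file above contains settings that are convenient on a developer laptop but must not follow the project onto a shared or production host: the database root login has no password (MYSQL_ALLOW_EMPTY_PASSWORD), the PhantomJS client accepts any TLS certificate (--ignore-ssl-errors=true), and a bare port entry such as "- 3306" publishes the container port on every interface of the host rather than on loopback only. As an added example that is not part of the original post, the script below lints a compose file for exactly those three patterns. The sample compose text it writes is a constructed cut-down copy of the file above, and the checks are plain line matches rather than a YAML parser.

```shell
#!/bin/sh
# Added example, not from the original post: flag dev-only settings in a
# docker-compose.yml so they are caught before the file is reused elsewhere.

# Writes a constructed sample compose file (modelled on the post's file)
# to the path given as $1.
write_sample_compose() {
  cat > "$1" <<'EOF'
maria:
  image: drupaldocker/mariadb:10
  environment:
    MYSQL_ALLOW_EMPTY_PASSWORD: 'True'
    MYSQL_DATABASE: drupal
  ports:
    - 3306
web:
  image: drupaldocker/nginx:1
  ports:
    - 80
solr:
  image: solr:5.5-alpine
  ports:
    - 8983
phantomjs:
  image: wernight/phantomjs:2
  entrypoint: phantomjs
  command: "--ssl-protocol=any --ignore-ssl-errors=true /var/www/html/vendor/jcalderonzumba/gastonjs/src/Client/main.js 8510 1024 768"
EOF
}

# Prints one finding per line for the compose file given as $1 and returns
# the number of findings, so an exit status of 0 means nothing was flagged.
lint_dev_compose() {
  file="$1"
  count=0
  if grep -q 'MYSQL_ALLOW_EMPTY_PASSWORD' "$file"; then
    echo "database root login has no password (MYSQL_ALLOW_EMPTY_PASSWORD)"
    count=$((count + 1))
  fi
  if grep -q -- '--ignore-ssl-errors=true' "$file"; then
    echo "PhantomJS accepts any TLS certificate (--ignore-ssl-errors=true)"
    count=$((count + 1))
  fi
  # A list item that is only a number ("- 3306") publishes that container
  # port on all host interfaces; "127.0.0.1::3306" keeps it on loopback.
  # In a compose file such pure-number items only occur under ports:.
  bare_ports=$(grep -E '^[[:space:]]*-[[:space:]]*[0-9]+[[:space:]]*$' "$file" | tr -d ' \t-' | tr '\n' ' ')
  for port in $bare_ports; do
    echo "port $port is published on every host interface (consider 127.0.0.1::$port)"
    count=$((count + 1))
  done
  return $count
}
```

Run it as a pre-commit hook or in CI with `lint_dev_compose docker-compose.yml || echo "dev-only settings present"`; because the function's return value is the number of findings, a clean file exits 0 without further parsing.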
One thing that experienced Docker users will notice is that I do not include the Drupal codebase in the PHP image. I prefer to check it out on my local machine and mount it into the running container. This allows me to use the IDE that is installed on the host machine while still being able to run my Drupal applications inside containers.
With the compose file in place I can now control my environment from anywhere inside the checkout with a few simple commands:
# To bring the environment up.
docker-compose up -d
# To stop it.
docker-compose stop
# To remove all containers (and their data).
docker-compose rm
# To see the status of all running containers.
docker-compose ps
This approach works quite well, but I am aware that it is not perfect. It would be very interesting to hear how others approach this (check the comments section below!).
Drush
Drush is a crucial part of any Drupal development workflow. I run it through a separate container, which shares volumes with the main PHP container and is linked to the database container. In order to run it I do:
docker-compose run --rm drush drush
This will run the drush command inside the drush container (see its definition in the compose file above) and remove the container when done. The command is a bit too long to type into the console every time, so I created an alias for it:
# To install Drupal.
dcdr site-install --account-name=admin --account-pass=admin
# To enable the Entity browser module.
dcdr en entity_browser
Debugging with Xdebug
It has become practically impossible to develop for Drupal without a step debugger. In order to enable this in my setup I use the PHP development images that Drupal Docker provides, which come with the Xdebug extension pre-installed. Debugging HTTP requests is as easy as enabling debugging for the request and making sure that the IDE or text editor is listening for incoming connections from Xdebug.
It is also possible to debug drush requests by setting a few environment variables:
docker-compose run --rm drush sudo -u root XDEBUG_CONFIG="idekey=PHPSTORM_XDEBUG remote_host=172.17.0.1" php /root/.composer/vendor/bin/drush.php
PHPSTORM_XDEBUG is the session ID that my IDE listens for, and 172.17.0.1 is the IP address of the host machine as seen from within the container. I have an alias for that too:
# To debug migration of users.
dcdrd migrate-import users
Running tests
I run tests through the drush container. In order to run Simpletest I have to do the following:
docker-compose run --rm drush sudo -u www-data php ./core/scripts/run-tests.sh --color --directory modules/entity_browser
And to run PHPUnit:
docker-compose run --rm drush sudo -u www-data MINK_DRIVER_ARGS="[\"http:\/\/phantomjs:8510\"]" SIMPLETEST_DB="mysql://root@maria/drupal" ./vendor/bin/phpunit --verbose -c core modules/entity_browser
And yes, there are aliases for those too. See the pattern? :)
Conclusion
The described approach has been working quite well so far. I like Docker and I am planning to keep using it in the future. It is clear to me that my approach probably isn't the most standard and that there are probably better ways.
Exactly for that reason I'd like to hear from you. Do you believe that your solution works better? Do you like to approach things differently? Let us know in the comments section below so we'll learn together!
slashrsm, Thu, 06.10.2016 - 00:50
Drupal has a powerful menu system, but most of the content on a typical Drupal website doesn't end up in the menu navigation. Articles, blog posts, events, you name it. Most content is linked to from views, not directly from a menu. So how do we make it easy for users to know where they are in the hierarchy of the site if they are looking at content that isn't in a menu?
Much like previous versions of Drupal, version 8 of the CMS revolves around the concept of Entities. These are objects that have an ID, Language, Type, and Storage. Some optional properties are URLs, Bundles, and labels. They can be viewed, loaded, created, saved, and deleted, as well as have access permissions set for them. Most things in Drupal are entities, such as Users, Nodes, or Blocks. Many of the core services provide functionality for interacting with entities, and a great deal of caching functionality serves to make entities perform better.