DrupalCon Day 3 – security and scalability

Day 3 at DrupalCon was the busiest so-far, where I saw the best talks revolving around security and high scalability sites.

Many, many multisites

It started with Zeki Vázquez talking about a project he is working on where his (secret) client has requested a standard Drupal 7 multisite platform that has the ability to handle over 100,000 (yep, you read that correct, it isn’t a typo) multisites all sharing the same Drupal core codebase with an uptime availability of 99.99%!

The web server of choice for any scalable system is always Nginx due to its flexible configuration with PHP-FPM doing the HTML rendering.  

The code containers use Docker which in turn connects to the databases and an S3 bucket mounted via S3fs. The main advantage of this is that the S3fs system can split a single S3 bucket into separate disks for each multisite required, thereby bypassing the 100 buckets per AWS account.

Infrastructure as code

A recurring theme this DrupalCon is the shift towards treating infrastructure as code where with technologies such as Ansible Playbooks and Dockerfile they can be stored in the same repository as your website code. This means that any developer can spin up his own Vagrant virtual server and use the provisioning scripts in the code to make an exact copy of the production environments.

When planning systems at this scale a standard MySQL database just won’t cut it, so Zeki discussed the way that he removed any cache, field data and field permissions out of MySQL and into the flat document NoSQL database called MongoDB. Drupal needs quick access to these tables as they hold the data that is constantly in use.  Seeing as no complex joins or manipulation is required on this data, it can safely be stored in flat files, which is exactly the way that MongoDB works.

Winning hearts and minds

The theme of scalability continued after the break when Maxime Topolov (@mtopolov) from Adyax talked about their recent development of a Drupal CMS designed for large publishers such as Rue89 and Le Monde. His client required an always-on system that could still operate if all three internet connections to the building were severed. This was achieved by hosting servers inside the building then having Drupal synchronise with a mirror copy in a data center.

Maxime reiterated the age old Change Management issue of winning the hearts and minds of the end users, where the journalists who were set in their ways refused to even participate in training events. He combated this by targeting the most vocal and getting them involved very early in the design process of the system.

From a technical point of view they developed a very clever tiered repository of Drupal profiles where they controlled the main core distribution and then they granted downstream access (and controlled push access) to third party agencies and freelancers. This was acheived by using their very own DocMan.

Better security through testing

Later on I sat in a conversation regarding Drupal security from @scorlosquet and @_klausi_ from Acquia and Epiqo who sit on the Drupal security team. They advised of the best practices to use, which most developers would consider common sense but security is definitely something that is worth talking about.

Klausi gave a great explanation on exactly how XSS and CSRF attacks are used to force access bypass checks, as well as the ways to mitigate the risks by setting up automated tests to ensure that specific roles can only access certain endpoints.

Drupal 8 will be more secure due to CSRF protection being built into core and the inability to execute any other code except from the index.php file. This means that, at last, no more PHP in the template files – instead Drupal themers can use Twig.

A wee drop

After another tour of the exhibition hall I got talking to Daniel from Drop Guard about their automated upgrade & patching system. I was quite impressed by what he said the system could do so he gave me a Beta access to the product – watch this space for a review of the system.

After the business chat, he told me about his upcoming trip to Scotland and I gave him some pointers on which distilleries he should visit. (Seeing as ah’m partial to a wee dram masel’.)