I've been using Vanilla for about 5 years, and have developed a maintenance process along the way that has broken down. My goal was to version control our setup (customisations, theme, plugins), and allow for automated deployments like the rest of our stack. I did this by forking the repo and adding to it: for plugins that were on GitHub, I added them as submodules; when they weren't on GitHub, I added their contents to our repo.
This worked for the most part, but upgrading the forums was always a bit of a pain, as we had to rebase and deal with any merge conflicts. We now have a huge number of merge conflicts, to the point that I'd like to start over and make a better setup.
The goal is to create a version-controlled forum setup, with reproducible builds, that can run on an ephemeral filesystem (even Heroku) so we can load balance it and even blow it away and reconstruct it if necessary. The twelve-factor app provides some background and general principles for this.
To do this, I figure I'll need to:
- Start from a specific Vanilla release: either a distributed package (zip) or the GitHub codebase (in which case I'd need to run composer).
- Fill in config.php with settings and secrets, without putting secrets into version control.
- Pull in our theme, either from a separate git repo or from a directory within this repo, and move it to the themes directory of the Vanilla codebase.
- Do the same for 10+ plugins, some of which are on GitHub, others which are just .zip files on the addons website.
uploads to be writable by PHP.
- Somehow make uploads a separate volume (like S3) so it can be shared across multiple instances and can persist (even be backed up).
I've started implementing this in a Dockerfile. You can see my progress so far at this repo.
Where I need help
I'm having some trouble with config.php because Vanilla writes to it when an admin makes a change in the admin dashboard: it replaces getenv(...) with the plaintext value. Therefore, if you want to commit any changes made in the dashboard back to source control (say, by mounting config.php as a volume and then making the changes), you'd be committing secrets unless you remember to go back in and change them back to getenv. Solutions to this I've thought of so far are: (a) make it read-only, so the application cannot change it, or (b) consider it a secrets file, outside of source control. But then how would you do an automated deployment? Is there a way to stop Vanilla from writing to config.php? I would think the database would be better suited for some of these settings, no?
2. Pulling in the theme and plugins
The simplest approach here is for the Dockerfile to just curl and unzip the theme and plugins. I can either put them in the appropriate place in the Vanilla codebase, or symlink them; it doesn't make much difference, I don't think. But it starts to feel like the job of a dependency manager. I could use composer here, but I'd have to either move the installed directory or symlink it to the appropriate place, and I don't think composer can do that, can it? Does anything else come to mind here?
Let me know if there's been any prior work on this, or if anyone wants to collaborate. I'm sure there are ways we can make the repo generic.
Missed the 3.0 release? Check out the upgrade & release notes here.
Hi everyone! The team has been hard at work over the last month fixing bugs and security holes and even squeezing in a new feature. There should be no breaking changes in this release so it should be a very straightforward update.
- Vanilla 3.x requires PHP 7.1 which is a change from earlier versions. We strongly recommend upgrading to PHP 7.3 as soon as possible. Many hosting plans allow a seamless transition via their control panel.
- Follow the normal upgrade process, including running /utility/update.
- Follow additional specific upgrade instructions.
- Test your plugin & theme compatibility in a safe place before upgrading your production forum.
Get it over in the addon directory: https://open.vanillaforums.com/addon/vanilla-core-3.1
Get it right here: https://open.vanillaforums.com/addon/vanilla-core-2.8.4
This release contains CRITICAL security patches.
- Patched SSRF in HTTP client.
- Updated release file system permissions to be less permissive.
It has been brought to our attention that our file system permissions were far too open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.
Thanks to the insistence of @R_J, I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).
Starting in this release, file system permissions are essentially 755 for directories and 644 for files.
Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.8.3 are in this version.
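A check for the permissions problem described in the 2.8.4 notes above, as an added example that is not part of the original posts or of Vanilla's build tooling: it lists world-writable entries in an unpacked release and resets the tree to 755 for directories and 644 for files. The function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: audit and normalise permissions on an unpacked release tree.
# "$1" is the directory the release was extracted to (an assumption).

# Print every entry writable by "other" (mode 777, 666, ...).
# Symlinks are skipped because their own mode bits carry no meaning.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries; 0 means the tree passes this audit.
# (Paths containing newlines would be over-counted.)
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset the tree to the modes the release notes describe:
# 755 for directories, 644 for regular files.
# This also clears execute bits on files, so re-add them afterwards
# for any script that really needs one.
normalise_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print anything that still deviates from 755/644, e.g. after a later
# build or deploy step has changed modes again.
list_nonconforming() {
    find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \) -print
}

# Stand-alone use: sh audit.sh /path/to/release
if [ "$#" -gt 0 ]; then
    echo "world-writable entries under $1: $(count_world_writable "$1")"
    list_world_writable "$1"
fi
```

A directory PHP must write to, such as uploads, can stay at 755 if it is owned by the user PHP runs as, rather than being opened to everyone.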