Misadventures in MP-WP setup, the sad work-in-progress post

Filed under: MP-WP, Software — Jacob Welsh @ 05:54

I was to write an article for publication today recounting how I finally got my blog set up. When I reported, later than I should have, that I couldn't actually get that done, my Master directed me to publish whatever I had at this point, because it is important that others can trust my exact words at any moment. I'm not proud of the "dump" format, though who knows, perhaps someone with time for a little digging might even find something useful in it.

Overview of questions, problems and other discoveries encountered.

  • I didn't have build recipes or ports (semi-automated builds for my Linux distribution) for either apache or mysql, the mainstream recommendations, as I hadn't needed these since my "industrial" days. Alternatives workable? If not, what versions to use?
  • My php port (5.6) was likely missing necessary options (libxml2, fopenwrappers)
  • Found sqlite-integration plugin; "unmaintained" and pretty invasive anyway
  • Robinson started on his own blog on rockchip: mysql dependency calculations hung indefinitely until USE -perl
  • How much time to schedule for Wordpress install? At least for one stage Robinson guessed 1.5h, I guessed 7, both ran way over
  • Upstream mysql site didn't appear to make historical versions available, likewise the Gentoo mirrors
    • I later find where they're hidden
  • MySQL build as far back as 5.5 requires CMake, which I dislike even more than autoconf and also lack a port.
  • What's the latest in mp-wp vpatches? billymg's cleanup
  • Decided to share Rockchip. How to configure Apache?
    • I don't like distributions' default apache configs, especially Gentoo's; wanted to write my own, enumerate goodness.
    • Robinson, sensibly enough, wanted to follow existing guides.
    • The dilemma of spending time untangling things up-front versus getting stuck with complexity later...
    • Gentoo has Apache 2.4; I don't like that they broke config compatibility. Can a config file be written to support both?
  • How to route requests without having to migrate existing stuff?
    • I don't much like subdomains without good reason; already have nginx gateway
    • So I can play around with my config without interfering by running a separate apache instance on an alternate port as my backend.
    • I observe the gentoo config is 1330 lines across 21 files, plus 181 lines of "init script"; replaced with 40 line config and no init script needed.
  • How to secure wp-admin? SSH in port forwarding or SOCKS proxy mode oughta work...
  • How to press keccak vpatches on rockchip?
    • Robinson works through GNAT based guides on amd64 and transfers resulting press
    • I apply the patches manually on server, but build my C Keccak util to have on hand
  • Are .htaccess files required / why? Existing guides assume their use, but I like to keep all Apache config together in the Apache config file.
  • How to configure mysql?
    • Passwords?
  • How to configure php.ini?
  • Rockchip Gentoo quirks: no syslog; ACCEPT_KEYWORDS="**"; editing manpath doesn't work
  • My parallel apache refuses to work; strace reveals gentoo has changed the documented behavior of how it finds config file
  • Was there a benefit to having a 'wpuser' unix account along with apache and one's normal user?
  • Apache 2.4 complains about NameVirtualHost directive, previously mandatory
  • Dependencies between Apache modules not well handled or documented; resulting errors confusing
  • What's the AUTH_KEY business in wp-config.php? Does the code at least use "good" PRNG?
  • "Famous five minute wordpress installation process" - didn't work
  • Found stray .orig file, turned out to be in genesis; found empty files, as I'd missed patch -E
  • Should the "post revisions" feature be enabled?
  • My ssh-based wp-admin begins to run afoul of Wordpress assumptions
    • plain HTTP proxy with port forward (rather than SOCKS) seems to help, but causes different trouble later
    • SOCKS works for Robinson, once source IP to allow is figured out, as he doesn't have the backend/frontend URL divergence
  • Working DNS needed on server to support pingbacks
  • JS needs to be allowed for some of the admin functionality
  • PHP warning spam, despite following existing suggestions for reducing it
  • Sidebar not shown on articles in the default theme
  • Contents of some external RSS feed got slurped up into the database
  • Suspicious "post via email" feature with no "off" switch
  • RSS feed XML syntax broken if extra newlines sneak into your wp-config.php or similar outside the ?php tags
  • New problem with gateway: wordpress uses the client IP address, e.g. for antispam
    • Apache has a mod_remoteip, but feels like piling on more complexity
  • Footnotes plugin once had an admin page, possibly unsecured, now absent
  • Footnotes entity escaping quirk
  • "In-band signalling" of the default footnote delimiters, and regex brokenness when trying to change
  • Yet another problem with gateway: pingbacks involve two-way verification where IPs must match
  • How to back up blog
  • What if anything to do about my existing VPS dependence
  • How to back up larger system? ...broached just before ISP went dark
  • Falling back to VPS then, but what?
  • mod_access_compat: not actually compatible!
  • Firefox SOCKS DNS checkbox doesn't actually work to disable

Chat logs.

April or May 2019:
jfw: back to priorities, I think WoT engagement should be seen as a business necessity on par with fiat incorporation
jfw: though it is also a personal priority
jfw: on my side that means: airgapping practice, MPWP setup or equivalent, then... using it

June 2019:
rmd: what's your priority after satisfied with ports?
jfw: maybe wordpress

jfw: sonnuvabitch... "This plugin was closed on June 29, 2019 and is no longer available for download."
jfw: tv raft I suppose. "Unmaintained -- doesn't work anymore (because we broke things)"
jfw: but still downloads, and looks like still in their svn.

jfw: []
jfw: allegedly mysql can use a different storage engine (MyISAM/InnoDB) per table, so the application has to specify, but wordpress doesn't, so the server default matters
jfw: or you get wonders like transaction that only transactionates halfway
jfw: though wp, natch, doesn't use transactions!
jfw: or presumably foreign key constraints...
jfw: this sqlite-integration 'plugin' seems pretty heavy-handed, 5600 lines of php at top level + 3300 in utilities/. Thinking I should stick to the beaten path of mysql for now; I'm still seeing wordpress as legacy code, on life support

2019-09-02 - My many priorities for the week included mysql port and mpwp.
jfw: well that's quite a pile huh.
rmd: yeah, just got to keep chewing.

2019-09-10 - Robinson working to apply the mp-wp guides on rockchip gentoo.
jfw: thinking apache and mysql version considerations would be a good starting question
jfw: existing guides I've seen are just 'emerge'
rmd: the flow of events that makes sense to me is: once key ready, transition signed, ask for up, register new key, link to transition note, share you have gcc4.7+busybox+musl that's e.g. running trb, but doesn't have ports for all mp-wp deps
rmd: canonical apache, mysql
rmd: could link to that and verify if that's what you ought to target.
rmd: communicate your deadline and get crackin.
rmd: << from today's log that has me more pushy than yest.
rmd: on my side, I have apache emerged and mysql through 6 out of 9 dependencies. lost over an hour because default mysql has perl USE and continually hung on calc dependencies step (longest I let it go for was ~28 mins (during our conversation above). once applied the -perl in package.use, calculated deps as ~normal.
rmd: not sure what that's all about.
jfw: "using portage" is what that's all about
jfw: but, good to have specific examples, unfortunately I haven't saved photographic examples of my frustrations over the years

rmd: <jfw> I guess the start times partially satisfy that << right, I was estimating with the start and end times of the block
jfw: ok so 1.5 hr for mp-wp install
jfw: obvs this discussion cut into that but imho my 7 hour estimate for that is moar realistic
rmd: it's both an estimate of how long it may take and how long I plan to spend on it during this block of time.

jfw: on mysql front, 5.5.x is oldest of the 5 branches still published by upstream, .62 is latest, .60 is what MP said 'known to work'; DC tried but it wouldn't build because portage (
jfw: I've grabbed .62 but .60 is gone from current mirrors

jfw: fuckers, 20MB tarball but changelog / release notes and docs not included
jfw: (working on mysql 5.5.62 for gport.)
jfw: (if someone coughs up a .60, would like to compare.)
jfw: so mysql is mix of C and C++, and appears to require cmake to build
jfw: uses yacc/bison, INPUT for which is 14302 lines
jfw: includes zlib and spencer regex, dunno if hacked up
jfw: big test suite, dunno if big == valuable tho
jfw: 9573 total files, buncha subdirs many with nested subdirs
jfw: boasts of being multi-threaded
jfw: jeez, bundles both gnu readline and libedit
jfw: 14MB of charset noise
jfw: and sure, what to me is noise to washitistani is ability to search / sort data in his local encoding. But even if you accepted this, a skim of the actual sources reveals much redundancy / auto-generated-and-threw-away-the-scaffolds
jfw: I suspect I will also need to port libxml2 and update php port to suck it in, given wordpress uses xmlrpc for pingback (iirc)
jfw: looks like mysql 5.5 came right after 5.1
jfw: (maybe there were dev branches)
jfw: 5.5.14 (grabbed from bbgentoo) did not yet have the docs unbundled but was already married to cmake; 5.1.70 still had an autoconf/make option
jfw: I dunno, could be just ignorance but I've really never liked cmake, even after trying to learn it for KDE development. I look at any cmake build system and all I see is BLAH BLAH (BLAHBLAH CMAKE_BLAH(BLAH) (BLAH)) BLAH BLAH
jfw: I suspect it's an attempt to "clean up autoconf" by hiding stuff, thus result is just as complex but harder to trace.
jfw: ./configure --help always works and is sometimes even helpful. CMake has no such thing but would you like a GUI??
jfw: top-level CMakeLists.txt line counts by version: 5.1.70: 315, 5.5.14: 389, 5.5.62: 569
jfw: I expect this somewhat estimates time required to replace with plain Makefile / config.h
jfw: one provisional takeaway from log digging was that needing both mysql and postgres is unfortunately the status quo and will remain for some time
jfw: so it seems to me this project is ballooning into a couple avenues of potential value: mysql port involving further archeology and build cleanup; postgres port, which itself may involve same; ironing out any MPWP/postgres interop problems that have crept in
jfw: but all this is more than I wanted to or can bite off Right Now, so contemplating more well-trodden routes...
jfw: hmm could revisit sqlite too, if in fact supported choice of mysql/pg, perhaps it's easier than they make you think.

I take Robinson up on his offer to share the Rockchip and work with whatever's found in Portage.

jfw: well I combed thewhet archive month-by-month and confirmed nothing new on mp-wp since March - the one linked from billymg.
jfw: Which appears to be the html comments fix.
jfw: Certainly underscores to *me* the crucial role of the blog as first-level index of useful information -- the dig woulda been orders of magnitute worse if it were 'search the log and wade through endless threads'

rmd: I'm thinking I should go for the multi website apache config from the start on this mp-wp setup. going to take more work, cause not documented, but should save you time.
jfw: what's "the multi website config" -- NameVirtualHost?
jfw: my approach to apache is to throw out whatever 'helpful' distro config and write httpd.conf from scratch
jfw: you don't need subdirs with included config snippets and all that jazz
rmd: yea, apache virtual host
jfw: prolly the way to go; I could make do with port-based virtual host for now as I'll be gatewaying it from existing nginx, but better for the long run
jfw: and no more difficult when SSL isn't involved
rmd: gatewaying from existing nginx ?
jfw: domain will stay where it is; that server will route a portion of its URL space to another server, aka acting as a reverse proxy or gateway.
jfw: unless I decide against the /fixpoint/ scheme, idk...
rmd: ok, not sure where to begin with that on my end since the examples I've seen thus far don't include that complexity.
rmd: I like the /fixpoint/ scheme fwiw
jfw: nothing special is needed on your end.
jfw: just assign me a portion of the virtual hostname / url space and I route to that.
rmd: ok, well I have enough learning to do to get my own blog standing in reasonable time. I think I'll continue following the various guides.
jfw: cool.
rmd: thanks.
jfw: , are canonical.
rmd: my instinct on the ssl side was to kill it, e.g. in the apache config. but then it occurred to me it might be "needed" for wp-admin...
jfw: can use ssh proxy for that :)
rmd: :) aite, so I'll remove from apache then.

rmd: so the mp-wp set up requires gnat on account of keccak, been working my way through the maze of guides
jfw: i dunno if this'd be a 'legal' shortcut but you could just apply the patches by hand... there's what, like 3 of them?
jfw: is there even a gnat on arm guide?
jfw: path as I understand it is Adacore 2016 (glibc x86_64) -> ave1 gnat (static musl x86_64) -> cross compile to whatever
jfw: and dunno if anyone's documented the third leg of that
jfw: aaaalso, original Stan doesn't verify hashes so won't care about hash algo
jfw: imho, 'eat the full tmsr stack before standing up blog' is false prerequisite for you here as 'build the perfect mysql' was for me
rmd: my 'shortcut' was install adacore x86_64 gnat on vm, use that to press the mp-wp tree. transfer the pressed tree to rk.
rmd: don't yet have adacore gnat installed there properly.
rmd: I have 4 patches on top of the genesis from billymg's guides.

rmd: for the ssh proxy to administer wordpress my thought is to run the proxy from the pizarro server. i.e. configure your host to proxy to the pizarro server, only permit the pizarro server's ip in the various .htaccess files.
jfw: [...] Little confused on the proxy point
jfw: idea is to only permit localhost
jfw: then ssh -D to piz host, configure browser with local SOCKS proxy, perhaps in a dedicated profile. Perhaps what you meant.
jfw: btw I don't know why they use .htaccess files, my understanding of their purpose is for poor man on shared web host to be able to override some aspects of apache config
rmd: thanks for clarifying, that's what I meant.
jfw: per-directory config can be done just fine in main httpd.conf, through stanzas
rmd: I bring up .htaccess because it was in the guides that I've been following.
jfw: understood that it's in the guides.
jfw: and if you do want to use htaccess you'll also need

jfw: oh we were discussing htaccess last night - that there was some wordpress-specific need for them. Does it write them dynamically or something??
jfw: 'pretty urls' are based on mod_rewrite afaik, which can be configured statically along with the rest of the apache stuff
jfw: though if "just following the guides exactly" actually works, I've no problem with it for now.
rmd: I'm not sure the details on htaccess. atm though I have my hands full following the guides since they're rather terse to begin with. I'm following them as close as possible, but I've not got it working yet.
jfw: any specific problem?
rmd: afaict i've followed the guides, but haven't got anything to load. after making request I went to look in the apache log, nothing there. ps reports apache isn't running so atm looking to see how to start it.
jfw: for gentoo, might need to futz with /etc/conf.d/apache2
jfw: and ofc, rc-update add apache2 default and start the init script
rmd: yeah, I never did that.
rmd: the rc-update part
jfw: hmm well that'd just affect boot-up. The apache error log is empty or just access?
rmd: yea, I never did rc-service apache start , did that now and have some progress.
rmd: let me investigate and report back. while I appreciate the support, I can learn and you can get back to your priorities.

rmd: got the wp installed and logged into the admin, w00t!
jfw: 'grats on wordpress, is mysql ready to go?
rmd: not sure if can correctly answer mysql ready to go, but "worx" so far. haven't exercised it much.
jfw: are you aware of mysql_secure_install and either done it or established not needed? what IP is it listening on? Is there user/password/grants for a user for use by wordpress? that'd be what I reckon as ready to go.
rmd: <jfw> are you aware of mysql_secure_install << wasn't aware.
rmd: what IP is it listening on? << bind_address to in /etc/mysql/my.conf
rmd: user/password/grants for a user for use by wordpress? << yeah set from mysql command line and then in wp-config.php
jfw: cool, and netstat -tnlp won't hurt to verify.
rmd: cool, netstat verifies, thanks for the link.

jfw: "<jfw> my approach to apache is to throw out whatever 'helpful' distro config and write httpd.conf from scratch" << I gather you didn't go that route, which means the apache config is spewed out across 21 files and 1330 lines
jfw: for what could probably be 20 lines.
jfw: (oh and 181 lines for the init script... solving all the hallucinated problems)
jfw: the stupid already shows in the very first non-comment config line, ServerRoot "/usr/lib64/apache2" -- redundant with daemon option hardcoded in init script
jfw: << the main config breakage I remembered about apache 2.4, but one can use mod_access_compat
jfw: ooh I see it in your package.use!
jfw: any particular reasoning behind APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D PHP -D LANGUAGE" (/etc/conf.d/apache2)?
jfw: these serve to enable various tentacles of the config
jfw: looking over php.ini too, one thing that might warrant enabling is session.cookie_httponly
jfw: not sure if the POST/upload size limits would affect e.g. wordpress image upload
jfw: and for disabling - expose_php (no reason to show "X-Powered-By: PHP/5.6.35-pl1-gentoo" to scanners)
jfw: "fopen wrappers" is also a retarded feature but not sure if wordpress requires, e.g. for trackbacks
jfw: to bed for now.
rmd: <jfw> for what could probably be 20 lines. << I don't doubt this may be the case, but as I stated earlier in the week, I decided to follow the various guides and had my hands/head full doing that.
rmd: what can be done in 20 lines requires not only substantial knowledge for running a webserver, but also skill in detangling gentoo's defaults.
rmd: <jfw> any particular reasoning behind APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D PHP -D LANGUAGE" (/etc/conf.d/apache2)? << I added -D PHP as directed by esthlos' guide. the others were there by default. I removed 2 ssl options from that line that were there by default.
jfw: Understood, and I don't mean to argue it was the wrong decision, but it does have its costs which I figure I ought to tally for future reference.
jfw: detangling gentooism is the skill that's now required to answer anything about the config
rmd: thanks, tally away and feel frree to exercise you wizardry in collapsing it down to 'fits in head'
rmd: would be yet another arrow in the fixedpoint quiver.

jfw: thinking I'll just do a daemontools-managed alt-Apache config on port 81, not interfere with the existing, and document in a recipe.
jfw: can then promote to port 80 if it works out.
rmd: sounds like a nice approach.
jfw: how do I go about adminning mysql -- is there a password for root?
rmd: there is.
jfw: my approach would be to put it in /root/.my.cnf
rmd: plain text ?
jfw: see start of /etc/mysql/my.cnf for reference
jfw: yes; since /root is mode 700, read access there == r/w access to mysql data anyway.
jfw: much like the bitcoind rpc password or ~/.Xauthority
rmd: ok, it's there.
jfw: fixed syntax, works now.
jfw: this also means mysqldump works without password, for cron job or whatev.
jfw: huh, there's no syslogd on here
jfw: and lotta noise in dmesg

jfw: fuckin' gentoo, editing manpath in /etc/man_db.conf doesn't work apparently because it's overridden by $MANPATH env var
jfw: terraforming proceeding well with daemontools and socklog. SSH auth logs now captured in /var/log/syslog/
jfw: and kernel in /var/log/klog/

jfw: Further example: the config line to load is indirected from httpd.conf to modules.d/70_mod_php.conf, and from there to /var/lib/eselect-php/mod_php.conf, and gated on that -DPHP setting in /etc/conf.d/apache2. Now: one line in main httpd.conf, delete or comment if you don't want.
jfw: One problem in current setup is there's neither vhost-specific access logs nor the vhost name included in the log format, so no way to distinguish which line is from which site
jfw: (I could override for mine, so not a real problem I guess, just pointing out)
jfw: ugh, stuck on "httpd (pid 6579) already running". Even explicitly using a different pid file.
jfw: I'm removing ACCEPT_KEYWORDS="**" from make.conf, was that there on purpose??
jfw: means for example it'll try to install un-keyworded dev versions of ebuilds, downloading from git etc
rmd: make.conf, was that there on purpose?? << not by me.
jfw: in further weird, that string "already running" is found nowhere in httpd source
jfw: got strace installed to check 'wtf', now wtf: it's loading /etc/apache2/httpd.conf rather than conf/httpd.conf relative to the given server root, contrary to docs
jfw: naturally a complete autoconf mess to see what or why.

jfw: Whew, basic apache finally up.
rmd: nice !
jfw: btw, tightening ownership of /www which was wpuser:wpuser
jfw: is wpuser even used for anything actually?
rmd: in wp-config.php
jfw: looks like just a mysql user, I mean the unix user
rmd: not sure, residual from following the guides. what'd you propose as alternative ?
jfw: well that depends on the purpose, which apparently we don't know
rmd: a non-privileged user that owns the wp install.
jfw: so far as I can tell the only thing that runs as that user is your shell when tweaking the php
jfw: I guess it's a marginal improvement over having them root-owned, less chance of accident while editing or whatever
jfw: will probably skip for mine tho

jfw: found another apache2.4ism: using VirtualHost where previously NameVirtualHost was required
jfw: "Apache was one of the first servers to support IP-based virtual hosts right out of the box." << BS... zero special support is required to do this, just run different processes bound to different IPs/ports (as I'm doing right now!)
jfw: "what do you have remaining in blog set up?" << vhost config, mp-wp press, whatever mod_php / mod_rewrite setup it needs, wp config

jfw: since I'm "enumerating goodness" on apache modules to load, I'm finding the dependencies between them are not well handled.
jfw: (or documented.)
jfw: e.g., so far had to add mod_dir, mod_authn_core and mod_authz_core, based on errors that don't at all point to the real problem
jfw: ok, got php handling, directory autoindex, and recognition of index.php as a dir index; set expose_php = Off and session.cookie_httponly = On in php.ini as mentioned.
jfw: (apparently that's a newer security feature, firefox 3 / ie7 era)
jfw: saw mysql still had the anonymous user and test database so I ran mysql_secure_installation.
jfw: at the stage of tryna grok what's in the sample .htaccess.
jfw: did you fill the AUTH_KEY stuff ('fill your own's in wp-config.php, not mentioned by esthlos?)
jfw: well the 'famous five minute wordpress installation process' is totally broken, unsurprise
jfw: didn't work with no wp-config.php; didn't work with the pressed wp-config.php (invalid table_prefix), but hey good thing we know how to unix; readme.html link broken; it didn't ask any useful questions really but demanded an email for unspecified reasons; magically generated an admin password (I wonder if it even used urandom or just did some awful self-delusion...); then on the login page, made
jfw: blog title a link to, and automagically decided its base URL is [...] (which is how the gateway is referring to it based on its own hosts file); and top-level now just redirects to "Already installed".
jfw: so good thing we know how to SQL too. update options set option_value='http://actual-url/' where option_name in ('siteurl', 'home'); clears up the url problem
jfw: rmd: I have ssh-based wp-admin working, using -L (local port forwarding) though rather than -D because in theory it requires less browser futzing
jfw: grr, the mp-wp genesis includes a mp-wp/wp-comments-post.php.orig, here I was thinking I'd screwed up the press by invoking patch wrong or something
jfw: [...] Doesn't look to me like it leaks anything sensitive, but this sorta thing easily can if you're not careful.
jfw: I did however screw up the press by omitting -E from patch options (and looks like omits this too), so the 'weight loss' patch results in a bunch of zero-length files rather than deleting.
jfw: easy fix without re-pressing: find . -size 0 -exec rm {} +
jfw: heard any gossip on the 'post revisions' feature? apparently it's enabled by default but disabled in the genesis wp-config.php

rmd: <jfw> did you fill the AUTH_KEY stuff ('fill your own's in wp-config.php, << i didn't. did you find out what it was about ?
jfw: not really, though maybe it generates one in the database if you don't specify, and there's indeed a retarded RNG in wp-includes/pluggable.php but also something with urandom in wp-includes/pluggable.php
rmd: <jfw> so good thing we know how to SQL too. update options set option_value='http://actual-url/' where option_name in ('siteurl', 'home'); clears up the url problem << my inference is I'll need to do this as well.
jfw: the automagic probably worked for you if you didn't go off the beaten path, e.g. did the install using url
jfw: pretty obvious when it's wrong, admin login is broken
rmd: ok, I stayed on the beaten path with the install.php
jfw: ugh, use_smilies option defaults to 1, "Convert emoticons like :-) and :P to graphics when displayed"
jfw: I think we'll need local DNS after all for pingbacks

jfw: djbdns deployed.
rmd: nice.
rmd: mind sharing the ssh syntax you're using for the ssh-based wp-admin with -L ?
rmd: my reading comprehension of the man page has been insufficient
rmd: making progress.
rmd: I have : ssh -L *:1080: [piz login]
jfw: yep, shouldn't need the * if ssh client is on same box as browser tho
rmd: running ssh in -vvv shows the requests are being sent. by browser says the proxy server is refusing connections.
jfw: (I have a feeling this method will run afoul of the site url issue from a different angle though, will soon see)
jfw: you don't use a proxy this way but connect to localhost:1080

jfw: sigh, indeed does not work (leaks password even) because the login POSTs to absolute URL based on the configuration.
jfw: guess I'll try the -D (socks proxy).
jfw: ...which won't work for me because is not the local server.
jfw: well, I guess I gotta tell it that it is.
rmd: I got the login page to load, without css apparently. but the username/password that were issued aren't working.
rmd: so I should also go for the -D ?
jfw: yes that's the symptom, css link and form action point to normal url
jfw: I would think -D should work for you

rmd: ok, I got the -D working and connected, and see in the apache access_log it's trying to connect from [piz ip] rather than local host.
rmd: so going to change .htaccess to piz ip rather than
jfw: works
rmd: now in!
jfw: seems like firefox is resolving dns locally, so hosts-file on remote end does me no good :(
jfw: really what I seem to need is a different base URL for wp-admin
jfw: but I'm so over time budget here :(
jfw: one cut would be to drop the gateway and make it as piz ip
jfw: seems like a 'run moar usg.dns' tho
jfw: Ha! Using a plain HTTP (not SOCKS) proxy with ssh -L does the trick
jfw: and that's because from client's POV an HTTP proxy ain't any different from a normal server - just that it sends all requests there instead of to the dns-resolved hosts.
jfw: i.e. lets the remote host resolve the url as it sees fit, so for example external sites won't work in this config because the remote apache doesn't serve them -- an actual proxy server (such as the ssh socks) required for that
rmd: so you're into your admin ?
jfw: yep. Gonna make a browser profile to use the proxy / allow js

jfw: I'm now banging head on why it's STILL trying to redirect based on the host given by the gateway, not on the admin but on the main blog
jfw: fixed on the nginx side.
jfw: (i.e. configured it to use as the host header despite a different server name in the target url, pretty cool.)
rmd: hey hey, nice !
rmd: I think I got the permalinks working, needed to enable js for wp-admin in browser
jfw: yes it did look pretty js-heavy
jfw: there's a whole minified jquery open sore in the genesis
jfw: re WP writing .htaccess dynamically, indeed it does try, but if it can't (as in our setup, since the apache user can't write to the php code, as it should be) then it'll show sample lines to paste.
jfw: Which can be inserted, THINKINGLY, into a <Directory> stanza in httpd.conf.

jfw: yay permalinks workin'.
jfw: tons of php warning spam (mktime) in error log
jfw: also hitting the issue that the sidebar, once configured, only shows on homepage, not article. Forget where I saw it mentioned, iirc MP said 'yeah you gotta do some css hacking'
rmd: has a php warning silencer
jfw: well, error_reporting is already at the suggested 'production' value which ought to supress E_STRICT (coding standard warnings)
jfw: the most verbose date ones were an easy fix, just date.timezone = UTC in php.ini
jfw: ffs, wordpress itself overrides the error_reporting setting in various places...
jfw: tried her settings for the sake of trying, doesn't help with the 'strict standards' warnings
jfw: Your RSS feeds still throwing XML errors, mine seem to work, didn't have to do anything special
jfw: Yuck, it seems to have gone and imported the contents of some rando RSS feed... into the *options* table
jfw: next, I gotta wonder whether it's trying to connect to '' for this 'Post via e-mail' feature that doesn't have a disable switch
rmd: first hint on the rss error is rogue whitespace, haven't tracked down yet
jfw: ah possibly one of yer php files got extra emacstastic newlines after the ?> close tag ?
jfw: one hitch with the ssh -L as http proxy setup, the pages outside of admin don't work, all 404 (but through the php!!)
jfw: dumb, but can view stuff from other browser.
jfw: gah, completely breaks previewing though.
rmd: I've not turned one up and didn't use emacs at all. I pressed from a different dir then copied to install and diff -ur a b | cat -A didn't turn up the rogue whitespace.
jfw: heh, didn't know about cat -A
jfw: I'll take a peek at your code...
jfw: error_reporting(E_ALL & ~E_NOTICE & ~E_USER_NOTICE & ~E_STRICT); << where'dya get that? (in wp-config.php) It's exactly what I derived for error suppression but didn't see in known guides
jfw: oh hey and you apparently figured out the mysql unix socket syntax too
rmd: I took a peek at yours...
jfw: oh, hehe.
jfw: not seeing anything obvious with the feeds -- pretty sure it's that leading newline but dunno where coming from. And tracing the code is total spaghetti
rmd: thanks for looking
jfw: huh, comments feed looks OK but not posts -- I swear it was also broken before
rmd: clear your browser cache.
rmd: and the entries rss works
jfw: huh, I had tried a reload, shift-ctrl-r did it, wtf.
jfw: it's probably using http cache headers to complicate browser behavior.
jfw: what was the trick?
rmd: i'm not exactly sure because i tried various changes without clearing the cache, but I did remove a trailing whitespace in wp-config.php as a first step..
jfw: ah that's it then.
rmd: 'it always takes longer than you think'

rmd: what's the status on your side ? looks like it's coming along.
jfw: drinking from firehose, but starting to know my way around
jfw: one new worry re the gateway, is for comment antispam - wordpress shows the poster IP in the dashboard, but they'll all show the same, that is, the gateway IP rather than the originator
jfw: the gateway can add some kinda header like X-Forwarded-For: ip, then there's an apache module that can make it interpret this as the 'real' remote IP for a given trusted proxy IP, but I dunno, lot of stuff to go wrong
jfw: really making me lean toward It's a 'heavy' app, really wants to own the domain
jfw: is 'parked' sadly
jfw: "next, I gotta wonder whether it's trying to connect to '' for this 'Post via e-mail' feature" << looks like not normally but will if you load wp-mail.php which is completely exposed
jfw: Deleting that and wp-includes/class-pop3.php, stolen from squirrelmail and only used by wp-mail
jfw: i bet there's more suprises lurking in that vein

jfw: I've tweaked the PHP to make sidebar show on post pages and maybe a couple other trivia
jfw: discovered why the admin options for the footnotes plugin are broken: the orig plugin had an 'options.php' alongside the 'footnotes.php' that hanbot didn't capture
jfw: possibly deliberate, based on commented-out POST handling code in footnotes.php
jfw: (which appears not to check admin privileges!)
jfw: (a casualty of the phpist conflation of coadlibs with directly loadable pages, it would seem.)

2019-10-05 - I compared the footnotes plugin code with subsequent upstream changes, which turned up a mistake in entity escaping, which MP-WP fixed and upstream later maybe-fixed in a more convoluted and fragile way. In exploring the problem I wasn't initially convinced that the MP-WP fix was sufficient, and was attempting to simplify the upstream one.

jfw: gah, the footnote entity escaping simplification doesn't work on web as it did on php CLI, fucking pile of swamp chairs.
jfw: specifically see what happened to the & in the footnote tooltip on my current Hello World. But at least the quote escaping is OK so I'll live with it for now.
jfw: oh I see what's happening.
jfw: [...] the original footnotes.php was correct. I'll just change mine to use &quot; instead of ` for "
jfw: and by "original was correct" I mean the version from hanbot, not the original author whose broken version is seen in the comment.
jfw: &quot; instead of ` for " << worx!
jfw: yet another worry about footnotes is the simple (( )) parsing is gonna wreak havoc on Lisp code.
jfw: now tried changing the open/close markers to <fn> and </fn>, as would be logical given that tags are THE means of out-of-band signalling in html, but dun work :(
jfw: omfg, the post editor doesn't encode entities in the underlying text!
jfw: e.g. use the editor to put &lt;/textarea&gt; in the post; save/publish; this then becomes </textarea> in the source and anything after 'leaks'
jfw: er, missed a step there - it becomes </textarea> in the browser display, which if saved again, goes into the source.
jfw: possible this is fallout of the weightloss patch since it ripped out the wysiwyg editor
jfw: Whew, cracked all of the above, I think. The problem with <fn> stems from the spurious complexity of 'Perl Compatible Regex' -- it demands 'delimiter' character like / even though it's already taking php's quote-delimited strings, but its preg_quote function doesn't quote the delimiter. Ripped out the whole spurious layer of indirection of the WP_FOOTNOTES_OPEN/CLOSE variables.

jfw: Note that my patch above kills the JS selectatron, on the theory that it's better to get some flak up front for 'no selection' with a reasonable path to adding it, than accumulate backlinks with JS-based selection and be painted into a corner of either breaking them or maintaining the feature.
jfw: 'it never pays to play along with empire' as MP lamented, of being in the latter situation

(Not being at all comfortable with this theory, I worked out the server-side selection soon after.)

jfw: fyi, I'm rebuilding apache2 with apache2_modules_remoteip enabled, for getting client IPs from the gateway.
jfw: client IP passthrough now working.
jfw: :D :D
rmd: hey hey lbj !! reading now.
jfw: idk if pingbacks are working, probably not because basically nothing on this blog worked until vigorous prodding.
rmd: [...] As you said in the piece, "ice is broken" and situation as is is accepted, time to move forward. on the ping back front, have you considered ?
jfw: ah fuck, "the blog's own IP" is a thing? I was afraid of something like that but unsure exactly why.

jfw: "bash one-liner" to back up all of blog, besides server config:
jfw: ssh [host] 'printf "dumping... " >&2; mysqldump fixpoint | gzip' >$HOME/backup/fixpoint-`date +%Y%m%d`.sql.gz
jfw: echo done
jfw: rsync -av --delete-after [host]:fixpoint/ $HOME/backup/fixpoint/
jfw: (the echoism is cuz ssh handshake is so slow, but the actual transfer could also get slow, I like to see what stage it's at)
jfw: reason for rsync is the blog directory could get Big, with photo uploads and such

jfw: well, on the pingbacks, maybe means it's time I moved all my cloudstuff to the RK already. 'But muh VPS is reliable!' - only so long as I don't do anything sufficiently interesting with it
jfw: another idea was hooking up business fiber here and running a home server.
jfw: with 'interfast', $90/mo gets you 10mbit or some shit; residential class way higher capacity but I dun wanna know how they hobble it
jfw: one worry is if I travel, something's gonna fall over guaranteed, UPS or no...
jfw: but maybe that's neurotic of me - building has backup generator and all, power or net have never had extended failure yet in my tenure
jfw: re "you're supposed to see and know why it is your pingbacks don't make it", I haven't found anything in the UI about pingback status
jfw: for all I'd know it hasn't even tried

jfw: We should coordinate on the system-level backups of the rockchip. I propose integrating it into my weekly tar backups, but with exclusions for /home, /www and /var/lib/mysql which are to be individual responsibility. But for example config files, built packages and apache logs would be captured hereby.
jfw: mysql I believe is not safe for file-level hot backup; need to use mysqldump on each desired database. Ideally I'd like to set up some kinda live replication; I can run my backup script after posting but there'd still be a window for loss of comments.

jfw: holy shit 71.9h week, 27h of blog setup tarpit, no wonder I'm struggling for air

The Pizmess happens.

jfw: One thought re blog was to use the VPSjacking recipe to do a Cuntoo install
jfw: but this means waiting on trinque to get his stuff back up, unless you have the 800MB tarball.
jfw: so I found where mysql well-hid their historical archives,

At this point I'm willing to eat just about anything in terms of infrastructure to get back online without excessive fuss. Unfortunately the Rockchip Gentoo setup would be hard to reproduce: Gentoo installations done by different people never come out quite the same, especially if done at different times; we didn't manage to get that system-level backup done; and even if we had, where to find an aarch64 machine ready to receive it? Happily I find my existing VPS provider has a CentOS 6 image available, which I know well enough as the last stable version predating the "systemd" heresy. I return Robinson's hosting favor by folding his as-yet virgin blog into my efforts.

jfw: oh, I made your account on the new blog VPS: [...]@[...] /, port [...], fingerprint SHA256:[...]. Should have your authorized key all set.
jfw: no database, apache or wordpress futzing done yet though.
jfw: Learned from my last mistake and got backups of root FS and my whole homedir (not just live blog) squared away. You'll need to take care of your own homedir and db dumps.
rmd: thank you.

jfw: I set up your db, my.cnf, wordpress vpress, and wp-config.php
jfw: so you should be able now to update local /etc/hosts, ssh -D / socks proxy, and get to the installer.
jfw: From there you'll want to at least: set admin fullname and password; activate wp-footnotes plugin; don't convert emoticons (under Writing); don't break comments into pages / don't email me (under Discussion)
jfw: Since I'm not using suphp or whatever shared hosting isolation, the wp-config.php's need to be readable by both our users and apache, which practically means others-readable, thus db passwords are visible to local users. Needless to say, one shouldn't touch others' databases without asking.

jfw: (you'd instead restore db via 'mysql dorionmode < dump.sql' if you had dump)
rmd: ok thanks.

jfw: In the firefox network settings check that "Proxy DNS when using SOCKS v5" is not checked
jfw: I could add to server hosts file, but better not to rely on that right?
jfw: also good to update your DNS sooner rather than later as it usually takes time to propagate.
rmd: mind trying adding dorion-mode to /etc/hosts
rmd: yeah, yeah I shoulda done that a while ago.
jfw: but also good now to make sure hosts files are working.
rmd: "Remote DNS" is unchecked in the Network -> Settings
rmd: "Proxy DNS when using SOCKS v5" << I don't see that verbatim
rmd: Advanced -> Network -> Settings
jfw: probably just diff ffx version wank there
rmd: sure, but rather be explicit
jfw: yeah and good to point out, possibly they changed the functioning too
jfw: added to hosts file
rmd: ta-da !
rmd: so that ff option didn't work
rmd: unchecked, but was still using remote
jfw: at least not as expected yeah, possibly mine only worked via dns
rmd: heh.
rmd: thank you!
jfw: yw and plz speak up if further trouble.
rmd: will do.
jfw: I wonder how that 'remote DNS' works, sshd includes dns resolver?!
jfw: apparently so, well presumably the libc resolver; documented in sshd(8) for other purposes but not the proxy

rmd: [...] you know how to make a new line in a footnote ?
jfw: should be able to <br /> or <p> like anywhere I'd assume

rmd: did you modify your sidebar via the admin -> appearance -> editor -> sidebar.php ?
jfw: re sidebar: it's actually widgetized; there's a whole schmancy Appearance -> Widgets.

A sidetrack, recorded in my notes to self, as mentioned.

  • One thing that's tossing me around here is the number of old, possibly foolish decisions this story seems to import.
  • Why did I need x, y and z ported? Because I wanted to strengthen my distro.
  • Why my own distro? Wanted to be rid of headaches of others configuring my system with stuff I don't need, plus bootstrapping "problem of trust".
  • Why needing Apache/mysql ported? Because I chose nginx/sqlite on first pass.
  • sqlite at least made sense, for python module, as I was using it myself.
  • nginx - initially for the sake of trying new things, since I considered Apache 2.4 a "new thing" anyway; missed that "apache is a selected, not designed, item"
  • Why needing php port fixed? Because I built php a while back without a specific necessity to guide it, that I can recall.
  • So, the explosion of priors. The would-be rabbit-hole of links among the articles I haven't been writing all this time.

Initial outline, constructed from memory prior to log dig.

- Feasible to run on my own distro?
  - httpd
    - nginx/php - done, but not mainstream mp-wp
    - apache - no port or recipe
  - db
    - checked sqlite-integration plugin - abandoned but found in trac; way too invasive
    - found that it might work with postgres; no port, but recipe, and personal preference
    - perhaps could work fine with sqlite too
    - mysql - the mainstream option but no port or recipe handy. Decided to make one.
      - so which version? latest - ugh, prominently featured bloat
      - found DC's post; didn't find the tarballs in question from upstream or gentoo mirrors
        - later found upstream's archive
  - php - had port (hm, why'd I originally port this?), probably missing at least xml and fopenwrappers crap
- Robinson offered Rockchip gentoo
  - sounded perfect
    - actually-private infra
    - could defer ideal builds for now
    - could just gateway from existing frontend
  - Robinson already had basic blog setup from following guides (esthlos, ?)
    - missed mysql_secure_installation, .my.cnf password, backup strategy
    - hadn't figured out restricting admin access
  - I tended toward writing fresh Apache config, reinforced upon beholding the rat's nest of gentooism "making it easy"
    - especially because apache 2.4
      - found mod_access_compat - cool so I don't have to use the new style stuff and can have a backward-compat config, right??
  - to avoid stepping on toes, I'd write new config, with Apache standard paths, on alternate port taking advantage of gateway, as daemontools service
    - man page lied about httpd.conf default path
    - needs SIGUSR1 rather than SIGHUP for graceful restart
    - 'enumerating goodness' on DSOs gave some rather strange errors
  - gateway woes
    - WP stupid assumptions: put SITEURL in config
    - source IP for logs/spam checks: found mod_remoteip
    - admin proxy woes
    - admin previews broken
- pizmess: fuck it, centos6 VPS
  - purging cloud crud, installing essentials
    - static yum mirror
  - apache 2.2 goodness
    - ugh, the 'compat' module reversed default allow/deny order, my config is all backwards nao.
    - DSO list changed, but to be expected
    - no mod_remoteip! some 'backports' on shithub; one - dysfunctional; both - lengthy
  - fuck it, no gateway
    - socks5 proxy works - but 'remote dns' checkbox defective in ffx, always remote?


  1. "found DC's post; didn't find the tarballs in question from upstream or gentoo mirrors" - so why not simply comment there at that post, at that time and simply ask maybe I would share the tarballs?

    Otherwise tbh I think in this particular case the format works great to convey precisely the ...mess that there is. And at any rate, your time is really way better spent on more useful things than cleaning all this installation-mess up (without a clearly fixed, unchanging environment, the installation will still remain a mess, no matter how clean the new recipe).

    Comment by Diana Coman — 2019-10-28 @ 22:05

  2. I should have asked, yes. Thinking back on it, at the time I was optimizing along a different line than you - finding which version would be most manageable to inspect internally in the event that I had to - I wasn't all that motivated to pursue a specific version just because it was known to work in your environment. Though writing this, it sounds dumb because the cost to ask was minimal and potential benefits of sharing a common version unexplored.

    Glad to move on from this one. Except ugh, I found two mismatched sub-list items ("I later find where they're hidden", "Apache has a mod_remoteip"); I'll just make an update to fix those.

    Comment by Jacob Welsh — 2019-10-29 @ 18:42

  3. [...] Mircea Popescu's Wordpress, which amount to an approximation of the changes I've been running since initial setup of Fixpoint, reground to build upon subsequent improvements by billymg and Diana [...]

    Pingback by Selection and other sundries for MP-WP « Fixpoint — 2020-05-11 @ 05:43

  4. I finally got around to switching footnotes to the standard double-parentheticals from prior <fn> and [[ special-snowflakeisms, for both Fixpoint and Dorion Mode where I had propagated the configuration. I went to some lengths to make sure everything came out right -- easy enough for his, while my own turned up fun meta-instances like this one to be escaped -- but I'd appreciate the note should you find anything amiss.

    The procedure was, roughly:

    1. Make a SQL dump for backup purposes. Search and manually replace things that conflict with the new delimiter. For instance,

    mysql mpwp_db_name -e "select id from posts where post_content like '%((%';"

    2. Edit wp-content/plugins/footnotes.php, find the preg_match_all call, and replace the opening and closing delimiter options in its regex with ones that cover both your old and new delimiters (following the pattern it already uses for allowing <footnote>).

    3. Bulk replace the old with new delimiters, for instance:

    mysql mpwp_db_name -e "update posts set post_content = replace(replace(post_content, '<fn>', ' (('), '</fn>', '))')"

    Comment by Jacob Welsh — 2020-12-01 @ 19:34

  5. you know how to make a new line in a footnote ?

    I'm not sure how the obvious answer didn't occur to either of us at the time - I guess the non-documentation situation really is that bad - but at any rate: you can indeed use explicit br and p tags if you're that sort of a masochist, but then again you can just hit "Return" like a normal person. Once for line break, twice for paragraph break, all the same whether in footnotes, body text or comments.

    Comment by Jacob Welsh — 2021-03-09 @ 03:37

  6. I hope I can install MP-WP.

    Comment by Cristi — 2023-04-10 @ 08:33

  7. @Cristi: You can hope all you want, but if you want to make progress you'd still be better advised to ask questions and be specific.

    Comment by Jacob Welsh — 2023-04-12 @ 01:51

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by MP-WP. Copyright Jacob Welsh.