Forum OpenACS Q&A: Project Manager Problems

Collapse
Posted by vivian Aguilar on
I run into this error when i try to create tasks:

can't use non-numeric string as operand of "!"
    while executing
"if {!$edit_p} {
        # now set up dependency options

        for {set j 1} {$j <= $number} {incr j} {
            if {![string equal $current_numb..."
    (procedure "pm::task::options_list" line 38)
    invoked from within
"pm::task::options_list  -edit_p $edit_p  -task_item_id $task_item_id_arr($i)  -project_item_id $project_item_id_arr($i)  -dependency_task_ids "$my_dep..."
    ("for" body line 63)
    invoked from within
"for {set i 1} {$i <= $number} {incr i} {

    # ----------------------------------------------------------------
    # reading this code, you may wond..."
    ("uplevel" body line 623)
    invoked from within
"uplevel {
          ad_page_contract {

    Add/edit form for tasks

Collapse
Posted by Don Baccus on
The code should use "[string is false $edit_p]" because that works for all common boolean values (0, false, f) ...
Collapse
Posted by Jade Rubick on
Thanks for clarifying what this should be, Don. I'll fix this. More current versions of Tcl do not report an error for this code snippet.

I'm on vacation now, so I won't be able to get to this for a few days. If anyone else has commit access and wants to commit it, please do so.

Collapse
Posted by Don Baccus on
If they've changed "!" to use the same logic as "string is true/false" then there's no reason to change your code as long as it's not been TOO recently...

What version of Tcl brought forth this change?  People really do need to be using later 8.4's at least for performance if nothing else.

Currently we check for RDBMS versions but not Tcl versions ... perhaps we should check for "recent enough" Tcl as well ...

Collapse
Posted by Richard Hamilton on
Don, I think there are a number of people still using ad33.13 - I certainly am because I use nsunix so that I can keep identifiable browser request logs for each virtual server.

There are only two or three cases in Jade's application that I found causing a problem so it would be a shame to take a hard line on it.

Personally I would like very much to upgrade my Aolserver but as yet I have not had time to test out the virtual hosting - and ad33.13 with nsunix is so reliable that there really has not been any imperitive.

Do you know whether Aolserver 4 can be configured as proxy to pass the requests direct to each domain server as with nsunix (so that each server can log the requests in full), or would I be stuck with the old limitations of nssock?

Regards
Richard

Collapse
Posted by Andrew Piskorski on
If OpenACS is going to require Tcl 8.4.x, then it needs to require AOLserver 4.x as well, as the only pre-4.0 AOLserver version OpenACS supports is 3.3+patches, and 3.3 use Tcl 8.3.x, only.

So, when will OpenACS officially desupport AOLserver 3.x? It would be good to give folks one whole development cycle of warning. E.g., release OpenACS 5.2, then immediately announce that 5.3 will require AOLserver 4.x - something like that. Or if you're going to deprecate AOLserver 3.3+ad13 for the upcoming OpenACS 5.2 release, publicize the fact ASAP.

Collapse
Posted by Jeff Davis on
It was tip 51 which states 5.1 is the last one to support aolserver 3.0 and starting with 5.2 only aolserver 4.0+ will be supported.
Collapse
Posted by Ola Hansson on
I am in the same situation as Richard and I second that 3.3 ad13 is very reliable. Another reason why I personally still stick with 3.3, apart from the reasons Richard put forth, is that virtual hosting with Jerry Asher's nsvhr/nsunix allows you to shut one server down without necessarily and simultaneously bringing the other ones down. I find this feature quite important in at least some situations.

Are there alternatives to nsvhr out there that are documented and that let you do the same but with AOLserver 4?

Collapse
Posted by Steve Manning on
What about nsopenssl support for AOLS 4.0?

I've been using V3 Beta 17 on my development machine for some time now and it appears rock solid, but it is still officially beta so a move to AOLS 4 would mean that folks who want https would need to use the beta or stick to AOLS 3 and pre 5.2.

    - Steve

Collapse
Posted by Bart Teeuwisse on
I've been using nsopenssl 3.x in production for almost 6 months now and has been rock solid all that time. I don't think one should hold of migrating to AOLserver 4.x on behalve of nsopenssl.

/Bart

Collapse
Posted by Richard Hamilton on
OK, now having read tip51 I realise that I cannot claim not to have had ample notice of this development!

However, I am clearly not the only one using nsunix, and the two compelling reasons commonly cited for continuing to use ad33.13 with Jerry's patches are:

1) Independent server threads which means:
    i) Can restart each independently of the others
    ii) If one crashes for some reason (which does happen) it doesn't bring all of your sites crashing down with it.

2) Ability to log traffic by domain - essential if billing for bandwidth based on the server request logs.

I for one would be really grateful if someone who has implemented virtual hosting with Aolserver v4.0 can clarify whether or not these needs can be satisfied with v4.0. That would remove the obstacles to upgrading.

Andrew very kindly posted a comment on bugtracker:

'Richard, I don't think what you're saying about virtual servers is accurate. AFAIK, AOLserver 4.0 can do everything with virtual servers that 3.x, plus more. The "more" is the 1 process virtual server model, of course, but nothing forces you to do it that way. Again AFAIK, no virtual server functionality was lost with 4.0, only additional functionality gained. (I have not actually done it myself, but that's my understanding.) If you haven't already, try nsvhr/nssock first, not nsvhr/nsunix. nsunix has always been trickier and not very well supported.'

Has anyone actually done this yet? If not, looks like I'll be doing it and posting the results!!

Also, does anyone know when nsopenssl is going to become a released version?

In the meantime, while there are obstacles, and while applications such as the Project Manager are still developing at a rapid rate, it would be a shame to create major issues for people because of very minor syntactic incompatibilities. I do understand however that we would be better off exploiting Aolserver's built in internationalisation support asap.

Regards
Richard

Collapse
Posted by Richard Hamilton on
I have searched for as much documentation as I can find about virtual hosting in AOLserver v4 and still cannot find anything from anyone who has implemented it using seperate processes for each server.

This may sound mad, but has anyone actually tried loading nsunix and nsvhr into an AOLserver4 to see what happens? Or is this doomed to failure and too daft to seriously contemplate!?

R.

Collapse
13: Virtual Hosting (response to 12)
Posted by Chris Davies on
Well, there are a few ways to do AOLServer/OpenACS that I have stumbled across.

First, you can start a separate instance for each OpenACS installation, using 1 IP per installation.  For this, if you are using daemontools, you can just specify the initial tcl script for each instance.

Second, you can do the above, but use multiple ports on the same IP -- still having separate instances.  Then, you use Pound, http://www.apsis.ch/pound/  This is the method that Bart Teeuwisse advocates.

https://openacs.org/forums/message-view?message_id=169655

Or, you can run multiple instances using multiple ports, and use a slick little fix by Jade Rubick.

http://www.rubick.com:8002/openacs/easy_virtual_hosting

Or, you can use the virtual hosting built into AOLServer

http://www.panoptic.com/wiki/aolserver/98
also referenced
https://openacs.org/forums/message-view?message_id=189026

There are benefits and pitfalls to each method.  Currently I run a separate instance for two OpenACS installations that each have their own IP.  Then, I have five OpenACS instances running under one AOLServer instance on a 512mb machine and might consider pushing it too six OpenACS instances which I think is about the maximum practical limit for low-volume personal sites.

Collapse
Posted by Richard Hamilton on
Chris,

Thanks very much for the summary. It seems to me that the built in virtual hosting whilst convenient in some ways, and efficient in terms of resources is not scalable.

Certainly having multple domains running as children of the same process is not ideal. I run each service as a different user so that if any server is compromised the attacker can only damage one installation. The built in solution undermines this significantly.

Seems to me that, based on your answer, Pound is the solution to my needs - lightweight and functional, so I will work on setting up a test system of that - thank you.

There is one other issue that I thought I would comment on here and that is this issue of reverse proxying https. Now I initially wondered about this when setting up nsvhr, but then after much head scratching realised that it is a bit of a flawed notion. This is because you really only need to reverse proxy the initial contact with a site so that when someone types the domain name into their browser they are patched through to the Aolserver instance that is serving the domain that they requested. Once the connection with that server is established you might serve some public pages through the proxy until someone tries to access a restricted page. This will cause a redirect (if you have login restricted to ssl) to the /register page which will be at the address specified in the kernel parameters as [https://xxx.xxx.xxx.xxx:8443/].

The browser, has already done the domain lookup so still displays [https://www.domain.com:8443/register?return_urletc], but the advantage now is that all the traffic is direct to the domain server on its own port which avoids hammering the proxy by passing all requests through it. The only config change is to open up the firewall to allow direct connections on each of your https ports. This is in practical terms no less secure than having 1 https listener open - 1 open port or 100 open ports makes no difference if they are all attached to instances of the same software (i.e. if there is a security hole in your webserver, one open port is just as insecure as 100 open ports!).

So I hope that this can be done using pound and that the full request header will be logged in each server instance.

Many thanks - I'll post my results.

Regards
Richard

Collapse
Posted by Richard Hamilton on
I found this in one of the above threads:
____________________________________________________

Jon Griffin on Jul 07 2003 19:39:03  [ reply | forward ]

Pound doesn't play nice with OACS or, for that matter any server that allows html streaming. I would advise against using it (unless they changed this in the last couple of months which I doubt).
Your APM pages will break as well as some others. Sorry.

Bart Teeuwisse on Jul 07 2003 19:45:10  [ reply | forward ]

Jon,

you are absolutely right. While Pound is small and fast, it doesn't work well with HTML streaming. I merly pointed to Pound as an example of accepting SSL connections to virtual servers.

/Bart
_________________________________________________________

Does that mean that the package manager functionality breaks with pound? What is meant by HTML streaming? Is this still an issue or has it been fixed?

Regards
Richard

Collapse
16: Re: Virtual Hosting (response to 13)
Posted by Jade Rubick on
By the way, I think it would be easy to take my 'easy virtual hosting' document and create a package that did this for you. Then you could just mount the package, and it would take care of the rest. You could handle the port numbers, etc.. through parameters. This would be an extremely easy way to add extra servers on other ports.

Also, I've updated my easy virtual hosting document recently. I figured out how to overcome a major problem I was having.

Collapse
Posted by Bart Teeuwisse on
Richard,

this problem has been fixed in Pound 1.7. A current version of Pound works flawlessly w/ OpenACS including tDAV. Pound releases and the current development snapshot are available as tarballs from http://www.apsis.ch/pound/ or as a GNU Arch (http://wiki.gnuarch.org/) archive from the Code Mill (see http://www.thecodemill.biz/publications/blog/one-entry?entry_id=10095).

/Bart

Collapse
Posted by Richard Hamilton on
Thank you Bart and Jade, that's brilliant.
Collapse
Posted by C. R. Oldham on
Bart,

Which Linux distribution and version of OpenSSL are you using?

Collapse
Posted by Bart Teeuwisse on
C.R.,

I'm using Redhat Linux 7.3 & 8.0 and openssl 0.9.6b or later. I haven't tested Redhat Enterprise 3 enough to vouch for that distrubtion. Do you have reason to belief some distributions and/or openssl versions do not work w/ AOLserver 4.x and nsopenssl 3.x?

/Bart

Collapse
Posted by C. R. Oldham on
On Debian 3.0, kernel 2.4.22 with a backported OpenSSL 0.9.7 we were seeing runaway nsd threads that when stopped with 'gdb attach' seemed to be hanging up in a libssl function.  I thought Scott and I had stomped that one, and I was just checking before we go production with 4.0.5.
Collapse
Posted by Steve Manning on
CR,

Is that 'stomp' in nsopenssl beta 17? I've been running nsopenssl 3beta17 on openssl 0.9.7 on a late series 2.4 kernel and like Bart, I have had no problems tho it is a development server so its not exactly loaded at the moment.

    - Steve

Collapse
Posted by C. R. Oldham on
We are currently running the CVS version, which Scott told me had some fixes over beta 17.  I caught him on AIM the other day to ask if beta 17 might be the production release, and he said he was chasing a couple of other bugs with some other people, and his regular job had been getting in the way.  His goal was to try to finish up and release sometime in the next two weeks.
Collapse
Posted by Andrew Piskorski on
Ah, Tip 51 was from February, so long ago that I'd forgotten! Thanks Jeff, you guys did the right thing, with more than enough advanced notice.
Collapse
Posted by Steve Manning on
CR

Thats sounds good - we can view beta17 as a release candidate and look forward to the production release so,eti,e soon. All we have to do now is document the config for OACS. As your aware its a bit more sophisticated than v2. 😊

I'm happy to post a snippet of my config if people want to crib it. Its a simple beast just using one sslcontext but it seems to work.

    - Steve

Collapse
Posted by Jade Rubick on
Vivian, I believe this issue has been addressed. Please let me know if you see any similar errors.