Setting Up Drupal 8 with a DigitalOcean Droplet

I've been a Drupal developer for four or five years now, and though I started on Drupal 6, I've mostly used Drupal 7. Drupal 8 has been a long time coming. I can remember Dries talking about it's imminent arrival back at DrupalCon Denver in early 2013. Well it's 2017 and Drupal 8 is now firmly in place and now seems as good a time as any to start experimenting and playing with it, hence this new blog.

I have a full-time job already as a web developer and my free time is pretty small, so I wanted to set this blog up as simply as possible: enter DigitalOcean. Though I used to do my hosting through Amazon EC2, DigitalOcean is now my preferred host. I like how dead simple and affordable it is. Besides, I just can't stomach looking at the acronym button cloud that is Amazon EC2 anymore. 

Back to DigitalOcean. Speaking of simplicity, their one-click install droplets are a tremendous time saver. I am fully versed in automated configuration using Ansible as well as automated Drupal site setups and configuration, a la DrupalVM. So, could I do all this myself? Sure. But for just kicking the tires, why not let DigitalOcean do the grunt work?

With that, here's a quick run-down about getting started with a Drupal 8 one-click install.

Launching a Drupal 8 Site in <10 Minutes

Getting started is silly easy, here are the steps I took:

  1. I followed the handy step-by-step tutorial from DigitalOcean on how to get the one-click install running. 
  2. I made sure that I enabled my two already saved ssh keys so that I could easily ssh into the new machine.
  3. Once the machine started, I opened iTerm (so much better than Terminal on a Mac) and ran ssh root@IP_ADDRESS
  4. I gained access that way easily and DigitalOcean gave me a password for an admin account, however, I didn't even use this, instead I ran drush uli admin and used the generated one-time login to get into the site (works just like D7! sweet!).
  5. I changed my admin account password.

And with that you have a running Drupal 8 site that you can login to and configure away!

But...

Security Problems

As lovely as it is to have a quick install, unfortunately there are a few security concerns:

Security Update Pending and Can't Run drush up

The one-click image actually has two small problems to overcome right away:

  1. You won't be able to run a lot of drush commands, like drush up
  2. You'll need to update Drupal core because (in my experience anyway) the installed version needs a security update

While issue 2 there is a severe problem, without being able to fix issue 1 you'd be forced to update Drupal manually. What are we? Cavemen? 

Here's how to fix the drush problem, with a hattip to this forum post.

After running drush up, you'll get the infamous error:

"Command pm-update needs a higher bootstrap level to run - you will need to invoke drush from a more functional Drupal environment to run this command."

The problem lies in a MySQL configuration file in your root user's home directory called .my.cnf. If you simply rename the file, the .my.cnf configuration will no longer supersede your Drupal database connection settings stored in settings.php. So, for example run:

mv /root/.my.conf /root/.my.conf.backup

Having a password stored in your .my.cnf is a nice useful trick for not having to enter a password anytime you enter into the MySQL CLI, but unfortunately it is no good for Drupal.

Another potential solution to this problem would be to leave the .my.cnf in place and actually create another user on your system that is less privileged than root as your default user to login as via ssh. This would be handy to handle the next problem too:

www-data is Both Owner and Group... for Your Entire Drupal Site!

This potentially even worse than the pending security update that is needed. With www-data (i.e., apache) owning everything, any file that provides write access to either owner or group is now vulnerable. To solve that, just create a new user in your OS (adduser command on Ubuntu) and make that the "Drupal owner." After that just follow the instructions provided by the community to secure your site's permissions.

Setup Security Update Emails

Before I got going writing this post, I made sure to check out the module update report email settings. This, to me, is a crucial configuration. Go to /admin/reports/updates/settings and make sure you are getting daily notification emails of any pending security updates. Ever since Drupalgeddon, we Drupal developers have become ever more vigilant about patching our instances as quickly as possible.

Wrapping Up

With that, you now have a more secure, drush-able and production ready one-click install Drupal instance on DigitalOcean. Easy peasy amiright? In a future post I'll talk about the other basic configurations I made to get the blog in even better shape. Thanks for reading.

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.