A few weeks ago we announced that we were adding a way to deploy updates to a production October CMS installation without needing to run Composer or access the server via SSH, which suits environments such as shared hosting. Today we are happy to announce that the plugin is ready for you to use in your October CMS developer environments. The plugin uses the latest features of the platform and is compatible with version 2.0 and above.
Here is a screencast that demonstrates the new deployment plugin:
Why We Built This Plugin
When we launched the next generation of the October CMS platform, we made the decision to remove the one click updater and wizard installer. This is a concept that is over 10 years old and was born in a time when Composer did not exist.
Now that software reuse is finally here, it has brought an enormously positive transformation for software developers. This is the driver behind our commitment to using Composer as a first class citizen moving forward.
There are some challenges that we face with this move:
Combining two package managers (October gateway and Composer) no longer makes sense
Some shared hosting environments cannot run Composer
It is through these challenges that we find innovation. We built the deployment plugin as a solution to deploying your website to micro instances and shared environments that do not support Composer natively.
How It Works
The concept of the deployment plugin is almost identical to the Wizard installer and one click updater, except it operates in reverse. Instead of your server pulling updates from the October gateway, your development environment pushes the updates to your server. This is important for two reasons: you have complete control over what is deployed and you no longer depend on the October CMS gateway.
In some cases, we found that developers were using projects and the one click updater as their primary method of deployment. The new process is more aligned with modern development techniques and looks like this:
Install October CMS locally with Composer
Test and build the website, including themes and plugins
Upload the Deploy plugin Beacon files via FTP (4 small files)
Install October CMS or update remotely via the plugin
Select components that you want to deploy, e.g. the platform core, plugins, themes, configuration, etc.
There are distinct benefits to this:
The deploy plugin no longer forces a "one size fits all" approach to the platform code.
If your server needs specific libraries or configuration, or has a customized plugin, you can make sure it is all deployed with one click.
You can match your entire stack locally with the stack you have on your server to ensure stability.
The deploy plugin logic bypasses the framework, so if your remote server crashes, the plugin can still continue to deploy files.
The plugin ships with a console emulator so you can easily run PHP code to inspect or patch your server without needing shell access.
The plugin can be used to upgrade major versions, for example, upgrading from v1 to v2.
A Note On Security
From a security perspective, we have taken extreme care when designing this solution and use the industry standard of RSA public key cryptography, which is the same technology that secures almost every internet application. We encourage you to audit the script that is used by this plugin. For extra safety, this feature is an optional plugin and not included in the core version of October CMS.
Some key points in the security design:
A private key is needed to deploy to the server
The private key is stored only on the developer’s machine
The private key is never sent across the internet
The private key is not stored on the remote server
When a deployment happens, a command is sent to the server and cryptographically signed by the private key. The command and its signature are sent across the internet. The server uses the public key to verify the signature and accept the command. Therefore, commands are only accepted from the holder of the private key.
If the message is intercepted, it doesn't matter since it only contains the signature and the private key cannot be determined from this. If the server is compromised, it doesn't matter since it only contains the public key and the private key cannot be determined from this. You can learn more about public key cryptography and one-way functions by watching this video on Diffie-Hellman Key Exchange.
Just like a local SSH key that you might use to access GitHub, it is important that you protect the private keys located on your computer so the system remains secure.
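The sign-and-verify flow described above, sketched in PHP with the OpenSSL extension. This is an added example, not code from the Deploy plugin: the JSON envelope, the field names, the deployFiles command name and the 300-second freshness window are assumptions made for illustration.

```php
<?php
// Added example. The JSON envelope, field names and 300-second freshness
// window are assumptions of this sketch, not RainLab.Deploy's wire format.

// Developer machine: sign the command together with a timestamp.
function signCommand(string $privatePem, string $cmd, array $params, int $now): array
{
    $payload = json_encode(['cmd' => $cmd, 'params' => $params, 'ts' => $now]);
    if (!openssl_sign($payload, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return ['payload' => base64_encode($payload), 'signature' => base64_encode($signature)];
}

// Server: holds only the public key. Returns the decoded command or null.
function verifyCommand(string $publicPem, array $message, int $now, int $maxAge = 300): ?array
{
    $payload = base64_decode($message['payload'] ?? '', true);
    $signature = base64_decode($message['signature'] ?? '', true);
    if ($payload === false || $signature === false) {
        return null;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error).
    // Compare strictly with 1: -1 is truthy in a loose check.
    if (openssl_verify($payload, $signature, $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    // Parse only after the signature has been checked.
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['cmd'], $data['ts'])) {
        return null;
    }
    // Reject messages outside the freshness window.
    return abs($now - (int) $data['ts']) <= $maxAge ? $data : null;
}

// Constructed demo: throwaway 2048-bit key pair generated in memory.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

$now = time();
$msg = signCommand($privatePem, 'deployFiles', ['target' => 'themes'], $now);
var_dump(verifyCommand($publicPem, $msg, $now) !== null);          // genuine message

$tampered = $msg;
$tampered['payload'] = base64_encode(str_replace('themes', 'config', base64_decode($msg['payload'])));
var_dump(verifyCommand($publicPem, $tampered, $now) !== null);     // payload altered in transit
var_dump(verifyCommand($publicPem, $msg, $now + 3600) !== null);   // same message an hour later
```

When auditing a verifier of this kind, check that the signature covers every field the server acts on and that the result of openssl_verify() is compared strictly against 1.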
How to Install the Deployment Plugin
The deployment plugin is available today and you can start using it with October CMS v2.0 and above.
Run the command php artisan plugin:install RainLab.Deploy
Navigate to Settings > Deploy
Click Create Server and enter a name for the server with the URL
Generate a new RSA key
Begin your first deployment
The complete source code for the plugin is available on GitHub and it is free to use for all October CMS customers.
Where to Get Help/Support
We hope you enjoy using this new plugin from the October CMS team. If you need help deploying to your server, don't hesitate to send us an email.
On January 14, 2022, we were made aware that some Ukrainian government websites running on October CMS were targeted by hackers. The hackers replaced the website's home pages with a political message. The Ukrainian Ministry of Digital Transformation has announced that there was no data leak.