It’s worth noting that this post is largely a note to myself. As such, the instructions are tailored to my situation (which involves the DNS for my domains being hosted by Gandi and the servers for my domains being hosted by Linode (referral link)).

Anyway, if you’re transitioning a Let’s Encrypt certificate from one without a wildcard specification to one with a wildcard specification, the first thing you will want to do is get some information about your certificate; you can do this by running the following command:

sudo certbot certificates

This should give you some informative output about the certificates that you’ve installed with certbot. The output should look something like this:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: example.org
    Domains: example.org,git.example.org,shiny.example.org
    Expiry Date: 2018-06-05 22:10:00+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
-------------------------------------------------------------------------------

Next, you’ll want to use the certonly command to modify the certificate. This command has several options that you can use. First, you’ll want to specify the certificate name with --cert-name. If you’re transitioning an old certificate, you’ll want to use this flag to specify the same name as the certificate name that you just saw after running the command sudo certbot certificates. If you’re creating a new certificate, you can optionally use this flag to specify a name for the certificate; if you omit it, it will just use the first domain in the certificate as the name for the certificate.

After the certificate name, you’ll need to specify the domains that the certificate should be used for, which you can do with the --domains flag (or -d for short).

So, for the above certificate, where I previously had example.org, git.example.org, and shiny.example.org as domains, I now would only have example.org and *.example.org domains. The second one covers both of the previous subdomains: git.example.org and shiny.example.org. Note, however, that the wildcard *.example.org does not cover domains like adam.users.example.org; it only covers subdomains up to one level. If you wanted a subsubdomain for an arbitrary user, you’d need to add the domain *.users.example.org.

You’ll also need to ensure that you’re using a version of certbot ≥ 0.22.0. It is only since version 0.22.0 that certbot is compatible with version 2 of Let’s Encrypt’s ACME API, and it is only version 2 of this API that supports wildcard certificates. Moreover, the default API is still the first version of the API, so you’ll need to explicitly specify --server https://acme-v02.api.letsencrypt.org/directory, when running the command.

Relatedly, the only acceptable challenge for proving you own the domain when requesting a wildcard certificate is the DNS challenge, so you’ll also need to specify --preferred-challenges dns.¹

There are several DNS authenticator plugins for certbot; however, there is no authenticator plugin for Gandi, so I furthermore need to specify the --manual flag in order to do the authentication myself.

Putting this all together, you should run the following command:

sudo certbot certonly --cert-name example.org -d example.org,*.example.org --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual

You may then be asked to enter your email address (I think you’ll be asked if this is the first time using version 2 of the ACME API):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Go ahead and enter your email address.

Next, you’ll be asked to agree to the terms of service for version 2 of the API:

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

And then you’ll be asked whether you want to share your email address with EFF:

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-------------------------------------------------------------------------------
(Y)es/(N)o:

If you’re updating an old certificate that had subdomains that you’ve now dropped in favor of the wildcard specification, you’ll see a warning about the fact that you’re adding new domains and removing previously included domains. Review this information, and, if it looks correct, accept it by typing U:

-------------------------------------------------------------------------------
You are updating certificate example.org to include new domain(s):
+ *.example.org

You are also removing previously included domain(s):
- git.example.org
- shiny.example.org

Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel:

Next, you’ll see a warning about the fact that the IP address of your server will be logged as having publicly requested the certificate for your domain.

Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for example.org

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:

Finally, you will see instructions for deploying a DNS TXT record to verify that you own the domain(s) for the certificate that you’ve just requested. If the certificate is for multiple domains, you’ll need to deploy this TXT record for each domain. Minimally, you’ll be asked to create two TXT records for _acme-challenge.example.org: one is for the certification of example.org, and one is for the certification of *.example.org. Furthermore, if you’ve requested a wildcard certificate for subsubdomains, you’ll also need to deploy the TXT record for, e.g., _acme-challenge.users.example.org.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:

okzpb6F0pE8klBLVE4456jkwlUnNCC1SObMmhAu4qwe

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

After setting up the TXT record with your DNS provider (Gandi, in my case), you’ll need to wait for the DNS record to propogate before hitting Enter.² You can verify that the DNS record has propogated by running the nslookup command:

nslookup -type=TXT _acme-challenge.example.org

If the DNS record has not yet propogated, you should see this in the returned value:

[...]
Non-authoritative answer:
*** Can't find _acme-challenge.example.org: No answer
[...]

However, if the DNS record has propogated, you should see this in the returned value:

[...]
Non-authoritative answer:
_acme-challenge.example.org   text = "okzpb6F0pE8klBLVE4456jkwlUnNCC1SObMmhAu4qwe"
[...]

Again, if you’re creating a certificate that covers multiple domains, you’ll need to do this for each domain, and the value that you need to specify for the TXT record will be different for each domain.

If everything succeeds, you’ll see the following output:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.org/privkey.pem
   Your cert will expire on 2018-05-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The last thing to do, at least in my case, is to restart my web server. In my case, that’s nginx, so I just run:

sudo /etc/init.d/nginx restart

Feel free to comment with any questions! I’m happy to try to help out as best I can. 🤓 However, like I said, this particular post is largely intended as a note to self, and some aspects of this process are dependent on your particular setup; nonetheless, I’m happy to help if I can!

Notes

This post will cover how to set up a MySQL container and how to hook it up to talk to the psiTUrk container, using Docker Compose.

Setting up the MySQL Docker container

Luckily, setting up the Docker container for MySQL container is very straightforward. You don’t have to do anything! There are a variety of official Docker images that are publicly available on DockerHub, and MySQL has such an official publicly available image.

All that you have to do is configure the MySQL usernames and passwords, which we will do in a file called docker-compose.yml. As the name of the file suggests, this is where we begin to start using Docker Compose.

Using Docker Compose

Ultimately, we want the docker-compose.yml file to have the following content:

version: '3'
services:
  db:
    image: mysql:5.7
    volumes:
     - ./data/db:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: psiturk
      MYSQL_DATABASE: participants
      MYSQL_USER: user
      MYSQL_PASSWORD: password

  psiturk-example:
    build: .
    links:
     - db
    ports:
     - 22362:22362
    volumes:
     - ./psiturk-example:/psiturk
    tty: true
    stdin_open: true
    restart: always

This is a file that uses the YAML markup to give Docker Compose some information to work with. Specifically, it tells Docker Compose to run two services, one called db, and one called psiturk-example (you can name these whatever you want).

db service

Let’s start with the db service. The information for the db service in the YAML file says to use the latest mysql image as the base image for the Docker container. Next, it says to mount the directory /data/db from your current directory to the volume /var/lib/mysql inside the Docker container. /var/lib/mysql is where MySQL usually stores its data, so this means that the data written to MySQL will be mirrored inside the folder ~/psiturk-example/data/db on your Linode server (assuming that you run Docker Compose from the directory ~/psiturk-example).

Next, Docker Compose is instructed to always restart the db service in case it shuts down for any reason. And, finally, some environment variables are declared for use inside of the MySQL container. You will not be able to run the container without declaring these environment variables. Note that you should probably change the values of these environment variables for security reasons; don’t just use the values that are used in this blog post! ☠

psiturk-example service

Next, let’s take a look at the psiturk-example service. First, rather than specifying an image, we tell Docker Compose to build the base image for the psiturk-example container from any Dockerfile that it finds in the current directry (i.e., .). Thus, we will want to put this file in the same directory as the Dockerfile that we created in the previous post. If you were following the instructions exactly from the last post, this means that you will want to create the docker-compose.yml file in the folder ~/psiturk-example on your Linode server.

The Docker Compose file next sets up a link to the db service so that the psiturk-example container can talk to the MySQL database. We will come back to this below, because we will need to modify the config.txt file in psiTurk so that it uses this database. But let’s first finish exploring the docker-compose.yml file.

Next, Docker Compose is instructed to publish the 22362 port of the container to the 22362 port of the host computer (i.e., your Linode server), just like we did in the previous post, except that here, we’re specifying this in a file, rather than on the command line.

Moreover, just as we published the port in the previous post, we also want to map the folder ~/psiturk-example/psiturk-example on the host computer to the /psiturk folder inside of the container. This is done in the next line of the docker-compose.yml file.

Likewise, we want to ensure that a pseudo-TTY is allocated inside the container and that the STDIN pipe is kept open, which are the next two lines in the docker-compose.yml file. And, finally, Docker Compose is also instructed to restart this container if it is accidentally stopped for any reason.

Creating the file

Now that we understand what the docker-compose.yml file does, let’s actually create it. On your Linode server, make sure you’re inside the project directory. You can get there by running the command cd ~/psiturk-example. From here, you can copy and paste the following command in order to create the docker-compose.yml file (this command uses heredocs, which you can read about if you’re not familiar with them):

cat << EOF > docker-compose.yml
version: '3'
services:
  db:
    image: mysql:latest
    volumes:
     - ./data/db:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: psiturk
      MYSQL_DATABASE: participants
      MYSQL_USER: user
      MYSQL_PASSWORD: password

  psiturk-example:
    build: .
    links:
     - db
    ports:
     - 22362:22362
    volumes:
     - ./psiturk-example:/psiturk
    tty: true
    stdin_open: true
    restart: always
EOF

Changing config.txt

We’re almost there! Before we can actually run the experiment, we need to change the config.txt file so that it knows how to access the MySQL database. In the file ~/psiturk-example/psiturk-example/config.txt there should be a line that says:

database_url = sqlite:///participants.db

We want to change this to:

database_url = mysql://user:password@db:3306/participants

Of course, you’ll want to replace user, password, and participants with whatever values you’ve given for the environment variables MYSQL_USER, MYSQL_PASSWORD, and MYSQL_DATABASE in the docker-compose.yml file. In other words, the value for the database_url should look like this, with the values in angle brackets replaced appropriately:

mysql://<MYSQL_USER>:<MYSQL_PASSWORD>@db:3306/<MYSQL_DATABASE>

The db:3306 part refers to the db service that Docker Compose runs, and 3306 is the default port for MySQL.

You can replace this value in config.txt on your Linode server by running the following command:¹

sed -i 's/database_url = sqlite:\/\/\/participants.db/database_url = mysql:\/\/user:password@db:3306\/participants/' ~/psiturk-example/psiturk-example/config.txt

Now that the psiTurk container is able to connect to the database, we can start both containers with Docker Compose. ✨

Running Docker Compose

Again, make sure that your docker-compose.yml file is in the same directory as your Dockerfile, since Docker Compose will try to build the psiturk-example service from the Dockerfile in the current directory. Specifically, if you’ve been following along, both of these files should be in the directory ~/psiturk-example.

So, make sure you’re in that directory by running cd ~/psiturk-example. Then, you can start all of the services that are specified in the docker-compose.yml file by running docker-compose up -d. The up command creates and starts containers, and the -d flag runs them in the background.

You can see which containers are being run by Docker Compose, with the docker-compose ps command, and you can stop all services being run with the docker-compose stop command. In general, you can run docker-compose --help to see more information about the available commands.

Starting the experiment

Once you’ve started your two services with docker-compose, you can attach to the psiTurk container in order to start the experiment. docker-compose will automatically name the containers for the services that have been started based on the directory name. It will most likely name the psiTurk container something like psiturkexample_psiturk-example_1, for example.

You can attach to this container by running the following command:

docker attach psiturkexample_psiturk-example_1

It might appear as if the command is hanging and not doing anything; however, this is not the case (see here for an explanation). Just hit ENTER a second time after running the docker attach command in order to get to the shell prompt of the psiTurk container.

Then, just like we did in the previous post, you can start the psiTurk shell by running the command psiturk inside of the container. You will then see something like the following:

And from here you can create and run your experiment! One final important thing to note is that when running an experiment, you’ll want to make sure that the container is still running and that psiturk is running inside of it. After you’ve deployed your experiment via the psiTurk shell from inside of the container, you can detach from the container and leave it running in the background by hitting CTRL+p and then CTRL+q.²

That’s it for this post! As always, please feel free to comment with any questions! And, if you do sign up for a Linode account, please consider signing up using my referral link. Thanks! 🐙

Notes

This post will cover how to run the psiTurk example experiment inside of a Docker container.

Setting up the psiTurk Docker container

Now that we have Docker installed, let’s work on setting up the psiTurk Docker container. First, create a directory for your experiment on your Linode server:

mkdir ~/psiturk-example

Next, change to the newly created directory and create a file called Dockerfile in that directory:

cd ~/psiturk-example
touch Dockerfile

A Dockerfile is a set of instructions for building Docker images. An image is the basis for a container. You can think of a running Docker container as an instance of a Docker image. (See this Stack Overflow question for more discussion.) The set of instructions in the Dockerfile is what allows this process to be automated and reproducible.

Now, we want to create a Docker image that runs psiTurk and serves our experiment. I’ve already created a publicly available Docker image with psiTurk that can be used as the basis for other Docker images, so the Dockerfile that we have to create is pretty simple, consisting of only two lines. In the end, your Dockerfile should look like this:

FROM adamliter/psiturk:latest
VOLUME ["/psiturk"]

You can add the above content to your Dockerfile by running the following command:

echo -e 'FROM adamliter/psiturk:latest\nVOLUME ["/psiturk"]' > Dockerfile

The FROM instruction tells Docker to build the image on top of the publicly available image called adamliter/psiturk:latest, which is an image that contains the latest version of psiTurk.

The VOLUME instruction tells Docker to expect the user to map a folder from the host computer to the folder /psiturk inside the Docker container. This will allow you to edit the experiment files on the host computer (i.e., the Linode server) and have these changes automatically reflected inside the container itself! 🎈

Now that you have your Dockerfile set up, go ahead and run the following command:

docker build -t <YOUR_USERNAME>/psiturk-example .

The docker build command is used to build images from Dockerfiles. The -t flag allows you to specify the name of the image. If you ever intend on making this publicly available on DockerHub, you should replace <YOUR_USERNAME> with the username for your DockerHub account. If you don’t have a DockerHub account and/or don’t intend to ever make it publicly available, it’s still a good idea to replcae <YOUR_USERNAME> with something. You could use the same username as the account on your Linode server that you’re currently signed in to. Finally, the . at the end of the command just tells docker to look for a Dockerfile in the current directory.

After this runs, you’ll now have a Docker image containing psiTurk and a prespecified place for where you ought to mount your experiment files. Let’s move on to generating and setting up the experiment files.

Setting up the experiment files

For the purposes of this blog post, we’re just going to use the default experiment from psiTurk, which you can generate with the psiTurk command psiturk-setup-example. However, you currently don’t have Python installed on your Linode server, much less psiTurk! But Python and psiTurk are installed inside the Docker image that you just built! 👀

Let’s see how we can take advantage of that fact. First, make sure that your ~/psiturk-example directory only contains the Dockerfile:

ls ~/psiturk-example

The ls command should just return Dockerfile. Next, run the following command from inside of the ~/psiturk-example directory. You can run the command cd ~/psiturk-example first, if you want to make sure you’re in that directory:

cd ~/psiturk-example
docker run -i -t --rm --name psiturk-example -p 22362:22362 -v $(pwd):/psiturk <YOUR_USERNAME>/psiturk-example

Let’s break down the docker run command, starting from the back. The part at the very end of the command (<YOUR_USERNAME>/psiturk-example) is the name of image that is the basis for the container that you’re instantiating and running (remember, a container is a running instance of an image). So, whatever you named your image in the command above, you’ll want to make sure that it is the same name here.

The next part is the -v flag. This is short for --volume, and it is what allows you to map a directory on the host folder to a directory inside the container. In this case, $(pwd) is being mapped to the folder /psiturk inside of the container. $(pwd) is a command that evaluates to your current working directory, which should be something like /home/<YOUR_USERNAME>/psiturk-example.

The -p flag (short for --publish) “publishes” a port from the container to a port on the host computer. Like with the -v flag, the part on the left side of the : is for the host computer, and the stuff on the right side of the : is for the container. Mapping port 22362 on the host computer to port 22362 of the container just means that the traffic on port 22362 of the host computer will be passed to port 22362 of the Docker container.¹

The next part from the back of the command is --name psiturk-example. This one is pretty straightforward. The --name flag allows you to specify a name for the container. In principle, it could be whatever you want it to be. It doesn’t have to be related to the name of the image (which is <YOUR_USERNAME>/psiturk-example), but it is nonetheless often convenient to give the container a name that is related to the image, which is why I’ve named the container psiturk-example.

Working backwards still, the next part of the command is --rm. The --rm flag simply means that the container will be automatically removed when it is exited. This helps reduce clutter so you don’t accidentally end up with a bunch of running Docker containers that you’ve long since forgotten about.

Lastly, the -i and -t flags to the docker run command are related, so I will talk about them together. The -t flag allocates a psuedo-TTY, which basically just means that you are given a shell where you can execute commands inside of the Docker container. The -i flag keeps the STDIN pipe open if you detach from the running Docker container, meaning you can reattach to the container and continue executing commands in that same shell.

After running this command, you should now be looking at a shell prompt that looks something like this:

root@66e24f5bfce1:/psiturk#

This means you’re signed in as root to the machine 66e24f5bfce1, and you’re currently in the directory /psiturk (the alphanumeric string that is the name of your container will be different for you). Congratulations, you’re inside the Docker container! 🔧  🎉

Remember that this container includes both Python and psiTurk, so we can run psiTurk commands. In particular, run the following command from inside of the Docker container:

psiturk-setup-example

This will create a directory called psiturk-example, which contains the experiment files for the example experiment that ships with psiTurk.

You should also see a message indicating that a file called ~/.psiturkconfig was created. I’ve configured the Docker container that your Docker container is built on top of to expect the .psiturkconfig file to be in the same directory as the experiment files. So, go ahead and move it there by running the following command from inside of the Docker container:

mv ~/.psiturkconfig /psiturk/psiturk-example/

After doing that, go ahead and disconnect from the Docker container by either typing exit and hitting ENTER or by hitting CTRL+d on the keyboard.

You should now be back at a shell prompt for your Linode server. If you run the command docker ps to show all containers, you won’t see any containers since the container you were just in was configured to remove itself (--rm) when you disconeccted from it. So did we lose the files that we just created inside of the container?!

Nope, those files live on the host computer, your Linode server. This is because we mapped the folder ~/psiturk-example on your Linode server to the folder /psiturk inside of the container. All changes inside the container appear on the host machine, and vice-versa.

If you run the command ls ~/psiturk-example, you should see:

Dockerfile psiturk-example

And if you run the command ls ~/psiturk-example/psiturk-example, you should see:

config.txt  custom.py  herokuapp.py  herokuapp.pyc  Procfile  requirements.txt  runtime.txt  static  templates

Yes, you do have a folder called psiturk-example inside of a folder called psiturk-example, but so it goes … ¯\_(ツ)_/¯

The folder ~/psiturk-example/psiturk-example is what contains the experiment files for the example experiment that psiTurk automatically generated.

Let’s go ahead and make one small edit to the config.txt file in that folder. In the config.txt file, there’s a line that says host = localhost. I’ve never had any luck getting psiTurk to work with this default setting. Instead, we’re going to change this line to say host = 0.0.0.0.

Since the files were all created by the root user inside the Docker container, your user currently does not have sufficient permission to edit the files. Go ahead and change the ownership of the files by running the following command on your Linode server (replacing both instances of your_username with the username for your account on your Linode server):

sudo chown -R your_username:your_username ~/psiturk-example

Now you can edit the config.txt file to change the line to say 0.0.0.0 for the host. Do so by running the following command on your Linode server:

sed -i 's/host = localhost/host = 0.0.0.0/' ~/psiturk-example/psiturk-example/config.txt

We are now finally ready to try out the example experiment! To do so, restart the docker container. Note that the command this time is going to be slightly different!

cd ~/psiturk-example
docker run -i -t --rm --name psiturk-example -p 22362:22362 -v $(pwd)/psiturk-example:/psiturk <YOUR_USERNAME>/psiturk-example

The command is almost the same, except that this time, you’re mapping $(pwd)/psiturk-example on the host computer to /psiturk inside of the container (instead of just $(pwd)). The /psiturk directory inside of the container should contain the experiment files; you don’t want to have the experiment files nested one directory down. So we want to map the nested psiturk-example directory on the host machine to the /psiturk directory inside of the container.

You should now be looking at a shell prompt for the Docker container, and if you run the ls command you should see the experiment files:

config.txt  custom.py  herokuapp.py  herokuapp.pyc  Procfile  requirements.txt  runtime.txt  static  templates

Go ahead and start the psiTurk shell by running the command psiturk inside of your Docker container. You should now see something like the following:

Again, this tutorial series assumes familiarity with how psiTurk works, so if you’re not familiar with the psiTurk shell, I suggest you spend some time reading the psiTurk documentation.

Once the psiTurk shell is running, type the command server on from inside of the psiTurk shell:

server on

If all goes well, you should see a message that says:

Now serving on http://0.0.0.0:22362

This means that the psiTurk example experiment is accessible on port 22362 of the Docker container … which is published to port 22362 of your Linode server … which is publicly accessible … which means that you can access the example experiment by navigating to the following URL in a browser: http://<LINODE_IP_ADDRESS>:22362 (replacing <LINODE_IP_ADDRESS> with the static IP address of your Linode server)! 🙌  🍾

As exciting is this is, you might want to wait on popping the champagne. (Sorry, I got ahead of myself.)

We still need to set up a MySQL Docker container and hook it up to the psiTurk experiment, which will be covered in the next post.

For now, go ahead and turn the psiTurk server off by running the following command:

server off

Then hit CTRL+d twice in order to exit the psiTurk shell and then the Docker container.

That’s it for this post! In the final post of this series, I’ll cover how to set up a Docker container for MySQL and hook everything together. As always, please feel free to comment with any questions! And, if you do sign up for a Linode account, please consider signing up using my referral link. Thanks! 🤓

Notes

This post will cover how to install Docker and Docker Compose, which we will use to run the two programs necessary for deploying an experiment with psiTurk: MySQL and psiTurk itself.

This picks up from the previous post, where we configured a virtual private server on Linode.

What is Docker and why use it?

Docker is a software container platform. What this means is that Docker allows you to run programs inside of containers that are isolated from the host computer. Docker allows you to specify how exactly to build the container, which helps ensure that the program you want to run inside of the container has access to everything it needs.

This is useful for several reasons. For example, it ensures that the program runs exactly the same way on two completely different computers; it also allows you to automate the creation of a new development or production environment. (For more information, head over to Docker’s website.)

There’s also a Docker tool called Docker Compose, which allows you to run multiple containers on the same host machine in an automated and coordinated manner. Using Docker Compose will thus allow for deploying both a database and psiTurk itself on the Linode server that you’ve set up.

The application stack: MySQL and psiTurk

As you may know, with psiTurk it is necessary to hook your experiment up to a database so that you can record the data from participants as they participate. By default, psiTurk is configured to use SQLite, which is not the most robust database. Particularly, it is a bad idea to use SQLite when you actually deploy your experiment to Amazon Mechanical Turk. SQLite won’t do well if multiple people are doing the experiment at the same time; you might lose data. Instead, you want to use MySQL, which is a more robust database.

In addition to running MySQL, you’ll also need to run psiTurk itself. Creating a Docker container for each of these programs will be covered later in the series. This post focuses on installing docker and docker-compose.

Installing Docker

If you’re not already logged in to your Linode account that you set up in the previous post, go ahead and log in to it using SSH (again, replace the 0’s with your server’s IP address and your_username with your username):

ssh your_username@00.000.000.00

Next, you can install Docker by curl-ing and running a script that the Docker folks maintain for installations:

curl -sSL https://get.docker.com/ | sh

At the end, you’ll probably see a message suggesting that you add yourself to the newly created docker group. Doing so would allow you to run docker commands without having to use sudo. If you do decide to do this, you can add yourself to the docker group by running the following command (replacing your_username with your username):

sudo usermod -aG docker your_username

In order for this to take effect, you’ll need to log out and log back in.

Next, you’ll need to install Docker Compose. This is done by curl-ing a file from GitHub and saving it to your server, after which you’ll need to give it executable permissions. You’ll want to download the latest version of Docker Compose, which you can find by following this link. After you follow that link, you should see some commands to execute. At the time of writing, the most recent version of Docker Compose is 1.15.0, so the first command to run is:

sudo bash -c "curl -L https://github.com/docker/compose/releases/download/1.15.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose"

If you’re reading this in the future, the command will likely be slightly different in order to reflect the most recent version. You’ll have to change the version number after /download/ in the URL. Moreover, note that the command above is slightly different than what is suggested on the GitHub release page. There, they just suggest the part of the command which is in quotes above. However, since the results of the curl are being redirected to the file /usr/local/bin/docker-compose, you’ll need root permissions in order to save the file because /usr/local/bin is a directory that is owned by root. This isn’t quite as simple as just running sudo curl ... > /usr/local/bin/docker-comopose because that only executes the curl command as root. It doesn’t do the redirecting (>) as root. To get the redirect to happen with root permissions, you’ll need to run sudo bash -c "COMMAND HERE", replacing COMMAND HERE with the redirected curl command.

And just to note one last time: if you’re reading this in the future, you will again want to follow this link in order to get the latest version.

Next, after curl-ing the file, you’ll need to make it executable with the following command:

sudo chmod +x /usr/local/bin/docker-compose

Now you should be able to run the docker-compose command. Congrats!

In the next post in the series, you’ll learn how to set up the psiTurk Docker container.

Please feel free to comment with any questions! And, if you are finding this information helpful, please consider signing up for Linode using my referral link. Thanks! 🙇

This first post will cover setting up a server to host the experiment. If you’re unfamiliar with psiTurk, psiTurk is, according to the documentation:

designed to help you run fully-customized and dynamic web-experiments on [Amazon Mechanical Turk]. Specifically, it allows you to:

1. Run a web server for your experiment
2. Test your experiment
3. Interact with [Amazon Mechanical Turk] to recruit, post [Human Intelligence Task]s, filter, and pay participants ([Amazon Mechanical Turk] workers)
4. Manage databases and export data

psiTurk also includes a powerful interactive command interface that lets you manage most of your [Amazon Mechanical Turk] activity.

In brief, psiTurk allows you to deploy more customized experiments to Amazon Mechanical Turk. Fair warning, however: the following tutorial assumes that you are relatively familiar with psiTurk. It also assumes that you are comfortable with a little bit of programming and using the command line on a computer.

In this first post, I will cover how to set up a web server, which is where you will eventually run psiTurk.

Why a webserver?

First, let’s start with the question of why you need a web server to run your experiment. There are at least two reasons. The first is that by using a web server, you will (most likely) receive a static IP address.

If you’re unfamiliar with IP addresses, these are basically the phone numbers of the internet. Each device that is connected to the internet receieves an IP address. Moreover, URLs like https://google.com are actually translated into an IP address when you go to visit that website. At the time of writing this blog post, https://google.com gets translated into the IP address 172.217.8.14. So when you go to https://google.com, you’re actually connecting to a computer whose IP address is 172.217.8.14. I’m not sure about you, but, for me, the URL is a lot easier to remember than the IP address.

Now, what’s important about a static IP address is that, well, it’s static; it doesn’t change. With the proliferation of computing devices, there are way more devices connecting to the internet than there are possible IP addresses. Thus, most personal computing devices end up receiving a dynamic IP address from the internet service provider, based on what IP addresses are available at the time when the device happens to connect to the internet. (With routers, it’s a bit more complicated than this, but that’s outside the scope of this blog post.)

So having a static IP address for your computer (or server) that is running psiTurk will make things easier. Specifically, when you recruit people on Amazon Mechanical Turk, you can point your participants to a single address, without having to worry about that address possibly having changed since you posted your experiment to Amazon Mechanical Turk.¹

So how do you get a static IP address? If you pay for a virtual private server, you will most likely get a static IP address. There are several companies that offer virtual private servers, including Linode and Digital Ocean. Both of these companies do give you a static IP address when you pay for a virtual private server.

One alternative you may wish to consider is the possibility of receiving a static IP address from your university. It is quite likely that your university can provide you with a static IP address for a particular computer. Then, you could configure a computer in your lab to have that static IP address and to run psiTurk. This is not something I will cover in this series since doing this is dependent upon the IT infrastructure of your university as well as the operating system of the computer you choose to use. If you do decide to do this, all future posts in this blog series should nonetheless still be relevant and helpful.

A second reason you might wish to pay for a web server is because you can pay for the resources you need. If you look at the different pricing options for Linode, for example, you’ll see that you can pay for more memory, more CPUs, more storage, and more bandwidth. In particular, if you’re running a large experiment, you might wish to consider a web server over a personal computer with a static IP address from your university because you’re likely to get better bandwidth through a company like Linode.

I happen to use Linode, not Digital Ocean, so the rest of this blog post will cover how to set up a Linode account and provision a virtual private server of our own.

Getting a Linode account

If you find this blog post or any other posts in this series useful, I encourage you to sign up for Linode using my referral link. If you choose to use the referral link, thank you! 🎉   If you’d rather not, no worries! 😎  I hope you still find this information useful.

Creating a Linode

After you create an account, you’ll need to create a Linode. Linode actually has really good documentation for how to get started, so I recommend that you follow the instructions in their documentation for provisioning a server.

I’d recommend that you choose to use the most recent version of Ubuntu, which is one of the more popular versions of Linux.

Connecting to and configuring the server

The following instructions are largely taken out of the “Getting Started with Linode” guide. Especially if this blog post is old, I’d recommend that you simply read that guide.

However, since the guide tries to be generic for all possible operating systems, I’ve pulled out the instructions for Ubuntu and put them in this blog post in an effort to be more helpful and condense the information that you need in order to get started. Moreover, you’ll minimally need to read the end of this blog post where you learn which port you’ll need to open up for incoming connections for psiTurk.

Anyway, once you’ve provisioned and booted up your server from the Linode interface, you’ll want to connect using SSH. SSH is a protocol for connecting from one computer to another, using the command line.

In order to connect, you’ll need to know the IP address of your Linode server, which you can find from the Linode website:

In the example image shown, you’ll want to use the IPv4 address, which is 96.126.108.123. Of course, you’ll want to use the address you see in your browser, not the address from this image!

To connect to your new server, open a command line and run the command, replacing the 0’s with the IP address of your server:

ssh root@00.000.000.00

You’ll be given an authenticity warning, to which you should answer yes. Then, you’ll be prompted for a password. Enter the password for the root user that you created in the provisioning process.

Now, the first thing you’ll want to do to configure the server is install software updates. You can do this on Ubuntu by running the following commands:

apt-get update -y && apt-get upgrade -y

Next, you’ll need to set the hostname of the computer. If you’re using a version of Ubuntu equal to or more recent than 15.04, you can do this with the following command, replacing giraffe with whatever you want the name of your server to be:²

hostnamectl set-hostname giraffe

After this, you can also set up the correct timezone using the command:

dpkg-reconfigure tzdata

Securing your server

You’ll also want to do some work to secure your server. The following is also largely taken from the Linode documentation for “Securing Your Server”, but I’ve pulled out just the parts that are relevant for Ubuntu. Again, however, if you’re reading this far in the future, you may wish to refer to the Linode documentation directly.

You’ll first want to create a non-root user, which you can do with the following command, replacing your_username with whatever user name you want:

adduser your_username

You’ll then want to add the user to the sudo group, replacing your_username with the name of the user that you just created:

adduser your_username sudo

Next, you need to do some things on your personal computer, so disconnect from the server:

exit

Currently, you can connect to the server using the password of the user that you just created, but it’s safer to only allow access with SSH keys, not passwords.

To do this, you’ll want to create an SSH keypair on your personal computer. This creates two files: a public key and a private key. You’ll want to upload the public key to your server, and you’ll want to keep the private key safe on your computer.

To create the keypair, use the following commands on your personal computer (not the server!), replacing COMMENT HERE with a comment of your choice (such as the name of your personal computer):

mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096 -C "COMMENT HERE"

The ssh-keygen command will prompt you for some information, including where to save the keypair and what passphrase to give the keypair. The passphrase is used to unlock your private key, which is stored in an encrypted format on disk. Choose a strong passphrase, and I’d recommend using the default location for the keypair of ~/.ssh/id_rsa. This will save the public key to the file ~/.ssh/id_rsa.pub, and the private key to the file ~/.ssh/id_rsa.

Next, you’ll need to reconnect to the Linode server so you can upload your public key, replacing your_username with the name of the user you created and the 0’s with the IP address of your server:

ssh your_username@00.000.000.00

For now, you’ll still login with your password for that user, but this is what we will be changing momentarily.

On the server, you’ll also need to create an ~/.ssh directory and set the right permissions. Moreover, you’ll create a file called authorized_keys, which is where you’ll put your public key from your personal computer:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Now, in your command line program, open another window or tab so that you have two shell sessions running. In the second shell session (which should not be connected to your server), run the following command:

cat ~/.ssh/id_rsa.pub

This will print the contents of the file ~/.ssh/id_rsa.pub to the screen, which you can then copy and paste into the following command. This command should be executed in the first shell session that is still connected to your server, replacing the CONTENTS OF id_rsa.pub FILE with what you just copied and pasted from the other shell sesssion:

echo "CONTENTS OF id_rsa.pub FILE" >> ~/.ssh/authorized_keys

Here’s a screenshot of what you need to do, in case it is helpful (I’ve blurred out the details of my own key):

You should now be able to connect to your server using your SSH keypair. Next, we want to configure things so that you can only connect using your SSH keypair and so that you can only connect as a non-root user. To do this, you’ll need to edit the file /etc/ssh/sshd_config, which you can do using the nano text editor.

You’ll need to open the file with root privileges, so run the following command:

sudo nano /etc/ssh/sshd_config

Find the line that says PermitRootLogin and change it to the following (or, if the line does not exist, create it):

PermitRootLogin no

Similarly, find the line that says PasswordAuthentication and change it to the following (or, again, if the line does not exist, create it):

PasswordAuthentication no

You can close the file with CTRL+x, after which you will be prompted to save the file, which you can do by typing y, and then hitting ENTER to save it. To cause these changes to go into effect, you’ll need to restart the SSH service:³

sudo systemctl restart sshd

The last thing you’ll want to do to secure your server is to configure a firewall. This will allow you to determine which types of connections to allow. This is easiest to do with a program called ufw (uncomplicated firewall). Linode also has documentation for ufw, which you might wish to refer to, especially if this blog post is old.

However, the Linode documentation cannot tell you which ports you’ll need to open for psiTurk to work. Specifically, you’ll want to allow incoming connections on ports 22 (for SSH connections) and 22362 (for psiTurk).

To do this using ufw, you’ll first need to install ufw on your server with the following commands:

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install ufw

Next, as a starting point, make everything restrictive by allowing all outgoing connections and denying all incoming connections:

sudo ufw default allow outgoing
sudo ufw default deny incoming

As mentioned, the two ports that you want to allow incoming connections on are ports 22 and 22362. To do this, run the following commands:

sudo ufw allow 22
sudo ufw allow 22362

To enable these new firewall settings, run the following command:

sudo ufw enable

And that’s it! Now you have a Linode virtual private server with a static IP address. In the next post of the series, “Using Docker Compose to run psiTurk and MySQL”, I will cover how to set up psiTurk.

Remember, if you found this information helpful, please consider signing up for Linode using my referral link. 🖖

And please feel free to comment with any questions!

Notes

Let’s Encrypt now supports wildcard certificats, and there is an updated post on Atomic Writing called “Using a wildcard domain specification with a Let’s Encrypt SSL certificate” that goes over how to get a Let’s Encrypt wildcard certificate.

In January of 2018, Let’s Encrypt will begin supporting wildcard certificates. Until then, it’s still necessary to update a certificate file in order to add any new subdomains.

This blog post is largely intended as a note to self about how to update my Let’s Encrypt certificate for my personal website. But if you, like me, find yourself in the position of needing to expand your certificate to include another subdomain, hopefully you will find this post helpful.

The first thing you will want to do is get some information about your certificate, you can do this by running the following command:

sudo certbot certificates

This should give you some informative output about the certificates that you’ve installed with certbot. The output should look something like this:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: example.org
    Domains: example.org,git.example.org,shiny.example.org
    Expiry Date: 2017-11-14 22:10:00+00:00 (VALID: 79 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
-------------------------------------------------------------------------------

You’ll want to use the certonly subcommand for certbot to modify your certificate. You can specify which certificate with the --cert-name flag. You’ll also need to specify the --webroot-path (or -w, for short), indicating where the files for the website actually live. If this is multiple locations, you can use the -w flag multiple times (see the manual pages for more information).

The next thing you’ll want to do is indicate the domains for the certificate; this includes all of the domains for which the certificate is already valid as well as any new domains that you want to add to the certificate.

For example, say that you wanted to add the subdomain svn.example.org to the example.org certificate above. You can specify all old domains and the new domain using the --domains flag (or -d, for short). You can either specify the domains with the -d flag as a comma-separated list, or you can use multiple -d flags. Finally, since you’re adding a new subdomain, you’ll also want to give the --expand flag to the command.

Thus, putting it all together, you should run the following command to add svn.example.org to your example.org certificate:

sudo certbot certonly --cert-name example.org -w /var/www/example -d example.org,git.example.org,shiny.example.org,svn.example.org --expand

You will be prompted about how you’d like to authenticate:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

For this, I usually choose the second option.

Then, you’ll also be prompted about whether you really meant to add new domains to the certificate:

-------------------------------------------------------------------------------
You are updating certificate example.org to include domains: example.org,
git.example.org, shiny.example.org, svn.example.org

It previously included domains: example.org, git.example.org,
shiny.example.org

Did you intend to make this change?
-------------------------------------------------------------------------------
(U)pdate cert/(C)ancel:

Since this update is intentional, type U and hit ENTER.

Finally, restart your web server. In my case, I use nginx, so restarting it looks like this:

sudo /etc/init.d/nginx restart

Feel free to comment with any questions! I’m happy to try to help out as best I can. 🤓  However, like I said, this particular post is largely intended as a note to self, and some aspects of this process are dependent on your particular setup; nonetheless, I’m happy to help if I can!