Skip to content

Commit bc3d552

Browse files
committed
Merge origin/main into feat/cli-dev-environment-docs
2 parents 5705c40 + 2ffbdeb commit bc3d552

15 files changed

Lines changed: 619 additions & 176 deletions

File tree

.wordlist.txt

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,6 +143,7 @@ CSP
143143
CSPs
144144
CSRF
145145
CSV
146+
CVEs
146147
CacheClearCommand
147148
CacheInvalidator
148149
CacheInvalidatorS
@@ -417,6 +418,7 @@ ExtensionAPI
417418
FLAC
418419
FPM
419420
FQCN
421+
FQDN
420422
FastRoute
421423
Fastly
422424
Fastly's
@@ -470,6 +472,7 @@ GoogleReCaptchaV
470472
Grafana
471473
Grantable
472474
GridHelper
475+
Grype
473476
GuestWishlistPage
474477
GuestWishlistPagelet
475478
HMAC
@@ -676,6 +679,7 @@ Nvidia
676679
OAuth
677680
OData
678681
OIDC
682+
OOM
679683
OPENSEARCH
680684
ORM
681685
ORMs
@@ -1059,6 +1063,7 @@ TreePath
10591063
TreePathField
10601064
TreeSelect
10611065
TriggerReload
1066+
Trivy
10621067
TwigJS
10631068
TypeDetector
10641069
TypeError
@@ -1456,6 +1461,7 @@ eslintrc
14561461
et
14571462
eu
14581463
everytime
1464+
evictable
14591465
evolvability
14601466
exampler
14611467
explainer

guides/hosting/index.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,10 @@ nav:
88

99
Setting up an operating environment for Shopware can be hard, but it doesn't have to be if you follow some general guidelines in the subsequent sections.
1010

11+
:::info
12+
This page covers the recommended application stack and supported versions. For the physical machine requirements of your workstation or server, see the [system requirements](../installation/system-requirements.md) guide.
13+
:::
14+
1115
## Recommended stack and supported versions
1216

1317
The following versions and configurations are officially supported for Shopware 6 development:

guides/hosting/infrastructure/rate-limiter.md

Lines changed: 36 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,31 @@ This functionality is available starting with Shopware 6.4.6.0.
1515

1616
Shopware 6 provides certain rate limits by default that reduces the risk of brute-force attacks for pages like login or password reset.
1717

18+
These rate limiters are always active. You do not need to add the `shopware.api.rate_limiter` map to your `shopware.yml` for them to work. The core already ships with the defaults documented below, and the `shopware.yml` is only used to override them (for example, to raise a limit or disable a limiter).
19+
20+
## Default rate limiters
21+
22+
The following limiters are enabled by default. The values listed here reflect the current Shopware core configuration and may change between versions. When in doubt, the source of truth is `src/Core/Framework/Resources/config/packages/shopware.yaml` in the version you are running.
23+
24+
| Limiter | Protects | Since | Policy | Reset | Limits |
25+
|-------------------------------|---------------------------------------------------------------------|----------|------------------|----------|------------------------------------------------------------|
26+
| `login` | Storefront / Store-API customer authentication | 6.4.6.0 | `time_backoff` | 24 hours | 10 / 10s, 15 / 30s, 20 / 60s |
27+
| `guest_login` | Storefront / Store-API after-order guest authentication | 6.4.6.0 | `time_backoff` | 24 hours | 10 / 10s, 15 / 30s, 20 / 60s |
28+
| `oauth` | API OAuth authentication / Administration login | 6.4.6.0 | `time_backoff` | 24 hours | 10 / 10s, 15 / 30s, 20 / 60s |
29+
| `reset_password` | Storefront / Store-API customer password reset | 6.4.6.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
30+
| `user_recovery` | Administration user password recovery | 6.4.6.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
31+
| `contact_form` | Storefront / Store-API contact form | 6.4.6.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
32+
| `notification` | Store-API notification endpoint | 6.4.8.0 | `time_backoff` | 24 hours | 10 / 10s, 15 / 30s, 20 / 60s |
33+
| `newsletter_form` | Store-API newsletter registration | 6.4.16.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
34+
| `cart_add_line_item` | Adding line items to the cart | 6.4.18.0 | `system_config` | 1 hour | Limit read from `core.cart.lineItemAddLimit`, interval 60s |
35+
| `revocation_request_form` | Store-API revocation request form | 6.7.9.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
36+
| `newsletter_unsubscribe_form` | Store-API newsletter unsubscribe | 6.7.9.0 | `time_backoff` | 24 hours | 3 / 30s, 5 / 60s, 10 / 90s |
37+
| `app_shop_verify` | App shop registration verification | 6.7.9.0 | `sliding_window` | n/a | 60 / 60min |
38+
| `mcp_admin_api` | MCP server Admin API access (keyed per OAuth token) | 6.8.0.0 | `time_backoff` | 1 hour | 300 / 60s, 1000 / 10min |
39+
| `mcp_store_api` | MCP server Store API access (keyed per sales-channel context token) | 6.8.0.0 | `time_backoff` | 1 hour | 120 / 60s, 600 / 10min |
40+
41+
In the table above, `Limits` uses the `limit / interval` notation, and `s` / `min` are seconds / minutes. When you add a new default limiter to the core, add a row here with its introduction version so this table stays complete.
42+
1843
## Configuration
1944

2045
The configuration for the rate limiter of Shopware 6 resides in the general bundle configuration:
@@ -26,19 +51,13 @@ The configuration for the rate limiter of Shopware 6 resides in the general bund
2651
└── shopware.yml
2752
```
2853

29-
To configure the default rate limiters for your shop, you need to add the `shopware.api.rate_limiter` map to the `shopware.yml`. Under this key, you can separately define the rate limiters.
54+
To override the [default rate limiters](#default-rate-limiters) for your shop, you need to add the `shopware.api.rate_limiter` map to the `shopware.yml`. Under this key, you can separately define each rate limiter. Any key you set is merged into the defaults, so you only need to configure the values you want to change.
3055

31-
In the following, you can find a list of the default limiters:
56+
The following example disables the `login` limiter and overrides the `oauth` limiter:
3257

33-
- `login`: Storefront / Store-API customer authentication.
34-
- `guest_login`: Storefront / Store-API after order guest authentication.
35-
- `oauth`: API oauth authentication / Administration login.
36-
- `reset_password`: Storefront / Store-API customer password reset.
37-
- `user_recovery`: Administration user password recovery.
38-
- `contact_form`: Storefront / Store-API contact form.
58+
::: code-group
3959

40-
```yaml
41-
// <shop root>/config/packages/shopware.yaml
60+
```yaml [SHOP_ROOT/config/packages/shopware.yaml]
4261
shopware:
4362
api:
4463
rate_limiter:
@@ -55,6 +74,8 @@ shopware:
5574
interval: '60 seconds'
5675
```
5776
77+
:::
78+
5879
::: info
5980
The following optional limiters are available starting with Shopware 6.7.10.0.
6081
:::
@@ -70,8 +91,9 @@ The `time_backoff` policy is built by Shopware itself. It enables you to throttl
7091
Below you can find an example which throttles the request for 10 seconds after 3 requests and starting from 5 requests it always
7192
throttles for 60 seconds. If there are no more requests, it will be reset after 24 hours.
7293

73-
```yaml
74-
// <plugin root>/src/Resources/config/rate_limiter.yaml
94+
::: code-group
95+
96+
```yaml [PLUGIN_ROOT/src/Resources/config/rate_limiter.yaml]
7597
example_route:
7698
enabled: true
7799
policy: 'time_backoff'
@@ -82,3 +104,5 @@ example_route:
82104
- limit: 5
83105
interval: '60 seconds'
84106
```
107+
108+
:::

guides/hosting/infrastructure/redis.md

Lines changed: 12 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ nav:
77

88
# Redis
99

10-
[Redis](https://redis.io/docs/latest/get-started/) is an in-memory data storage, that offers high performance and can be used as a cache, message broker, and database. It is a key-value store that supports various data structures like strings, hashes, lists, sets, and sorted sets.
10+
[Redis](https://redis.io/docs/latest/get-started/) is an in-memory data storage that offers high performance and can be used as a cache, message broker, and database. It is a key-value store that supports various data structures like strings, hashes, lists, sets, and sorted sets.
1111
Especially in high-performance and high-throughput scenarios it can give better results, than relying on a traditional relational database.
1212
Therefore, multiple adapter exists in shopware, to offload some tasks from the DB to Redis.
1313

@@ -16,8 +16,8 @@ However, as the data that is stored in Redis differs and also the access pattern
1616
The data stored in Redis can be roughly classified into those three categories:
1717

1818
1. Ephemeral data: This data is not critical and can be easily recreated when lost, e.g., caches.
19-
2. Durable, but "aging" data: This data is important and cannot easily be recreated, but the relevance of the data decreases over time, e.g. sessions.
20-
3. Durable and critical data: This data is important and cannot easily be recreated, e.g. carts, number ranges.
19+
2. Durable, but "aging" data: This data is important and cannot easily be recreated, but the relevance of the data decreases over time, e.g., sessions.
20+
3. Durable and critical data: This data is important and cannot easily be recreated, e.g., carts, number ranges.
2121

2222
Please note that in current Redis versions, it is not possible to use different eviction policies for different databases in the same Redis instance. Therefore, it is recommended to use separate Redis instances for different types of data.
2323

@@ -30,29 +30,33 @@ For key eviction policy you should use `volatile-lru`, which only automatically
3030

3131
The caching data (HTTP-Cache & Object cache) is what should be stored in this instance.
3232

33+
::: warning
34+
A cache Redis reaching its memory limit is normal — `volatile-lru` keeps evicting least recently used keys that have a TTL set to make room. The problem is having too many keys **without** a TTL: `volatile-lru` can only evict keys that have one. Symfony's tag-aware cache adapter stores tag-index sets without a TTL, and they accumulate orphaned entries over time. If they are never pruned, they leave Redis with too little evictable data, and it runs out of memory. See [Cache tags and keys without a TTL](../performance/caches#cache-tags-and-keys-without-a-ttl) for how to detect and prune them.
35+
:::
36+
3337
<PageRef page="../performance/caches" />
3438

3539
## Durable, but "aging" data
3640

37-
As the data stored here is durable and should be persistent, even in the case of a Redis restart, it is recommended to configure the used Redis instance that it will not just keep the data in memory, but also store it on the disk. This can be done by using snapshots (RDB) and Append Only Files (AOF), refer to the [Redis docs](https://redis.io/docs/latest/operate/oss_and_stack/management/persistence/) for details.
41+
As the data stored here is durable and should be persistent, even in the case of a Redis restart, it is recommended to configure the used Redis instance that it will not just keep the data in memory but also store it on the disk. This can be done by using snapshots (RDB) and Append Only Files (AOF), refer to the [Redis docs](https://redis.io/docs/latest/operate/oss_and_stack/management/persistence/) for details.
3842

39-
`allkeys-lru` should be used as key eviction policy here, as by default more recent data is more important than older data, therefore the oldest values should be discarded, when Redis reach the max memory.
43+
`allkeys-lru` should be used as key eviction policy here, as by default more recent data is more important than older data, therefore, the oldest values should be discarded, when Redis reach the max memory.
4044

4145
The session data is what should be stored in this instance.
4246

4347
<PageRef page="../performance/session" />
4448

4549
## Durable and critical data
4650

47-
Again this is durable data, that can not easily be recreated, therefore it should be persisted as well.
51+
Again, this is durable data that cannot easily be recreated, therefore, it should be persisted as well.
4852

4953
As the data is critical, it is important to use a key eviction policy that will not delete data that is not expired, therefore `volatile-lru` should be used.
5054

51-
The cart, number range, lock store and increment data is what should be stored in this instance.
55+
The cart, number range, lock store, and increment data are what should be stored in this instance.
5256

5357
## Configuration
5458

55-
Starting with v6.6.8.0 Shopware supports configuring different reusable Redis connections in the`config/packages/shopware.yaml` file under the `shopware` section:
59+
Starting with v6.6.8.0, Shopware supports configuring different reusable Redis connections in the`config/packages/shopware.yaml` file under the `shopware` section:
5660

5761
```yaml
5862
shopware:

guides/hosting/installation-updates/deployments/build-w-o-db.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
---
22
nav:
33
title: Building Without Database
4-
position: 20
4+
position: 25
55

66
---
77

8-
# Building Assets of Administration and Storefront without a Database
8+
# Building Administration and Storefront Assets Without a Database
99

1010
It is common to prebuild assets in professional deployments to deploy the build artifact assets to the production environment. This task is mostly done by a CI job that doesn't have access to the production database. Shopware needs access to the database to look up the installed extensions/load the configured theme variables. To be able to build the assets without a database, we can use static dumped files. All extensions need to be required by Composer to be able to be loaded by the `ComposerPluginLoader`.
1111

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
---
2+
nav:
3+
title: Deployment Helper Troubleshooting
4+
position: 20
5+
6+
---
7+
8+
# Deployment Helper Troubleshooting
9+
10+
This page highlights common failures when running `vendor/bin/shopware-deployment-helper run`, and provides guidance for resolving them. For the full command, configuration, and environment-variable reference, see [Deployment Helper](deployment-helper.md).
11+
12+
## Getting more detail
13+
14+
`run` returns a non-zero exit code on failure and prints each step's output. Read the output above the failure to find the failing command, and re-run that Shopware console command directly (for example, `bin/console system:update:finish`) to see its full error.
15+
16+
## The deploy fails to reach the database
17+
18+
**Symptom:** the run ends with a database connection error, or `Could not connect to database`.
19+
20+
The helper waits for the database, retrying up to 10 times with a one-second pause between attempts. If it still cannot connect, it fails.
21+
22+
Check if:
23+
24+
- `DATABASE_URL` is correct and reachable from the deploy environment (host, port, credentials).
25+
- the database service is actually up before the helper runs. In container setups, order startup so the database is ready, or add your own wait.
26+
- TLS is required, and `DATABASE_SSL_CA` / `DATABASE_SSL_CERT` / `DATABASE_SSL_KEY` are set. To bypass server-certificate verification (non-production only), set `DATABASE_SSL_DONT_VERIFY_SERVER_CERT`. See [Environment variables](deployment-helper.md#environment-variables).
27+
28+
## A step times out on a large shop
29+
30+
**Symptom:** a step is killed after 300 seconds.
31+
32+
Each step has a timeout (default 300s). Raise or disable it:
33+
34+
```bash
35+
vendor/bin/shopware-deployment-helper run --timeout=900
36+
# or disable entirely:
37+
vendor/bin/shopware-deployment-helper run --timeout=null
38+
```
39+
40+
You can also set `SHOPWARE_DEPLOYMENT_TIMEOUT` in the environment. The `--timeout` option takes precedence.
41+
42+
## Theme and assets were not pre-built in CI/CD
43+
44+
The deployment artifact must already contain the compiled theme and installed assets. In CI/CD, build the artifact with `shopware-cli project ci` and deploy that output.
45+
46+
At deploy time, run Deployment Helper with the theme and asset steps skipped so it only consumes the pre-built artifact:
47+
48+
```bash
49+
vendor/bin/shopware-deployment-helper run --skip-theme-compile --skip-assets-install
50+
```
51+
52+
If the Storefront is missing assets after deployment, fix the CI build artifact or upload step. Do not compensate by compiling the theme or installing assets during deployment.
53+
54+
## An update ran, but `system:update:finish` did not
55+
56+
This is expected. The update-finish/migration step runs only when the Shopware version actually changed. If you redeploy the same version, that step is skipped by design. To force it, deploy an actual version change.
57+
58+
## A one-time task keeps running every deploy
59+
60+
A one-time task is only recorded as done after it succeeds. If it keeps running, it is failing partway through. Check the deploy output for its error:
61+
62+
- Inspect state: `one-time-task:list`.
63+
- If the task's effect is already applied and you want to stop it: `one-time-task:mark <id>`.
64+
- To force a rerun: `one-time-task:unmark <id>`.
65+
66+
## A config setting seems to have no effect
67+
68+
Deployment Helper provides a configuration schema for `.shopware-project.yml`. Use it in your editor to validate the file while editing, so misspelled or misplaced keys are reported before deployment.
69+
70+
Check if:
71+
72+
- Your editor is using the schema and does not report any validation errors.
73+
- The key is nested under the correct section, for example `deployment:`.
74+
- You are editing the file the helper actually loads. If `SHOPWARE_PROJECT_CONFIG_FILE` or `--project-config` is set, that file wins over the auto-discovered one.
75+
- A `.shopware-project.local.yml` is overriding your value. Local files merge on top of the base file. See [Local configuration overrides](deployment-helper.md#local-configuration-overrides).
76+
77+
## Extensions aren't being installed or updated as expected
78+
79+
- Confirm `deployment.extension-management.enabled` is `true`.
80+
- Check the extension isn't listed under `exclude`, or set to `state: ignore` / `inactive` in `overrides`.
81+
- If extensions are managed by the Store or Administration instead, extension management may be intentionally disabled — reconcile the two so they don't fight. Prefer managing extensions from code (via Composer) or via the helper, not both. See [Extension management and Store-installed plugins](deployment-helper.md#extension-management-and-store-installed-plugins).
82+
83+
## Store login or license refresh fails
84+
85+
App installation and license refresh need valid Store credentials and a license domain. Verify:
86+
87+
- `SHOPWARE_STORE_ACCOUNT_EMAIL` and `SHOPWARE_STORE_ACCOUNT_PASSWORD` (or `SHOPWARE_STORE_SHOP_SECRET`) are set.
88+
- A license domain is set, via `deployment.store.license-domain` or `SHOPWARE_STORE_LICENSE_DOMAIN`.
89+
90+
## Fastly snippets aren't updating
91+
92+
Automatic snippet deployment during `run` only happens when:
93+
94+
- A `config/fastly` directory exists in the project, and
95+
- `FASTLY_API_TOKEN` and `FASTLY_SERVICE_ID` are set, and
96+
- `FASTLY_DISABLE_SNIPPET_UPDATE` is **not** set to `1`.
97+
98+
To manage snippets manually, use the `fastly:snippet:*` commands. See [Fastly integration](deployment-helper.md#fastly-integration).
99+
100+
## Need to completely reinstall
101+
102+
If an environment is broken beyond repair, force a clean `install` from scratch.
103+
104+
:::warning
105+
Setting `SHOPWARE_DEPLOYMENT_FORCE_REINSTALL=1` triggers a fresh `install` with `--drop-database`. This destroys existing data! Only use it in disposable environments, never in production.
106+
:::

0 commit comments

Comments
 (0)