4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-OSRFVERSION.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-OSRFVERSION.tar.gz
44 cd opensrf-OSRFVERSION/
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-bullseye` for Debian 11
68 * `debian-buster` for Debian 10
69 * `ubuntu-focal` for Ubuntu 20.04
70 * `ubuntu-jammy` for Ubuntu 22.04
72 Patches and suggestions for improvement from users of these distributions,
73 or others, are welcome!
75 When the prerequisite installer reaches the Perl module stage, you may
76 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
77 on your server. You can generally accept the defaults by pressing <return>
78 for all of the prompts, except for the country configuration.
80 Preamble: Developer instructions
81 --------------------------------
84 Skip this section if you are using an official release tarball downloaded
85 from https://evergreen-ils.org/opensrf-downloads/
87 Developers working directly with the source code from the Git repository,
88 rather than an official release tarball, must install some extra packages
89 and perform one step before they can proceed with the `./configure` step.
91 As the *root* Linux account, install the following packages:
97 As the *user* Linux account, issue the following command in the OpenSRF
98 source directory to generate the configure script and Makefiles:
101 ------------------------------------------------------------------------------
103 ------------------------------------------------------------------------------
105 Configuration and compilation instructions
106 ------------------------------------------
108 Use the `configure` command to configure OpenSRF, and the `make` command to
109 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
112 If you are building OpenSRF for Evergreen, issue the following commands as
113 the *user* Linux account to configure and build OpenSRF:
116 ---------------------------------------------------------------------------
117 ./configure --prefix=/openils --sysconfdir=/openils/conf
119 ---------------------------------------------------------------------------
121 By default, OpenSRF includes C, Perl, and JavaScript support.
123 If you are planning on proxying WebSockets traffic (see below), you
124 can add `--with-websockets-port=443` to specify that WebSockets traffic
125 will be going through port 443. Without that option, the default port
128 Installation instructions
129 -------------------------
131 1. Once you have configured and compiled OpenSRF, issue the following
132 command as the *root* Linux account to install OpenSRF:
135 ---------------------------------------------------------------------------
137 ---------------------------------------------------------------------------
139 Create and set up the opensrf Unix user environment
140 ---------------------------------------------------
142 This user is used to start and stop all OpenSRF processes, and must own all
143 files contained in the PREFIX directory hierarchy. Issue the following
144 commands as the *root* Linux account to create the `opensrf` user and set up
145 its environment, substituting <PREFIX> with the value you passed to `--prefix`
146 in your configure command:
148 .Creating the `opensrf` user
150 ---------------------------------------------------------------------------
151 useradd -m -s /bin/bash opensrf
152 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
154 chown -R opensrf:opensrf /<PREFIX>
155 ---------------------------------------------------------------------------
157 Define your public and private OpenSRF domains
158 ----------------------------------------------
160 For security purposes, OpenSRF uses Jabber domains to separate services
161 into public and private realms. Throughout these instructions, we will use
162 the example domains `public.localhost` and `private.localhost`.
164 On a single-server system, the easiest way to define public and private
165 domains is to define separate hostnames by adding entries to the `/etc/hosts`
166 file. Here are entries that you could add to a stock `/etc/hosts` file for our
169 .Example added entries for `/etc/hosts`
171 ---------------------------------------------------------------------------
172 127.0.1.2 public.localhost public
173 127.0.1.3 private.localhost private
174 ---------------------------------------------------------------------------
176 Adjust the system dynamic library path
177 --------------------------------------
179 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
180 `ldconfig` as the *root* Linux account.
182 On Debian and Ubuntu systems, run the following commands as the *root*
185 .Adjusting the system dynamic library path
187 ---------------------------------------------------------------------------
188 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
190 ---------------------------------------------------------------------------
192 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
193 create a file within the `/etc/ld.so.conf.d/` directory, and then run
194 `ldconfig` as the *root* Linux account.
196 Configure the ejabberd server
197 -----------------------------
201 It is recommended to disable the apparmor profile for ejabberd on *Ubuntu* before
202 continuing. If you are installing on any version of *Ubuntu*, run the following
203 commands as the *root* Linux account:
206 ---------------------------------------------------------------------------
207 ln -s /etc/apparmor.d/usr.sbin.ejabberdctl /etc/apparmor.d/disable/
208 apparmor_parser -R /etc/apparmor.d/usr.sbin.ejabberdctl
209 ---------------------------------------------------------------------------
212 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
213 the Jabber server of choice for the OpenSRF project. In most cases, you only
214 have to make a few changes to the default configuration file to make ejabberd
217 1. Stop ejabberd before making any changes to its configuration by issuing the
218 following command as the *root* Linux account:
222 ---------------------------------------------------------------------------
223 systemctl stop ejabberd.service
224 ---------------------------------------------------------------------------
226 2. Edit the ejabberd config file.
228 (Debian Buster / Ubuntu Focal) Ejabberd 18.x::
229 Open `/etc/ejabberd/ejabberd.yml` and make the following
231 a. Define your public and private domains in the `hosts` directive. For
235 ---------------------------------------------------------------------------
238 - "private.localhost"
240 ---------------------------------------------------------------------------
242 b. Change `starttls_required` to false
243 c. Change `auth_password_format` to plain
244 d. Change `shaper:` `normal` and `fast` values to 500000
245 e. Increase the `max_user_sessions:` `all:` value to 10000
246 f. Comment out the `mod_offline` directive
248 -----------------------
250 ##access_max_user_messages: max_user_offline_messages
251 -----------------------
253 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
255 -----------------------
257 -----------------------
259 (Debian Bullseye / Ubuntu Jammy) Ejabberd 21.x::
260 Open `/etc/ejabberd/ejabberd.yml` and make the following
262 a. Define your public and private domains in the `hosts` directive. For
266 ---------------------------------------------------------------------------
271 ---------------------------------------------------------------------------
273 b. Change `starttls_required` to false
274 c. Change `auth_password_format` to plain
275 d. Change all `shaper:` `normal` and `fast` values to 500000
276 e. Increase the `shaper_rules:` `max_user_sessions:` value to 10000
277 f. Comment out the `shaper_rules:` `max_user_offline_messages:` values
279 -----------------------
280 ##max_user_offline_messages:
283 -----------------------
285 g. Comment out the `mod_offline` directive
287 -----------------------
289 ##access_max_user_messages: max_user_offline_messages
290 -----------------------
292 h. Add the `mod_legacy_auth` directive under the `modules:` section
294 -----------------------
296 -----------------------
298 3. Restart the ejabberd server to make the changes take effect:
302 ---------------------------------------------------------------------------
303 systemctl start ejabberd.service
304 ---------------------------------------------------------------------------
306 Create the OpenSRF Jabber users
307 -------------------------------
309 On each domain, you need two Jabber users to manage the OpenSRF communications:
311 * a `router` user, to whom all requests to connect to an OpenSRF service
312 will be routed; this Jabber user must be named `router`
313 * an `opensrf` user, which clients use to connect to OpenSRF services; this
314 user can be named anything you like
316 Create the Jabber users by issuing the following commands as the *root* Linux
317 account. Substitute `<password>` for your chosen passwords for each user
320 .Creating the OpenSRF Jabber users
322 ---------------------------------------------------------------------------
323 ejabberdctl register router private.localhost <password>
324 ejabberdctl register opensrf private.localhost <password>
325 ejabberdctl register router public.localhost <password>
326 ejabberdctl register opensrf public.localhost <password>
327 ---------------------------------------------------------------------------
329 Update the OpenSRF configuration files
330 --------------------------------------
332 About the OpenSRF configuration files
333 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
334 There are several configuration files that you must update to make OpenSRF
335 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
336 `--sysconfdir` during the configuration phase.
338 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
339 OpenSRF installation supports; if you create a new OpenSRF service,
340 you need to add it to this file.
341 ** The `<hosts>` element at the bottom of the file lists the services
342 that should be started for each hostname. You can force the system
343 to use `localhost`, so in most cases you will leave this section
346 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
347 information that will be used for the system, as well as determining
348 logging verbosity and defining which services will be exposed on the
351 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
352 the `srfsh` interpreter to communicate with OpenSRF services.
354 Updating the OpenSRF configuration files
355 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
356 1. As the *opensrf* Linux account, copy the example configuration files
357 to create your locally customizable OpenSRF configuration files:
359 .Copying the example OpenSRF configuration files
361 ---------------------------------------------------------------------------
363 cp opensrf_core.xml.example opensrf_core.xml
364 cp opensrf.xml.example opensrf.xml
365 ---------------------------------------------------------------------------
367 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
368 / password pairs to match the Jabber user accounts you just created:
370 a. `<config><opensrf>` = use the private Jabber `opensrf` user
371 b. `<config><gateway>` = use the public Jabber `opensrf` user
372 c. `<config><routers><router>` = use the public Jabber `router` user
373 d. `<config><routers><router>` = use the private Jabber `router` user
374 3. Create a `.srfsh.xml` file in the home directory of each user
375 that you want to use `srfsh` to communicate with OpenSRF services. For
376 example, to enable the *opensrf* Linux account to use `srfsh`:
377 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
378 b. Open `~/.srfsh.xml` in your text editor of choice and update the
379 password to match the password you set for the Jabber `opensrf` user
380 at the `private.localhost` domain.
382 Starting and stopping OpenSRF services
383 --------------------------------------
385 To start all OpenSRF services with a hostname of `localhost`, issue the
386 following command as the *opensrf* Linux account:
389 ---------------------------------------------------------------------------
390 osrf_control --localhost --start-all
391 ---------------------------------------------------------------------------
393 To stop all OpenSRF services with a hostname of `localhost`, issue the
394 following command as the *opensrf* Linux account:
397 ---------------------------------------------------------------------------
398 osrf_control --localhost --stop-all
399 ---------------------------------------------------------------------------
401 Testing the default OpenSRF services
402 ------------------------------------
404 By default, OpenSRF ships with an `opensrf.math` service that performs basic
405 calculations involving two integers. Once you have started the OpenSRF
406 services, test the services as follows:
408 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
409 command as the *opensrf* Linux account:
411 .Starting the `srfsh` interactive OpenSRF shell
413 ---------------------------------------------------------------------------
415 ---------------------------------------------------------------------------
417 2. Issue the following request to test the `opensrf.math` service:
420 ---------------------------------------------------------------------------
421 srfsh# request opensrf.math add 2,2
422 ---------------------------------------------------------------------------
424 You should receive the value `4`.
426 Websockets installation instructions
427 ------------------------------------
429 1. Install websocketd (latest stable release from http://websocketd.com/)
433 ---------------------------------------------------------------------------
435 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
436 unzip websocketd-0.3.0-linux_amd64.zip
437 sudo cp websocketd /usr/local/bin/
438 ---------------------------------------------------------------------------
442 Choose option a or b, below.
445 ===========================================================================
446 websocketd does not offer a configurable inactivity timeout, meaning
447 websocket client connections will persist until each client disconnects
448 or the service is restarted. However, a timeout can be achieved with
449 the use of a proxy (option 'a' below). A proxy also allows websocketd
450 to be exposed to web clients on port 443 instead of its internal port,
451 which may simplify firewall configuration.
452 ===========================================================================
454 a. Run websocketd as 'opensrf'
457 ===========================================================================
458 This choice requires one of the proxy configurations mentioned below.
459 ===========================================================================
463 ---------------------------------------------------------------------------
464 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
466 # Other useful command line parameters include:
467 # --loglevel debug|trace|access|info|error|fatal
470 # --origin=host[:port][,host[:port]...]
472 # See https://github.com/joewalnes/websocketd/blob/master/help.go
473 ---------------------------------------------------------------------------
475 b. Run websocketd without a proxy
479 ---------------------------------------------------------------------------
480 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
481 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
482 ---------------------------------------------------------------------------
484 Optional Systemd Setup
485 ~~~~~~~~~~~~~~~~~~~~~~
487 Websocketd is a standalone program with no daemon mode, but can be implemented as a systemd service.
489 Copy <PREFIX>/examples/websocket-osrf.service.example into file /lib/systemd/system/websocketd-osrf.service
491 Then add & start the service.
494 --------------------------------------
495 sudo systemctl daemon-reload
496 sudo systemctl enable websocketd-osrf
497 sudo systemctl start websocketd-osrf
498 --------------------------------------
500 Optional: Using a web proxy (Apache 2.4 and above)
501 --------------------------------------------------
502 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
503 configured to read the IP address of the originating client instead
504 of the proxy IP address.
506 1. Enable mod_remoteip
509 ---------------------------------------------------------------------------
510 sudo a2enmod remoteip
511 ---------------------------------------------------------------------------
513 2. Enable remote IP settings by uncommenting and modifying as needed the
514 Apache configuration variables starting with RemoteIP* in the sample Apache
515 configuration file opensrf.conf.
517 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
518 and ensure that it is not listening on ports 80 and 443, then restart Apache.
520 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
521 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
525 ---------------------------------------------------------------------------
526 var WEBSOCKET_PORT_SSL = 7682;
527 ---------------------------------------------------------------------------
532 ---------------------------------------------------------------------------
533 var WEBSOCKET_PORT_SSL = 443;
534 ---------------------------------------------------------------------------
537 Optional: Using NGINX as a proxy
538 --------------------------------
539 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
540 reasons, this can be useful for Evergreen setups that want to have both
541 HTTPS and secure WebSockets traffic both go through port 443 while using
542 two Apache instances (one for the WebSockets gateway and one for the more
543 memory-intensive TPAC pages).
545 The following instructions are a guide for setting this up on Debian
546 and Ubuntu systems, but expect general familiarity with various system
547 administration and network tasks. The steps should be run as the *root*
548 Linux account, and assume that you already followed the instructions
549 for installing WebSockets support.
551 1. Install NGINX if not already present:
554 ---------------------------------------------------------------------------
555 apt-get install nginx
556 ---------------------------------------------------------------------------
558 2. Copy the example NGINX configuration file into place and remove default.
561 ---------------------------------------------------------------------------
562 cd /path/to/opensrf-OSRFVERSION
563 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
564 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
565 rm /etc/nginx/sites-enabled/default
566 ---------------------------------------------------------------------------
568 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
569 of the SSL certificate and private key.
570 4. Generate a dhparam file in the directory specified in the nginx config.
573 ---------------------------------------------------------------------------
574 # Default config stores dhparam.pem in the Apache2 ssl directory.
575 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
576 ---------------------------------------------------------------------------
581 ---------------------------------------------------------------------------
582 /etc/init.d/nginx start
583 ---------------------------------------------------------------------------
585 Optional: Using HAProxy as a proxy
586 ----------------------------------
587 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
588 as an alternative to NGINX.
590 The following instructions are a guide for setting this up on Debian
591 and Ubuntu systems, but expect general familiarity with various system
592 administration and network tasks. The steps should be run as the *root*
593 Linux account, and assume that you already followed the instructions
594 for installing WebSockets support.
596 1. Install HAProxy if not already present:
599 ---------------------------------------------------------------------------
600 apt-get install haproxy
601 ---------------------------------------------------------------------------
603 2. Append the example HAProxy to `haproxy.cfg`.
606 ---------------------------------------------------------------------------
607 cd /path/to/opensrf-OSRFVERSION
608 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
609 ---------------------------------------------------------------------------
611 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
612 of the PEM file containing the SSL certificate and private key.
616 ---------------------------------------------------------------------------
617 /etc/init.d/haproxy start
618 ---------------------------------------------------------------------------
623 Need help installing or using OpenSRF? Join the mailing lists at
624 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
625 on the Freenode IRC network on the #evergreen channel.