4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-OSRFVERSION.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-OSRFVERSION.tar.gz
44 cd opensrf-OSRFVERSION/
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-buster` for Debian 10
68 * `debian-stretch` for Debian 9
69 * `debian-jessie` for Debian 8
70 * `ubuntu-xenial` for Ubuntu 16.04
71 * `ubuntu-bionic` for Ubuntu 18.04
73 Patches and suggestions for improvement from users of these distributions,
74 or others, are welcome!
76 When the prerequisite installer reaches the Perl module stage, you may
77 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
78 on your server. You can generally accept the defaults by pressing <return>
79 for all of the prompts, except for the country configuration.
81 Preamble: Developer instructions
82 --------------------------------
85 Skip this section if you are using an official release tarball downloaded
86 from https://evergreen-ils.org/opensrf-downloads/
88 Developers working directly with the source code from the Git repository,
89 rather than an official release tarball, must install some extra packages
90 and perform one step before they can proceed with the `./configure` step.
92 As the *root* Linux account, install the following packages:
98 As the *user* Linux account, issue the following command in the OpenSRF
99 source directory to generate the configure script and Makefiles:
102 ------------------------------------------------------------------------------
104 ------------------------------------------------------------------------------
106 Configuration and compilation instructions
107 ------------------------------------------
109 Use the `configure` command to configure OpenSRF, and the `make` command to
110 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
113 If you are building OpenSRF for Evergreen, issue the following commands as
114 the *user* Linux account to configure and build OpenSRF:
117 ---------------------------------------------------------------------------
118 ./configure --prefix=/openils --sysconfdir=/openils/conf
120 ---------------------------------------------------------------------------
122 By default, OpenSRF includes C, Perl, and JavaScript support.
124 If you are planning on proxying WebSockets traffic (see below), you
125 can add `--with-websockets-port=443` to specify that WebSockets traffic
126 will be going through port 443. Without that option, the default port
129 Installation instructions
130 -------------------------
132 1. Once you have configured and compiled OpenSRF, issue the following
133 command as the *root* Linux account to install OpenSRF:
136 ---------------------------------------------------------------------------
138 ---------------------------------------------------------------------------
140 Create and set up the opensrf Unix user environment
141 ---------------------------------------------------
143 This user is used to start and stop all OpenSRF processes, and must own all
144 files contained in the PREFIX directory hierarchy. Issue the following
145 commands as the *root* Linux account to create the `opensrf` user and set up
146 its environment, substituting <PREFIX> with the value you passed to `--prefix`
147 in your configure command:
149 .Creating the `opensrf` user
151 ---------------------------------------------------------------------------
152 useradd -m -s /bin/bash opensrf
153 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
155 chown -R opensrf:opensrf /<PREFIX>
156 ---------------------------------------------------------------------------
158 Define your public and private OpenSRF domains
159 ----------------------------------------------
161 For security purposes, OpenSRF uses Jabber domains to separate services
162 into public and private realms. Throughout these instructions, we will use
163 the example domains `public.localhost` and `private.localhost`.
165 On a single-server system, the easiest way to define public and private
166 domains is to define separate hostnames by adding entries to the `/etc/hosts`
167 file. Here are entries that you could add to a stock `/etc/hosts` file for our
170 .Example added entries for `/etc/hosts`
172 ---------------------------------------------------------------------------
173 127.0.1.2 public.localhost public
174 127.0.1.3 private.localhost private
175 ---------------------------------------------------------------------------
177 Adjust the system dynamic library path
178 --------------------------------------
180 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
181 `ldconfig` as the *root* Linux account.
183 On Debian and Ubuntu systems, run the following commands as the *root*
186 .Adjusting the system dynamic library path
188 ---------------------------------------------------------------------------
189 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
191 ---------------------------------------------------------------------------
193 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
194 create a file within the `/etc/ld.so.conf.d/` directory, and then run
195 `ldconfig` as the *root* Linux account.
197 Configure the ejabberd server
198 -----------------------------
200 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
201 the Jabber server of choice for the OpenSRF project. In most cases, you only
202 have to make a few changes to the default configuration file to make ejabberd
205 1. Stop ejabberd before making any changes to its configuration by issuing the
206 following command as the *root* Linux account:
208 .(Debian / Ubuntu Xenial / Ubuntu Bionic) Stopping ejabberd
210 ---------------------------------------------------------------------------
211 systemctl stop ejabberd.service
212 ---------------------------------------------------------------------------
214 2. Edit the ejabberd config file.
216 (Debian Jessie) Ejabberd 13.x and 14.x::
217 Open `/etc/ejabberd/ejabberd.yml` and make the following
219 a. Define your public and private domains in the `hosts` directive. For
223 ---------------------------------------------------------------------------
226 - "private.localhost"
228 ---------------------------------------------------------------------------
230 b. Change `shaper:` `normal` and `fast` values to 500000
231 c. Increase the `max_user_sessions:` `all:` value to 10000
232 d. Comment out the `mod_offline` directive
234 -----------------------
236 ##access_max_user_messages: max_user_offline_messages
237 -----------------------
239 (Debian Stretch / Ubuntu Xenial) Ejabberd 16.x::
240 Open `/etc/ejabberd/ejabberd.yml` and make the following
242 a. Define your public and private domains in the `hosts` directive. For
246 ---------------------------------------------------------------------------
249 - "private.localhost"
251 ---------------------------------------------------------------------------
253 b. Change `auth_password_format` to plain
254 c. Change `shaper:` `normal` and `fast` values to 500000
255 d. Increase the `max_user_sessions:` `all:` value to 10000
256 e. Comment out the `mod_offline` directive
258 -----------------------
260 ##access_max_user_messages: max_user_offline_messages
261 -----------------------
263 (Debian Buster / Ubuntu Bionic) Ejabberd 18.x::
264 Open `/etc/ejabberd/ejabberd.yml` and make the following
266 a. Define your public and private domains in the `hosts` directive. For
270 ---------------------------------------------------------------------------
273 - "private.localhost"
275 ---------------------------------------------------------------------------
277 b. Change `starttls_required` to false
278 c. Change `auth_password_format` to plain
279 d. Change `shaper:` `normal` and `fast` values to 500000
280 e. Increase the `max_user_sessions:` `all:` value to 10000
281 f. Comment out the `mod_offline` directive
283 -----------------------
285 ##access_max_user_messages: max_user_offline_messages
286 -----------------------
288 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
290 -----------------------
292 -----------------------
294 3. Restart the ejabberd server to make the changes take effect:
296 .(Debian / Ubuntu Xenial / Ubuntu Bionic) Starting ejabberd
298 ---------------------------------------------------------------------------
299 systemctl start ejabberd.service
300 ---------------------------------------------------------------------------
302 Create the OpenSRF Jabber users
303 -------------------------------
305 On each domain, you need two Jabber users to manage the OpenSRF communications:
307 * a `router` user, to whom all requests to connect to an OpenSRF service
308 will be routed; this Jabber user must be named `router`
309 * an `opensrf` user, which clients use to connect to OpenSRF services; this
310 user can be named anything you like
312 Create the Jabber users by issuing the following commands as the *root* Linux
313 account. Substitute `<password>` for your chosen passwords for each user
316 .Creating the OpenSRF Jabber users
318 ---------------------------------------------------------------------------
319 ejabberdctl register router private.localhost <password>
320 ejabberdctl register opensrf private.localhost <password>
321 ejabberdctl register router public.localhost <password>
322 ejabberdctl register opensrf public.localhost <password>
323 ---------------------------------------------------------------------------
325 Update the OpenSRF configuration files
326 --------------------------------------
328 About the OpenSRF configuration files
329 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
330 There are several configuration files that you must update to make OpenSRF
331 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
332 `--sysconfdir` during the configuration phase.
334 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
335 OpenSRF installation supports; if you create a new OpenSRF service,
336 you need to add it to this file.
337 ** The `<hosts>` element at the bottom of the file lists the services
338 that should be started for each hostname. You can force the system
339 to use `localhost`, so in most cases you will leave this section
342 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
343 information that will be used for the system, as well as determining
344 logging verbosity and defining which services will be exposed on the
347 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
348 the `srfsh` interpreter to communicate with OpenSRF services.
350 Updating the OpenSRF configuration files
351 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
352 1. As the *opensrf* Linux account, copy the example configuration files
353 to create your locally customizable OpenSRF configuration files:
355 .Copying the example OpenSRF configuration files
357 ---------------------------------------------------------------------------
359 cp opensrf_core.xml.example opensrf_core.xml
360 cp opensrf.xml.example opensrf.xml
361 ---------------------------------------------------------------------------
363 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
364 / password pairs to match the Jabber user accounts you just created:
366 a. `<config><opensrf>` = use the private Jabber `opensrf` user
367 b. `<config><gateway>` = use the public Jabber `opensrf` user
368 c. `<config><routers><router>` = use the public Jabber `router` user
369 d. `<config><routers><router>` = use the private Jabber `router` user
370 3. Create a `.srfsh.xml` file in the home directory of each user
371 that you want to use `srfsh` to communicate with OpenSRF services. For
372 example, to enable the *opensrf* Linux account to use `srfsh`:
373 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
374 b. Open `~/.srfsh.xml` in your text editor of choice and update the
375 password to match the password you set for the Jabber `opensrf` user
376 at the `private.localhost` domain.
378 Starting and stopping OpenSRF services
379 --------------------------------------
381 To start all OpenSRF services with a hostname of `localhost`, issue the
382 following command as the *opensrf* Linux account:
385 ---------------------------------------------------------------------------
386 osrf_control --localhost --start-all
387 ---------------------------------------------------------------------------
389 To stop all OpenSRF services with a hostname of `localhost`, issue the
390 following command as the *opensrf* Linux account:
393 ---------------------------------------------------------------------------
394 osrf_control --localhost --stop-all
395 ---------------------------------------------------------------------------
397 Testing the default OpenSRF services
398 ------------------------------------
400 By default, OpenSRF ships with an `opensrf.math` service that performs basic
401 calculations involving two integers. Once you have started the OpenSRF
402 services, test the services as follows:
404 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
405 command as the *opensrf* Linux account:
407 .Starting the `srfsh` interactive OpenSRF shell
409 ---------------------------------------------------------------------------
411 ---------------------------------------------------------------------------
413 2. Issue the following request to test the `opensrf.math` service:
416 ---------------------------------------------------------------------------
417 srfsh# request opensrf.math add 2,2
418 ---------------------------------------------------------------------------
420 You should receive the value `4`.
422 Websockets installation instructions
423 ------------------------------------
425 1. Install websocketd (latest stable release from http://websocketd.com/)
429 ---------------------------------------------------------------------------
431 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
432 unzip websocketd-0.3.0-linux_amd64.zip
433 sudo cp websocketd /usr/local/bin/
434 ---------------------------------------------------------------------------
438 Choose option a or b, below.
441 ===========================================================================
442 websocketd does not offer a configurable inactivity timeout, meaning
443 websocket client connections will persist until each client disconnects
444 or the service is restarted. However, a timeout can be achieved with
445 the use of a proxy (option 'a' below). A proxy also allows websocketd
446 to be exposed to web clients on port 443 instead of its internal port,
447 which may simplify firewall configuration.
448 ===========================================================================
450 a. Run websocketd as 'opensrf'
453 ===========================================================================
454 This choice requires one of the proxy configurations mentioned below.
455 ===========================================================================
459 ---------------------------------------------------------------------------
460 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
462 # Other useful command line parameters include:
463 # --loglevel debug|trace|access|info|error|fatal
466 # --origin=host[:port][,host[:port]...]
468 # See https://github.com/joewalnes/websocketd/blob/master/help.go
469 ---------------------------------------------------------------------------
471 b. Run websocketd without a proxy
475 ---------------------------------------------------------------------------
476 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
477 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
478 ---------------------------------------------------------------------------
480 Optional: Using a web proxy (Apache 2.4 and above)
481 --------------------------------------------------
482 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
483 configured to read the IP address of the originating client instead
484 of the proxy IP address.
486 1. Enable mod_remoteip
489 ---------------------------------------------------------------------------
490 sudo a2enmod remoteip
491 ---------------------------------------------------------------------------
493 2. Enable remote IP settings by uncommenting and modifying as needed the
494 Apache configuration variables starting with RemoteIP* in the sample Apache
495 configuration file opensrf.conf.
497 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
498 and ensure that it is not listening on ports 80 and 443, then restart Apache.
500 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
501 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
505 ---------------------------------------------------------------------------
506 var WEBSOCKET_PORT_SSL = 7682;
507 ---------------------------------------------------------------------------
512 ---------------------------------------------------------------------------
513 var WEBSOCKET_PORT_SSL = 443;
514 ---------------------------------------------------------------------------
517 Optional: Using NGINX as a proxy
518 --------------------------------
519 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
520 reasons, this can be useful for Evergreen setups that want to have both
521 HTTPS and secure WebSockets traffic both go through port 443 while using
522 two Apache instances (one for the WebSockets gateway and one for the more
523 memory-intensive TPAC pages).
525 The following instructions are a guide for setting this up on Debian
526 and Ubuntu systems, but expect general familiarity with various system
527 administration and network tasks. The steps should be run as the *root*
528 Linux account, and assume that you already followed the instructions
529 for installing WebSockets support.
531 1. Install NGINX if not already present:
534 ---------------------------------------------------------------------------
535 apt-get install nginx
536 ---------------------------------------------------------------------------
538 2. Copy the example NGINX configuration file into place and remove default.
541 ---------------------------------------------------------------------------
542 cd /path/to/opensrf-OSRFVERSION
543 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
544 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
545 rm /etc/nginx/sites-enabled/default
546 ---------------------------------------------------------------------------
548 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
549 of the SSL certificate and private key.
550 4. Generate a dhparam file in the directory specified in the nginx config.
553 ---------------------------------------------------------------------------
554 # Default config stores dhparam.pem in the Apache2 ssl directory.
555 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
556 ---------------------------------------------------------------------------
561 ---------------------------------------------------------------------------
562 /etc/init.d/nginx start
563 ---------------------------------------------------------------------------
565 Optional: Using HAProxy as a proxy
566 ----------------------------------
567 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
568 as an alternative to NGINX.
570 The following instructions are a guide for setting this up on Debian
571 and Ubuntu systems, but expect general familiarity with various system
572 administration and network tasks. The steps should be run as the *root*
573 Linux account, and assume that you already followed the instructions
574 for installing WebSockets support.
576 1. Install HAProxy if not already present:
579 ---------------------------------------------------------------------------
580 apt-get install haproxy
581 ---------------------------------------------------------------------------
583 2. Append the example HAProxy to `haproxy.cfg`.
586 ---------------------------------------------------------------------------
587 cd /path/to/opensrf-OSRFVERSION
588 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
589 ---------------------------------------------------------------------------
591 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
592 of the PEM file containing the SSL certificate and private key.
596 ---------------------------------------------------------------------------
597 /etc/init.d/haproxy start
598 ---------------------------------------------------------------------------
603 Need help installing or using OpenSRF? Join the mailing lists at
604 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
605 on the Freenode IRC network on the #evergreen channel.