4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-OSRFVERSION.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-OSRFVERSION.tar.gz
44 cd opensrf-OSRFVERSION/
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-bullseye` for Debian 11
68 * `debian-buster` for Debian 10
69 * `debian-stretch` for Debian 9
70 * `ubuntu-bionic` for Ubuntu 18.04
71 * `ubuntu-focal` for Ubuntu 20.04
72 * `ubuntu-jammy` for Ubuntu 22.04
74 Patches and suggestions for improvement from users of these distributions,
75 or others, are welcome!
77 When the prerequisite installer reaches the Perl module stage, you may
78 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
79 on your server. You can generally accept the defaults by pressing <return>
80 for all of the prompts, except for the country configuration.
82 Preamble: Developer instructions
83 --------------------------------
86 Skip this section if you are using an official release tarball downloaded
87 from https://evergreen-ils.org/opensrf-downloads/
89 Developers working directly with the source code from the Git repository,
90 rather than an official release tarball, must install some extra packages
91 and perform one step before they can proceed with the `./configure` step.
93 As the *root* Linux account, install the following packages:
99 As the *user* Linux account, issue the following command in the OpenSRF
100 source directory to generate the configure script and Makefiles:
103 ------------------------------------------------------------------------------
105 ------------------------------------------------------------------------------
107 Configuration and compilation instructions
108 ------------------------------------------
110 Use the `configure` command to configure OpenSRF, and the `make` command to
111 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
114 If you are building OpenSRF for Evergreen, issue the following commands as
115 the *user* Linux account to configure and build OpenSRF:
118 ---------------------------------------------------------------------------
119 ./configure --prefix=/openils --sysconfdir=/openils/conf
121 ---------------------------------------------------------------------------
123 By default, OpenSRF includes C, Perl, and JavaScript support.
125 If you are planning on proxying WebSockets traffic (see below), you
126 can add `--with-websockets-port=443` to specify that WebSockets traffic
127 will be going through port 443. Without that option, the default port
130 Installation instructions
131 -------------------------
133 1. Once you have configured and compiled OpenSRF, issue the following
134 command as the *root* Linux account to install OpenSRF:
137 ---------------------------------------------------------------------------
139 ---------------------------------------------------------------------------
141 Create and set up the opensrf Unix user environment
142 ---------------------------------------------------
144 This user is used to start and stop all OpenSRF processes, and must own all
145 files contained in the PREFIX directory hierarchy. Issue the following
146 commands as the *root* Linux account to create the `opensrf` user and set up
147 its environment, substituting <PREFIX> with the value you passed to `--prefix`
148 in your configure command:
150 .Creating the `opensrf` user
152 ---------------------------------------------------------------------------
153 useradd -m -s /bin/bash opensrf
154 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
156 chown -R opensrf:opensrf /<PREFIX>
157 ---------------------------------------------------------------------------
159 Define your public and private OpenSRF domains
160 ----------------------------------------------
162 For security purposes, OpenSRF uses Jabber domains to separate services
163 into public and private realms. Throughout these instructions, we will use
164 the example domains `public.localhost` and `private.localhost`.
166 On a single-server system, the easiest way to define public and private
167 domains is to define separate hostnames by adding entries to the `/etc/hosts`
168 file. Here are entries that you could add to a stock `/etc/hosts` file for our
171 .Example added entries for `/etc/hosts`
173 ---------------------------------------------------------------------------
174 127.0.1.2 public.localhost public
175 127.0.1.3 private.localhost private
176 ---------------------------------------------------------------------------
178 Adjust the system dynamic library path
179 --------------------------------------
181 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
182 `ldconfig` as the *root* Linux account.
184 On Debian and Ubuntu systems, run the following commands as the *root*
187 .Adjusting the system dynamic library path
189 ---------------------------------------------------------------------------
190 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
192 ---------------------------------------------------------------------------
194 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
195 create a file within the `/etc/ld.so.conf.d/` directory, and then run
196 `ldconfig` as the *root* Linux account.
198 Configure the ejabberd server
199 -----------------------------
203 It is recommended to disable the apparmor profile for ejabberd on *Ubuntu* before
204 continuing. If you are installing on any version of *Ubuntu*, run the following
205 commands as the *root* Linux account:
208 ---------------------------------------------------------------------------
209 ln -s /etc/apparmor.d/usr.sbin.ejabberdctl /etc/apparmor.d/disable/
210 apparmor_parser -R /etc/apparmor.d/usr.sbin.ejabberdctl
211 ---------------------------------------------------------------------------
214 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
215 the Jabber server of choice for the OpenSRF project. In most cases, you only
216 have to make a few changes to the default configuration file to make ejabberd
219 1. Stop ejabberd before making any changes to its configuration by issuing the
220 following command as the *root* Linux account:
224 ---------------------------------------------------------------------------
225 systemctl stop ejabberd.service
226 ---------------------------------------------------------------------------
228 2. Edit the ejabberd config file.
230 (Debian Stretch) Ejabberd 16.x::
231 Open `/etc/ejabberd/ejabberd.yml` and make the following
233 a. Define your public and private domains in the `hosts` directive. For
237 ---------------------------------------------------------------------------
240 - "private.localhost"
242 ---------------------------------------------------------------------------
244 b. Change `auth_password_format` to plain
245 c. Change `shaper:` `normal` and `fast` values to 500000
246 d. Increase the `max_user_sessions:` `all:` value to 10000
247 e. Comment out the `mod_offline` directive
249 -----------------------
251 ##access_max_user_messages: max_user_offline_messages
252 -----------------------
254 (Debian Buster / Ubuntu Bionic / Ubuntu Focal) Ejabberd 18.x::
255 Open `/etc/ejabberd/ejabberd.yml` and make the following
257 a. Define your public and private domains in the `hosts` directive. For
261 ---------------------------------------------------------------------------
264 - "private.localhost"
266 ---------------------------------------------------------------------------
268 b. Change `starttls_required` to false
269 c. Change `auth_password_format` to plain
270 d. Change `shaper:` `normal` and `fast` values to 500000
271 e. Increase the `max_user_sessions:` `all:` value to 10000
272 f. Comment out the `mod_offline` directive
274 -----------------------
276 ##access_max_user_messages: max_user_offline_messages
277 -----------------------
279 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
281 -----------------------
283 -----------------------
285 (Debian Bullseye / Ubuntu Jammy) Ejabberd 21.x::
286 Open `/etc/ejabberd/ejabberd.yml` and make the following
288 a. Define your public and private domains in the `hosts` directive. For
292 ---------------------------------------------------------------------------
297 ---------------------------------------------------------------------------
299 b. Change `starttls_required` to false
300 c. Change `auth_password_format` to plain
301 d. Change all `shaper:` `normal` and `fast` values to 500000
302 e. Increase the `shaper_rules:` `max_user_sessions:` value to 10000
303 f. Comment out the `shaper_rules:` `max_user_offline_messages:` values
305 -----------------------
306 ##max_user_offline_messages:
309 -----------------------
311 g. Comment out the `mod_offline` directive
313 -----------------------
315 ##access_max_user_messages: max_user_offline_messages
316 -----------------------
318 h. Add the `mod_legacy_auth` directive under the `modules:` section
320 -----------------------
322 -----------------------
324 3. Restart the ejabberd server to make the changes take effect:
328 ---------------------------------------------------------------------------
329 systemctl start ejabberd.service
330 ---------------------------------------------------------------------------
332 Create the OpenSRF Jabber users
333 -------------------------------
335 On each domain, you need two Jabber users to manage the OpenSRF communications:
337 * a `router` user, to whom all requests to connect to an OpenSRF service
338 will be routed; this Jabber user must be named `router`
339 * an `opensrf` user, which clients use to connect to OpenSRF services; this
340 user can be named anything you like
342 Create the Jabber users by issuing the following commands as the *root* Linux
343 account. Substitute `<password>` for your chosen passwords for each user
346 .Creating the OpenSRF Jabber users
348 ---------------------------------------------------------------------------
349 ejabberdctl register router private.localhost <password>
350 ejabberdctl register opensrf private.localhost <password>
351 ejabberdctl register router public.localhost <password>
352 ejabberdctl register opensrf public.localhost <password>
353 ---------------------------------------------------------------------------
355 Update the OpenSRF configuration files
356 --------------------------------------
358 About the OpenSRF configuration files
359 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
360 There are several configuration files that you must update to make OpenSRF
361 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
362 `--sysconfdir` during the configuration phase.
364 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
365 OpenSRF installation supports; if you create a new OpenSRF service,
366 you need to add it to this file.
367 ** The `<hosts>` element at the bottom of the file lists the services
368 that should be started for each hostname. You can force the system
369 to use `localhost`, so in most cases you will leave this section
372 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
373 information that will be used for the system, as well as determining
374 logging verbosity and defining which services will be exposed on the
377 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
378 the `srfsh` interpreter to communicate with OpenSRF services.
380 Updating the OpenSRF configuration files
381 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
382 1. As the *opensrf* Linux account, copy the example configuration files
383 to create your locally customizable OpenSRF configuration files:
385 .Copying the example OpenSRF configuration files
387 ---------------------------------------------------------------------------
389 cp opensrf_core.xml.example opensrf_core.xml
390 cp opensrf.xml.example opensrf.xml
391 ---------------------------------------------------------------------------
393 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
394 / password pairs to match the Jabber user accounts you just created:
396 a. `<config><opensrf>` = use the private Jabber `opensrf` user
397 b. `<config><gateway>` = use the public Jabber `opensrf` user
398 c. `<config><routers><router>` = use the public Jabber `router` user
399 d. `<config><routers><router>` = use the private Jabber `router` user
400 3. Create a `.srfsh.xml` file in the home directory of each user
401 that you want to use `srfsh` to communicate with OpenSRF services. For
402 example, to enable the *opensrf* Linux account to use `srfsh`:
403 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
404 b. Open `~/.srfsh.xml` in your text editor of choice and update the
405 password to match the password you set for the Jabber `opensrf` user
406 at the `private.localhost` domain.
408 Starting and stopping OpenSRF services
409 --------------------------------------
411 To start all OpenSRF services with a hostname of `localhost`, issue the
412 following command as the *opensrf* Linux account:
415 ---------------------------------------------------------------------------
416 osrf_control --localhost --start-all
417 ---------------------------------------------------------------------------
419 To stop all OpenSRF services with a hostname of `localhost`, issue the
420 following command as the *opensrf* Linux account:
423 ---------------------------------------------------------------------------
424 osrf_control --localhost --stop-all
425 ---------------------------------------------------------------------------
427 Testing the default OpenSRF services
428 ------------------------------------
430 By default, OpenSRF ships with an `opensrf.math` service that performs basic
431 calculations involving two integers. Once you have started the OpenSRF
432 services, test the services as follows:
434 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
435 command as the *opensrf* Linux account:
437 .Starting the `srfsh` interactive OpenSRF shell
439 ---------------------------------------------------------------------------
441 ---------------------------------------------------------------------------
443 2. Issue the following request to test the `opensrf.math` service:
446 ---------------------------------------------------------------------------
447 srfsh# request opensrf.math add 2,2
448 ---------------------------------------------------------------------------
450 You should receive the value `4`.
452 Websockets installation instructions
453 ------------------------------------
455 1. Install websocketd (latest stable release from http://websocketd.com/)
459 ---------------------------------------------------------------------------
461 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
462 unzip websocketd-0.3.0-linux_amd64.zip
463 sudo cp websocketd /usr/local/bin/
464 ---------------------------------------------------------------------------
468 Choose option a or b, below.
471 ===========================================================================
472 websocketd does not offer a configurable inactivity timeout, meaning
473 websocket client connections will persist until each client disconnects
474 or the service is restarted. However, a timeout can be achieved with
475 the use of a proxy (option 'a' below). A proxy also allows websocketd
476 to be exposed to web clients on port 443 instead of its internal port,
477 which may simplify firewall configuration.
478 ===========================================================================
480 a. Run websocketd as 'opensrf'
483 ===========================================================================
484 This choice requires one of the proxy configurations mentioned below.
485 ===========================================================================
489 ---------------------------------------------------------------------------
490 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
492 # Other useful command line parameters include:
493 # --loglevel debug|trace|access|info|error|fatal
496 # --origin=host[:port][,host[:port]...]
498 # See https://github.com/joewalnes/websocketd/blob/master/help.go
499 ---------------------------------------------------------------------------
501 b. Run websocketd without a proxy
505 ---------------------------------------------------------------------------
506 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
507 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
508 ---------------------------------------------------------------------------
510 Optional Systemd Setup
511 ~~~~~~~~~~~~~~~~~~~~~~
513 Websocketd is a standalone program with no daemon mode, but can be implemented as a systemd service.
515 Copy <PREFIX>/examples/websocket-osrf.service.example into file /lib/systemd/system/websocketd-osrf.service
517 Then add & start the service.
520 --------------------------------------
521 sudo systemctl daemon-reload
522 sudo systemctl enable websocketd-osrf
523 sudo systemctl start websocketd-osrf
524 --------------------------------------
526 Optional: Using a web proxy (Apache 2.4 and above)
527 --------------------------------------------------
528 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
529 configured to read the IP address of the originating client instead
530 of the proxy IP address.
532 1. Enable mod_remoteip
535 ---------------------------------------------------------------------------
536 sudo a2enmod remoteip
537 ---------------------------------------------------------------------------
539 2. Enable remote IP settings by uncommenting and modifying as needed the
540 Apache configuration variables starting with RemoteIP* in the sample Apache
541 configuration file opensrf.conf.
543 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
544 and ensure that it is not listening on ports 80 and 443, then restart Apache.
546 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
547 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
551 ---------------------------------------------------------------------------
552 var WEBSOCKET_PORT_SSL = 7682;
553 ---------------------------------------------------------------------------
558 ---------------------------------------------------------------------------
559 var WEBSOCKET_PORT_SSL = 443;
560 ---------------------------------------------------------------------------
563 Optional: Using NGINX as a proxy
564 --------------------------------
565 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
566 reasons, this can be useful for Evergreen setups that want to have both
567 HTTPS and secure WebSockets traffic both go through port 443 while using
568 two Apache instances (one for the WebSockets gateway and one for the more
569 memory-intensive TPAC pages).
571 The following instructions are a guide for setting this up on Debian
572 and Ubuntu systems, but expect general familiarity with various system
573 administration and network tasks. The steps should be run as the *root*
574 Linux account, and assume that you already followed the instructions
575 for installing WebSockets support.
577 1. Install NGINX if not already present:
580 ---------------------------------------------------------------------------
581 apt-get install nginx
582 ---------------------------------------------------------------------------
584 2. Copy the example NGINX configuration file into place and remove default.
587 ---------------------------------------------------------------------------
588 cd /path/to/opensrf-OSRFVERSION
589 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
590 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
591 rm /etc/nginx/sites-enabled/default
592 ---------------------------------------------------------------------------
594 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
595 of the SSL certificate and private key.
596 4. Generate a dhparam file in the directory specified in the nginx config.
599 ---------------------------------------------------------------------------
600 # Default config stores dhparam.pem in the Apache2 ssl directory.
601 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
602 ---------------------------------------------------------------------------
607 ---------------------------------------------------------------------------
608 /etc/init.d/nginx start
609 ---------------------------------------------------------------------------
611 Optional: Using HAProxy as a proxy
612 ----------------------------------
613 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
614 as an alternative to NGINX.
616 The following instructions are a guide for setting this up on Debian
617 and Ubuntu systems, but expect general familiarity with various system
618 administration and network tasks. The steps should be run as the *root*
619 Linux account, and assume that you already followed the instructions
620 for installing WebSockets support.
622 1. Install HAProxy if not already present:
625 ---------------------------------------------------------------------------
626 apt-get install haproxy
627 ---------------------------------------------------------------------------
629 2. Append the example HAProxy to `haproxy.cfg`.
632 ---------------------------------------------------------------------------
633 cd /path/to/opensrf-OSRFVERSION
634 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
635 ---------------------------------------------------------------------------
637 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
638 of the PEM file containing the SSL certificate and private key.
642 ---------------------------------------------------------------------------
643 /etc/init.d/haproxy start
644 ---------------------------------------------------------------------------
649 Need help installing or using OpenSRF? Join the mailing lists at
650 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
651 on the Freenode IRC network on the #evergreen channel.