4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-3.2.1.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-3.2.1.tar.gz
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-buster` for Debian 10
68 * `debian-stretch` for Debian 9
69 * `debian-jessie` for Debian 8
70 * `ubuntu-xenial` for Ubuntu 16.04
71 * `ubuntu-bionic` for Ubuntu 18.04
72 * `ubuntu-focal` for Ubuntu 20.04
74 Patches and suggestions for improvement from users of these distributions,
75 or others, are welcome!
77 When the prerequisite installer reaches the Perl module stage, you may
78 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
79 on your server. You can generally accept the defaults by pressing <return>
80 for all of the prompts, except for the country configuration.
82 Preamble: Developer instructions
83 --------------------------------
86 Skip this section if you are using an official release tarball downloaded
87 from https://evergreen-ils.org/opensrf-downloads/
89 Developers working directly with the source code from the Git repository,
90 rather than an official release tarball, must install some extra packages
91 and perform one step before they can proceed with the `./configure` step.
93 As the *root* Linux account, install the following packages:
99 As the *user* Linux account, issue the following command in the OpenSRF
100 source directory to generate the configure script and Makefiles:
103 ------------------------------------------------------------------------------
105 ------------------------------------------------------------------------------
107 Configuration and compilation instructions
108 ------------------------------------------
110 Use the `configure` command to configure OpenSRF, and the `make` command to
111 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
114 If you are building OpenSRF for Evergreen, issue the following commands as
115 the *user* Linux account to configure and build OpenSRF:
118 ---------------------------------------------------------------------------
119 ./configure --prefix=/openils --sysconfdir=/openils/conf
121 ---------------------------------------------------------------------------
123 By default, OpenSRF includes C, Perl, and JavaScript support.
124 You can add the `--enable-python` option to the configure command
125 to build Python support and `--enable-java` for Java support.
127 If you are planning on proxying WebSockets traffic (see below), you
128 can add `--with-websockets-port=443` to specify that WebSockets traffic
129 will be going through port 443. Without that option, the default port
132 Installation instructions
133 -------------------------
135 1. Once you have configured and compiled OpenSRF, issue the following
136 command as the *root* Linux account to install OpenSRF:
139 ---------------------------------------------------------------------------
141 ---------------------------------------------------------------------------
143 Create and set up the opensrf Unix user environment
144 ---------------------------------------------------
146 This user is used to start and stop all OpenSRF processes, and must own all
147 files contained in the PREFIX directory hierarchy. Issue the following
148 commands as the *root* Linux account to create the `opensrf` user and set up
149 its environment, substituting <PREFIX> with the value you passed to `--prefix`
150 in your configure command:
152 .Creating the `opensrf` user
154 ---------------------------------------------------------------------------
155 useradd -m -s /bin/bash opensrf
156 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
158 chown -R opensrf:opensrf /<PREFIX>
159 ---------------------------------------------------------------------------
161 Define your public and private OpenSRF domains
162 ----------------------------------------------
164 For security purposes, OpenSRF uses Jabber domains to separate services
165 into public and private realms. Throughout these instructions, we will use
166 the example domains `public.localhost` and `private.localhost`.
168 On a single-server system, the easiest way to define public and private
169 domains is to define separate hostnames by adding entries to the `/etc/hosts`
170 file. Here are entries that you could add to a stock `/etc/hosts` file for our
173 .Example added entries for `/etc/hosts`
175 ---------------------------------------------------------------------------
176 127.0.1.2 public.localhost public
177 127.0.1.3 private.localhost private
178 ---------------------------------------------------------------------------
180 Adjust the system dynamic library path
181 --------------------------------------
183 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
184 `ldconfig` as the *root* Linux account.
186 On Debian and Ubuntu systems, run the following commands as the *root*
189 .Adjusting the system dynamic library path
191 ---------------------------------------------------------------------------
192 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
194 ---------------------------------------------------------------------------
196 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
197 create a file within the `/etc/ld.so.conf.d/` directory, and then run
198 `ldconfig` as the *root* Linux account.
200 Configure the ejabberd server
201 -----------------------------
203 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
204 the Jabber server of choice for the OpenSRF project. In most cases, you only
205 have to make a few changes to the default configuration file to make ejabberd
208 1. Stop ejabberd before making any changes to its configuration by issuing the
209 following command as the *root* Linux account:
211 .(Debian / Ubuntu Xenial / Ubuntu Bionic / Ubuntu Focal) Stopping ejabberd
213 ---------------------------------------------------------------------------
214 systemctl stop ejabberd.service
215 ---------------------------------------------------------------------------
217 2. Edit the ejabberd config file.
219 (Debian Jessie) Ejabberd 13.x and 14.x::
220 Open `/etc/ejabberd/ejabberd.yml` and make the following
222 a. Define your public and private domains in the `hosts` directive. For
226 ---------------------------------------------------------------------------
229 - "private.localhost"
231 ---------------------------------------------------------------------------
233 b. Change `shaper:` `normal` and `fast` values to 500000
234 c. Increase the `max_user_sessions:` `all:` value to 10000
235 d. Comment out the `mod_offline` directive
237 -----------------------
239 ##access_max_user_messages: max_user_offline_messages
240 -----------------------
242 (Debian Stretch / Ubuntu Xenial) Ejabberd 16.x::
243 Open `/etc/ejabberd/ejabberd.yml` and make the following
245 a. Define your public and private domains in the `hosts` directive. For
249 ---------------------------------------------------------------------------
252 - "private.localhost"
254 ---------------------------------------------------------------------------
256 b. Change `auth_password_format` to plain
257 c. Change `shaper:` `normal` and `fast` values to 500000
258 d. Increase the `max_user_sessions:` `all:` value to 10000
259 e. Comment out the `mod_offline` directive
261 -----------------------
263 ##access_max_user_messages: max_user_offline_messages
264 -----------------------
266 (Debian Buster / Ubuntu Bionic / Ubuntu Focal) Ejabberd 18.x::
267 Open `/etc/ejabberd/ejabberd.yml` and make the following
269 a. Define your public and private domains in the `hosts` directive. For
273 ---------------------------------------------------------------------------
276 - "private.localhost"
278 ---------------------------------------------------------------------------
280 b. Change `starttls_required` to false
281 c. Change `auth_password_format` to plain
282 d. Change `shaper:` `normal` and `fast` values to 500000
283 e. Increase the `max_user_sessions:` `all:` value to 10000
284 f. Comment out the `mod_offline` directive
286 -----------------------
288 ##access_max_user_messages: max_user_offline_messages
289 -----------------------
291 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
293 -----------------------
295 -----------------------
297 3. Restart the ejabberd server to make the changes take effect:
299 .(Debian / Ubuntu Xenial / Ubuntu Bionic / Ubuntu Focal) Starting ejabberd
301 ---------------------------------------------------------------------------
302 systemctl start ejabberd.service
303 ---------------------------------------------------------------------------
305 Create the OpenSRF Jabber users
306 -------------------------------
308 On each domain, you need two Jabber users to manage the OpenSRF communications:
310 * a `router` user, to whom all requests to connect to an OpenSRF service
311 will be routed; this Jabber user must be named `router`
312 * an `opensrf` user, which clients use to connect to OpenSRF services; this
313 user can be named anything you like
315 Create the Jabber users by issuing the following commands as the *root* Linux
316 account. Substitute `<password>` for your chosen passwords for each user
319 .Creating the OpenSRF Jabber users
321 ---------------------------------------------------------------------------
322 ejabberdctl register router private.localhost <password>
323 ejabberdctl register opensrf private.localhost <password>
324 ejabberdctl register router public.localhost <password>
325 ejabberdctl register opensrf public.localhost <password>
326 ---------------------------------------------------------------------------
328 Update the OpenSRF configuration files
329 --------------------------------------
331 About the OpenSRF configuration files
332 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
333 There are several configuration files that you must update to make OpenSRF
334 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
335 `--sysconfdir` during the configuration phase.
337 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
338 OpenSRF installation supports; if you create a new OpenSRF service,
339 you need to add it to this file.
340 ** The `<hosts>` element at the bottom of the file lists the services
341 that should be started for each hostname. You can force the system
342 to use `localhost`, so in most cases you will leave this section
345 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
346 information that will be used for the system, as well as determining
347 logging verbosity and defining which services will be exposed on the
350 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
351 the `srfsh` interpreter to communicate with OpenSRF services.
353 Updating the OpenSRF configuration files
354 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
355 1. As the *opensrf* Linux account, copy the example configuration files
356 to create your locally customizable OpenSRF configuration files:
358 .Copying the example OpenSRF configuration files
360 ---------------------------------------------------------------------------
362 cp opensrf_core.xml.example opensrf_core.xml
363 cp opensrf.xml.example opensrf.xml
364 ---------------------------------------------------------------------------
366 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
367 / password pairs to match the Jabber user accounts you just created:
369 a. `<config><opensrf>` = use the private Jabber `opensrf` user
370 b. `<config><gateway>` = use the public Jabber `opensrf` user
371 c. `<config><routers><router>` = use the public Jabber `router` user
372 d. `<config><routers><router>` = use the private Jabber `router` user
373 3. Create a `.srfsh.xml` file in the home directory of each user
374 that you want to use `srfsh` to communicate with OpenSRF services. For
375 example, to enable the *opensrf* Linux account to use `srfsh`:
376 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
377 b. Open `~/.srfsh.xml` in your text editor of choice and update the
378 password to match the password you set for the Jabber `opensrf` user
379 at the `private.localhost` domain.
381 Starting and stopping OpenSRF services
382 --------------------------------------
384 To start all OpenSRF services with a hostname of `localhost`, issue the
385 following command as the *opensrf* Linux account:
388 ---------------------------------------------------------------------------
389 osrf_control --localhost --start-all
390 ---------------------------------------------------------------------------
392 To stop all OpenSRF services with a hostname of `localhost`, issue the
393 following command as the *opensrf* Linux account:
396 ---------------------------------------------------------------------------
397 osrf_control --localhost --stop-all
398 ---------------------------------------------------------------------------
400 Testing the default OpenSRF services
401 ------------------------------------
403 By default, OpenSRF ships with an `opensrf.math` service that performs basic
404 calculations involving two integers. Once you have started the OpenSRF
405 services, test the services as follows:
407 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
408 command as the *opensrf* Linux account:
410 .Starting the `srfsh` interactive OpenSRF shell
412 ---------------------------------------------------------------------------
414 ---------------------------------------------------------------------------
416 2. Issue the following request to test the `opensrf.math` service:
419 ---------------------------------------------------------------------------
420 srfsh# request opensrf.math add 2,2
421 ---------------------------------------------------------------------------
423 You should receive the value `4`.
425 Websockets installation instructions
426 ------------------------------------
428 1. Install websocketd (latest stable release from http://websocketd.com/)
432 ---------------------------------------------------------------------------
434 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
435 unzip websocketd-0.3.0-linux_amd64.zip
436 sudo cp websocketd /usr/local/bin/
437 ---------------------------------------------------------------------------
441 Choose option a or b, below.
444 ===========================================================================
445 websocketd does not offer a configurable inactivity timeout, meaning
446 websocket client connections will persist until each client disconnects
447 or the service is restarted. However, a timeout can be achieved with
448 the use of a proxy (option 'a' below). A proxy also allows websocketd
449 to be exposed to web clients on port 443 instead of its internal port,
450 which may simplify firewall configuration.
451 ===========================================================================
453 a. Run websocketd as 'opensrf'
456 ===========================================================================
457 This choice requires one of the proxy configurations mentioned below.
458 ===========================================================================
462 ---------------------------------------------------------------------------
463 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
465 # Other useful command line parameters include:
466 # --loglevel debug|trace|access|info|error|fatal
469 # --origin=host[:port][,host[:port]...]
471 # See https://github.com/joewalnes/websocketd/blob/master/help.go
472 ---------------------------------------------------------------------------
474 b. Run websocketd without a proxy
478 ---------------------------------------------------------------------------
479 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
480 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
481 ---------------------------------------------------------------------------
483 Optional: Using a web proxy (Apache 2.4 and above)
484 --------------------------------------------------
485 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
486 configured to read the IP address of the originating client instead
487 of the proxy IP address.
489 1. Enable mod_remoteip
492 ---------------------------------------------------------------------------
493 sudo a2enmod remoteip
494 ---------------------------------------------------------------------------
496 2. Enable remote IP settings by uncommenting and modifying as needed the
497 Apache configuration variables starting with RemoteIP* in the sample Apache
498 configuration file opensrf.conf.
500 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
501 and ensure that it is not listening on ports 80 and 443, then restart Apache.
503 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
504 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
508 ---------------------------------------------------------------------------
509 var WEBSOCKET_PORT_SSL = 7682;
510 ---------------------------------------------------------------------------
515 ---------------------------------------------------------------------------
516 var WEBSOCKET_PORT_SSL = 443;
517 ---------------------------------------------------------------------------
520 Optional: Using NGINX as a proxy
521 --------------------------------
522 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
523 reasons, this can be useful for Evergreen setups that want to have both
524 HTTPS and secure WebSockets traffic both go through port 443 while using
525 two Apache instances (one for the WebSockets gateway and one for the more
526 memory-intensive TPAC pages).
528 The following instructions are a guide for setting this up on Debian
529 and Ubuntu systems, but expect general familiarity with various system
530 administration and network tasks. The steps should be run as the *root*
531 Linux account, and assume that you already followed the instructions
532 for installing WebSockets support.
534 1. Install NGINX if not already present:
537 ---------------------------------------------------------------------------
538 apt-get install nginx
539 ---------------------------------------------------------------------------
541 2. Copy the example NGINX configuration file into place and remove default.
544 ---------------------------------------------------------------------------
545 cd /path/to/opensrf-3.2.1
546 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
547 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
548 rm /etc/nginx/sites-enabled/default
549 ---------------------------------------------------------------------------
551 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
552 of the SSL certificate and private key.
553 4. Generate a dhparam file in the directory specified in the nginx config.
556 ---------------------------------------------------------------------------
557 # Default config stores dhparam.pem in the Apache2 ssl directory.
558 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
559 ---------------------------------------------------------------------------
564 ---------------------------------------------------------------------------
565 /etc/init.d/nginx start
566 ---------------------------------------------------------------------------
568 Optional: Using HAProxy as a proxy
569 ----------------------------------
570 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
571 as an alternative to NGINX.
573 The following instructions are a guide for setting this up on Debian
574 and Ubuntu systems, but expect general familiarity with various system
575 administration and network tasks. The steps should be run as the *root*
576 Linux account, and assume that you already followed the instructions
577 for installing WebSockets support.
579 1. Install HAProxy if not already present:
582 ---------------------------------------------------------------------------
583 apt-get install haproxy
584 ---------------------------------------------------------------------------
586 2. Append the example HAProxy to `haproxy.cfg`.
589 ---------------------------------------------------------------------------
590 cd /path/to/opensrf-3.2.1
591 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
592 ---------------------------------------------------------------------------
594 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
595 of the PEM file containing the SSL certificate and private key.
599 ---------------------------------------------------------------------------
600 /etc/init.d/haproxy start
601 ---------------------------------------------------------------------------
603 Troubleshooting note for Python users
604 -------------------------------------
606 If you are running a Python client and trying to connect to OpenSRF running on
607 localhost rather than a hostname that can be resolved via DNS, you will
608 probably receive exceptions about `dns.resolver.NXDOMAIN`. If this happens,
609 you need to install the `dnsmasq` package, configure it to serve up a DNS
610 entry for localhost, and point your local DNS resolver to `dnsmasq`. For example,
611 on Ubuntu you can issue the following commands as the *root* Linux account:
613 .Installing and starting `dnsmasq`
615 ---------------------------------------------------------------------------
616 aptitude install dnsmasq
617 /etc/init.d/dnsmasq restart
618 ---------------------------------------------------------------------------
620 Then edit `/etc/resolv.conf` and ensure that `nameserver 127.0.0.1` is the
621 first entry in the file.
626 Need help installing or using OpenSRF? Join the mailing lists at
627 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
628 on the Freenode IRC network on the #evergreen channel.