4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-OSRFVERSION.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-OSRFVERSION.tar.gz
44 cd opensrf-OSRFVERSION/
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-bookworm` for Debian 12
68 * `debian-bullseye` for Debian 11
69 * `debian-buster` for Debian 10
70 * `ubuntu-focal` for Ubuntu 20.04
71 * `ubuntu-jammy` for Ubuntu 22.04
73 Patches and suggestions for improvement from users of these distributions,
74 or others, are welcome!
76 When the prerequisite installer reaches the Perl module stage, you may
77 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
78 on your server. You can generally accept the defaults by pressing <return>
79 for all of the prompts, except for the country configuration.
81 Preamble: Developer instructions
82 --------------------------------
85 Skip this section if you are using an official release tarball downloaded
86 from https://evergreen-ils.org/opensrf-downloads/
88 Developers working directly with the source code from the Git repository,
89 rather than an official release tarball, must install some extra packages
90 and perform one step before they can proceed with the `./configure` step.
92 As the *root* Linux account, install the following packages:
98 As the *user* Linux account, issue the following command in the OpenSRF
99 source directory to generate the configure script and Makefiles:
102 ------------------------------------------------------------------------------
104 ------------------------------------------------------------------------------
106 Configuration and compilation instructions
107 ------------------------------------------
109 Use the `configure` command to configure OpenSRF, and the `make` command to
110 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
113 If you are building OpenSRF for Evergreen, issue the following commands as
114 the *user* Linux account to configure and build OpenSRF:
117 ---------------------------------------------------------------------------
118 ./configure --prefix=/openils --sysconfdir=/openils/conf
120 ---------------------------------------------------------------------------
122 By default, OpenSRF includes C, Perl, and JavaScript support.
124 If you are planning on proxying WebSockets traffic (see below), you
125 can add `--with-websockets-port=443` to specify that WebSockets traffic
126 will be going through port 443. Without that option, the default port
129 Installation instructions
130 -------------------------
132 1. Once you have configured and compiled OpenSRF, issue the following
133 command as the *root* Linux account to install OpenSRF:
136 ---------------------------------------------------------------------------
138 ---------------------------------------------------------------------------
140 Create and set up the opensrf Unix user environment
141 ---------------------------------------------------
143 This user is used to start and stop all OpenSRF processes, and must own all
144 files contained in the PREFIX directory hierarchy. Issue the following
145 commands as the *root* Linux account to create the `opensrf` user and set up
146 its environment, substituting <PREFIX> with the value you passed to `--prefix`
147 in your configure command:
149 .Creating the `opensrf` user
151 ---------------------------------------------------------------------------
152 useradd -m -s /bin/bash opensrf
153 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
155 chown -R opensrf:opensrf /<PREFIX>
156 ---------------------------------------------------------------------------
158 Define your public and private OpenSRF domains
159 ----------------------------------------------
161 For security purposes, OpenSRF uses Jabber domains to separate services
162 into public and private realms. Throughout these instructions, we will use
163 the example domains `public.localhost` and `private.localhost`.
165 On a single-server system, the easiest way to define public and private
166 domains is to define separate hostnames by adding entries to the `/etc/hosts`
167 file. Here are entries that you could add to a stock `/etc/hosts` file for our
170 .Example added entries for `/etc/hosts`
172 ---------------------------------------------------------------------------
173 127.0.1.2 public.localhost public
174 127.0.1.3 private.localhost private
175 ---------------------------------------------------------------------------
177 Adjust the system dynamic library path
178 --------------------------------------
180 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
181 `ldconfig` as the *root* Linux account.
183 On Debian and Ubuntu systems, run the following commands as the *root*
186 .Adjusting the system dynamic library path
188 ---------------------------------------------------------------------------
189 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
191 ---------------------------------------------------------------------------
193 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
194 create a file within the `/etc/ld.so.conf.d/` directory, and then run
195 `ldconfig` as the *root* Linux account.
197 Configure the ejabberd server
198 -----------------------------
202 It is recommended to disable the apparmor profile for ejabberd on *Ubuntu* before
203 continuing. If you are installing on any version of *Ubuntu*, run the following
204 commands as the *root* Linux account:
207 ---------------------------------------------------------------------------
208 ln -s /etc/apparmor.d/usr.sbin.ejabberdctl /etc/apparmor.d/disable/
209 apparmor_parser -R /etc/apparmor.d/usr.sbin.ejabberdctl
210 ---------------------------------------------------------------------------
213 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
214 the Jabber server of choice for the OpenSRF project. In most cases, you only
215 have to make a few changes to the default configuration file to make ejabberd
218 1. Stop ejabberd before making any changes to its configuration by issuing the
219 following command as the *root* Linux account:
223 ---------------------------------------------------------------------------
224 systemctl stop ejabberd.service
225 ---------------------------------------------------------------------------
227 2. Edit the ejabberd config file.
229 (Debian Buster / Ubuntu Focal) Ejabberd 18.x::
230 Open `/etc/ejabberd/ejabberd.yml` and make the following
232 a. Define your public and private domains in the `hosts` directive. For
236 ---------------------------------------------------------------------------
239 - "private.localhost"
241 ---------------------------------------------------------------------------
243 b. Change `starttls_required` to false
244 c. Change `auth_password_format` to plain
245 d. Change `shaper:` `normal` and `fast` values to 500000
246 e. Increase the `max_user_sessions:` `all:` value to 10000
247 f. Comment out the `mod_offline` directive
249 -----------------------
251 ##access_max_user_messages: max_user_offline_messages
252 -----------------------
254 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
256 -----------------------
258 -----------------------
260 (Debian Bullseye / Debian Bookworm / Ubuntu Jammy) Ejabberd 21.x::
261 Open `/etc/ejabberd/ejabberd.yml` and make the following
263 a. Define your public and private domains in the `hosts` directive. For
267 ---------------------------------------------------------------------------
272 ---------------------------------------------------------------------------
274 b. Change `starttls_required` to false
275 c. Change `auth_password_format` to plain
276 d. Change all `shaper:` `normal` and `fast` values to 500000
277 e. Increase the `shaper_rules:` `max_user_sessions:` value to 10000
278 f. Comment out the `shaper_rules:` `max_user_offline_messages:` values
280 -----------------------
281 ##max_user_offline_messages:
284 -----------------------
286 g. Comment out the `mod_offline` directive
288 -----------------------
290 ##access_max_user_messages: max_user_offline_messages
291 -----------------------
293 h. Add the `mod_legacy_auth` directive under the `modules:` section
295 -----------------------
297 -----------------------
299 3. Restart the ejabberd server to make the changes take effect:
303 ---------------------------------------------------------------------------
304 systemctl start ejabberd.service
305 ---------------------------------------------------------------------------
307 Create the OpenSRF Jabber users
308 -------------------------------
310 On each domain, you need two Jabber users to manage the OpenSRF communications:
312 * a `router` user, to whom all requests to connect to an OpenSRF service
313 will be routed; this Jabber user must be named `router`
314 * an `opensrf` user, which clients use to connect to OpenSRF services; this
315 user can be named anything you like
317 Create the Jabber users by issuing the following commands as the *root* Linux
318 account. Substitute `<password>` for your chosen passwords for each user
321 .Creating the OpenSRF Jabber users
323 ---------------------------------------------------------------------------
324 ejabberdctl register router private.localhost <password>
325 ejabberdctl register opensrf private.localhost <password>
326 ejabberdctl register router public.localhost <password>
327 ejabberdctl register opensrf public.localhost <password>
328 ---------------------------------------------------------------------------
330 Update the OpenSRF configuration files
331 --------------------------------------
333 About the OpenSRF configuration files
334 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
335 There are several configuration files that you must update to make OpenSRF
336 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
337 `--sysconfdir` during the configuration phase.
339 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
340 OpenSRF installation supports; if you create a new OpenSRF service,
341 you need to add it to this file.
342 ** The `<hosts>` element at the bottom of the file lists the services
343 that should be started for each hostname. You can force the system
344 to use `localhost`, so in most cases you will leave this section
347 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
348 information that will be used for the system, as well as determining
349 logging verbosity and defining which services will be exposed on the
352 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
353 the `srfsh` interpreter to communicate with OpenSRF services.
355 Updating the OpenSRF configuration files
356 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
357 1. As the *opensrf* Linux account, copy the example configuration files
358 to create your locally customizable OpenSRF configuration files:
360 .Copying the example OpenSRF configuration files
362 ---------------------------------------------------------------------------
364 cp opensrf_core.xml.example opensrf_core.xml
365 cp opensrf.xml.example opensrf.xml
366 ---------------------------------------------------------------------------
368 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
369 / password pairs to match the Jabber user accounts you just created:
371 a. `<config><opensrf>` = use the private Jabber `opensrf` user
372 b. `<config><gateway>` = use the public Jabber `opensrf` user
373 c. `<config><routers><router>` = use the public Jabber `router` user
374 d. `<config><routers><router>` = use the private Jabber `router` user
375 3. Create a `.srfsh.xml` file in the home directory of each user
376 that you want to use `srfsh` to communicate with OpenSRF services. For
377 example, to enable the *opensrf* Linux account to use `srfsh`:
378 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
379 b. Open `~/.srfsh.xml` in your text editor of choice and update the
380 password to match the password you set for the Jabber `opensrf` user
381 at the `private.localhost` domain.
383 Starting and stopping OpenSRF services
384 --------------------------------------
386 To start all OpenSRF services with a hostname of `localhost`, issue the
387 following command as the *opensrf* Linux account:
390 ---------------------------------------------------------------------------
391 osrf_control --localhost --start-all
392 ---------------------------------------------------------------------------
394 To stop all OpenSRF services with a hostname of `localhost`, issue the
395 following command as the *opensrf* Linux account:
398 ---------------------------------------------------------------------------
399 osrf_control --localhost --stop-all
400 ---------------------------------------------------------------------------
402 Testing the default OpenSRF services
403 ------------------------------------
405 By default, OpenSRF ships with an `opensrf.math` service that performs basic
406 calculations involving two integers. Once you have started the OpenSRF
407 services, test the services as follows:
409 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
410 command as the *opensrf* Linux account:
412 .Starting the `srfsh` interactive OpenSRF shell
414 ---------------------------------------------------------------------------
416 ---------------------------------------------------------------------------
418 2. Issue the following request to test the `opensrf.math` service:
421 ---------------------------------------------------------------------------
422 srfsh# request opensrf.math add 2,2
423 ---------------------------------------------------------------------------
425 You should receive the value `4`.
427 Websockets installation instructions
428 ------------------------------------
430 1. Install websocketd (latest stable release from http://websocketd.com/)
434 ---------------------------------------------------------------------------
436 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
437 unzip websocketd-0.3.0-linux_amd64.zip
438 sudo cp websocketd /usr/local/bin/
439 ---------------------------------------------------------------------------
443 Choose option a or b, below.
446 ===========================================================================
447 websocketd does not offer a configurable inactivity timeout, meaning
448 websocket client connections will persist until each client disconnects
449 or the service is restarted. However, a timeout can be achieved with
450 the use of a proxy (option 'a' below). A proxy also allows websocketd
451 to be exposed to web clients on port 443 instead of its internal port,
452 which may simplify firewall configuration.
453 ===========================================================================
455 a. Run websocketd as 'opensrf'
458 ===========================================================================
459 This choice requires one of the proxy configurations mentioned below.
460 ===========================================================================
464 ---------------------------------------------------------------------------
465 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
467 # Other useful command line parameters include:
468 # --loglevel debug|trace|access|info|error|fatal
471 # --origin=host[:port][,host[:port]...]
473 # See https://github.com/joewalnes/websocketd/blob/master/help.go
474 ---------------------------------------------------------------------------
476 b. Run websocketd without a proxy
480 ---------------------------------------------------------------------------
481 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
482 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
483 ---------------------------------------------------------------------------
485 Optional Systemd Setup
486 ~~~~~~~~~~~~~~~~~~~~~~
488 Websocketd is a standalone program with no daemon mode, but can be implemented as a systemd service.
490 Copy <PREFIX>/examples/websocketd-osrf.service.example into file /lib/systemd/system/websocketd-osrf.service
492 Then add & start the service.
495 --------------------------------------
496 sudo systemctl daemon-reload
497 sudo systemctl enable websocketd-osrf
498 sudo systemctl start websocketd-osrf
499 --------------------------------------
501 Optional: Using a web proxy (Apache 2.4 and above)
502 --------------------------------------------------
503 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
504 configured to read the IP address of the originating client instead
505 of the proxy IP address.
507 1. Enable mod_remoteip
510 ---------------------------------------------------------------------------
511 sudo a2enmod remoteip
512 ---------------------------------------------------------------------------
514 2. Enable remote IP settings by uncommenting and modifying as needed the
515 Apache configuration variables starting with RemoteIP* in the sample Apache
516 configuration file opensrf.conf.
518 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
519 and ensure that it is not listening on ports 80 and 443, then restart Apache.
521 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
522 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
526 ---------------------------------------------------------------------------
527 var WEBSOCKET_PORT_SSL = 7682;
528 ---------------------------------------------------------------------------
533 ---------------------------------------------------------------------------
534 var WEBSOCKET_PORT_SSL = 443;
535 ---------------------------------------------------------------------------
538 Optional: Using NGINX as a proxy
539 --------------------------------
540 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
541 reasons, this can be useful for Evergreen setups that want to have both
542 HTTPS and secure WebSockets traffic both go through port 443 while using
543 two Apache instances (one for the WebSockets gateway and one for the more
544 memory-intensive TPAC pages).
546 The following instructions are a guide for setting this up on Debian
547 and Ubuntu systems, but expect general familiarity with various system
548 administration and network tasks. The steps should be run as the *root*
549 Linux account, and assume that you already followed the instructions
550 for installing WebSockets support.
552 1. Install NGINX if not already present:
555 ---------------------------------------------------------------------------
556 apt-get install nginx
557 ---------------------------------------------------------------------------
559 2. Copy the example NGINX configuration file into place and remove default.
562 ---------------------------------------------------------------------------
563 cd /path/to/opensrf-OSRFVERSION
564 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
565 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
566 rm /etc/nginx/sites-enabled/default
567 ---------------------------------------------------------------------------
569 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
570 of the SSL certificate and private key.
571 4. Generate a dhparam file in the directory specified in the nginx config.
574 ---------------------------------------------------------------------------
575 # Default config stores dhparam.pem in the Apache2 ssl directory.
576 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
577 ---------------------------------------------------------------------------
582 ---------------------------------------------------------------------------
583 /etc/init.d/nginx start
584 ---------------------------------------------------------------------------
586 Optional: Using HAProxy as a proxy
587 ----------------------------------
588 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
589 as an alternative to NGINX.
591 The following instructions are a guide for setting this up on Debian
592 and Ubuntu systems, but expect general familiarity with various system
593 administration and network tasks. The steps should be run as the *root*
594 Linux account, and assume that you already followed the instructions
595 for installing WebSockets support.
597 1. Install HAProxy if not already present:
600 ---------------------------------------------------------------------------
601 apt-get install haproxy
602 ---------------------------------------------------------------------------
604 2. Append the example HAProxy to `haproxy.cfg`.
607 ---------------------------------------------------------------------------
608 cd /path/to/opensrf-OSRFVERSION
609 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
610 ---------------------------------------------------------------------------
612 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
613 of the PEM file containing the SSL certificate and private key.
617 ---------------------------------------------------------------------------
618 /etc/init.d/haproxy start
619 ---------------------------------------------------------------------------
624 Need help installing or using OpenSRF? Join the mailing lists at
625 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
626 on the Freenode IRC network on the #evergreen channel.