4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-3.2.4.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-3.2.4.tar.gz
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-bullseye` for Debian 11
68 * `debian-buster` for Debian 10
69 * `debian-stretch` for Debian 9
70 * `ubuntu-bionic` for Ubuntu 18.04
71 * `ubuntu-focal` for Ubuntu 20.04
73 Patches and suggestions for improvement from users of these distributions,
74 or others, are welcome!
76 When the prerequisite installer reaches the Perl module stage, you may
77 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
78 on your server. You can generally accept the defaults by pressing <return>
79 for all of the prompts, except for the country configuration.
81 Preamble: Developer instructions
82 --------------------------------
85 Skip this section if you are using an official release tarball downloaded
86 from https://evergreen-ils.org/opensrf-downloads/
88 Developers working directly with the source code from the Git repository,
89 rather than an official release tarball, must install some extra packages
90 and perform one step before they can proceed with the `./configure` step.
92 As the *root* Linux account, install the following packages:
98 As the *user* Linux account, issue the following command in the OpenSRF
99 source directory to generate the configure script and Makefiles:
102 ------------------------------------------------------------------------------
104 ------------------------------------------------------------------------------
106 Configuration and compilation instructions
107 ------------------------------------------
109 Use the `configure` command to configure OpenSRF, and the `make` command to
110 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
113 If you are building OpenSRF for Evergreen, issue the following commands as
114 the *user* Linux account to configure and build OpenSRF:
117 ---------------------------------------------------------------------------
118 ./configure --prefix=/openils --sysconfdir=/openils/conf
120 ---------------------------------------------------------------------------
122 By default, OpenSRF includes C, Perl, and JavaScript support.
123 You can add the `--enable-java` for Java support.
125 If you are planning on proxying WebSockets traffic (see below), you
126 can add `--with-websockets-port=443` to specify that WebSockets traffic
127 will be going through port 443. Without that option, the default port
130 Installation instructions
131 -------------------------
133 1. Once you have configured and compiled OpenSRF, issue the following
134 command as the *root* Linux account to install OpenSRF:
137 ---------------------------------------------------------------------------
139 ---------------------------------------------------------------------------
141 Create and set up the opensrf Unix user environment
142 ---------------------------------------------------
144 This user is used to start and stop all OpenSRF processes, and must own all
145 files contained in the PREFIX directory hierarchy. Issue the following
146 commands as the *root* Linux account to create the `opensrf` user and set up
147 its environment, substituting <PREFIX> with the value you passed to `--prefix`
148 in your configure command:
150 .Creating the `opensrf` user
152 ---------------------------------------------------------------------------
153 useradd -m -s /bin/bash opensrf
154 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
156 chown -R opensrf:opensrf /<PREFIX>
157 ---------------------------------------------------------------------------
159 Define your public and private OpenSRF domains
160 ----------------------------------------------
162 For security purposes, OpenSRF uses Jabber domains to separate services
163 into public and private realms. Throughout these instructions, we will use
164 the example domains `public.localhost` and `private.localhost`.
166 On a single-server system, the easiest way to define public and private
167 domains is to define separate hostnames by adding entries to the `/etc/hosts`
168 file. Here are entries that you could add to a stock `/etc/hosts` file for our
171 .Example added entries for `/etc/hosts`
173 ---------------------------------------------------------------------------
174 127.0.1.2 public.localhost public
175 127.0.1.3 private.localhost private
176 ---------------------------------------------------------------------------
178 Adjust the system dynamic library path
179 --------------------------------------
181 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
182 `ldconfig` as the *root* Linux account.
184 On Debian and Ubuntu systems, run the following commands as the *root*
187 .Adjusting the system dynamic library path
189 ---------------------------------------------------------------------------
190 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
192 ---------------------------------------------------------------------------
194 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
195 create a file within the `/etc/ld.so.conf.d/` directory, and then run
196 `ldconfig` as the *root* Linux account.
198 Configure the ejabberd server
199 -----------------------------
201 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
202 the Jabber server of choice for the OpenSRF project. In most cases, you only
203 have to make a few changes to the default configuration file to make ejabberd
206 1. Stop ejabberd before making any changes to its configuration by issuing the
207 following command as the *root* Linux account:
211 ---------------------------------------------------------------------------
212 systemctl stop ejabberd.service
213 ---------------------------------------------------------------------------
215 2. Edit the ejabberd config file.
217 (Debian Stretch) Ejabberd 16.x::
218 Open `/etc/ejabberd/ejabberd.yml` and make the following
220 a. Define your public and private domains in the `hosts` directive. For
224 ---------------------------------------------------------------------------
227 - "private.localhost"
229 ---------------------------------------------------------------------------
231 b. Change `auth_password_format` to plain
232 c. Change `shaper:` `normal` and `fast` values to 500000
233 d. Increase the `max_user_sessions:` `all:` value to 10000
234 e. Comment out the `mod_offline` directive
236 -----------------------
238 ##access_max_user_messages: max_user_offline_messages
239 -----------------------
241 (Debian Buster / Ubuntu Bionic / Ubuntu Focal) Ejabberd 18.x::
242 Open `/etc/ejabberd/ejabberd.yml` and make the following
244 a. Define your public and private domains in the `hosts` directive. For
248 ---------------------------------------------------------------------------
251 - "private.localhost"
253 ---------------------------------------------------------------------------
255 b. Change `starttls_required` to false
256 c. Change `auth_password_format` to plain
257 d. Change `shaper:` `normal` and `fast` values to 500000
258 e. Increase the `max_user_sessions:` `all:` value to 10000
259 f. Comment out the `mod_offline` directive
261 -----------------------
263 ##access_max_user_messages: max_user_offline_messages
264 -----------------------
266 g. Uncomment or add the `mod_legacy_auth` directive under the `modules:` section
268 -----------------------
270 -----------------------
272 (Debian Bullseye) Ejabberd 21.x::
273 Open `/etc/ejabberd/ejabberd.yml` and make the following
275 a. Define your public and private domains in the `hosts` directive. For
279 ---------------------------------------------------------------------------
284 ---------------------------------------------------------------------------
286 b. Change `starttls_required` to false
287 c. Change `auth_password_format` to plain
288 d. Change all `shaper:` `normal` and `fast` values to 500000
289 e. Increase the `shaper_rules:` `max_user_sessions:` value to 10000
290 f. Comment out the `shaper_rules:` `max_user_offline_messages:` values
292 -----------------------
293 ##max_user_offline_messages:
296 -----------------------
298 g. Comment out the `mod_offline` directive
300 -----------------------
302 ##access_max_user_messages: max_user_offline_messages
303 -----------------------
305 h. Add the `mod_legacy_auth` directive under the `modules:` section
307 -----------------------
309 -----------------------
311 3. Restart the ejabberd server to make the changes take effect:
315 ---------------------------------------------------------------------------
316 systemctl start ejabberd.service
317 ---------------------------------------------------------------------------
319 Create the OpenSRF Jabber users
320 -------------------------------
322 On each domain, you need two Jabber users to manage the OpenSRF communications:
324 * a `router` user, to whom all requests to connect to an OpenSRF service
325 will be routed; this Jabber user must be named `router`
326 * an `opensrf` user, which clients use to connect to OpenSRF services; this
327 user can be named anything you like
329 Create the Jabber users by issuing the following commands as the *root* Linux
330 account. Substitute `<password>` for your chosen passwords for each user
333 .Creating the OpenSRF Jabber users
335 ---------------------------------------------------------------------------
336 ejabberdctl register router private.localhost <password>
337 ejabberdctl register opensrf private.localhost <password>
338 ejabberdctl register router public.localhost <password>
339 ejabberdctl register opensrf public.localhost <password>
340 ---------------------------------------------------------------------------
342 Update the OpenSRF configuration files
343 --------------------------------------
345 About the OpenSRF configuration files
346 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
347 There are several configuration files that you must update to make OpenSRF
348 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
349 `--sysconfdir` during the configuration phase.
351 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
352 OpenSRF installation supports; if you create a new OpenSRF service,
353 you need to add it to this file.
354 ** The `<hosts>` element at the bottom of the file lists the services
355 that should be started for each hostname. You can force the system
356 to use `localhost`, so in most cases you will leave this section
359 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
360 information that will be used for the system, as well as determining
361 logging verbosity and defining which services will be exposed on the
364 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
365 the `srfsh` interpreter to communicate with OpenSRF services.
367 Updating the OpenSRF configuration files
368 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
369 1. As the *opensrf* Linux account, copy the example configuration files
370 to create your locally customizable OpenSRF configuration files:
372 .Copying the example OpenSRF configuration files
374 ---------------------------------------------------------------------------
376 cp opensrf_core.xml.example opensrf_core.xml
377 cp opensrf.xml.example opensrf.xml
378 ---------------------------------------------------------------------------
380 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
381 / password pairs to match the Jabber user accounts you just created:
383 a. `<config><opensrf>` = use the private Jabber `opensrf` user
384 b. `<config><gateway>` = use the public Jabber `opensrf` user
385 c. `<config><routers><router>` = use the public Jabber `router` user
386 d. `<config><routers><router>` = use the private Jabber `router` user
387 3. Create a `.srfsh.xml` file in the home directory of each user
388 that you want to use `srfsh` to communicate with OpenSRF services. For
389 example, to enable the *opensrf* Linux account to use `srfsh`:
390 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
391 b. Open `~/.srfsh.xml` in your text editor of choice and update the
392 password to match the password you set for the Jabber `opensrf` user
393 at the `private.localhost` domain.
395 Starting and stopping OpenSRF services
396 --------------------------------------
398 To start all OpenSRF services with a hostname of `localhost`, issue the
399 following command as the *opensrf* Linux account:
402 ---------------------------------------------------------------------------
403 osrf_control --localhost --start-all
404 ---------------------------------------------------------------------------
406 To stop all OpenSRF services with a hostname of `localhost`, issue the
407 following command as the *opensrf* Linux account:
410 ---------------------------------------------------------------------------
411 osrf_control --localhost --stop-all
412 ---------------------------------------------------------------------------
414 Testing the default OpenSRF services
415 ------------------------------------
417 By default, OpenSRF ships with an `opensrf.math` service that performs basic
418 calculations involving two integers. Once you have started the OpenSRF
419 services, test the services as follows:
421 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
422 command as the *opensrf* Linux account:
424 .Starting the `srfsh` interactive OpenSRF shell
426 ---------------------------------------------------------------------------
428 ---------------------------------------------------------------------------
430 2. Issue the following request to test the `opensrf.math` service:
433 ---------------------------------------------------------------------------
434 srfsh# request opensrf.math add 2,2
435 ---------------------------------------------------------------------------
437 You should receive the value `4`.
439 Websockets installation instructions
440 ------------------------------------
442 1. Install websocketd (latest stable release from http://websocketd.com/)
446 ---------------------------------------------------------------------------
448 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
449 unzip websocketd-0.3.0-linux_amd64.zip
450 sudo cp websocketd /usr/local/bin/
451 ---------------------------------------------------------------------------
455 Choose option a or b, below.
458 ===========================================================================
459 websocketd does not offer a configurable inactivity timeout, meaning
460 websocket client connections will persist until each client disconnects
461 or the service is restarted. However, a timeout can be achieved with
462 the use of a proxy (option 'a' below). A proxy also allows websocketd
463 to be exposed to web clients on port 443 instead of its internal port,
464 which may simplify firewall configuration.
465 ===========================================================================
467 a. Run websocketd as 'opensrf'
470 ===========================================================================
471 This choice requires one of the proxy configurations mentioned below.
472 ===========================================================================
476 ---------------------------------------------------------------------------
477 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
479 # Other useful command line parameters include:
480 # --loglevel debug|trace|access|info|error|fatal
483 # --origin=host[:port][,host[:port]...]
485 # See https://github.com/joewalnes/websocketd/blob/master/help.go
486 ---------------------------------------------------------------------------
488 b. Run websocketd without a proxy
492 ---------------------------------------------------------------------------
493 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
494 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
495 ---------------------------------------------------------------------------
497 Optional Systemd Setup
498 ~~~~~~~~~~~~~~~~~~~~~~
500 Websocketd is a standalone program with no daemon mode, but can be implemented as a systemd service.
502 Copy <PREFIX>/examples/websocketd-osrf.service.example into file /lib/systemd/system/websocketd-osrf.service
504 Then add & start the service.
507 --------------------------------------
508 sudo systemctl daemon-reload
509 sudo systemctl enable websocketd-osrf
510 sudo systemctl start websocketd-osrf
511 --------------------------------------
513 Optional: Using a web proxy (Apache 2.4 and above)
514 --------------------------------------------------
515 When the OpenSRF HTTP Translator runs behind a proxy, Apache must be
516 configured to read the IP address of the originating client instead
517 of the proxy IP address.
519 1. Enable mod_remoteip
522 ---------------------------------------------------------------------------
523 sudo a2enmod remoteip
524 ---------------------------------------------------------------------------
526 2. Enable remote IP settings by uncommenting and modifying as needed the
527 Apache configuration variables starting with RemoteIP* in the sample Apache
528 configuration file opensrf.conf.
530 3. Configure Apache to listen on port 7080 for HTTP and port 7443 for HTTPS
531 and ensure that it is not listening on ports 80 and 443, then restart Apache.
533 4. If you didn't run `configure` with the `--with-websockets-port=443` option,
534 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
538 ---------------------------------------------------------------------------
539 var WEBSOCKET_PORT_SSL = 7682;
540 ---------------------------------------------------------------------------
545 ---------------------------------------------------------------------------
546 var WEBSOCKET_PORT_SSL = 443;
547 ---------------------------------------------------------------------------
550 Optional: Using NGINX as a proxy
551 --------------------------------
552 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
553 reasons, this can be useful for Evergreen setups that want to have both
554 HTTPS and secure WebSockets traffic both go through port 443 while using
555 two Apache instances (one for the WebSockets gateway and one for the more
556 memory-intensive TPAC pages).
558 The following instructions are a guide for setting this up on Debian
559 and Ubuntu systems, but expect general familiarity with various system
560 administration and network tasks. The steps should be run as the *root*
561 Linux account, and assume that you already followed the instructions
562 for installing WebSockets support.
564 1. Install NGINX if not already present:
567 ---------------------------------------------------------------------------
568 apt-get install nginx
569 ---------------------------------------------------------------------------
571 2. Copy the example NGINX configuration file into place and remove default.
574 ---------------------------------------------------------------------------
575 cd /path/to/opensrf-3.2.4
576 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
577 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
578 rm /etc/nginx/sites-enabled/default
579 ---------------------------------------------------------------------------
581 3. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
582 of the SSL certificate and private key.
583 4. Generate a dhparam file in the directory specified in the nginx config.
586 ---------------------------------------------------------------------------
587 # Default config stores dhparam.pem in the Apache2 ssl directory.
588 openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
589 ---------------------------------------------------------------------------
594 ---------------------------------------------------------------------------
595 /etc/init.d/nginx start
596 ---------------------------------------------------------------------------
598 Optional: Using HAProxy as a proxy
599 ----------------------------------
600 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
601 as an alternative to NGINX.
603 The following instructions are a guide for setting this up on Debian
604 and Ubuntu systems, but expect general familiarity with various system
605 administration and network tasks. The steps should be run as the *root*
606 Linux account, and assume that you already followed the instructions
607 for installing WebSockets support.
609 1. Install HAProxy if not already present:
612 ---------------------------------------------------------------------------
613 apt-get install haproxy
614 ---------------------------------------------------------------------------
616 2. Append the example HAProxy to `haproxy.cfg`.
619 ---------------------------------------------------------------------------
620 cd /path/to/opensrf-3.2.4
621 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
622 ---------------------------------------------------------------------------
624 3. Edit `/etc/haproxy/haproxy.cfg` to set the location
625 of the PEM file containing the SSL certificate and private key.
629 ---------------------------------------------------------------------------
630 /etc/init.d/haproxy start
631 ---------------------------------------------------------------------------
636 Need help installing or using OpenSRF? Join the mailing lists at
637 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
638 on the Freenode IRC network on the #evergreen channel.