4 Preamble: referenced user accounts
5 ----------------------------------
7 In subsequent sections, we will refer to a number of different accounts, as
10 * Linux user accounts:
11 ** The *user* Linux account is the account that you use to log onto the
12 Linux system as a regular user.
13 ** The *root* Linux account is an account that has system administrator
14 privileges. On Debian you can switch to this account from
15 your *user* account by issuing the `su -` command and entering the
16 password for the *root* account when prompted. On Ubuntu you can switch
17 to this account from your *user* account using the `sudo su -` command
18 and entering the password for your *user* account when prompted.
19 ** The *opensrf* Linux account is an account that you will create as part
20 of installing OpenSRF. You can switch to this account from the *root*
21 account by issuing the `su - opensrf` command.
23 Download and unpack the code
24 ----------------------------
26 Issue the following commands as the *user* Linux account.
28 1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/
31 ------------------------------------------------------------------------------
32 wget https://evergreen-ils.org/downloads/opensrf-OSRFVERSION.tar.gz
33 ------------------------------------------------------------------------------
36 Developers can find the full source code at the OpenSRF Git repository:
37 http://git.evergreen-ils.org/?p=OpenSRF.git
39 2. Unpack the tarball, and move into that directory:
42 ------------------------------------------------------------------------------
43 tar -xvf opensrf-OSRFVERSION.tar.gz
44 cd opensrf-OSRFVERSION/
45 ------------------------------------------------------------------------------
47 Installing prerequisites
48 ------------------------
50 OpenSRF has a number of prerequisite packages that must be installed
51 before you can successfully configure, compile, and install OpenSRF.
52 On Debian and Ubuntu, the easiest way to install these prerequisites
53 is to use the Makefile.install prerequisite installer.
55 Issue the following commands as the *root* Linux account to install
56 prerequisites using the Makefile.install prerequisite installer, substituting
57 your operating system identifier for <osname> below:
60 ---------------------------------------------------------------------------
62 make -f src/extras/Makefile.install <osname>
63 ---------------------------------------------------------------------------
65 Well-tested values for <osname> include:
67 * `debian-stretch` for Debian 9
68 * `debian-jessie` for Debian 8
69 * `ubuntu-trusty` for Ubuntu 14.04
70 * `ubuntu-xenial` for Ubuntu 16.04
72 Patches and suggestions for improvement from users of these distributions,
73 or others, are welcome!
75 When the prerequisite installer reaches the Perl module stage, you may
76 be prompted for configuration of Comprehensive Perl Archive Network (CPAN)
77 on your server. You can generally accept the defaults by pressing <return>
78 for all of the prompts, except for the country configuration.
80 Preamble: Developer instructions
81 --------------------------------
84 Skip this section if you are using an official release tarball downloaded
85 from https://evergreen-ils.org/opensrf-downloads/
87 Developers working directly with the source code from the Git repository,
88 rather than an official release tarball, must install some extra packages
89 and perform one step before they can proceed with the `./configure` step.
91 As the *root* Linux account, install the following packages:
97 As the *user* Linux account, issue the following command in the OpenSRF
98 source directory to generate the configure script and Makefiles:
101 ------------------------------------------------------------------------------
103 ------------------------------------------------------------------------------
105 Configuration and compilation instructions
106 ------------------------------------------
108 Use the `configure` command to configure OpenSRF, and the `make` command to
109 build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is
112 If you are building OpenSRF for Evergreen, issue the following commands as
113 the *user* Linux account to configure and build OpenSRF:
116 ---------------------------------------------------------------------------
117 ./configure --prefix=/openils --sysconfdir=/openils/conf
119 ---------------------------------------------------------------------------
121 By default, OpenSRF includes C, Perl, and JavaScript support.
122 You can add the `--enable-python` option to the configure command
123 to build Python support and `--enable-java` for Java support.
125 If you are planning on proxying WebSockets traffic (see below), you
126 can add `--with-websockets-port=443` to specify that WebSockets traffic
127 will be going through port 443. Without that option, the default port
130 Installation instructions
131 -------------------------
133 1. Once you have configured and compiled OpenSRF, issue the following
134 command as the *root* Linux account to install OpenSRF:
137 ---------------------------------------------------------------------------
139 ---------------------------------------------------------------------------
141 Create and set up the opensrf Unix user environment
142 ---------------------------------------------------
144 This user is used to start and stop all OpenSRF processes, and must own all
145 files contained in the PREFIX directory hierarchy. Issue the following
146 commands as the *root* Linux account to create the `opensrf` user and set up
147 its environment, substituting <PREFIX> with the value you passed to `--prefix`
148 in your configure command:
150 .Creating the `opensrf` user
152 ---------------------------------------------------------------------------
153 useradd -m -s /bin/bash opensrf
154 echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
156 chown -R opensrf:opensrf /<PREFIX>
157 ---------------------------------------------------------------------------
159 Define your public and private OpenSRF domains
160 ----------------------------------------------
162 For security purposes, OpenSRF uses Jabber domains to separate services
163 into public and private realms. Throughout these instructions, we will use
164 the example domains `public.localhost` and `private.localhost`.
166 On a single-server system, the easiest way to define public and private
167 domains is to define separate hostnames by adding entries to the `/etc/hosts`
168 file. Here are entries that you could add to a stock `/etc/hosts` file for our
171 .Example added entries for `/etc/hosts`
173 ---------------------------------------------------------------------------
174 127.0.1.2 public.localhost public
175 127.0.1.3 private.localhost private
176 ---------------------------------------------------------------------------
178 Adjust the system dynamic library path
179 --------------------------------------
181 Add `<PREFIX>/lib/` to the system's dynamic library path, and then run
182 `ldconfig` as the *root* Linux account.
184 On Debian and Ubuntu systems, run the following commands as the *root*
187 .Adjusting the system dynamic library path
189 ---------------------------------------------------------------------------
190 echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
192 ---------------------------------------------------------------------------
194 On most other systems, you can add these entries to `/etc/ld.so.conf`, or
195 create a file within the `/etc/ld.so.conf.d/` directory, and then run
196 `ldconfig` as the *root* Linux account.
198 Configure the ejabberd server
199 -----------------------------
201 OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is
202 the Jabber server of choice for the OpenSRF project. In most cases, you only
203 have to make a few changes to the default configuration file to make ejabberd
206 1. Stop ejabberd before making any changes to its configuration by issuing the
207 following command as the *root* Linux account:
209 .(Ubuntu Trusty) Stopping ejabberd
211 ---------------------------------------------------------------------------
212 /etc/init.d/ejabberd stop
213 ---------------------------------------------------------------------------
215 .(Debian / Ubuntu Xenial) Stopping ejabberd
217 ---------------------------------------------------------------------------
218 systemctl stop ejabberd.service
219 ---------------------------------------------------------------------------
221 2. Edit the ejabberd config file.
223 (Ubuntu Trusty) Ejabberd 2.x.x::
224 Open `/etc/ejabberd/ejabberd.cfg` and make the following
226 a. Define your public and private domains in the `hosts` directive. For
230 ---------------------------------------------------------------------------
231 {hosts, ["localhost", "private.localhost", "public.localhost"]}.
232 ---------------------------------------------------------------------------
234 b. Change all `maxrate` values to 500000
235 c. Increase the `max_user_sessions` value to 10000
236 d. Comment out the `mod_offline` directive
238 (Debian Jessie) Ejabberd 13.x and 14.x::
239 Open `/etc/ejabberd/ejabberd.yml` and make the following
241 a. Define your public and private domains in the `hosts` directive. For
245 ---------------------------------------------------------------------------
248 - "private.localhost"
250 ---------------------------------------------------------------------------
252 b. Change `shaper:` `normal` and `fast` values to 500000
253 c. Increase the `max_user_sessions:` `all:` value to 10000
254 d. Comment out the `mod_offline` directive
256 -----------------------
258 ##access_max_user_messages: max_user_offline_messages
259 -----------------------
261 (Debian Stretch / Ubuntu Xenial) Ejabberd 16.x::
262 Open `/etc/ejabberd/ejabberd.yml` and make the following
264 a. Define your public and private domains in the `hosts` directive. For
268 ---------------------------------------------------------------------------
271 - "private.localhost"
273 ---------------------------------------------------------------------------
275 b. Change `auth_password_format` to plain
276 c. Change `shaper:` `normal` and `fast` values to 500000
277 d. Increase the `max_user_sessions:` `all:` value to 10000
278 e. Comment out the `mod_offline` directive
280 -----------------------
282 ##access_max_user_messages: max_user_offline_messages
283 -----------------------
285 3. Restart the ejabberd server to make the changes take effect:
287 .(Ubuntu Trusty) Starting ejabberd
289 ---------------------------------------------------------------------------
290 /etc/init.d/ejabberd start
291 ---------------------------------------------------------------------------
293 .(Debian / Ubuntu Xenial) Starting ejabberd
295 ---------------------------------------------------------------------------
296 systemctl start ejabberd.service
297 ---------------------------------------------------------------------------
299 Create the OpenSRF Jabber users
300 -------------------------------
302 On each domain, you need two Jabber users to manage the OpenSRF communications:
304 * a `router` user, to whom all requests to connect to an OpenSRF service
305 will be routed; this Jabber user must be named `router`
306 * an `opensrf` user, which clients use to connect to OpenSRF services; this
307 user can be named anything you like
309 Create the Jabber users by issuing the following commands as the *root* Linux
310 account. Substitute `<password>` for your chosen passwords for each user
313 .Creating the OpenSRF Jabber users
315 ---------------------------------------------------------------------------
316 ejabberdctl register router private.localhost <password>
317 ejabberdctl register opensrf private.localhost <password>
318 ejabberdctl register router public.localhost <password>
319 ejabberdctl register opensrf public.localhost <password>
320 ---------------------------------------------------------------------------
322 Update the OpenSRF configuration files
323 --------------------------------------
325 About the OpenSRF configuration files
326 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
327 There are several configuration files that you must update to make OpenSRF
328 work. SYSCONFDIR is `/opensrf/etc` by default, or the value that you passed to
329 `--sysconfdir` during the configuration phase.
331 * `SYSCONFDIR/opensrf.xml` - this file lists the services that this
332 OpenSRF installation supports; if you create a new OpenSRF service,
333 you need to add it to this file.
334 ** The `<hosts>` element at the bottom of the file lists the services
335 that should be started for each hostname. You can force the system
336 to use `localhost`, so in most cases you will leave this section
339 * `SYSCONFDIR/opensrf_core.xml` - this file lists the Jabber connection
340 information that will be used for the system, as well as determining
341 logging verbosity and defining which services will be exposed on the
344 * `~/.srfsh.xml` - this file gives a Linux account the ability to use
345 the `srfsh` interpreter to communicate with OpenSRF services.
347 Updating the OpenSRF configuration files
348 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
349 1. As the *opensrf* Linux account, copy the example configuration files
350 to create your locally customizable OpenSRF configuration files:
352 .Copying the example OpenSRF configuration files
354 ---------------------------------------------------------------------------
356 cp opensrf_core.xml.example opensrf_core.xml
357 cp opensrf.xml.example opensrf.xml
358 ---------------------------------------------------------------------------
360 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
361 / password pairs to match the Jabber user accounts you just created:
363 a. `<config><opensrf>` = use the private Jabber `opensrf` user
364 b. `<config><gateway>` = use the public Jabber `opensrf` user
365 c. `<config><routers><router>` = use the public Jabber `router` user
366 d. `<config><routers><router>` = use the private Jabber `router` user
367 3. Create a `.srfsh.xml` file in the home directory of each user
368 that you want to use `srfsh` to communicate with OpenSRF services. For
369 example, to enable the *opensrf* Linux account to use `srfsh`:
370 a. `cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml`
371 b. Open `~/.srfsh.xml` in your text editor of choice and update the
372 password to match the password you set for the Jabber `opensrf` user
373 at the `private.localhost` domain.
375 Starting and stopping OpenSRF services
376 --------------------------------------
378 To start all OpenSRF services with a hostname of `localhost`, issue the
379 following command as the *opensrf* Linux account:
382 ---------------------------------------------------------------------------
383 osrf_control --localhost --start-all
384 ---------------------------------------------------------------------------
386 To stop all OpenSRF services with a hostname of `localhost`, issue the
387 following command as the *opensrf* Linux account:
390 ---------------------------------------------------------------------------
391 osrf_control --localhost --stop-all
392 ---------------------------------------------------------------------------
394 Testing the default OpenSRF services
395 ------------------------------------
397 By default, OpenSRF ships with an `opensrf.math` service that performs basic
398 calculations involving two integers. Once you have started the OpenSRF
399 services, test the services as follows:
401 1. Start the `srfsh` interactive OpenSRF shell by issuing the following
402 command as the *opensrf* Linux account:
404 .Starting the `srfsh` interactive OpenSRF shell
406 ---------------------------------------------------------------------------
408 ---------------------------------------------------------------------------
410 2. Issue the following request to test the `opensrf.math` service:
413 ---------------------------------------------------------------------------
414 srfsh# request opensrf.math add 2,2
415 ---------------------------------------------------------------------------
417 You should receive the value `4`.
419 Websockets installation instructions: Option #1 Apache
420 -------------------------------------------------------
421 Websockets are new to OpenSRF 2.4+ and are required for operating the new web-based
422 staff client for Evergreen. Complete the following steps as the *root* Linux
425 1. Install git if not already present:
428 ---------------------------------------------------------------------------
429 apt-get install git-core
430 ---------------------------------------------------------------------------
432 2. Install the apache-websocket module:
435 ---------------------------------------------------------------------------
436 # Use a temporary directory
438 git clone https://github.com/disconnect/apache-websocket
440 apxs2 -i -a -c mod_websocket.c
441 ---------------------------------------------------------------------------
443 3. Create the websocket Apache instance (more information about this in
444 `/usr/share/doc/apache2/README.multiple-instances`)
447 ---------------------------------------------------------------------------
448 sh /usr/share/doc/apache2/examples/setup-instance websockets
449 ---------------------------------------------------------------------------
451 4. Remove from the main apache instance
454 ---------------------------------------------------------------------------
456 ---------------------------------------------------------------------------
458 5. Change to the directory into which you unpacked OpenSRF, then copy into
459 place the config files
462 ---------------------------------------------------------------------------
463 cd /path/to/opensrf-OSRFVERSION
464 cp examples/apache_24/websockets/apache2.conf /etc/apache2-websockets/
465 ---------------------------------------------------------------------------
467 6. OPTIONAL: add these configuration variables to `/etc/apache2-websockets/envvars`
468 and adjust as needed.
471 ---------------------------------------------------------------------------
472 export OSRF_WEBSOCKET_IDLE_TIMEOUT=120
473 export OSRF_WEBSOCKET_IDLE_CHECK_INTERVAL=5
474 export OSRF_WEBSOCKET_CONFIG_FILE=/openils/conf/opensrf_core.xml
475 export OSRF_WEBSOCKET_CONFIG_CTXT=gateway
476 export OSRF_WEBSOCKET_MAX_REQUEST_WAIT_TIME=600
477 ---------------------------------------------------------------------------
479 * `IDLE_TIMEOUT` specifies how long we will allow a client to stay connected
480 while idle. A longer timeout means less network traffic (from fewer
481 websocket CONNECT calls), but it also means more Apache processes are
482 tied up doing nothing.
483 * `IDLE_CHECK_INTERVAL` specifies how often we wake to check the idle status
484 of the connected client.
485 * `MAX_REQUEST_WAIT_TIME` is the maximum amount of time the gateway will
486 wait before declaring a client as idle when there is a long-running
487 outstanding request, yet no other activity is occurring. This is
488 primarily a fail-safe to allow idle timeouts when one or more requests
489 died on the server, and thus no response was ever delivered to the gateway.
490 * `CONFIG_FILE / CTXT` are the standard opensrf core config options.
492 7. Before you can start websockets, you must install a valid SSL certificate
493 in `/etc/apache2/ssl/`. It is possible, but not recommended, to generate a
494 self-signed SSL certificate. For example, if you need to test with a self-signed
495 certicate on Chrome or Chromimum browsers, one workaround is to start the browser
496 with `--ignore-certificate-errors`.
498 8. After OpenSRF is up and running (or after any re-install),
499 fire up the secondary Apache instance. Errors will appear in
500 `/var/log/apache2-websockets/error.log`. Start apache2-websockets with:
503 ---------------------------------------------------------------------------
504 /etc/init.d/apache2-websockets start
505 ---------------------------------------------------------------------------
507 Websockets installation instructions: Option #2 Websocketd
508 ----------------------------------------------------------
510 1. Install websocketd (latest stable release from http://websocketd.com/)
514 ---------------------------------------------------------------------------
516 wget 'https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_amd64.zip'
517 unzip websocketd-0.3.0-linux_amd64.zip
518 sudo cp websocketd /usr/local/bin/
519 ---------------------------------------------------------------------------
523 Choose option a or b, below.
525 a. Run websocketd as 'opensrf'
528 ===========================================================================
529 This choice requires one of the proxy configurations mentioned below.
530 ===========================================================================
534 ---------------------------------------------------------------------------
535 /usr/local/bin/websocketd --port 7682 /openils/bin/osrf-websocket-stdio &
537 # Other useful command line parameters include:
538 # --loglevel debug|trace|access|info|error|fatal
541 # --origin=host[:port][,host[:port]...]
543 # See https://github.com/joewalnes/websocketd/blob/master/help.go
544 ---------------------------------------------------------------------------
546 b. Run websocketd without a proxy
550 ---------------------------------------------------------------------------
551 sudo -b /usr/local/bin/websocketd --port 7682 --ssl --sslcert=/etc/apache2/ssl/server.crt \
552 --sslkey=/etc/apache2/ssl/server.key /openils/bin/osrf-websocket-stdio
553 ---------------------------------------------------------------------------
555 Optional: Using NGINX as a proxy
556 --------------------------------
557 NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other
558 reasons, this can be useful for Evergreen setups that want to have both
559 HTTPS and secure WebSockets traffic both go through port 443 while using
560 two Apache instances (one for the WebSockets gateway and one for the more
561 memory-intensive TPAC pages).
563 The following instructions are a guide for setting this up on Debian
564 and Ubuntu systems, but expect general familiarity with various system
565 administration and network tasks. The steps should be run as the *root*
566 Linux account, and assume that you already followed the instructions
567 for installing WebSockets support.
569 1. Configure the main Apache instance to listen on port 7080 for HTTP and
570 port 7443 for HTTPS and ensure that it is not listening on ports 80
571 and 443, then restart Apache.
573 2. Install NGINX if not already present:
576 ---------------------------------------------------------------------------
577 apt-get install nginx
578 ---------------------------------------------------------------------------
580 3. Copy the example NGINX configuration file into place and remove default.
583 ---------------------------------------------------------------------------
584 cd /path/to/opensrf-OSRFVERSION
585 cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
586 ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
587 rm /etc/nginx/sites-enabled/default
588 ---------------------------------------------------------------------------
590 4. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
591 of the SSL certificate and private key.
595 ---------------------------------------------------------------------------
596 /etc/init.d/nginx start
597 ---------------------------------------------------------------------------
599 6. If you didn't run `configure` with the `--with-websockets-port=443` option,
600 edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
604 ---------------------------------------------------------------------------
605 var WEBSOCKET_PORT_SSL = 7682;
606 ---------------------------------------------------------------------------
611 ---------------------------------------------------------------------------
612 var WEBSOCKET_PORT_SSL = 443;
613 ---------------------------------------------------------------------------
615 Optional: Using HAProxy as a proxy
616 ----------------------------------
617 HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic
618 as an alternative to NGINX.
620 The following instructions are a guide for setting this up on Debian
621 and Ubuntu systems, but expect general familiarity with various system
622 administration and network tasks. The steps should be run as the *root*
623 Linux account, and assume that you already followed the instructions
624 for installing WebSockets support.
626 1. Install HAProxy if not already present:
629 ---------------------------------------------------------------------------
630 apt-get install haproxy
631 ---------------------------------------------------------------------------
633 2. Configure the main Apache instance to listen on port 7080 for HTTP and
634 port 7443 for HTTPS and ensure that it is not listening on ports 80
635 and 443, then restart Apache.
636 3. Append the example HAProxy to `haproxy.cfg`.
639 ---------------------------------------------------------------------------
640 cd /path/to/opensrf-OSRFVERSION
641 cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
642 ---------------------------------------------------------------------------
644 4. Edit `/etc/haproxy/haproxy.cfg` to set the location
645 of the PEM file containing the SSL certificate and private key.
649 ---------------------------------------------------------------------------
650 /etc/init.d/haproxy start
651 ---------------------------------------------------------------------------
653 6. Edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
657 ---------------------------------------------------------------------------
658 var WEBSOCKET_PORT_SSL = 7682;
659 ---------------------------------------------------------------------------
664 ---------------------------------------------------------------------------
665 var WEBSOCKET_PORT_SSL = 443;
666 ---------------------------------------------------------------------------
668 Troubleshooting note for Python users
669 -------------------------------------
671 If you are running a Python client and trying to connect to OpenSRF running on
672 localhost rather than a hostname that can be resolved via DNS, you will
673 probably receive exceptions about `dns.resolver.NXDOMAIN`. If this happens,
674 you need to install the `dnsmasq` package, configure it to serve up a DNS
675 entry for localhost, and point your local DNS resolver to `dnsmasq`. For example,
676 on Ubuntu you can issue the following commands as the *root* Linux account:
678 .Installing and starting `dnsmasq`
680 ---------------------------------------------------------------------------
681 aptitude install dnsmasq
682 /etc/init.d/dnsmasq restart
683 ---------------------------------------------------------------------------
685 Then edit `/etc/resolv.conf` and ensure that `nameserver 127.0.0.1` is the
686 first entry in the file.
691 Need help installing or using OpenSRF? Join the mailing lists at
692 http://evergreen-ils.org/communicate/mailing-lists/ or contact us
693 on the Freenode IRC network on the #evergreen channel.