1. Preamble: referenced user accounts

In subsequent sections, we will refer to a number of different accounts, as follows:

  • Linux user accounts:

    • The user Linux account is the account that you use to log onto the Linux system as a regular user.

    • The root Linux account is an account that has system administrator privileges. On Debian you can switch to this account from your user account by issuing the su - command and entering the password for the root account when prompted. On Ubuntu you can switch to this account from your user account using the sudo su - command and entering the password for your user account when prompted.

    • The opensrf Linux account is an account that you will create as part of installing OpenSRF. You can switch to this account from the root account by issuing the su - opensrf command.

2. Download and unpack the code

Issue the following commands as the user Linux account.

  1. Acquire a stable release tarball from https://evergreen-ils.org/opensrf-downloads/

    wget https://evergreen-ils.org/downloads/opensrf-3.0.2.tar.gz
    Note
    Developers can find the full source code at the OpenSRF Git repository: http://git.evergreen-ils.org/?p=OpenSRF.git
  2. Unpack the tarball, and move into that directory:

    tar -xvf opensrf-3.0.2.tar.gz
    cd opensrf-3.0.2/

3. Installing prerequisites

OpenSRF has a number of prerequisite packages that must be installed before you can successfully configure, compile, and install OpenSRF. On Debian and Ubuntu, the easiest way to install these prerequisites is to use the Makefile.install prerequisite installer.

Issue the following commands as the root Linux account to install prerequisites using the Makefile.install prerequisite installer, substituting your operating system identifier for <osname> below:

apt-get install make
make -f src/extras/Makefile.install <osname>

Well-tested values for <osname> include:

  • debian-stretch for Debian 9

  • debian-jessie for Debian 8

  • debian-wheezy for Debian 7

  • ubuntu-trusty for Ubuntu 14.04

  • ubuntu-xenial for Ubuntu 16.04

Patches and suggestions for improvement from users of these distributions, or others, are welcome!

When the prerequisite installer reaches the Perl module stage, you may be prompted for configuration of Comprehensive Perl Archive Network (CPAN) on your server. You can generally accept the defaults by pressing <return> for all of the prompts, except for the country configuration.

4. Preamble: Developer instructions

Note
Skip this section if you are using an official release tarball downloaded from https://evergreen-ils.org/opensrf-downloads/

Developers working directly with the source code from the Git repository, rather than an official release tarball, must install some extra packages and perform one step before they can proceed with the ./configure step.

As the root Linux account, install the following packages:

  • autoconf

  • automake

  • libtool

As the user Linux account, issue the following command in the OpenSRF source directory to generate the configure script and Makefiles:

autoreconf -i

5. Configuration and compilation instructions

Use the configure command to configure OpenSRF, and the make command to build OpenSRF. The default installation prefix (PREFIX) for OpenSRF is /opensrf/.

If you are building OpenSRF for Evergreen, issue the following commands as the user Linux account to configure and build OpenSRF:

./configure --prefix=/openils --sysconfdir=/openils/conf
make

By default, OpenSRF includes C, Perl, and JavaScript support. You can add the --enable-python option to the configure command to build Python support and --enable-java for Java support.

If you are planning on proxying WebSockets traffic (see below), you can add --with-websockets-port=443 to specify that WebSockets traffic will be going through port 443. Without that option, the default port is 7682.

6. Installation instructions

  1. Once you have configured and compiled OpenSRF, issue the following command as the root Linux account to install OpenSRF:

    make install

7. Create and set up the opensrf Unix user environment

This user is used to start and stop all OpenSRF processes, and must own all files contained in the PREFIX directory hierarchy. Issue the following commands as the root Linux account to create the opensrf user and set up its environment, substituting <PREFIX> with the value you passed to --prefix in your configure command:

Creating the opensrf user
useradd -m -s /bin/bash opensrf
echo "export PATH=\$PATH:/<PREFIX>/bin" >> /home/opensrf/.bashrc
passwd opensrf
chown -R opensrf:opensrf /<PREFIX>

8. Define your public and private OpenSRF domains

For security purposes, OpenSRF uses Jabber domains to separate services into public and private realms. Throughout these instructions, we will use the example domains public.localhost and private.localhost.

On a single-server system, the easiest way to define public and private domains is to define separate hostnames by adding entries to the /etc/hosts file. Here are entries that you could add to a stock /etc/hosts file for our example domains:

Example added entries for /etc/hosts
127.0.1.2       public.localhost        public
127.0.1.3       private.localhost       private

9. Adjust the system dynamic library path

Add <PREFIX>/lib/ to the system’s dynamic library path, and then run ldconfig as the root Linux account.

On Debian and Ubuntu systems, run the following commands as the root Linux account:

Adjusting the system dynamic library path
echo <PREFIX>/lib > /etc/ld.so.conf.d/opensrf.conf
ldconfig

On most other systems, you can add these entries to /etc/ld.so.conf, or create a file within the /etc/ld.so.conf.d/ directory, and then run ldconfig as the root Linux account.

10. Configure the ejabberd server

OpenSRF requires an XMPP (Jabber) server. For performance reasons, ejabberd is the Jabber server of choice for the OpenSRF project. In most cases, you only have to make a few changes to the default configuration file to make ejabberd work for OpenSRF.

  1. Stop ejabberd before making any changes to its configuration by issuing the following command as the root Linux account:

    (Debian / Ubuntu Trusty) Stopping ejabberd
    /etc/init.d/ejabberd stop
    (Debian Stretch / Ubuntu Xenial) Stopping ejabberd
    systemctl stop ejabberd.service
  2. Edit the ejabberd config file.

    (Debian Wheezy / Ubuntu Trusty) Ejabberd 2.x.x

    Open /etc/ejabberd/ejabberd.cfg and make the following changes:

    1. Define your public and private domains in the hosts directive. For example:

      {hosts, ["localhost", "private.localhost", "public.localhost"]}.
    2. Change all maxrate values to 500000

    3. Increase the max_user_sessions value to 10000

    4. Comment out the mod_offline directive

    (Debian Jessie) Ejabberd 13.x and 14.x

    Open /etc/ejabberd/ejabberd.yml and make the following changes:

    1. Define your public and private domains in the hosts directive. For example:

      hosts:
        - "localhost"
        - "private.localhost"
        - "public.localhost"
    2. Change shaper: normal and fast values to 500000

    3. Increase the max_user_sessions: all: value to 10000

    4. Comment out the mod_offline directive

      ##mod_offline:
          ##access_max_user_messages: max_user_offline_messages
    (Debian Stretch / Ubuntu Xenial) Ejabberd 16.x

    Open /etc/ejabberd/ejabberd.yml and make the following changes:

    1. Define your public and private domains in the hosts directive. For example:

      hosts:
        - "localhost"
        - "private.localhost"
        - "public.localhost"
    2. Change auth_password_format to plain

    3. Change shaper: normal and fast values to 500000

    4. Increase the max_user_sessions: all: value to 10000

    5. Comment out the mod_offline directive

      ##mod_offline:
          ##access_max_user_messages: max_user_offline_messages
  3. Restart the ejabberd server to make the changes take effect:

    (Debian / Ubuntu Trusty) Starting ejabberd
    /etc/init.d/ejabberd start
    (Debian Stretch / Ubuntu Xenial) Starting ejabberd
    systemctl start ejabberd.service

11. Create the OpenSRF Jabber users

On each domain, you need two Jabber users to manage the OpenSRF communications:

  • a router user, to whom all requests to connect to an OpenSRF service will be routed; this Jabber user must be named router

  • an opensrf user, which clients use to connect to OpenSRF services; this user can be named anything you like

Create the Jabber users by issuing the following commands as the root Linux account. Substitute <password> for your chosen passwords for each user respectively:

Creating the OpenSRF Jabber users
ejabberdctl register router private.localhost <password>
ejabberdctl register opensrf private.localhost <password>
ejabberdctl register router public.localhost <password>
ejabberdctl register opensrf public.localhost <password>

12. Update the OpenSRF configuration files

12.1. About the OpenSRF configuration files

There are several configuration files that you must update to make OpenSRF work. SYSCONFDIR is /opensrf/etc by default, or the value that you passed to --sysconfdir during the configuration phase.

  • SYSCONFDIR/opensrf.xml - this file lists the services that this OpenSRF installation supports; if you create a new OpenSRF service, you need to add it to this file.

    • The <hosts> element at the bottom of the file lists the services that should be started for each hostname. You can force the system to use localhost, so in most cases you will leave this section as-is.

  • SYSCONFDIR/opensrf_core.xml - this file lists the Jabber connection information that will be used for the system, as well as determining logging verbosity and defining which services will be exposed on the HTTP gateway.

  • ~/.srfsh.xml - this file gives a Linux account the ability to use the srfsh interpreter to communicate with OpenSRF services.

12.2. Updating the OpenSRF configuration files

  1. As the opensrf Linux account, copy the example configuration files to create your locally customizable OpenSRF configuration files:

    Copying the example OpenSRF configuration files
    cd SYSCONFDIR
    cp opensrf_core.xml.example opensrf_core.xml
    cp opensrf.xml.example opensrf.xml
  2. Edit the SYSCONFDIR/opensrf_core.xml file to update the four username / password pairs to match the Jabber user accounts you just created:

    1. <config><opensrf> = use the private Jabber opensrf user

    2. <config><gateway> = use the public Jabber opensrf user

    3. <config><routers><router> = use the public Jabber router user

    4. <config><routers><router> = use the private Jabber router user

  3. Create a .srfsh.xml file in the home directory of each user that you want to use srfsh to communicate with OpenSRF services. For example, to enable the opensrf Linux account to use srfsh:

    1. cp SYSCONFDIR/srfsh.xml.example ~/.srfsh.xml

    2. Open ~/.srfsh.xml in your text editor of choice and update the password to match the password you set for the Jabber opensrf user at the private.localhost domain.

13. Starting and stopping OpenSRF services

To start all OpenSRF services with a hostname of localhost, issue the following command as the opensrf Linux account:

osrf_control --localhost --start-all

To stop all OpenSRF services with a hostname of localhost, issue the following command as the opensrf Linux account:

osrf_control --localhost --stop-all

14. Testing the default OpenSRF services

By default, OpenSRF ships with an opensrf.math service that performs basic calculations involving two integers. Once you have started the OpenSRF services, test the services as follows:

  1. Start the srfsh interactive OpenSRF shell by issuing the following command as the opensrf Linux account:

    Starting the srfsh interactive OpenSRF shell
    srfsh
  2. Issue the following request to test the opensrf.math service:

    srfsh# request opensrf.math add 2,2

    You should receive the value 4.

15. Optional: Websockets installation instructions

Websockets are new to OpenSRF 2.4+ and are required for operating the new web-based staff client for Evergreen. Complete the following steps as the root Linux account:

  1. Install git if not already present:

    apt-get install git-core
  2. Install the apache-websocket module:

    # Use a temporary directory
    cd /tmp
    git clone https://github.com/disconnect/apache-websocket
    cd apache-websocket
    apxs2 -i -a -c mod_websocket.c
  3. Create the websocket Apache instance (more information about this in /usr/share/doc/apache2/README.multiple-instances)

    (Debian Wheezy)
    sh /usr/share/doc/apache2.2-common/examples/setup-instance websockets
    (Debian Jessie/Stretch, Ubuntu Trusty/Xenial)
    sh /usr/share/doc/apache2/examples/setup-instance websockets
  4. Remove from the main apache instance

    a2dismod websocket
  5. Change to the directory into which you unpacked OpenSRF, then copy into place the config files

    (Debian Wheezy)
    cd /path/to/opensrf-3.0.2
    cp examples/apache2/websockets/apache2.conf /etc/apache2-websockets/
    (Debian Jessie/Stretch, Ubuntu Trusty/Xenial)
    cd /path/to/opensrf-3.0.2
    cp examples/apache_24/websockets/apache2.conf /etc/apache2-websockets/
  6. OPTIONAL: add these configuration variables to /etc/apache2-websockets/envvars and adjust as needed.

    export OSRF_WEBSOCKET_IDLE_TIMEOUT=120
    export OSRF_WEBSOCKET_IDLE_CHECK_INTERVAL=5
    export OSRF_WEBSOCKET_CONFIG_FILE=/openils/conf/opensrf_core.xml
    export OSRF_WEBSOCKET_CONFIG_CTXT=gateway
    export OSRF_WEBSOCKET_MAX_REQUEST_WAIT_TIME=600
    • IDLE_TIMEOUT specifies how long we will allow a client to stay connected while idle. A longer timeout means less network traffic (from fewer websocket CONNECT calls), but it also means more Apache processes are tied up doing nothing.

    • IDLE_CHECK_INTERVAL specifies how often we wake to check the idle status of the connected client.

    • MAX_REQUEST_WAIT_TIME is the maximum amount of time the gateway will wait before declaring a client as idle when there is a long-running outstanding request, yet no other activity is occurring. This is primarily a fail-safe to allow idle timeouts when one or more requests died on the server, and thus no response was ever delivered to the gateway.

    • CONFIG_FILE / CTXT are the standard opensrf core config options.

  7. Before you can start websockets, you must install a valid SSL certificate in /etc/apache2/ssl/. It is possible, but not recommended, to generate a self-signed SSL certificate. For example, if you need to test with a self-signed certicate on Chrome or Chromimum browsers, one workaround is to start the browser with --ignore-certificate-errors.

  8. After OpenSRF is up and running (or after any re-install), fire up the secondary Apache instance. Errors will appear in /var/log/apache2-websockets/error.log. Start apache2-websockets with:

    /etc/init.d/apache2-websockets start

16. Optional: Using a web proxy (Apache 2.4 and above)

When the OpenSRF HTTP Translator runs behind a proxy, Apache must be configured to read the IP address of the originating client instead of the proxy IP address.

  1. Enable mod_remoteip

    sudo a2enmod remoteip
  2. Enable remote IP settings by uncommenting and modifying as needed the Apache configuration variables starting with RemoteIP* in the sample Apache configuration file opensrf.conf.

17. Optional: Using NGINX as a proxy

NGINX can be used to proxy HTTP, HTTPS, and WebSockets traffic. Among other reasons, this can be useful for Evergreen setups that want to have both HTTPS and secure WebSockets traffic both go through port 443 while using two Apache instances (one for the WebSockets gateway and one for the more memory-intensive TPAC pages).

The following instructions are a guide for setting this up on Debian and Ubuntu systems, but expect general familiarity with various system administration and network tasks. The steps should be run as the root Linux account, and assume that you already followed the instructions for installing WebSockets support.

  1. Configure the main Apache instance to listen on port 7080 for HTTP and port 7443 for HTTPS and ensure that it is not listening on ports 80 and 443, then restart Apache.

  2. Install NGINX if not already present:

    apt-get install nginx
  3. Copy the example NGINX configuration file into place and remove default.

    cd /path/to/opensrf-3.0.2
    cp examples/nginx/osrf-ws-http-proxy /etc/nginx/sites-available/
    ln -s /etc/nginx/sites-available/osrf-ws-http-proxy /etc/nginx/sites-enabled/osrf-ws-http-proxy
    rm /etc/nginx/sites-enabled/default
  4. Edit /etc/nginx/sites-available/osrf-ws-http-proxy to set the location of the SSL certificate and private key.

  5. Generate a dhparam file in the directory specified in the nginx config.

    # Default config stores dhparam.pem in the Apache2 ssl directory.
    openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
  6. Start NGINX

    /etc/init.d/nginx start
  7. If you didn’t run configure with the --with-websockets-port=443 option, edit <PREFIX>/javascript/opensrf_ws.js and <PREFIX>/javascript/opensrf_ws_shared.js and change

    var WEBSOCKET_PORT_SSL = 7682;

    to

    var WEBSOCKET_PORT_SSL = 443;

18. Optional: Using HAProxy as a proxy

HAProxy can also be used to proxy HTTP, HTTPS, and WebSockets traffic as an alternative to NGINX.

The following instructions are a guide for setting this up on Debian and Ubuntu systems, but expect general familiarity with various system administration and network tasks. The steps should be run as the root Linux account, and assume that you already followed the instructions for installing WebSockets support.

  1. Install HAProxy if not already present:

    apt-get install haproxy
  2. Configure the main Apache instance to listen on port 7080 for HTTP and port 7443 for HTTPS and ensure that it is not listening on ports 80 and 443, then restart Apache.

  3. Append the example HAProxy to haproxy.cfg.

    cd /path/to/opensrf-3.0.2
    cat examples/haproxy/osrf-ws-http-proxy >> /etc/haproxy/haproxy.cfg
  4. Edit /etc/haproxy/haproxy.cfg to set the location of the PEM file containing the SSL certificate and private key.

  5. Start HAProxy.

    /etc/init.d/haproxy start
  6. Edit <PREFIX>/javascript/opensrf_ws.js and <PREFIX>/javascript/opensrf_ws_shared.js and change

    var WEBSOCKET_PORT_SSL = 7682;

    to

    var WEBSOCKET_PORT_SSL = 443;

19. Troubleshooting note for Python users

If you are running a Python client and trying to connect to OpenSRF running on localhost rather than a hostname that can be resolved via DNS, you will probably receive exceptions about dns.resolver.NXDOMAIN. If this happens, you need to install the dnsmasq package, configure it to serve up a DNS entry for localhost, and point your local DNS resolver to dnsmasq. For example, on Ubuntu you can issue the following commands as the root Linux account:

(Debian / Ubuntu) Installing and starting dnsmasq
aptitude install dnsmasq
/etc/init.d/dnsmasq restart

Then edit /etc/resolv.conf and ensure that nameserver 127.0.0.1 is the first entry in the file.

20. Getting help

Need help installing or using OpenSRF? Join the mailing lists at http://evergreen-ils.org/communicate/mailing-lists/ or contact us on the Freenode IRC network on the #evergreen channel.