Index: openacs-4/packages/acs-core-docs/www/openacs.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/openacs.html,v diff -u -r1.6.2.2 -r1.6.2.3 --- openacs-4/packages/acs-core-docs/www/openacs.html 24 Nov 2002 21:29:17 -0000 1.6.2.2 +++ openacs-4/packages/acs-core-docs/www/openacs.html 29 Mar 2003 20:44:54 -0000 1.6.2.3 @@ -1,80 +1,166 @@ -Install OpenACS 4.6

Install OpenACS 4.6

+Install OpenACS 4.6.2

Install OpenACS 4.6.2

by Vinod Kurup
OpenACS docs are written by the named authors, but may be edited by OpenACS documentation staff. -

Downloading OpenACS

Set up the file system for an OpenACS Service

  1. Unpack the OpenACS tarball. If you are following the + instructions linearly, you should done this already, in which case + you can skip this step. If not, make sure you have the OpenACS + tarball in /tmp and proceed: +

    [root@yourserver root]# cd /tmp
    +[root@yourserver tmp]# tar xzf openacs-4-6.tgz
    +
    cd /tmp
    +tar xzf openacs-4-6.tgz
  2. The reference install stores all OpenACS instances in + /web, with one subdirectory per + instance. Create that directory:

    [root@yourserver root]# mkdir /web
    +[root@yourserver root]# chgrp web /web
    +[root@yourserver root]# chmod 770 /web
    +[root@yourserver root]#
    +
    mkdir /web
    +chgrp web /web
    +chmod 770 /web
  3. Set up your user account.

    + AOLserver needs to be started as the root user if you want to use + port 80. Once it starts, though, it will drop the root privileges and + run as another user, which you must specify on the command line. It's + important that this user has as few privileges as possible. Why? + Because if an intruder somehow breaks in through AOLserver, you don't + want her to have any ability to do damage to the rest of your + server.

    At the same time, AOLserver needs to have write access to + some files on your system in order for OpenACS to function + properly. So, we'll run AOLserver with a different user account + for each different service. A service name should be a single + word, letters and numbers only. If the name + of your site is one word, that would be a good choice. For + example "server0" might be the service name for the + server0.net + community.

    For the 4.6.2-P and 4.6.2-O Reference Platform, + we'll use a server named server0 and + a user named server0. We'll leave the password + blank for increased security. The only way to log in will be + with ssh certificates. The only people who should log in are + developers for that specific instance. Add this user, and put + it in the web group so that it + can use database commands associated with that group. +

    [root@yourserver root]# useradd -g web server0
    +[root@yourserver root]#

    Set up database environment variables. They are + necessary for working with the database. +

    [root@yourserver root]# su - server0
    +[server0@yourserver server0]$ emacs .bashrc

    Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.

    • PostGreSQL:

      export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib
      +export PATH=$PATH:/usr/local/pgsql/bin
    • Oracle. These environment variables are specific for a local Oracle + installation communicating via IPC. If you are connecting to a remote + Oracle installation, you'll need to adjust these appropriately. Also, + make sure that the '8.1.7' matches your Oracle version. +

      export ORACLE_BASE=/ora8/m01/app/oracle
      +export ORACLE_HOME=$ORACLE_BASE/product/8.1.7
      +export PATH=$PATH:$ORACLE_HOME/bin
      +export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
      +export ORACLE_SID=ora8
      +export ORACLE_TERM=vt100
      +export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data

    Test this by logging out and back in as + server0 and checking the paths.

    [server0@yourserver server0]$ exit
    +logout
    +[root@yourserver src]# su - server0
    +[postgres@yourserver pgsql]$ env | grep PATH
    +

    For PostGreSQL, you should see:

    +LD_LIBRARY_PATH=LD_LIBRARY_PATH=:/usr/local/pgsql/lib
    +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin:/usr/local/pgsql/bin:/usr/local/pgsql/bin

    For Oracle:

    ORACLE_BASE=/ora8/m01/app/oracle
    +ORACLE_HOME=/ora8/m01/app/oracle/product/8.1.7
    +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin:/ora8/m01/app/oracle/product/8.1.7/bin
    +LD_LIBRARY_PATH=/ora8/m01/app/oracle/product/8.1.7/lib:/lib:/usr/lib
    +ORACLE_SID=ora8
    +ORACLE_TERM=vt100
    +ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    [server0@yourserver server0]$ exit
    +logout
     
    -		  Create a directory called web
    -		  inside your home directory and untar the downloaded components
    -		  there. Set the permissions as directed. The OpenACS 4.6
    -		  tarball is currently named
    -		  openacs-4-6-release.tgz. Replace
    -		  openacs-4-6-release.tgz in the
    -		  commands below with whatever the current tarball is named.
    +[root@yourserver root]#
  4. Move the OpenACS tarball to be the new root directory for + the server0 service. Secure the directory so that only the owner can access it.

    [root@yourserver root]# mv /tmp/openacs-4-6 /web/server0
    +[root@yourserver root]# chown -R server0.web /web/server0
    +[root@yourserver root]# chmod -R 700 /web/server0
    +
    mv /tmp/openacs-4-6 /web/server0
    +chown -R server0.web /web/server0/
    +chmod -R 700 /web/server0
  5. Add the Service to CVS - OPTIONAL.�If this is a development server, you may want to add it to your local CVS repository.

    1. Create and set permissions on a subdirectory in the local cvs repository.

      [root@yourserver root]# mkdir /cvsroot/server0
      +[root@yourserver root]# chown server0.web /cvsroot/server0
      +[root@yourserver root]#
      +
      mkdir /cvsroot/server0
      +chown server0.web /cvsroot/server0
    2. Add the repository location to the user environment.

      [root@yourserver root]# su - server0
      +[server0@yourserver server0]$ emacs .bashrc

      Put this string into /home/server0/.bashrc:

      export CVSROOT=/cvsroot
      [server0@yourserver server0]$ exit
      +logout
       
      -		

      -joeuser:~$ mkdir -p web
      -joeuser:~$ chown joeuser.web web
      -joeuser:~$ cd web
      -joeuser:~/web$ tar xzf /tmp/openacs-4-6-release.tgz
      -joeuser:~/web$ chown -R joeuser.web openacs-4
      -joeuser:~/web$ chmod -R g+w openacs-4
    3. - You should now have an - openacs-4/ directory tree in - ~/web. Rename this directory to - whatever you want your web service to be identified as. The name - of your web service is referred to as the - service_name. Since you can run multiple - separate web services under AOLserver, this identification is - used internally by AOLserver to differentiate your services from - one another. A service name should be a single word, - letters and numbers only. If the name of - your site is one word, that would be a good choice. For example - "birdnotes" might be the service name for the birdnotes.net - community. We'll use birdnotes as an example - in these docs. -

      -joeuser:~/web$ ls -l
      -drwxrwxr-x    8 joeuser  web      4096 Nov 27 09:32 openacs-4
      -joeuser:~/web$ mv openacs-4 birdnotes
      -joeuser:~/web$ ls -l
      -drwxrwxr-x    8 joeuser  web      4096 Dec 20 14:37 birdnotes
    4. +[root@yourserver root]#

    5. Import all files into cvs. In order to work on + files with source control, the files must be checked out + from cvs. So we will import, move aside, and then check + out all of the files. In the cvs import command, + server0 + refers to the cvs repository to use; it uses the CVSROOT + plus this string, + i.e. + /cvsroot/server0. + "OpenACS" is the vendor tag, and "openacs-4-6" is the + release tag. These tags will be useful in upgrading and + branching. -m sets the version comment.

      [root@yourserver root]# su - server0
      +[server0@yourserver server0]$ cd /web/server0
      +[server0@yourserver server0]$ cvs import -m "initial install" server0 OpenACS openacs-4-6
      +N server0/license.txt
      +N server0/readme.txt
      +(many lines omitted)
      +N server0/www/SYSTEM/flush-memoized-statement.tcl
       
      -		  Finally create a directory for the AOLserver logs.
      +No conflicts created by this import
       
      -		

      -joeuser:~/web$ mkdir birdnotes/log

- Skip ahead if you want to Prepare PostgreSQL for OpenACS -

Prepare Oracle for OpenACS

+[server0@yourserver server0]$ +

su - server0
+cd /web/server0
+cvs import -m "initial install" server0 OpenACS openacs-4-6

Move the original directory to a temporary location, and check out the cvs repository in its place. If the service starts correctly, come back and remove the temporary copy of the uploaded files.

[server0@yourserver server0]$ cd ..
+[server0@yourserver web]$ mv server0 server0.orig
+[server0@yourserver web]$ cvs checkout server0
+cvs checkout: Updating server0
+U server0/license.txt
+(many lines omitted)
+U server0/www/SYSTEM/dbtest.tcl
+U server0/www/SYSTEM/flush-memoized-statement.tcl
+[server0@yourserver web]$ exit
+logout
 
+[root@yourserver web]#
+
cd ..
+mv server0 server0.orig
+cvs checkout server0
+exit
  • Set up several additional directories in the service root: + etc is for configuration files + and log is for log + files. If you did the CVS step, note that these new directories are excluded from that step so that you can decide whether or not you want your logs and config files in source control.

    [root@yourserver root]# su - server0
    +[server0@yourserver server0]$ mkdir /web/server0/etc /web/server0/log
    +[server0@yourserver web]$ exit
    +logout
    +
    +[root@yourserver web]#
    +
    su - server0
    +mkdir /web/server0/etc /web/server0/log
    +exit
  • Prepare Oracle for OpenACS

    OPTIONAL - if you won't be using Oracle, skip to Prepare PostgreSQL for OpenACS

    You should be sure that your user account - (e.g. joeuser) is in the + (e.g. server0) is in the dba group. - -

    • +

      1. Verify membership by typing groups when you login: -

        -joeuser:~$ groups
        -dba web

        +

        +server0:~$ groups
        +dba web
        If you do not see these groups, take the following action: -

        -joeuser:~$ su -      
        +		  
        +server0:~$ su -      
         Password: ************
        -root:~# adduser joeuser dba

        +root:~# adduser server0 dba

        If you get an error about an undefined group, then add that group manually: -

        +
         root:~# groupadd dba
        -root:~# groupadd web

        +root:~# groupadd web
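
Review bot: The PostgreSQL `.bashrc` line added in step 3 repeats the variable name, `export LD_LIBRARY_PATH=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib`, so the first entry in the loader search path becomes the relative name `LD_LIBRARY_PATH=` (plus any old value) instead of a real directory, and the "you should see" output further down documents the same broken value. It should read `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib`, with the expected output updated to match. In the same step, the verification transcript switches to a `[postgres@yourserver pgsql]$` prompt right after `su - server0`, and "leave the password blank" is easy to misread: `useradd -g web server0` sets no password, which is a locked password rather than an empty one, and the text should say so.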

        Make sure to logout as root when you are finished with this step and log back in as @@ -83,26 +169,26 @@ Connect to Oracle using svrmgrl and login: -

        -joeuser:~$ svrmgrl
        +		  
        +server0:~$ svrmgrl
         
         SVRMGR> connect internal
        -Connected.

        +Connected.

      2. Determine where the system tablespaces are stored: -

        -SVRMGR>  select file_name from dba_data_files;

        +

        +SVRMGR>  select file_name from dba_data_files;
        Example results: -

        +		  
         /ora8/m01/app/oracle/oradata/ora8/system01.dbf
         /ora8/m01/app/oracle/oradata/ora8/tools01.dbf
         /ora8/m01/app/oracle/oradata/ora8/rbs01.dbf
         /ora8/m01/app/oracle/oradata/ora8/temp01.dbf
         /ora8/m01/app/oracle/oradata/ora8/users01.dbf
         /ora8/m01/app/oracle/oradata/ora8/indx01.dbf
        -/ora8/m01/app/oracle/oradata/ora8/drsys01.dbf

        +/ora8/m01/app/oracle/oradata/ora8/drsys01.dbf

      3. Using the above output, you should determine where to store your tablespace. As a general rule, you'll want to @@ -122,13 +208,13 @@ exit from svrmgrl and login as root for this step:

         SVRMGR> exit
        -joeuser:~$ su -
        +server0:~$ su -
         Password: ************
         root:~# mkdir -p /ora8/m02/oradata/ora8/
        -root:~# chown joeuser.web /ora8/m02/oradata/ora8
        +root:~# chown server0.web /ora8/m02/oradata/ora8
         root:~# chmod 775 /ora8/m02/oradata/ora8
         root:~# exit
        -joeuser:~$
      4. +server0:~$
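
Review bot: `chmod 775 /ora8/m02/oradata/ora8` in this hunk leaves the datafile directory readable and traversable by every local account, and the directory is now owned by the web-facing service user (`chown server0.web`), while the service root elsewhere in this patch is locked down to 700. Unless something outside `server0` and the `web` group needs to list this directory, suggest `chmod 770` here, plus a sentence saying which account has to be able to write the datafiles.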

      5. Create a tablespace for the service. It is important that the tablespace can autoextend. This @@ -140,11 +226,11 @@ tablespace.

        -joeuser:~$ svrmgrl
        +server0:~$ svrmgrl
         
         SVRMGR> connect internal;
        -SVRMGR> create tablespace birdnotes 
        -             datafile '/ora8/m02/oradata/ora8/birdnotes01.dbf' 
        +SVRMGR> create tablespace server0 
        +             datafile '/ora8/m02/oradata/ora8/server001.dbf' 
                      size 50M 
                      autoextend on 
                      next 10M
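
Review bot: The datafile name `'/ora8/m02/oradata/ora8/server001.dbf'` is what the birdnotes-to-server0 substitution does to `birdnotes01.dbf`: the service name and the `01` sequence suffix run together and the result reads as "server 001". Suggest a separator such as `server0_01.dbf`, or a sentence stating the service-name-plus-01 convention so that readers with a different service name derive the right file name.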
        @@ -153,26 +239,26 @@
                      uniform size 32K;
      6. Create a database user for this service. Give the user access to the tablespace and rights to connect. We'll use - birdnotespassword as our password.

        + server0password as our password.

        Write down what you specify as service_name - (i.e. birdnotes) and + (i.e. server0) and database_password - (i.e. birdnotespassword). You + (i.e. server0password). You will need this information for configuring exports and AOLserver.

        -SVRMGR> create user birdnotes identified by birdnotespassword default tablespace birdnotes
        -temporary tablespace temp quota unlimited on birdnotes;
        -SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to birdnotes;
        -SVRMGR> revoke unlimited tablespace from birdnotes;
        -SVRMGR> alter user birdnotes quota unlimited on birdnotes;
        +SVRMGR> create user server0 identified by server0password default tablespace server0
        +temporary tablespace temp quota unlimited on server0;
        +SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite to server0;
        +SVRMGR> revoke unlimited tablespace from server0;
        +SVRMGR> alter user server0 quota unlimited on server0;
         SVRMGR> exit;

        Your table space is now ready. In case you are trying to delete a - previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below. + previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below.

      7. Make sure that you can login to Oracle using your service_name account:

        -joeuser:~$ sqlplus birdnotes/birdnotespassword
        +server0:~$ sqlplus server0/server0password
         SQL> select sysdate from dual;
         
         SYSDATE
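
Review bot: The renamed examples keep a password derived from the service name (`identified by server0password`) and then put it on the command line in `sqlplus server0/server0password`, where it ends up in shell history and is visible in the process list while sqlplus runs. Suggest an obvious placeholder in the `create user` statement with a sentence telling readers to choose their own value, and `sqlplus server0` in the login check so that the password is prompted for. Also, "(i.e. server0)" and "(i.e. server0password)" introduce examples, so "e.g." is the right abbreviation.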
        @@ -184,102 +270,160 @@
         		  If you can't login, try redoing step 1 again. If the date is
         		  in the wrong format, make sure you followed the steps outlined in
         		  the section called “Troubleshooting Oracle Dates”
        -		  

      8. - Next we'll set up AOLserver so that it has the proper environment - variables set before launching. Download this nsd-oracle script into - /tmp/nsd-oracle.txt : -

        -joeuser:~$ su -
        -Password: ********
        -root:~# cd /usr/local/aolserver/bin
        -root:/usr/local/aolserver/bin# cp /tmp/nsd-oracle.txt ./nsd-oracle
        -root:/usr/local/aolserver/bin# chmod 750 nsd-oracle
        -root:/usr/local/aolserver/bin# exit

    Prepare PostgreSQL for OpenACS

    - Preparing PostgreSQL is just a little bit simpler than preparing - Oracle. We simply need to create a database with the name of our - service-name - (i.e. birdnotes) -

    -joeuser:~/web$ createdb birdnotes
    -CREATE DATABASE

    Next we'll set up AOLserver so that it has the proper environment - variables set before launching. Download this nsd-postgres script into - /tmp/nsd-postgres.txt :

    -joeuser:~/web$ cd
    -joeuser:~$ su -
    -Password: ********
    -root:~# cd /usr/local/aolserver/bin
    -root:/usr/local/aolserver/bin# cp /tmp/nsd-postgres.txt ./nsd-postgres
    -root:/usr/local/aolserver/bin# chmod 755 nsd-postgres
    -root:/usr/local/aolserver/bin# exit

    Configuring AOLserver

    - The AOLserver architecture lets you run an arbitrary number of - virtual servers. A virtual server is an HTTP service running on a - specific port, e.g. port 80. In order for the OpenACS to work, you - need to configure a virtual server. Because the process is involved, - we have prepared a sample virtual server configuration file. -

    1. - Download openacs4.tcl.txt - into /tmp. -

    2. +

    Prepare PostgreSQL for an OpenACS Service

    1. Create a user in the database matching the service name.

      [root@yourserver root]# su - postgres
      +[postgres@yourserver pgsql]$ createuser server0
      +Shall the new user be allowed to create databases? (y/n) y
      +Shall the new user be allowed to create more new users? (y/n) y
      +CREATE USER
      +[postgres@yourserver pgsql]$ exit
      +logout
       
      -		  Modify it for your needs and save it inside your
      -		  ~/web/birdnotes directory.  (Of
      -		  course change birdnotes to
      -		  whatever you're using as your service-name.)
      +[root@yourserver root]#
    2. Create a database with the same name as our service name, server0.

      [root@yourserver root]# su - server0
      +[server0@yourserver server0]$ createdb server0
      +CREATE DATABASE
      +[server0@yourserver server0]$
      +
      su - server0
      +createdb server0
    3. Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user.

      [server0@yourserver server0]$ export EDITOR=emacs;crontab -e

      Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

      0 1 * * * /usr/local/pgsql/bin/vacuumdb server0
    4. Add Full Text Search Support - OPTIONAL

      If you are installing Full Text Search, add required packages to the new database.

      [server0@yourserver server0]$ /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
      +BEGIN
      +CREATE
      +(many lines omitted)
      +INSERT 0 1
      +COMMIT
      +[server0@yourserver server0]$ /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
      +CREATE
      +CREATE
      +[server0@yourserver server0]$
      +
      /usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/tsearch/tsearch.sql
      +/usr/local/pgsql/bin/psql server0 -f /usr/local/src/postgresql-7.2.3/contrib/pgsql_contrib_openfts/openfts.sql
    5. [server0@yourserver server0]$ exit
      +logout
       
      -		

    -joeuser:~$ cp /tmp/openacs4.tcl.txt ./web/birdnotes/nsd.tcl
    -joeuser:~$ chmod 600 ./web/birdnotes/nsd.tcl
    -joeuser:~$ emacs ./web/birdnotes/nsd.tcl

    - Specifically, you'll have set the following variables -

    • - server - This is the name of - the directory where your code resides. In our example above, we - used birdnotes. -

    • db_name - In almost all cases, +[root@yourserver root]#

    Configure an AOLserver Service for OpenACS

    1. + The AOLserver architecture lets you run an arbitrary number of + virtual servers. A virtual server is an HTTP service running on a + specific port, e.g. port 80. In order for OpenACS to work, you + need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball. Copy it to the /web/server0/etc directory and open it in an editor to adjust the parameters.

      [root@yourserver root]# su - server0
      +[server0@yourserver server0]$ cd /web/server0/etc
      +[server0@yourserver etc]# cp /web/server0/packages/acs-core-docs/www/files/config.tcl.txt config.tcl
      +[server0@yourserver etc]# emacs config.tcl
      +

      + You can continue without changing any values in the file. However, if you don't change address to match the computer's ip address, you won't be able to browse to your server from other machines. +

      • httpport - If you want your + server on a different port, enter it here. The Reference Platform port is 8000, which is suitable for development use. Port 80 is the standard http port - it's the port used by your browser when you enter http://yourserver.test. So you should use port 80 for your production site.

      • httpsport - This is the + port for https requests. The Reference Platform https port is + 8443. If http port is set to 80, httpsport should be 143 to + match the standard.

      • + address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.

      • server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses server0. + +

      • db_name - In almost all cases, this can be kept as a reference to $server. If for some reason, the tablespace you are using is different than your servername, then you can set it here. You should have a good reason for doing this.

      • - servername - This is just a - *pretty* name for your server. For example, we might call ours - "Birdnotes.net Community" -

      • httpport - If you want your - server on a different port, enter it here

      • - - user_account - The account that will both - own OpenACS files and connect to the database (for Postgresql). - -

      + servername - This is just a *pretty* name for your server.

    2. user_account - The account that + will both own OpenACS files and connect to the database (for + Postgresql).

    3. debug - Set to true for a very verbose error log, including many lines for every page view, success or failure.

    AOLServer is very configurable. These settings should get you started, but for more options, read the AOLServer docs. -

    +

  • OPTIONAL: To run OpenFTS, uncomment this line from config.tcl. (To uncomment a line in a tcl file, remove the # at the beginning of the line.)

    #ns_param   nsfts           ${bindir}/nsfts.so
  • OPTIONAL: To run nsopenssl:

    1. Uncomment this line from config.tcl.

      #ns_param   nsopenssl       ${bindir}/nsopenssl.so
      +
    2. Prepare a certificate directory for the service.

      [server0@yourserver etc]$ mkdir /web/server0/etc/certs
      +[server0@yourserver etc]$ chmod 700 /web/server0/etc/certs
      +[server0@yourserver etc]$ 
      +
      mkdir /web/server0/etc/certs
      +chmod 700 /web/server0/etc/certs
    3. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

      Use an OpenSSL perl script to generate a certificate and key.

      [server0@yourserver server0]$ cd /web/server0/etc/certs
      +[server0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert
      +Using configuration from /usr/share/ssl/openssl.cnf
      +Generating a 1024 bit RSA private key
      +...++++++
      +.......++++++
      +writing new private key to 'newreq.pem'
      +Enter PEM pass phrase:

      Enter a pass phrase for the CA certificate. Then, answer the rest of the questions. At the end you should see this:

      Certificate (and private key) is in newreq.pem
      +[server0@yourserver certs]$

      newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.

      [root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem
      +read RSA key
      +Enter PEM pass phrase:
      +writing RSA key
      +[server0@yourserver certs]$ 

      To create the certificate file, we take the combined file, copy it, and strip out the key.

      [server0@yourserver certs]$ cp newreq.pem certfile.pem
      +[root@yourserver misc]# emacs certfile.pem

      Strip out the section that looks like

      -----BEGIN RSA PRIVATE KEY-----
      +Proc-Type: 4,ENCRYPTED
      +DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997
      +S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T
      +(11 lines omitted)
      +1MU24SHLgdTfDJprEdxZOnxajnbxL420xNVc5RRXlJA8Xxhx/HBKTw==
      +-----END RSA PRIVATE KEY-----
  • Verify AOLserver startup

    1. Kill any current running AOLserver processes and start a new one. (Note, if you are using Oracle, rather than PostgreSQL, replace nsd-postgres with - nsd-oracle):

      -joeuser:~$ killall nsd
      -; Should probably see:
      +	  nsd-oracle).  If you are using port 80, you must be root for this step. 

      [server0@yourserver etc]$ killall nsd
       nsd: no process killed
      -joeuser:~$ /usr/local/aolserver/bin/nsd-postgres -t ~/web/birdnotes/nsd.tcl

      +[server0@yourserver server0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/server0/etc/config.tcl +[server0@yourserver server0]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file... +[08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: finished reading config file.

    2. Attempt to connect to the service from a web browser as you did - in the Test AOLserver section. You should - specify a URL like: -

      -http://ip_name:ip_port/

      - You should see a page that looks like this - if so, go on to Using the OpenACS Installer. + You should specify a URL like: +

      http://yourserver.test:8000

      + You should see a page that looks like this. If you imported your files into + cvs, now that you know it worked you can erase the temp + directory with rm -rf /web/server0.orig.

      If you don't see the login page, view your error log - (~/web/birdnotes/log/error.log) + (/web/server0/log/server0-error.log) to make sure the service is starting without any problems. If you - need to make changes, don't forget to kill any running servers. + need to make changes, don't forget to kill any running servers with killall nsd. -

      -joeuser:~$ killall nsd

    Using the OpenACS Installer

    +

  • OPTIONAL - Automate AOLserver keepalive

    Assuming AOLserver started cleanly in the previous step, we'll set it up so that it's always running, and automatically restarts whenever it dies or is stopped. This step is strongly recommended, even for development sites, because it makes install and maintenance much simpler.

    The Reference Platform uses Daemontools to control AOLserver. An earlier method using init, less flexible and reliable, is here.

    1. Daemontools must already be installed. If not, install it.

    2. Each service controlled by daemontools must have a directory in /service. That directory must have a file called run. Daemontools then creates additional files and directories to track status and log. Create the appropriate directory as /web/server0/etc/daemontools, copy the prepared run file, and set permissions. If your server is not called server0, edit /web/server0/etc/run accordingly.

      [server0@yourserver log]$ cd /web/server0/etc
      +[server0@yourserver etc]$ mkdir daemontools
      +[server0@yourserver etc]$ cp /web/server0/packages/acs-core-docs/www/files/run.txt daemontools/run
      +[server0@yourserver etc]$ chmod 700 daemontools/run
      +
      cd /web/server0/etc
      +mkdir daemontools
      +cp /web/server0/packages/acs-core-docs/www/files/run.txt daemontools/run
      +chmod 700 daemontools/run
    3. Kill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.

      [server0@yourserver etc]$ killall nsd
      +nsd: no process killed
      +[server0@yourserver etc]$ exit
      +
      +[root@yourserver root]# ln -s /web/server0/etc/daemontools/ /service/server0

      Verify that AOLserver is running.

      [root@yourserver root]# ps -auxw | grep nsd
      +server0   5562 14.2  6.2 22436 15952 ?       S    11:55   0:04 /usr/local/aolserver/bin/nsd -it /web/server0/etc/config.tcl -u serve
      +root      5582  0.0  0.2  3276  628 pts/0    S    11:55   0:00 grep nsd
      +[root@yourserver root]#
    4. The user server0 can now control the service server0 with these commands:

      • + + svc -d /service/server0 - + Bring the server down + +

      • + + svc -u /service/server0 - + Start the server up and leave it in keepalive mode. + +

      • + + svc -o /service/server0 - + Start the server up once. Do not restart it if it stops. + +

      • + + svc -t /service/server0 - + Stop and immediately restart the server. + +

      • + + svc -k /service/server0 - + Sends the server a KILL signal. This is like KILL -9. AOLserver + exits immediately. If svc -t fails to fully kill AOLserver, use + this option. This does not take the server out of keepalive mode, so it should still bounce back up immediately. + +

    5. + At this point, these commands will work only for the + root user. Grant permission for the web group to use svc commands on the server0 server.

      [root@yourserver root]# svgroup web /service/server0
      +[root@yourserver root]#
    6. Verify that the controls work. You may want to tail -f /web/server0/log/server0-error.log in another window, so you can see what happens when you type these commands. +

      + + Most of this information comes from Tom Jackson's AOLServer+Daemontools + Mini-HOWTO. +

  • Configure a Service with the OpenACS Installer

    Now that you've got AOLserver up and running, let's install OpenACS - 4.6. + 4.6.2.
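
Review bot: The new `httpsport` bullet says "If http port is set to 80, httpsport should be 143 to match the standard", but the standard HTTPS port is 443 (143 is IMAP); change it to 443. Two more points in this hunk: `createuser server0` answers y to "Shall the new user be allowed to create more new users?", which gives the web-facing service account more database privilege than the steps shown here use and sits badly with the least-privilege paragraph added at the top of the page, so answer n or state why y is required; and the daemontools step copies the run file to `daemontools/run` but tells readers to edit `/web/server0/etc/run`, which should be `/web/server0/etc/daemontools/run`.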

    • You should see a page from the webserver titled OpenACS Installation: @@ -331,270 +475,75 @@ being restarted; note that unless you already set up a way for AOLServer to restart itself (ie. inittab or daemontools), you'll need to manually restart your service. -

      -joeuser:~$ /usr/local/aolserver/bin/nsd-postgres -t ~/web/birdnotes/nsd.tcl
    • +

      [server0@yourserver server0]$ /usr/local/aolserver/bin/nsd-postgres -t /web/server0/config.tcl
    • Give the server a few minutes to start up. Then reload the final page above. You should see the front page, with an area to login near the upper right. Congratulations, OpenACS - 4.6 is now up and running! -

    Keep AOLserver alive

    - Now, we'll describe how to start AOLserver automatically on boot, - or whenever else the service dies. -

    - There are 2 ways of doing this - via inittab or via daemontools. The - second way is by far the better way. Using daemontools gives you much - finer control over your servers and avoids the hassle of messing with - /etc/inittab. But, we'll describe - the inittab way as this may be easier for some users. I encourage - everyone to follow the links provided which describe how to Install daemontools. -

    Important: You need to set up - either inittab or daemontools, not both!

    Editing inittab

    - This step should be completed as root. This can break every service - on your machine, so proceed with caution. -

    • - There are 2 general steps to getting this working. -

      1. - Install a script called - restart-aolserver. This - script doesn't actually restart AOLserver - it just kills - it. -

      2. - Ask the OS to restart our service whenever it's not - running. We do this by adding a line to - /etc/inittab. -

      - Calling restart-aolserver - kills our service. The OS notices that our service is not - running, so it automatically restarts it. Thus, calling - restart-aolserver effectively - restarts our service. -

    • - Copy this file into - /tmp/restart-aolserver.txt. -

    • - This script needs to be SUID-root, which means - that the script will run as root. This is necessary to ensure - that the AOLserver processes are killed regardless of who owns - them. However the script should be executable by the - web group to ensure that the - users updating the web page can use the script, but that - general system users cannot run the script. You also need to - have Perl installed and also a symbolic link to it in - /usr/local/bin. -

      -joeuser:~$ su - 
      -Password: ***********
      -root:~# cp /tmp/restart-aolserver.txt /usr/local/bin/restart-aolserver
      -root:~# chown root.web /usr/local/bin/restart-aolserver
      -root:~# chmod 4750 /usr/local/bin/restart-aolserver
      -root:~# ln -s /usr/bin/perl /usr/local/bin/perl
      -root:~# exit
    • - Test the restart-aolserver - script. We'll first kill all running servers to clean the - slate. Then, we'll start one server and use - restart-aolserver to kill - it. If it works, then there should be no more servers - running. You should see the following lines.

      -joeuser:~$ killall nsd
      -nsd: no process killed
      -joeuser:~$ /usr/local/aolserver/bin/nsd-postgres -t ~/web/birdnotes/nsd.tcl
      -joeuser:~$ restart-aolserver birdnotes
      -Killing 23727 
      -joeuser:~$ killall nsd
      -nsd: no process killed

      - The number 23727 indicates the process id(s) (PIDs) of the - processes being killed. It is important that no processes are killed by the second - call to killall. If there are - processes being killed, it means that the script is not - working.

    • - Assuming that the restart-aolserver - script worked, login as root and open - /etc/inittab for - editing.

      -joeuser:~$ su -
      -Password: ************
      -root:~# emacs -nw /etc/inittab
    • - Copy this line into the bottom of the file as a template, - making sure that the first field - nss1 is unique. -

      -nss1:345:respawn:/usr/local/aolserver/bin/nsd-postgres -i -u nobody -g web -t /home/joeuser/web/birdnotes/nsd.tcl
    • - Important: Make sure there is a - newline at the end of the file. If there is not a newline at - the end of the file, the system may suffer catastrophic - failures. -

    • - Still as root, enter the following command to re-initialize - /etc/inittab.

      -root:~# killall nsd    
      -nsd: no process killed
      -root:~# /sbin/init q
    • - See if it worked by running the - restart-aolserver script - again.

      -root:~# restart-aolserver birdnotes
      -Killing 23750

    - If processes were killed, congratulations, your server is now - automated for startup and shutdown. -

    Install daemontools

    + 4.6.2 is now up and running! +

  • OPTIONAL - Install Full Text Search.

    1. Click Package Manager on the right side of the default home page. If prompted, log in with the account and password you entered during install.

    2. Click on the Install +packages link.

    3. On the next screen, after it loads, click on Uncheck all boxes, then click the second checkbox next to OpenFTS Driver 4.2. This will automatically check the first box. Then click Next.

    4. Click Install Packages

    5. Restart the service.

      [server0@yourserver server0]$ svc -t /service/server0
      +[server0@yourserver server0]$
    6. Wait a minute, then browse back to the home page.

    7. Click on Site Map on the top right side of the screen.

    8. Mount the OpenFTS Full Text Search Engine in the site map.

      1. Click the new sub folder link on the "/" line, the first line under Main Site:/.

      2. Type openfts +and click New.

      3. On the new openfts line, click the mount link.

      4. Click OpenFTS +Driver.

      5. On the openfts line, click set parameters.

      6. Change openfts_tcl_src_path to /usr/local/src/Search-OpenFTS-tcl-0.3.2/ and click Set Parameters +

    9. Mount the Search interface in the site map.

      1. Click the +new sub folder link on the +Main Site line.

      2. Type search +and click New.

      3. Click the new +application link on the search + line.

      4. Type search +where it says +untitled, choose +search from the +drop-down list, and click +New. +

    10. Restart the service.

      [server0@yourserver server0]$ svc -t /service/server0
      +[server0@yourserver server0]$
    11. Wait a minute, then click on Main Site at the top of the page.

    12. Initialize the OpenFTS Engine. This creates a set of tables in the database to support FTS.

      Near the bottom of the page, click on the OpenFTS Driver link. Click on Administration. +Click on Initialize OpenFTS Engine. +Click Initialize OpenFTS Engine.

    13. Add the FTS Engine service contract

      1. Click on the Main +Site.

      2. Click on the ACS +Service Contract link near the bottom of the home page.

      3. On the FtsEngineDriver +line, click +Install. +

    14. Restart the service.

      [server0@yourserver server0]$ svc -t /service/server0
      +[server0@yourserver server0]$
    15. Test FTS. (INCOMPLETE). Add a package that supports search,like "note," add some content, and search for it.

  • Back up the New Service - OPTIONAL

    This is a very good time to back the service, even if it's not a production service. Making a backup now lets you roll back to this initial, clean setup at any point in the future, without repeating the install process. A full OpenACS service backup includes everything in the /web/server0/ directory. At this point it's probably sufficient to back up just the database, because you can recover the files from a tarball.

    Note that, if you did the CVS options in this document, the /web/server0/etc directory is not included in cvs and you may want to add it.

    • PostGreSQL.�Create a backup file and verify that it was created and has a reasonable size (several megabytes).

      [server0@yourserver server0]$ mkdir /web/server0/database-backup
      +[server0@yourserver server0]$ pg_dump -f /web/server0/database-backup/initial_backup.dmp server0
      +[server0@yourserver server0]$ ls -al /web/server0/database-backup
      +total 1425
      +drwxr-xr-x    2 server0  web          1024 Mar  9 14:13 .
      +drwx------   11 server0  web          1024 Mar  9 14:11 ..
      +-rw-r--r--    1 server0  web       1449826 Mar  9 14:13 initial_backup.dmp
      +[server0@yourserver server0]$
      +
      mkdir /web/server0/database-backup
      +pg_dump -f /web/server0/database-backup/initial_backup.dmp server0
      +ls -al /web/server0/database-backup
    • Oracle - INCOMPLETE.�

    Set up Automated Backup - OPTIONAL

    Backup can encompass all files in /web/server0. For a development server, putting the files in cvs is sufficient. (It's important then to back up the cvs repository!)

    A quick way to automate database backup is a cron job. This is not recommended for production and is not part of the Reference Platform, because it is not cross-platform and can fail silently. More thorough methods are documented in the section called “Backup Strategy”

    [server0@yourserver server0]$ export EDITOR=emacs;crontab -e

    Add this line to the file. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day.

    0 1 * * * /usr/local/pgsql/bin/pg_dump -f /web/server0/database-backup/server0_$(date +%Y-%m-%d).dmp server0

    Set up Log Analysis Reports - OPTIONAL

    Analog is a program with processes webserver access logs, + performs DNS lookup, and outputs HTML reports. Analog should + already be + installed. A modified configuration file is included in + the OpenACS tarball.

    1. [root@yourserver src]# su - service0
      +[service0@yourserver service0]$ cd /web/service0
      +[service0@yourserver service0]$ cp /web/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg
      +[service0@yourserver service0]$ mkdir www/log
      +[service0@yourserver service0]$ cp -r /usr/share/analog-5.31/images www/log/
      +[service0@yourserver service0]$ 
      +su - service0
      +cd /web/service0
      +cp /web/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg
      +mkdir www/log
      +cp -r /usr/share/analog-5.31/images www/log/

      Edit +/web/service0/etc/analog.cfg and change the variable in HOSTNAME "[my +organisation]" to reflect your website title. If you +don't want the traffic log to be publicly visible, change +OUTFILE /web/service0/www/log/traffic.html to use a private +directory.

    2. Run it.

      [service0@yourserver service0]$ /usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg
      +/usr/share/analog-5.31/analog: analog version 5.31/Unix
      +/usr/share/analog-5.31/analog: Warning F: Failed to open DNS input file
      +  /home/service0/dnscache: ignoring it
      +  (For help on all errors and warnings, see docs/errors.html)
      +/usr/share/analog-5.31/analog: Warning R: Turning off empty Search Word Report
      +[service0@yourserver service0]$

      Verify that it works by browing to http://yourserver.test:8000/log/traffic.html

    3. Automate this by creating a file in + /etc/cron.daily.

      [service0@yourserver service0]$ exit
      +logout
       
      -        Installation instructions:
      +[root@yourserver root]# emacs /etc/cron.daily/analog

      Put this into the file:

      #!/bin/sh
       
      -        

      Debian
      -root:~# apt-get install daemontools-installer
      -root:~# build-daemontools

      -

      Red Hat

      RPMs for RH 6.2 and RPM 7.1 are available - http://untroubled.org/rpms/daemontools. I - have not tested these, so I have no idea whether they work - properly. -

      Other distributions

      - - You can download the source directly from the author's site - at http://cr.yp.to/daemontools/install.html. - -

      -

      - Create a file called run inside - ~/web/birdnotes: -

      -joeuser:~$ cd web/birdnotes
      -joeuser:~/web/birdnotes$ emacs run

      - Copy this text into that file: -

      -#!/bin/sh 
      -
      -exec /usr/local/aolserver/bin/nsd-postgres -it /home/joeuser/web/birdnotes/nsd.tcl -u nobody -g web

      - - As root, change the ownership of this file. We also need to delete - any logs that may be present from previous testing. If they are - owned by users other than nobody, - then AOLserver willl not be able to append to them. - -

      -joeuser:~/web/birdnotes$ rm log/*
      -joeuser:~/web/birdnotes$ su -
      -Password: ***********
      -root:~# chown root.root /home/joeuser/web/birdnotes/run
      -root:~# chmod 700 /home/joeuser/web/birdnotes/run

      - Now, we'll link our web root to the - /service directory. This causes - daemontools to monitor this directory. It should find your - run script and run it as soon as - you hit return. -

      -root:~# killall nsd
      -root:~# ln -s /home/joeuser/web/birdnotes /service
      -root:~# ps -A | grep nsd
      -19359 pts/3    00:00:08 nsd
      -19361 pts/3    00:00:00 nsd
      -19362 pts/3    00:00:00 nsd
      -19363 pts/3    00:00:00 nsd
      -19364 pts/3    00:00:00 nsd

      - At this point, you should be able to use the - restart-aolserver script described - in Editing inittab. Daemontools, however, - provides you with more precise control. -

      • - - svc -d /service/birdnotes - - Bring the server down - -

      • - - svc -u /service/birdnotes - - Start the server up. Also, restart it whenever it stops. - -

      • - - svc -o /service/birdnotes - - Start the server up once. Do not restart it if it stops. - -

      • - - svc -t /service/birdnotes - - Stop and immediately restart the server - -

      • - - svc -k /service/birdnotes - - Sends the server a KILL signal. This is like KILL -9. AOLserver - exits immediately. If svc -t fails to fully kill AOLserver, use - this option. - -

      - At this point, these commands will work only for the - root user. We can give a group - permission to run these commands as well. Download this script to - /tmp. -

      -root:~# cp /tmp/svgroup.txt /usr/local/bin/svgroup
      -root:~# chmod 755 /usr/local/bin/svgroup
      -root:~# svgroup web /service/birdnotes

      - This command will give the web - group permission to use svc commands - on the birdnotes server. -

      - Try it out. You may want to tail -f - ~/web/birdnotes/log/error.log in - another window, so you can see what happens when you type these - commands. -

      -root:~# exit
      -joeuser:~$ # first, bring the server down
      -joeuser:~$ svc -d /service/birdnotes
      -joeuser:~$ # now, start the server up
      -joeuser:~$ svc -u /service/birdnotes
      -joeuser:~$ # wait for server to come up, then restart it
      -joeuser:~$ svc -t /service/birdnotes

      - - Most of this information comes from Tom Jackson's AOLServer+Daemontools - Mini-HOWTO. - -

    Running AOLserver on Port 80

    - If you want to run the service on port 80 (the default HTTP port), - you need to set the port to 80 in your - nsd.tcl config file. -

    - Moreover, you will need to start the service as - root. If you follow the instructions - above for automating - startup, this will be taken care of, but if you ever start the - server from the command line, be sure to su - - first. -

    - Port 80 is a privileged port. Only certain users - can claim it. When you start nsd as - root, it obtains the port, and then changes to run as whatever user - you specify in the server configuration file. This ensures a high - level of security, as the server, once started, is not running as - root. This mean that if someone was - able to exploit your web server to execute a command on your server, - they would not be able to gain root - access.

    Deleting a tablespace

    Skip down for instructions on Deleting a PostgreSQL tablespace. -

    Deleting an Oracle tablespace

    - Should it become necessary to rebuild a tablespace from scratch, - you can use the drop user command - in SVRMGRL with the cascade - option. This command will drop the user and every database object - the user owns.

    -SVRMGR> drop user birdnotes cascade;

    - If this does not work because svrmgrl "cannot drop a user that - is currently connected", make sure to kill the AOLserver using - this user. If it still does not work, do:

    -SVRMGR> select username, sid, serial# from v$session where lower(username)='birdnotes';

    and then

    -SVRMGR> alter system kill session 'sid,serial#';

    - where sid and serial# are - replaced with the corresponding values for the open session.

    Use with caution!

    - If you feel the need to delete everything - related to the service, you can also issue the following:

    -SVRMGR> drop tablespace birdnotes including contents cascade constraints;

    Deleting a PostgreSQL tablespace

    - Dropping a PostgreSQL tablespace is easy. You have to stop any - AOLserver instances that are using the database that you wish to - drop. If you're using daemontools, this is simple, just use the - 'down' flag (-d). If you're using inittab, you have to comment out - your server in /etc/inittab, - reread the inittab with /sbin/init - q, and then restart-aolserver - birdnotes.

    Then, to drop the db, just do:

    -joeuser:~$ dropdb birdnotes
    -DROP DATABASE
    ($Id$)
    View comments on this page at openacs.org
    +/usr/share/analog-5.31/analog -G -g/web/service0/etc/analog.cfg
    [root@yourserver root]# chmod 755 /etc/cron.daily/analog

    Test it by running the script.

    [root@yourserver root]# sh /etc/cron.daily/analog

    Browse to http://yourserver.test/log/traffic.html

    Start customizing your service

    Now you can follow the instruction on the home page to change the appearance of your service or add more packages. Or you can proceed to the tutorial to learn how to develop your own packages.

    ($Id$)
    View comments on this page at openacs.org
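Review bot: In the first hunk, step 6 of the daemontools section ("Verify that the controls work") tells the reader to tail the error log "so you can see what happens when you type these commands", but as rendered here no commands follow it. The example session the old page carried (svc -d, svc -u and svc -t run as the unprivileged user) is deleted in the second hunk and not replaced. Suggest restoring a short session run as a member of the web group, for example svc -d /service/server0, then svc -u /service/server0, then svc -t /service/server0. That also confirms that the svgroup grant in step 5 took effect for a non-root user, which is the point of that step.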
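Review bot: In the second hunk, the crontab entry under "Set up Automated Backup" will not run as written. cron treats an unescaped % in the command field as a newline and feeds everything after the first one to the command as standard input, so "$(date +%Y-%m-%d)" is cut off at the plus sign and the dump is never written to the intended file. Escape each percent sign (date +\%Y-\%m-\%d) or move the pg_dump call into a small script that the crontab line invokes. The paragraph above already warns that this method can fail silently, so the one example it gives should be one that works. Two smaller points in the same hunk: the "Set up Log Analysis Reports" steps use service0 and /web/service0 where the rest of the page uses server0, and the two verification URLs disagree (port 8000 after step 2, no port after step 3). The /etc/cron.daily/analog script also runs analog as root, although step 2 ran it as the service user. Running it from the service user's crontab would keep the report files owned by that user and avoid giving a log parser root.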